APPUiO Control API: User
apiVersion: appuio.io/v1 kind: User metadata: name: kate.demo (1) spec: preferences: defaultOrganizationRef: acme-corp status: (2) id: bec0d928-2ae2-4cec-94a0-5f72f12b8b39 displayName: Kate Demo username: kate.demo email: firstname.lastname@example.org defaultOrganizationRef: acme-corp
|1||Username in Keycloak|
|2||Reflects actual configuration from adapter and exposes read-only fields|
As this is a cluster-scoped resource, access control has to be defined in the cluster scope.
User object, a
ClusterRoleBinding is generated in the background, which grants edit rights to the subject (owner) which relates to the
kind: ClusterRole metadata: name: kate.demo-owner rules: - apiGroups: ["appuio.io"] resources: ["users"] resourceNames: ["kate.demo"] verbs: ["get", "update", "patch"] (1) --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: kate.demo-owner subjects: - kind: User name: appuio#kate.demo (2) apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: kate.demo-owner apiGroup: rbac.authorization.k8s.io
|1||A user can’t delete themselves in the current iteration of the API.|
|2||This depends on the API server configuration:
By default, only the subject which is the owner of the
User object gets edit rights.