| author | Lars Wirzenius <liw@liw.fi> | 2018-04-05 11:04:13 +0300 |
|---|---|---|
| committer | Lars Wirzenius <liw@liw.fi> | 2018-04-05 11:04:13 +0300 |
| commit | ec0dbc5e46b026013024977b2c04e4a08a625681 (patch) | |
| tree | 5cc2b7bf37ece658017158c88f211b135313735e /architecture.mdwn | |
| parent | 0a9c6b591887782667ff33dd15363c36154254f7 (diff) | |
| download | ick.liw.fi-ec0dbc5e46b026013024977b2c04e4a08a625681.tar.gz | |
Change: improve description of IDP and access control
Diffstat (limited to 'architecture.mdwn')
-rw-r--r-- | architecture.mdwn | 31 |
1 files changed, 10 insertions, 21 deletions
diff --git a/architecture.mdwn b/architecture.mdwn index c7640a3..228bd00 100644 --- a/architecture.mdwn +++ b/architecture.mdwn @@ -249,22 +249,15 @@ to all API providers at deployment time. Getting an access token ----------------------------------------------------------------------------- -(FIXME: We don't have an IDP for handing out access tokens. Each API client -gets the RSA key pair to sign tokens itself. This will be fixed -later. We will be using [Qvisqve][] as the IDP and OAuth2 client -credentials grants for getting access tokens.) +Ick uses [Qvisqve][] as the IDP solution. -[Qvisqve]: http://www.qvarn.org/qvisqve/ - -The API client (user's command line tool, a putative web app, git -server, worker-manager, etc) authenticates itself to the IDP, and if -successful, gets back a signed JSON Web Token. It will include the -token in all requests to all APIs so that the API provider will know -what the client is allowed to do. +The API client (`icktool`, worker-manager) authenticates itself to the +IDP, and if successful, gets back a signed JSON Web Token. It will +include the token in all requests to all APIs so that the API provider +will know what the client is allowed to do. The privileges for each API client are set by the sysadmin who -installs the CI system, or a user who's been given IDP admin -privileges by the sysadmin. +installs the CI system. @startuml hide footbox 
@@ -276,14 +269,10 @@ privileges by the sysadmin. All API calls need a token. Getting a token happens the same way for every API client. -FIXME: The exception, at least for now, is the API call to trigger a -project build. This is currently un-authenticated, to avoid -difficulties in distributing credentials to git servers. We will -eventually make that API call also require authentication and add a -"trigger service", with an unauthenticated API call that git servers -can use to notify of changes in a git repository. The trigger service -will examine the change and decide if it warrants a build to be -triggered. +The exception is the API call to trigger a project build. This is +un-authenticated, to avoid having to distribute API credentials to git +servers. We will add a safer approach for that later. + Worker (worker-manager) registration |
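Review bot: in the first hunk (@@ -249,22 +249,15 @@) the reference definition line `[Qvisqve]: http://www.qvarn.org/qvisqve/` is deleted while the added line `Ick uses [Qvisqve][] as the IDP solution.` still uses the reference-style link, so unless that definition also exists elsewhere in architecture.mdwn the link will render as literal bracketed text; keep the definition line. Minor wording point in the same hunk: in the added paragraph, "It will include the token in all requests" reads as if "It" were the token; "The client will include the token" is unambiguous.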
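Review bot: in the second hunk (@@ -276,14 +269,10 @@) the replacement text for the build-trigger exception drops the concrete plan the removed lines carried (a trigger service that examines the change and decides whether a build is warranted) and substitutes "We will add a safer approach for that later", which leaves the document stating that an un-authenticated API call exists without saying what the exposure is or how it is bounded in the meantime. Suggest keeping a one-sentence description of the intended trigger service and adding an interim note for deployers, for example that anyone who can reach the API can start builds of any project until authentication is added, so that the API endpoint should only be reachable from the git servers that need it.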