Authentication & Permissions
OCP includes Role Based Access Control (RBAC) to govern access to the API. Several roles are predefined and can be assigned to a user; these are:
- administrator: all operations allowed on all resources
- viewer: read operations allowed on all resources
- owner: all operations for all resources they own
- stack_owner: all operations for stacks they own
Authorized users are identified to the API through bearer tokens. The tokens are opaque and can be generated using any acceptable method, for example:

```shell
cat /dev/urandom | head -c 32 | base64
```
Tokens are tied to a principal and assigned one or more roles from the list above using YAML configuration, see the example below:
```yaml
tokens:
  admin:
    api-key: 7lPLBKKpmiljMa0J9GwyYWLDJKEVFXEO6ZGAjmDf5eQ=
    scopes:
      - role: administrator
```
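The following is an added example, not OCP's own code, showing how a server can consume a token configuration of the shape above: generate a token with the same entropy as the urandom pipeline, resolve a presented bearer token to its principal and roles using a constant-time comparison, and apply the four roles. The configuration is an inline Python dict mirroring the YAML layout (with constructed keys rather than a YAML file), and the exact meaning of "read operations" and of "owning" a resource or stack is an assumption made for the example.

```python
import base64
import hmac
import secrets

# Constructed config mirroring the page's YAML layout:
# tokens -> principal -> {api-key, scopes: [{role: ...}]}. Keys are placeholders, not real tokens.
TOKEN_CONFIG = {
    "tokens": {
        "admin":   {"api-key": "CONSTRUCTED-ADMIN-KEY",   "scopes": [{"role": "administrator"}]},
        "auditor": {"api-key": "CONSTRUCTED-AUDITOR-KEY", "scopes": [{"role": "viewer"}]},
        "alice":   {"api-key": "CONSTRUCTED-ALICE-KEY",   "scopes": [{"role": "owner"}]},
        "bob":     {"api-key": "CONSTRUCTED-BOB-KEY",     "scopes": [{"role": "stack_owner"}]},
    }
}

# Assumption: these HTTP-style operations are the "read operations" a viewer may perform.
READ_OPS = {"get", "list"}


def generate_token() -> str:
    """32 random bytes, base64-encoded: the same shape as `head -c 32 /dev/urandom | base64`."""
    return base64.b64encode(secrets.token_bytes(32)).decode()


def token_entropy_bytes(token: str) -> int:
    """Number of raw bytes a base64 token decodes to; a cheap sanity check when loading config."""
    return len(base64.b64decode(token))


def authenticate(bearer: str, config: dict = TOKEN_CONFIG):
    """Resolve a bearer token to (principal, roles), or None for an unknown token.

    hmac.compare_digest runs in constant time for equal-length inputs, so a caller
    cannot learn how many leading characters of a configured key matched.
    """
    presented = bearer.encode()
    for principal, entry in config["tokens"].items():
        if hmac.compare_digest(entry["api-key"].encode(), presented):
            return principal, [scope["role"] for scope in entry["scopes"]]
    return None


def is_allowed(roles, operation: str, resource_kind: str, resource_owner: str, principal: str) -> bool:
    """Apply the four predefined roles. Any matching role grants access; otherwise deny."""
    for role in roles:
        if role == "administrator":
            return True  # all operations on all resources
        if role == "viewer" and operation in READ_OPS:
            return True  # read operations on all resources
        if role == "owner" and resource_owner == principal:
            return True  # all operations on resources the principal owns
        if role == "stack_owner" and resource_kind == "stack" and resource_owner == principal:
            return True  # all operations on stacks the principal owns
    return False


def authorize(bearer: str, operation: str, resource_kind: str, resource_owner: str,
              config: dict = TOKEN_CONFIG) -> bool:
    """Authenticate the bearer token, then check the requested operation. Unknown tokens are denied."""
    auth = authenticate(bearer, config)
    if auth is None:
        return False
    principal, roles = auth
    return is_allowed(roles, operation, resource_kind, resource_owner, principal)


if __name__ == "__main__":
    fresh = generate_token()
    print("generated token:", fresh, "->", token_entropy_bytes(fresh), "random bytes")
    print("viewer deleting a stack:", authorize("CONSTRUCTED-AUDITOR-KEY", "delete", "stack", "alice"))
    print("bob deleting his own stack:", authorize("CONSTRUCTED-BOB-KEY", "delete", "stack", "bob"))
```

Because the lookup iterates every configured principal, a deployment with many tokens would index by a hash of the key instead; the point here is that the comparison against any candidate key is constant-time and that the default outcome is deny.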