UNCLASSIFIED - NO CUI

Update Administrator Guide, authored by Alfredo Diaz
...@@ -5,13 +5,18 @@ ...@@ -5,13 +5,18 @@
## SSO setup ## SSO setup
In order to utilize access controls, Holocron requires an SSO service to be configured. Any request to the Holocron API will need a JWT attached as an `Authorization` header, using the `Bearer <token>` format. As such, you will need to set Holocron behind some form of reverse proxy, service mesh, or similar. In order to utilize access controls, Holocron requires an SSO service to be configured. Any request to the Holocron API will need a JSON Web Token ([JWT](https://jwt.io/)) attached as an `Authorization` header, using the `Bearer <token>` format. As such, you will need to set Holocron behind some form of reverse proxy, service mesh, or similar.
Currently, Holocron has only been tested to work with Keycloak, but any other form of SSO should work if it can be configured similarly to below. Currently, Holocron has only been tested to work with Keycloak, but any other form of SSO should work if it can be configured similarly to below.
A group will need to be created for any Holocron administrators. The API will need to be provided the name of the group with the `SSO_ADMIN_GROUP` environment variable. It will also need the key names for where to find key information about the user from the decoded JWT; These can be provided with the environment variables `SSO_GROUPS_KEY` and `SSO_USERNAME_KEY`. To set up Holocron administrators, you must create a group. To do this, you'll need to specify the following information using environment variables:
If the experimental feature `COST_METRICS` is enabled, another group should be created for anyone who should be able to work with pay data. This group can be provided with the environment variable `SSO_LEADERSHIP_GROUP`. 1. The name of the group should be provided using the `SSO_ADMIN_GROUP` environment variable.
2. You should also specify where to find key information about the user from the decoded JWT. This information can be defined using two environment variables:
- `SSO_GROUPS_KEY` for group information.
- `SSO_USERNAME_KEY` for the username.
If you have enabled the experimental feature COST_METRICS, create a separate group for individuals who need access to pay data. You can assign this group by using the `SSO_LEADERSHIP_GROUP` environment variable.
### App access control ### App access control
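Review bot: the rewritten SSO paragraph still does not say where the JWT is validated. It tells the reader that `SSO_GROUPS_KEY` and `SSO_USERNAME_KEY` are read from the decoded JWT and that Holocron must sit behind a reverse proxy or service mesh, but not whether Holocron itself verifies the token's signature, issuer and expiry or relies on the proxy to have done so; since group membership taken from the token is what grants the `SSO_ADMIN_GROUP` and `SSO_LEADERSHIP_GROUP` roles, a one-sentence statement of which component is trusted to verify the token belongs here. Two smaller points: the new text drops the backticks from `COST_METRICS` that the old text had, and item 2 of the new list opens with "You should also specify", which reads as optional although the old wording ("It will also need the key names") made both variables required.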
...@@ -25,28 +30,40 @@ If enabled, Holocron has the following access control groups and roles: ...@@ -25,28 +30,40 @@ If enabled, Holocron has the following access control groups and roles:
More on these roles access control is show in the matrix below. More on these roles access control is show in the matrix below.
| Permissions | Admin | Admin + OrgLeadership | Org admin | Org admin + OrgLeadership | VS Admin | VS Admin + OrgLeadership | Team Admin | Team Admin + OrgLeadership | Please be aware that the following roles: Organization Leader, Organization Admin, Value Stream Admin, and Team Admin, are granted and relevant only within the confines of their respective organizations.
Y <sup>1</sup> user must also be admin of organization
Y <sup>2</sup> user must also be admin of value stream
Y <sup>3</sup> user must also be admin of Organization which contains value stream
Y <sup>4</sup> user must also be admin of Team
Y <sup>5</sup> user must also be admin of Value stream which contains Team
| Permissions | Admin + OrgLeadership | Admin | Org admin | Org admin + OrgLeadership | VS Admin | VS Admin + OrgLeadership | Team Admin | Team Admin + OrgLeadership |
| :--- | :----: | :----: | :----: | :----: | :----: | :----: | :----: | ---:| | :--- | :----: | :----: | :----: | :----: | :----: | :----: | :----: | ---:|
Create Organization | **Y** | **Y** | | | | | | | Create Organization | **Y** | **Y** | | | | | | |
Read Organization Metrics | **Y** | **Y** | if they are admin of Organization | if they are admin of Organization | | | | | | Read Organization Metrics | **Y** | **Y** |**Y** <sup>1</sup>|**Y** <sup>1</sup>| | | | | |
Read Organization Cost Metrics | | **Y** | | if they are admin of Organization | | | | | Read Organization Cost Metrics |**Y**| | |**Y** <sup>1</sup>| | | | |
Update Organization | **Y** | **Y** | if they are admin of Organization | if they are admin of Organization | | | | | Update Organization | **Y** | **Y** |**Y** <sup>1</sup>|**Y** <sup>1</sup>| | | | |
Delete Organization | **Y** | **Y** | if they are admin of Organization | if they are admin of Organization | | | | | Delete Organization | **Y** | **Y** |**Y** <sup>1</sup>|**Y** <sup>1</sup>| | | | |
Create Value Stream | **Y** | **Y** | **Y** | **Y** | | | | | Create Value Stream | **Y** | **Y** | **Y** | **Y** | | | | |
Read Value Stream Metrics | **Y** | **Y** | if the Value Stream falls under Organization they are admin of | if the Value Stream falls under Organization they are admin of | if they are admin of Value Stream | if they are admin of Value Stream | | | Read Value Stream Metrics | **Y** | **Y** |**Y** <sup>1</sup>|**Y** <sup>1</sup>|**Y** <sup>2</sup>|**Y** <sup>2</sup>| | |
Read Value Stream Cost Metrics | | **Y** | | if the Value Stream falls under Organization they are admin of | | if they are admin of Value Stream | | | | Read Value Stream Cost Metrics | **Y**|| |**Y** <sup>3</sup>| |**Y** <sup>2</sup>| | | |
Update Value Stream | **Y** | **Y** | if the Value Stream falls under Organization they are admin of | if the Value Stream falls under Organization they are admin of | if they are Admin of Value Stream | if they are admin of Value Stream | | | Update Value Stream | **Y** | **Y** |**Y** <sup>3</sup>| Y <sup>3</sup> |**Y** <sup>2</sup>|**Y** <sup>2</sup>| | |
Delete Value Stream | **Y** | **Y** | if the Value Stream falls under Organization they are admin of | if the Value Stream falls under Organization they are admin of | if they are Admin of Value Stream | if they are admin of Value Stream | | | Delete Value Stream | **Y** | **Y** |**Y** <sup>3</sup>| Y <sup>3</sup> |**Y** <sup>2</sup>|**Y** <sup>2</sup>| | |
Create Team | **Y** | **Y** | **Y** | **Y** | **Y** | **Y** | | | Create Team | **Y** | **Y** | **Y** | **Y** | **Y** | **Y** | | |
Read Team Metrics | **Y** | **Y** | if the Team falls under Organization they are admin of | if the Team falls under Organization they are admin of | if the Team falls under Value Stream they are admin of | if the Team falls under Value Stream they are admin of | if they are Team Admin | if they are Team Admin| Read Team Metrics | **Y** | **Y** |**Y** <sup>1</sup>|**Y** <sup>1</sup>|**Y** <sup>5</sup>|**Y** <sup>5</sup>|**Y** <sup>4</sup>|**Y** <sup>4</sup>|
Read Team Cost Metrics | | **Y** | | if the Team falls under Organization they are admin of | | if the Team falls under Value Stream they are admin of | | if they are Team Admin| Read Team Cost Metrics | **Y** || |**Y** <sup>1</sup>| |**Y** <sup>2</sup>| |**Y** <sup>4</sup>|
Update Team | **Y** | **Y** | if the Team falls under Organization they are admin of | if the Team falls under Organization they are admin of | if the Team falls under Value Stream they are admin of | if the Team falls under Value Stream they are admin of | if they are Team Admin | if they are Team Admin| Update Team | **Y** | **Y** |**Y** <sup>1</sup>|**Y** <sup>1</sup>|**Y** <sup>2</sup>|**Y** <sup>2</sup>|**Y** <sup>4</sup>|**Y** <sup>4</sup>|
Delete Team | **Y** | **Y** | if the Team falls under Organization they are admin of | if the Team falls under Organization they are admin of | if the Team falls under Value Stream they are admin of | if the Team falls under Value Stream they are admin of | if they are Team Admin | if they are Team Admin| Delete Team | **Y** | **Y** |**Y** <sup>1</sup>| Y <sup>1</sup>|**Y** <sup>2</sup>|**Y** <sup>2</sup>|**Y** <sup>4</sup>|**Y** <sup>4</sup>|
Delete User | **Y** | **Y** | | | | | | | Delete User | **Y** | **Y** | | | | | | |
## What are Collectors? ## What are Collectors?
Collectors can be thought of as an infinitely running background jobs. They constantly run within a set interval and collect data from sources (GitLab, Jira etc.), and transform the data into the data the backend API can understand. Collectors can be thought of as an infinitely running background jobs. They constantly run within a set interval then collect data from sources such as GitLab, Jira etc., to transform the data into useable information the backend API can understand.
### What kind of collectors do I need? ### What kind of collectors do I need?
It depends on what the team uses for source data (GitLab, Jira etc.). For example, a team could be using a Jira board at a certain hosted Jira domain, and source code management using GitLab at a certain GitLab hosted domain. Therefore, the team would need one collector running for each domain. It depends on what the team uses for source data (GitLab, Jira etc.). For example, a team could be using a Jira board at a certain hosted Jira domain, and source code management using GitLab at a certain GitLab hosted domain. Therefore, the team would need one collector running for each domain.
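Review bot: the footnote numbers in the new matrix do not consistently match the conditions they replace. In the old text the Org admin cells of the Value Stream rows read "if the Value Stream falls under Organization they are admin of", which is footnote 3, yet the new Read Value Stream Metrics row uses `<sup>1</sup>` while Update Value Stream and Delete Value Stream use `<sup>3</sup>`; likewise the VS Admin cells for Read Team Cost Metrics, Update Team and Delete Team use `<sup>2</sup>` (admin of the value stream) where Read Team Metrics and the old wording ("if the Team falls under Value Stream they are admin of") point to footnote 5. There is also no footnote for "admin of the Organization which contains the Team", so the Org admin cells in the Team rows now reuse footnote 1 and silently lose that qualifier. Suggest checking every footnoted cell against the old wording, moving the footnote legend below the table it annotates, and bolding the few plain `Y <sup>3</sup>` and `Y <sup>1</sup>` cells to match the rest. The unchanged sentence "More on these roles access control is show in the matrix below" still carries the typo ("is shown").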