Teams and Users
User represents a user that has been loaded from a configured Identity Provider (IdP) and that can log into the platform. Currently, users are automatically synchronized by TSB from a configured LDAP server.
The following example creates a user named `john` under the organization `myorg`.
```yaml
apiVersion: api.tsb.tetrate.io/v2
kind: User
metadata:
  name: john
  organization: myorg
spec:
  loginName: john
  firstName: John
  lastName: Doe
  displayName: John Doe
  email: john.doe@acme.com
```
A ServiceAccount can be created to leverage machine authentication via JWT tokens. Each service account has a key pair with which signed JWT tokens can be created and then used to authenticate to TSB.
The following example creates a service account named `my-sa` under the organization `myorg`.
```yaml
apiVersion: api.tsb.tetrate.io/v2
kind: ServiceAccount
metadata:
  name: my-sa
  organization: myorg
spec:
  displayName: My Service Account
  description: Service account used for service integrations
```
A Team is a named collection of users, service accounts, and other teams. Teams can be assigned access permissions on various resources. All members of a team inherit the access permissions assigned to the team.
The following example creates a team named `org` under the organization `myorg` whose members are all members of the `product1` and `product2` teams, plus the users `alice` and `bob`.
```yaml
apiVersion: api.tsb.tetrate.io/v2
kind: Team
metadata:
  name: org
  organization: myorg
spec:
  members:
    - organizations/myorg/users/alice
    - organizations/myorg/users/bob
    - organizations/myorg/teams/product1
    - organizations/myorg/teams/product2
```
ServiceAccount
ServiceAccount represents a service account that can be used to access the TSB platform.
Service accounts have a set of associated public and private keys that can be used to generate signed JWT tokens that are suitable to authenticate to TSB. A default key pair is generated on service account creation and the public key is stored in TSB. Private keys are returned when service accounts are created, but TSB will not store them. It is up to the client to store them securely.
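The machine-authentication flow introduced in the ServiceAccount section above and the storage rule just stated (TSB keeps only the public key) are shown in this added Go example, which is not TSB's own code: the client mints an RS256 token with the private key, and the verifier checks it with the stored public key, pins the algorithm and enforces expiry. The key pair is generated locally as a stand-in for the one TSB returns, and the claim names (`sub`, `exp`) are assumptions, since the page does not specify which claims TSB expects.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT segments are base64url without padding
var header, _ = json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
// NewKeyPair stands in for the key pair TSB generates when a service account is created (constructed here).
func NewKeyPair() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
func sum(s string) []byte { h := sha256.Sum256([]byte(s)); return h[:] }
// SignJWT (client side) mints a token with the private key TSB does not store; claim names (sub, exp) are assumptions, not TSB's documented claims.
func SignJWT(key *rsa.PrivateKey, claims map[string]any) (string, error) {
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum(input))
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyJWT (server side) pins the algorithm, verifies with the stored public key and enforces exp (now is Unix time).
func VerifyJWT(pub *rsa.PublicKey, token string, now int64) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("alg is not RS256") // never let the token choose the algorithm
	}
	if sig, err := b64.DecodeString(parts[2]); err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum(parts[0]+"."+parts[1]), sig) != nil {
		return nil, errors.New("signature does not match the service account public key")
	}
	var claims map[string]any
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return nil, errors.New("malformed payload")
	}
	if exp, ok := claims["exp"].(float64); !ok || now >= int64(exp) {
		return nil, errors.New("token expired or has no exp claim")
	}
	return claims, nil
}
```

A token signed with a different key, with its payload swapped, with `alg` changed, or past its `exp` is rejected; only the holder of the private key returned at creation can produce one that verifies.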
Field | Description | Validation Rule |
---|---|---|
description | string | – |
keys | List of tetrateio.api.tsb.v2.ServiceAccount.KeyPair | – |
KeyPair
Represents a key pair associated with the service account.
Field | Description | Validation Rule |
---|---|---|
id | string | – |
publicKey | string | – |
privateKey | string | – |
encoding | tetrateio.api.tsb.v2.ServiceAccount.KeyPair.Encoding | – |
defaultToken | string | – |
Team
Team is a named collection of users under a tenant.
Field | Description | Validation Rule |
---|---|---|
members | List of string | – |
sourceType | tetrateio.api.tsb.v2.SourceType | enum = { |
User
User represents a user from the Identity Provider that is allowed to log into the platform.
Field | Description | Validation Rule |
---|---|---|
loginName | string | string = { |
firstName | string | – |
lastName | string | – |
 | string | – |
sourceType | tetrateio.api.tsb.v2.SourceType | enum = { |
Encoding
Format in which the keys in this key pair are encoded.
Field | Number | Description |
---|---|---|
PEM | 0 | |
JWK | 1 | |
SourceType
SourceType describes where teams come from. Teams can be synchronized from the Identity Provider but can also be manually created using the Team API to create convenient groupings of users and other teams in order to configure fine-grained permissions in the Management Plane.
Field | Number | Description |
---|---|---|
INVALID | 0 | |
LDAP | 1 | LDAP is used for users and teams that are automatically synchronized from LDAP. |
LOCAL | 2 | LOCAL is used for local teams that are manually created using the TSB Team API and do not exist in the Identity Provider. Deprecated. This value is deprecated and will be removed in future releases. Use 'MANUAL' instead. |
AZURE | 3 | AZURE is used for users synchronized from an Azure Active Directory. |
MANUAL | 4 | MANUAL is used for users and teams that exist in the Identity Provider that have been manually populated. MANUAL users are deprecated and Service Accounts should be used instead. Support for MANUAL users will be removed in future versions. |