add admin service account

Signed-off-by: jkoberg <jkoberg@owncloud.com>
2026-02-18 03:18:52 -06:00 · 2023-06-01 13:50:32 +02:00
parent 24475e5498
commit 0bc0972b0b
4 changed files with 22 additions and 3 deletions
--- a/services/settings/README.md
+++ b/services/settings/README.md
@@ -8,7 +8,7 @@ The settings service is currently used for managing the:
 *   possible user roles and their respective permissions,
 *   assignment of roles to users.

-As an example, user profile settings that can be changed in the Web UI must be persistent.  
+As an example, user profile settings that can be changed in the Web UI must be persistent.

 The settings service supports two different backends for persisting the data. The backend can be set via the `SETTINGS_STORE_TYPE` environment variable. Supported values are:

@@ -67,3 +67,7 @@ Infinite Scale services can register *settings bundles* with the settings servic
 ## Settings Usage

 Services can set or query ocis *setting values* of a user from settings bundles.
+
+## Service Accounts
+
+The settings service needs to know the ID's of service accounts but it doesn't need their secrets. Currently only one service account can be configured which has the admin role. This can be set with the `SETTINGS_SERVICE_ACCOUNT_ID_ADMIN` envvar, but it will also pick up the global `OCIS_SERVICE_ACCOUNT_ID` envvar. Also see the 'auth-service' service description for additional details.
--- a/services/settings/pkg/config/config.go
+++ b/services/settings/pkg/config/config.go
@@ -37,6 +37,8 @@ type Config struct {

 	SetupDefaultAssignments bool `yaml:"set_default_assignments" env:"SETTINGS_SETUP_DEFAULT_ASSIGNMENTS;IDM_CREATE_DEMO_USERS" desc:"The default role assignments the demo users should be setup."`

+	ServiceAccountIDAdmin string `yaml:"service_account_id_admin" env:"OCIS_SERVICE_ACCOUNT_ID;SETTINGS_SERVICE_ACCOUNT_ID_ADMIN" desc:"The ID of the service account having the admin role. See the 'auth-service' service description for more details."`
+
 	Context context.Context `yaml:"-"`
 }

--- a/services/settings/pkg/config/defaults/defaultconfig.go
+++ b/services/settings/pkg/config/defaults/defaultconfig.go
@@ -64,8 +64,9 @@ func DefaultConfig() *config.Config {
 				TTL:            time.Minute * 10,
 			},
 		},
-		BundlesPath: "",
-		Bundles:     nil,
+		BundlesPath:           "",
+		Bundles:               nil,
+		ServiceAccountIDAdmin: "service-user-id",
 	}
 }

--- a/services/settings/pkg/store/defaults/defaults.go
+++ b/services/settings/pkg/store/defaults/defaults.go
@@ -822,6 +822,11 @@ func DefaultRoleAssignments(cfg *config.Config) []*settingsmsg.UserRoleAssignmen
 				AccountUuid: "534bb038-6f9d-4093-946f-133be61fa4e7",
 				RoleId:      BundleUUIDRoleSpaceAdmin,
 			},
+			{
+				// service user
+				AccountUuid: "service-user-id",
+				RoleId:      BundleUUIDRoleAdmin,
+			},
 		}
 	}

@@ -833,5 +838,12 @@ func DefaultRoleAssignments(cfg *config.Config) []*settingsmsg.UserRoleAssignmen
 		})
 	}

+	if cfg.ServiceAccountIDAdmin != "" {
+		assignments = append(assignments, &settingsmsg.UserRoleAssignment{
+			AccountUuid: cfg.ServiceAccountIDAdmin,
+			RoleId:      BundleUUIDRoleAdmin,
+		})
+	}
+
 	return assignments
 }