cda49f2912
implement OAuth authentication with Authentik support

Core OAuth infrastructure:
- permissions.py: 5-level permission model (read_only → full_admin)
  Maps all 94 tools to permission levels
  Maps OAuth groups to permission sets
- audit.py: Centralized logging with OAuth user identity
- auth.py: OIDCProxy configuration for Authentik/OIDC providers
- middleware.py: Permission checking decorator and tool wrapper

Server integration:
- config.py: Add OAuth settings (oauth_enabled, oauth_issuer_url, etc.)
  Validate OAuth config completeness, require HTTP transport
- server.py: Integrate auth provider, add HTTP transport support
  Show OAuth status in startup banner

Deployment:
- docker-compose.oauth.yml: Authentik stack (server, worker, postgres, redis)
- .env.example: Document all OAuth and Authentik environment variables

Permission model:
- vsphere-readers: READ_ONLY (32 tools)
- vsphere-operators: + POWER_OPS (14 tools)
- vsphere-admins: + VM_LIFECYCLE (33 tools)
- vsphere-host-admins: + HOST_ADMIN (6 tools)
- vsphere-super-admins: + FULL_ADMIN (9 tools)
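The commit describes a cumulative five-level permission model, a mapping from OAuth groups to levels, a decorator that gates each tool, and audit logging keyed to the OAuth user identity. The block below is an added illustration of how those pieces fit together; it is not code from this commit or project. The level names and group names are taken from the commit message, while the tool names, the `user` claims dict (`sub`, `groups`), the `AUDIT_LOG` list and all function names are assumptions made for the example. Access is denied by default: an unmapped tool or a user with no recognised group is refused and the refusal is still recorded.

```python
from enum import IntEnum
from functools import wraps
from typing import Iterable, NamedTuple, Optional

# Cumulative levels from the commit message: a higher level includes every
# lower one, which is why an ordered IntEnum is a good fit.
class Permission(IntEnum):
    READ_ONLY = 1
    POWER_OPS = 2
    VM_LIFECYCLE = 3
    HOST_ADMIN = 4
    FULL_ADMIN = 5

# OAuth group -> highest level that group grants (groups from the commit message).
GROUP_LEVELS = {
    "vsphere-readers": Permission.READ_ONLY,
    "vsphere-operators": Permission.POWER_OPS,
    "vsphere-admins": Permission.VM_LIFECYCLE,
    "vsphere-host-admins": Permission.HOST_ADMIN,
    "vsphere-super-admins": Permission.FULL_ADMIN,
}

# Tool -> minimum level required. These tool names are constructed for the
# example; the real project maps its own tools.
TOOL_LEVELS = {
    "list_vms": Permission.READ_ONLY,
    "power_on_vm": Permission.POWER_OPS,
    "delete_vm": Permission.VM_LIFECYCLE,
    "enter_maintenance_mode": Permission.HOST_ADMIN,
    "rotate_service_credentials": Permission.FULL_ADMIN,
}

AUDIT_LOG: list[dict] = []  # assumed in-memory stand-in for audit.py


class Decision(NamedTuple):
    allowed: bool
    reason: str


class PermissionDenied(Exception):
    pass


def effective_level(groups: Iterable[str]) -> Optional[Permission]:
    """Highest level granted by any recognised group; None if no group matches."""
    levels = [GROUP_LEVELS[g] for g in groups if g in GROUP_LEVELS]
    return max(levels) if levels else None


def authorize(tool: str, groups: Iterable[str]) -> Decision:
    """Deny-by-default check: unknown tool or unmapped user is refused."""
    required = TOOL_LEVELS.get(tool)
    if required is None:
        return Decision(False, f"tool {tool!r} has no permission mapping")
    have = effective_level(groups)
    if have is None:
        return Decision(False, "user has no recognised vsphere group")
    if have < required:
        return Decision(False, f"requires {required.name}, user has {have.name}")
    return Decision(True, f"{have.name} satisfies {required.name}")


def is_allowed(tool: str, groups: Iterable[str]) -> bool:
    return authorize(tool, groups).allowed


def require_permission(tool_name: str):
    """Decorator wrapping a tool: checks the caller's groups and logs the decision."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(*args, user: Optional[dict] = None, **kwargs):
            user = user or {}
            groups = user.get("groups", [])  # assumed OIDC group claim
            decision = authorize(tool_name, groups)
            # Every decision, allowed or denied, is logged with the OAuth identity.
            AUDIT_LOG.append({
                "user": user.get("sub", "<anonymous>"),
                "tool": tool_name,
                "allowed": decision.allowed,
                "reason": decision.reason,
            })
            if not decision.allowed:
                raise PermissionDenied(decision.reason)
            return fn(*args, **kwargs)
        return wrapper
    return decorator


@require_permission("power_on_vm")
def power_on_vm(name: str) -> str:
    return f"powered on {name}"  # stand-in for the real operation


def demo() -> list[bool]:
    """Run one allowed and one denied call; return the logged outcomes."""
    AUDIT_LOG.clear()
    power_on_vm("web-01", user={"sub": "alice", "groups": ["vsphere-operators"]})
    try:
        power_on_vm("web-01", user={"sub": "bob", "groups": ["vsphere-readers"]})
    except PermissionDenied:
        pass
    return [entry["allowed"] for entry in AUDIT_LOG]
```

Because the levels are cumulative, a user in several groups simply gets the highest one; `effective_level` ignores groups the server does not know about rather than failing open on them.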
2025-12-27 01:12:58 -07:00 |