Hi Community,

This is Bisakh. This thread is regarding an issue/request [1] in the apisix-dashboard project to support a *viewer account* that basically can be used by non-admin users (users with low access privileges). These accounts will be purely view-only; users of these accounts are restricted from performing any sort of change/modification to the gateway's internal state.

Now, coming to the implementation part, I am proposing the following approach. As we are working on our authentication framework to support dynamic user registration and login, I think we can extend the implementation in two phases:

Phase 1 [Implementing viewer accounts]

The dashboard is for authenticated users, so we definitely can work on top of the authentication framework by storing another field, something similar to `"restrict-full-access": bool`, in etcd for each user, extending the current schema that we have [2]. The info gets encoded into the existing JWT and passed to the web UI / CLI on a successful sign-in. We will add middleware or modify the existing one to restrict the protected routes (here HTTP methods: allow only GET requests (maybe selectively, we can maintain a list here), no POST, PUT, PATCH and DELETE). And for the frontend part, we can cache the info in a React state while receiving the JWT from the backend and perform all sorts of restrictions.

Phase 2 [Implementing a mechanism to manage viewer accounts - IAM]

Now, still, there is another question left: how are we/admins going to manage it? I am proposing an *IAM* (Identity and Access Management) section in the dashboard (both in the manager API and the dashboard web) that can be used to:

- List all available members.
- Upgrade/Downgrade certain members from/to viewer accounts.
- Blacklist certain users from further using the dashboard instance for a certain period/permanently.

Let me know how it sounds. Looking forward to your feedback : )

Thank you.

Best regards,
Bisakh <https://github.com/bisakhmondal>

[1] : https://github.com/apache/apisix-dashboard/issues/1825
[2] : https://github.com/apache/apisix-dashboard/pull/2010#issuecomment-895737216
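The Phase 1 middleware sketched in the message above, as an added example that is not code from the original post or from the apisix-dashboard project. It assumes an earlier authentication step has already verified the JWT and attached its claims to the request context; the `restrict-full-access` claim name is the one the proposal mentions, while the `Claims` struct, the context key, the `Dispatch` helper and the `/apisix/admin/...` sample paths are constructed here for illustration. It goes slightly beyond the message by also showing the "selective GET list" idea as a path-prefix allow list, so that a viewer is denied by default unless both the method is read-only and the path is on the list.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Claims mirrors the data the proposal would carry in the dashboard's JWT.
// "restrict-full-access" is the field name from the proposal; the rest is constructed.
type Claims struct {
	Username           string `json:"username"`
	RestrictFullAccess bool   `json:"restrict-full-access"`
}

// claimsKey is the (constructed) context key under which an upstream auth
// middleware is assumed to have stored the verified claims.
type claimsKey struct{}

func claimsFromContext(r *http.Request) (*Claims, bool) {
	c, ok := r.Context().Value(claimsKey{}).(*Claims)
	return c, ok && c != nil
}

// readOnlyMethods is the set of HTTP methods a viewer may use. Everything else
// (POST, PUT, PATCH, DELETE, ...) is refused.
var readOnlyMethods = map[string]bool{
	http.MethodGet:     true,
	http.MethodHead:    true,
	http.MethodOptions: true,
}

// viewerReadablePrefixes is the "selective GET list" from the proposal:
// resources a viewer may read. Constructed sample values, not the project's list.
var viewerReadablePrefixes = []string{
	"/apisix/admin/routes",
	"/apisix/admin/upstreams",
}

func viewerMayRead(path string) bool {
	for _, p := range viewerReadablePrefixes {
		if strings.HasPrefix(path, p) {
			return true
		}
	}
	return false
}

// ViewerGuard wraps a handler and, for accounts flagged restrict-full-access,
// rejects every request that is not a read on an allow-listed resource.
func ViewerGuard(getClaims func(*http.Request) (*Claims, bool), next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		claims, ok := getClaims(r)
		if !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		if claims.RestrictFullAccess && !(readOnlyMethods[r.Method] && viewerMayRead(r.URL.Path)) {
			// Deny by default: the viewer flag is enforced server-side so that a
			// UI-only restriction cannot be bypassed by calling the API directly.
			w.Header().Set("Content-Type", "application/json")
			w.WriteHeader(http.StatusForbidden)
			_ = json.NewEncoder(w).Encode(map[string]string{
				"error": "viewer account: this operation is not permitted",
			})
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Dispatch runs one request through ViewerGuard with the given claims attached
// (standing in for the auth middleware) and returns the HTTP status code.
func Dispatch(claims Claims, method, path string) int {
	okHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	guarded := ViewerGuard(claimsFromContext, okHandler)
	req := httptest.NewRequest(method, path, nil)
	req = req.WithContext(context.WithValue(req.Context(), claimsKey{}, &claims))
	rec := httptest.NewRecorder()
	guarded.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	viewer := Claims{Username: "viewer1", RestrictFullAccess: true}
	admin := Claims{Username: "admin", RestrictFullAccess: false}
	fmt.Println("viewer GET routes  :", Dispatch(viewer, http.MethodGet, "/apisix/admin/routes"))
	fmt.Println("viewer DELETE route:", Dispatch(viewer, http.MethodDelete, "/apisix/admin/routes/1"))
	fmt.Println("viewer GET ssl     :", Dispatch(viewer, http.MethodGet, "/apisix/admin/ssl"))
	fmt.Println("admin DELETE route :", Dispatch(admin, http.MethodDelete, "/apisix/admin/routes/1"))
}
```

The check lives in the manager API rather than only in the web UI because the React-side restriction the message describes is a usability measure; the JWT claim is what the backend must enforce, and the method check alone is not enough once a GET endpoint can export sensitive configuration, which is why the allow list is applied together with it.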