User management and authentication
By default, Infrahub will allow anonymous access in read-only mode. It's possible to disable this via the configuration main.allow_anonymous_access or via the environment variable INFRAHUB_ALLOW_ANONYMOUS_ACCESS.
Authentication mechanisms
Infrahub supports two authentication methods:
- JWT Token: Short-lived tokens generated on demand from the API.
- API Token: Long-lived tokens generated ahead of time.
| JWT | TOKEN | |
|---|---|---|
| API / GraphQL | Yes | Yes |
| Frontend | Yes | No |
| Python SDK | Yes | Yes |
| infrahubctl | Yes | Yes |
| GraphQL Playground | No | Yes |
More information on managing API tokens can be found in the Managing API Tokens Guide.
While using the API, the authentication token must be provided in the header:
X-INFRAHUB-KEY: 06438eb2-8019-4776-878c-0941b1f1d1ec```
Users permissions management
Users are allocated permissions through groups and roles.
- Users are members of Groups.
- Groups are related with Roles.
- Roles are allocated Permissions (global or object-specific).
Using roles and groups to manage permissions, Infrahub offers a scalable way to control access for numerous users simultaneously. For more detailed information, visit the role and permissions page.
Default setup
Infrahub comes with a default configuration that contains pre-configured users, groups, and roles to simplify access management from the start. These default settings guarantee that key access and admin capabilities are ready to use out of the box.
Default account
| Accounts | Description |
|---|---|
| Admin | The default administrative user in Infrahub. This user is part of the Super Administrators group, which gives them full system-wide permissions. |
Default groups
| Group Name | Description | Assigned Role |
|---|---|---|
| Infrahub Users | Standard users who have general access to Infrahub, with permission to view and interact with resources. | General Access |
| Super Administrators | Administrators with full control over the system. Users in this group have unrestricted access to all features. | Super Administrator |
Default roles
General access
This role gives standard users general permissions to view and interact with resources across the platform while restricting administrative actions.
| Permission | Description |
|---|---|
global:manage_repositories:allow_all | Enables repository management for all branches. |
global:manage_schema:allow_all | Permits global schema management. |
global:merge_proposed_change:allow_all | Allows merging proposed changes across all branches. |
object:*:*:view:allow_all | Allows seeing all objects, across all branches and namespaces. |
object:*:*:any:allow_other | Permits executing any action on non-default branches for all object types. |
Super administrator
This role provides full administrative control over Infrahub. Users with this role can manage everything within the system.
| Permission | Description |
|---|---|
global:super_admin:allow_all | Permits complete administrative control, including schema, permissions, users, and repositories management. |
Anonymous user
If Infrahub is setup to allow anonymous access when it is first initialized, an additional account role called Anonymous User will be created. This role defines all the permissions that a user will inherit when not logged in. The default configuration for this role ships with two permissions:
| Permission | Description |
|---|---|
object:*:*:any:deny | Denies anything on all objects, across all branches (this one is not required, but it is more explicit) |
object:*:*:view:allow_all | llows seeing all objects, across all branches and namespaces. |
The role is defined by its name in Infrahub's configuration and can be adjusted by changing the setting main.anonymous_access_role or the environment variable INFRAHUB_ANONYMOUS_ACCESS_ROLE.
Note that an anonymous user will never be able to make changes to data inside Infrahub whether the role's permisssions allow it or not.
Authentication backends
Infrahub supports authenticating users in a local user store or by using single sign-on through an external identity provider.
Local user store
Users can be created in the local user store. Local users can be added to groups, which can have roles assigned to them.
Single sign-on
Infrahub supports identity providers that support either OAuth2 or OpenID Connect (OIDC).
Multiple identity providers can be enabled simultaneously, for example to support organizations that use different providers for different security domains.
A user that was authenticated using SSO will be created in the local user store of Infrahub and optionally automatically added to groups, which can have roles assigned to them.
For more information on setting up single sign-on can be found in the configuring single sign-on guide.