Skip to content

Allow multiple users and open read-only APIs to non-admins#600

Open
benoit-nexthop wants to merge 6 commits intocloudbase:mainfrom
nexthop-ai:multi-user-readonly
Open

Allow multiple users and open read-only APIs to non-admins#600
benoit-nexthop wants to merge 6 commits intocloudbase:mainfrom
nexthop-ai:multi-user-readonly

Conversation

@benoit-nexthop
Copy link
Contributor

@benoit-nexthop benoit-nexthop commented Feb 9, 2026
edited
Loading

Summary

This PR enables multi-user support in GARM by allowing multiple admin users and relaxing admin requirements for read-only operations. This is particularly useful when combined with OIDC authentication, allowing SSO users to view resources without requiring admin privileges.

Changes

Allow multiple admin users

  • Remove restriction that prevented creating multiple admin users

Relax admin requirement for read-only endpoints

  • Update AdminRequiredMiddleware to only require admin for POST/PUT/DELETE
  • GET/OPTIONS/HEAD requests now work for all authenticated users
  • Remove IsAdmin checks from read-only operations in runner package

Add user management

  • Add /api/v1/users endpoint to list all users
  • Add users page to webapp UI

Rationale

Currently GARM only supports a single admin user, which makes it difficult to:

  1. Use OIDC/SSO authentication (each SSO user needs to be able to view resources)
  2. Have multiple operators manage the system
  3. Provide read-only access for monitoring/auditing

This change maintains security by still requiring admin privileges for any mutating operations.

Testing

Tested with OIDC authentication in staging and production environments.

This PR is part of a stack of changes:

  1. fix: remove invalid Unlock calls in scaleset worker #598
  2. Add OIDC authentication support #599
  3. Allow multiple users and open read-only APIs to non-admins #600 ← you are here
  4. Add version display to navigation sidebar #601

@benoit-nexthop
fix: remove invalid Unlock calls in scaleset worker
40e555e 
- Remove Unlock call in handleScaleDown that was called before any lock
  was acquired
- Change defer Unlock to immediate Unlock in consolidateRunnerState loop
  to avoid holding locks until function exit
@benoit-nexthop
Add OIDC authentication support
dd874ac 
- Add OIDC configuration to config.go with validation
- Add OIDC provider integration with state management and token exchange
- Add OIDC login/callback/status API endpoints
- Update NewUserParams with IsSSOUser flag for SSO users without passwords
- Consolidate CreateOIDCUser into CreateUser with IsSSOUser check
- Add OIDC login button to webapp login page
- Add OIDC tests and documentation
@benoit-nexthop
Rebuild webapp with OIDC support
f4e90d5
@benoit-nexthop
Allow multiple admin users and relax admin requirement for read-only …
429bdd5 
…endpoints

- Remove restriction that prevented creating multiple admin users
- Update AdminRequiredMiddleware to only require admin for POST/PUT/DELETE
- GET/OPTIONS/HEAD requests now work for all authenticated users
@benoit-nexthop
Remove IsAdmin checks from read-only operations to allow non-admin us…
1054264 
…ers to view resources
@benoit-nexthop
Add list users API endpoint and UI page
66f639d
This was referenced Feb 9, 2026
Open
Open
Open
@gabriel-samfira
Copy link
Member

gabriel-samfira commented Feb 9, 2026

Hi @benoit-nexthop,

Thank you for having a look into enabling multi user support. This seems like a big change, which opens up a lot of API endpoints. While the very long term goal is to make GARM multi user capable, we need to do it in a way that allows true separation between user resources. These changes seem to allow users to be created, but I don't see changes made to the models that enables real multi user support for all resources.

Would you mind opening a discussion and detailing what you would like to accomplish, a user story, a use case, etc. Changes of these scale should be discussed first, especially if they involve broad architectural changes to GARM itself.

@benoit-nexthop
Copy link
Contributor Author

benoit-nexthop commented Feb 11, 2026

This isn't true multi user support but it does allow people in my organization to login with SSO and see the web UI of GARM in read-only mode.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@benoit-nexthop @gabriel-samfira