Infra Role Handling and Admin Token Create, better Token documentation

doc/index.html

@@ -12474,7 +12474,11 @@ <h3 id="metalstack.api.v2.MethodPermission">MethodPermission</h3>
                   <td><a href="#string">string</a></td>
                   <td></td>
                   <td><p>Subject maybe either the project or the tenant
-for which the methods should be allowed </p></td>
+for which the methods should be allowed
+
+asterisk (*) can be specified to match any subject
+empty string (&#34;&#34;) can be specified for requests that do not require a subject, e.g. partition list
+otherwise either a projectid or a tenant login should be specified </p></td>
                 </tr>
 
                 <tr>
@@ -12492,7 +12496,7 @@ <h3 id="metalstack.api.v2.MethodPermission">MethodPermission</h3>
 
 
         <h3 id="metalstack.api.v2.Token">Token</h3>
-        <p>Token is a jwt authentication token to access the api</p>
+        <p>Token generates a jwt authentication token to access the api</p><p>There are two different types of tokens, api- and user- tokens</p><p>A user token is used to authenticate end user requests for example from a cli.</p><p>The configured roles in a user token are expanded in the api server</p><p>based on the memberships in other projects and tenants based on the role granted there.</p><p>User tokens will never contain permissions.</p><p>Permissions are always derived from the tenant and project roles and memberships.</p><p>The api token should be used to authenticate services.</p><p>In contrast to a user token, the api token permissions and roles apply as configured during the token create process.</p>
 
 
           <table class="field-table">
@@ -12578,6 +12582,13 @@ <h3 id="metalstack.api.v2.Token">Token</h3>
                   <td><p>AdminRole defines the admin role of the token owner </p></td>
                 </tr>
 
+                <tr>
+                  <td>infra_role</td>
+                  <td><a href="#metalstack.api.v2.InfraRole">InfraRole</a></td>
+                  <td>optional</td>
+                  <td><p>InfraRole defines the infrastructure role of the token owner </p></td>
+                </tr>
+
             </tbody>
           </table>
 
@@ -12699,6 +12710,13 @@ <h3 id="metalstack.api.v2.TokenServiceCreateRequest">TokenServiceCreateRequest</
                   <td><p>AdminRole defines the admin role of the token owner </p></td>
                 </tr>
 
+                <tr>
+                  <td>infra_role</td>
+                  <td><a href="#metalstack.api.v2.InfraRole">InfraRole</a></td>
+                  <td>optional</td>
+                  <td><p>InfraRole defines the infrastructure role of the token owner </p></td>
+                </tr>
+
                 <tr>
                   <td>labels</td>
                   <td><a href="#metalstack.api.v2.Labels">Labels</a></td>
@@ -13014,6 +13032,13 @@ <h3 id="metalstack.api.v2.TokenServiceUpdateRequest">TokenServiceUpdateRequest</
                   <td><p>AdminRole defines the admin role of the token owner </p></td>
                 </tr>
 
+                <tr>
+                  <td>infra_role</td>
+                  <td><a href="#metalstack.api.v2.InfraRole">InfraRole</a></td>
+                  <td>optional</td>
+                  <td><p>InfraRole defines the infrastructure role of the token owner </p></td>
+                </tr>
+
                 <tr>
                   <td>labels</td>
                   <td><a href="#metalstack.api.v2.UpdateLabels">UpdateLabels</a></td>
@@ -13168,7 +13193,7 @@ <h3 id="metalstack.api.v2.TokenService">TokenService</h3>
                 <td>Create</td>
                 <td><a href="#metalstack.api.v2.TokenServiceCreateRequest">TokenServiceCreateRequest</a></td>
                 <td><a href="#metalstack.api.v2.TokenServiceCreateResponse">TokenServiceCreateResponse</a></td>
-                <td><p>Create a token to authenticate against the platform, the secret will be only visible in the response</p></td>
+                <td><p>Create a token to authenticate against the platform, the secret will be only visible in the response.</p></td>
               </tr>
 
               <tr>
@@ -13391,7 +13416,8 @@ <h3 id="metalstack.admin.v2.TokenService">TokenService</h3>
                 <td>Create</td>
                 <td><a href="#metalstack.admin.v2.TokenServiceCreateRequest">TokenServiceCreateRequest</a></td>
                 <td><a href="#metalstack.admin.v2.TokenServiceCreateResponse">TokenServiceCreateResponse</a></td>
-                <td><p>Create a token to authenticate against the platform, the secret will be only visible in the response</p></td>
+                <td><p>Create a token to authenticate against the platform, the secret will be only visible in the response.
+This service is suitable to create tokens for other users instead of deriving users from tokens directly.</p></td>
               </tr>
 
           </tbody>

generate/Makefile

@@ -4,7 +4,6 @@ generate: go-mocks
 	rm -f ../go/permissions/servicepermissions.go
 	rm -f ../go/client/client.go
 	rm -f ../go/tests/mock_clients.go
-	rm -f ../js/permissions/servicepermissions.json
 
 	go run ./generate.go
 

generate/generate.go

@@ -100,7 +100,11 @@ func servicePermissions(root string) (*permissions.ServicePermissions, error) {
 			Tenant:  permissions.Tenant{},
 			Project: permissions.Project{},
 		}
-		methods    = permissions.Methods{}
+		methods = permissions.Methods{
+			// Allow service reflection to list available methods
+			serverReflectionInfov1alpha1: true,
+			serverReflectionInfo:         true,
+		}
 		visibility = permissions.Visibility{
 			Public: map[string]bool{
 				// Allow service reflection to list available methods
@@ -177,10 +181,10 @@ func servicePermissions(root string) (*permissions.ServicePermissions, error) {
 							// noop
 						// Infra
 						case v1.InfraRole_INFRA_ROLE_EDITOR.String():
-							roles.Infra[v1.InfraRole_INFRA_ROLE_EDITOR.String()] = append(roles.Admin[v1.InfraRole_INFRA_ROLE_EDITOR.String()], methodName)
+							roles.Infra[v1.InfraRole_INFRA_ROLE_EDITOR.String()] = append(roles.Infra[v1.InfraRole_INFRA_ROLE_EDITOR.String()], methodName)
 							visibility.Infra[methodName] = true
 						case v1.InfraRole_INFRA_ROLE_VIEWER.String():
-							roles.Infra[v1.InfraRole_INFRA_ROLE_VIEWER.String()] = append(roles.Admin[v1.InfraRole_INFRA_ROLE_VIEWER.String()], methodName)
+							roles.Infra[v1.InfraRole_INFRA_ROLE_VIEWER.String()] = append(roles.Infra[v1.InfraRole_INFRA_ROLE_VIEWER.String()], methodName)
 							visibility.Infra[methodName] = true
 						case v1.InfraRole_INFRA_ROLE_UNSPECIFIED.String():
 							// noop

generate/go_servicepermissions.tpl

@@ -1,4 +1,4 @@
-// Code generated discover.go. DO NOT EDIT.
+// Code generated generate.go. DO NOT EDIT.
 package permissions
 
 import (

go.mod

@@ -10,25 +10,26 @@ require (
 	github.com/go-task/slim-sprig/v3 v3.0.0
 	github.com/golang-jwt/jwt/v5 v5.3.0
 	github.com/google/go-cmp v0.7.0
-	github.com/klauspost/connect-compress/v2 v2.0.0
+	github.com/klauspost/connect-compress/v2 v2.1.0
 	github.com/stretchr/testify v1.11.1
 	google.golang.org/protobuf v1.36.10
 )
 
 require (
-	cel.dev/expr v0.24.0 // indirect
+	cel.dev/expr v0.25.1 // indirect
 	github.com/antlr4-go/antlr/v4 v4.13.1 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/google/cel-go v0.26.1 // indirect
-	github.com/klauspost/compress v1.18.0 // indirect
+	github.com/klauspost/compress v1.18.1 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
+	github.com/minio/minlz v1.0.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/stoewer/go-strcase v1.3.1 // indirect
 	github.com/stretchr/objx v0.5.3 // indirect
-	golang.org/x/exp v0.0.0-20251009144603-d2f985daa21b // indirect
-	golang.org/x/text v0.30.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20251007200510-49b9836ed3ff // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20251007200510-49b9836ed3ff // indirect
+	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 // indirect
+	golang.org/x/text v0.31.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20251111163417-95abcf5c77ba // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20251111163417-95abcf5c77ba // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -2,8 +2,8 @@ buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.10-202509121410
 buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.10-20250912141014-52f32327d4b0.1/go.mod h1:fUl8CEN/6ZAMk6bP8ahBJPUJw7rbp+j4x+wCcYi2IG4=
 buf.build/go/protovalidate v1.0.0 h1:IAG1etULddAy93fiBsFVhpj7es5zL53AfB/79CVGtyY=
 buf.build/go/protovalidate v1.0.0/go.mod h1:KQmEUrcQuC99hAw+juzOEAmILScQiKBP1Oc36vvCLW8=
-cel.dev/expr v0.24.0 h1:56OvJKSH3hDGL0ml5uSxZmz3/3Pq4tJ+fb1unVLAFcY=
-cel.dev/expr v0.24.0/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw=
+cel.dev/expr v0.25.1 h1:1KrZg61W6TWSxuNZ37Xy49ps13NUovb66QLprthtwi4=
+cel.dev/expr v0.25.1/go.mod h1:hrXvqGP6G6gyx8UAHSHJ5RGk//1Oj5nXQ2NI02Nrsg4=
 connectrpc.com/connect v1.19.1 h1:R5M57z05+90EfEvCY1b7hBxDVOUl45PrtXtAV2fOC14=
 connectrpc.com/connect v1.19.1/go.mod h1:tN20fjdGlewnSFeZxLKb0xwIZ6ozc3OQs2hTXy4du9w=
 github.com/antlr4-go/antlr/v4 v4.13.1 h1:SqQKkuVZ+zWkMMNkjy5FZe5mr5WURWnlpmOuzYWrPrQ=
@@ -22,17 +22,19 @@ github.com/google/cel-go v0.26.1 h1:iPbVVEdkhTX++hpe3lzSk7D3G3QSYqLGoHOcEio+UXQ=
 github.com/google/cel-go v0.26.1/go.mod h1:A9O8OU9rdvrK5MQyrqfIxo1a0u4g3sF8KB6PUIaryMM=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
-github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
-github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
-github.com/klauspost/connect-compress/v2 v2.0.0 h1:L7TVsLa6Oo9Hkkb6r3DwSrhBbcWlXjneqBj7fCRXviU=
-github.com/klauspost/connect-compress/v2 v2.0.0/go.mod h1:604CD9JSAjGqtVzCM4SRgM/9TFTkWBcp+2wlQfGyJ6c=
+github.com/klauspost/compress v1.18.1 h1:bcSGx7UbpBqMChDtsF28Lw6v/G94LPrrbMbdC3JH2co=
+github.com/klauspost/compress v1.18.1/go.mod h1:ZQFFVG+MdnR0P+l6wpXgIL4NTtwiKIdBnrBd8Nrxr+0=
+github.com/klauspost/connect-compress/v2 v2.1.0 h1:8fM8QrVeHT69e5VVSh4yjDaQASYIvOp2uMZq7nVLj2U=
+github.com/klauspost/connect-compress/v2 v2.1.0/go.mod h1:Ayurh2wscMMx3AwdGGVL+ylSR5316WfApREDgsqHyH8=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/minio/minlz v1.0.1 h1:OUZUzXcib8diiX+JYxyRLIdomyZYzHct6EShOKtQY2A=
+github.com/minio/minlz v1.0.1/go.mod h1:qT0aEB35q79LLornSzeDH75LBf3aH1MV+jB5w9Wasec=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -50,14 +52,14 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
-golang.org/x/exp v0.0.0-20251009144603-d2f985daa21b h1:18qgiDvlvH7kk8Ioa8Ov+K6xCi0GMvmGfGW0sgd/SYA=
-golang.org/x/exp v0.0.0-20251009144603-d2f985daa21b/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70=
-golang.org/x/text v0.30.0 h1:yznKA/E9zq54KzlzBEAWn1NXSQ8DIp/NYMy88xJjl4k=
-golang.org/x/text v0.30.0/go.mod h1:yDdHFIX9t+tORqspjENWgzaCVXgk0yYnYuSZ8UzzBVM=
-google.golang.org/genproto/googleapis/api v0.0.0-20251007200510-49b9836ed3ff h1:8Zg5TdmcbU8A7CXGjGXF1Slqu/nIFCRaR3S5gT2plIA=
-google.golang.org/genproto/googleapis/api v0.0.0-20251007200510-49b9836ed3ff/go.mod h1:dbWfpVPvW/RqafStmRWBUpMN14puDezDMHxNYiRfQu0=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20251007200510-49b9836ed3ff h1:A90eA31Wq6HOMIQlLfzFwzqGKBTuaVztYu/g8sn+8Zc=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20251007200510-49b9836ed3ff/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
+golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 h1:mgKeJMpvi0yx/sU5GsxQ7p6s2wtOnGAHZWCHUM4KGzY=
+golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
+google.golang.org/genproto/googleapis/api v0.0.0-20251111163417-95abcf5c77ba h1:B14OtaXuMaCQsl2deSvNkyPKIzq3BjfxQp8d00QyWx4=
+google.golang.org/genproto/googleapis/api v0.0.0-20251111163417-95abcf5c77ba/go.mod h1:G5IanEx8/PgI9w6CFcYQf7jMtHQhZruvfM1i3qOqk5U=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251111163417-95abcf5c77ba h1:UKgtfRM7Yh93Sya0Fo8ZzhDP4qBckrrxEr2oF5UIVb8=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251111163417-95abcf5c77ba/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
 google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE=
 google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=