Merge pull request #660 from Vafilor/feat/revert.jwt

feat: revert jwt changes as it creates issues with workflow authentication logic

api/api.swagger.json

@@ -3,7 +3,7 @@
   "info": {
     "title": "Onepanel",
     "description": "Onepanel API",
-    "version": "0.13.0",
+    "version": "0.14.0",
     "contact": {
       "name": "Onepanel project",
       "url": "https://github.com/onepanelio/core"
@@ -77,7 +77,7 @@
             "in": "body",
             "required": true,
             "schema": {
-              "$ref": "#/definitions/TokenWrapper"
+              "$ref": "#/definitions/IsValidTokenRequest"
             }
           }
         ],
@@ -2967,11 +2967,28 @@
         }
       }
     },
+    "IsValidTokenRequest": {
+      "type": "object",
+      "properties": {
+        "username": {
+          "type": "string"
+        },
+        "token": {
+          "type": "string"
+        }
+      }
+    },
     "IsValidTokenResponse": {
       "type": "object",
       "properties": {
         "domain": {
           "type": "string"
+        },
+        "token": {
+          "type": "string"
+        },
+        "username": {
+          "type": "string"
         }
       }
     },
@@ -3394,14 +3411,6 @@
         }
       }
     },
-    "TokenWrapper": {
-      "type": "object",
-      "properties": {
-        "token": {
-          "type": "string"
-        }
-      }
-    },
     "UpdateSecretKeyValueResponse": {
       "type": "object",
       "properties": {

api/auth.pb.go

@@ -204,65 +204,19 @@ func (x *IsAuthorizedResponse) GetAuthorized() bool {
 	return false
 }
 
-type TokenWrapper struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
-	Token string `protobuf:"bytes,1,opt,name=token,proto3" json:"token,omitempty"`
-}
-
-func (x *TokenWrapper) Reset() {
-	*x = TokenWrapper{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_auth_proto_msgTypes[3]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
-}
-
-func (x *TokenWrapper) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*TokenWrapper) ProtoMessage() {}
-
-func (x *TokenWrapper) ProtoReflect() protoreflect.Message {
-	mi := &file_auth_proto_msgTypes[3]
-	if protoimpl.UnsafeEnabled && x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use TokenWrapper.ProtoReflect.Descriptor instead.
-func (*TokenWrapper) Descriptor() ([]byte, []int) {
-	return file_auth_proto_rawDescGZIP(), []int{3}
-}
-
-func (x *TokenWrapper) GetToken() string {
-	if x != nil {
-		return x.Token
-	}
-	return ""
-}
-
 type IsValidTokenRequest struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	Token *TokenWrapper `protobuf:"bytes,1,opt,name=token,proto3" json:"token,omitempty"`
+	Username string `protobuf:"bytes,1,opt,name=username,proto3" json:"username,omitempty"`
+	Token    string `protobuf:"bytes,2,opt,name=token,proto3" json:"token,omitempty"`
 }
 
 func (x *IsValidTokenRequest) Reset() {
 	*x = IsValidTokenRequest{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_auth_proto_msgTypes[4]
+		mi := &file_auth_proto_msgTypes[3]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -275,7 +229,7 @@ func (x *IsValidTokenRequest) String() string {
 func (*IsValidTokenRequest) ProtoMessage() {}
 
 func (x *IsValidTokenRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_auth_proto_msgTypes[4]
+	mi := &file_auth_proto_msgTypes[3]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -288,14 +242,21 @@ func (x *IsValidTokenRequest) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use IsValidTokenRequest.ProtoReflect.Descriptor instead.
 func (*IsValidTokenRequest) Descriptor() ([]byte, []int) {
-	return file_auth_proto_rawDescGZIP(), []int{4}
+	return file_auth_proto_rawDescGZIP(), []int{3}
 }
 
-func (x *IsValidTokenRequest) GetToken() *TokenWrapper {
+func (x *IsValidTokenRequest) GetUsername() string {
+	if x != nil {
+		return x.Username
+	}
+	return ""
+}
+
+func (x *IsValidTokenRequest) GetToken() string {
 	if x != nil {
 		return x.Token
 	}
-	return nil
+	return ""
 }
 
 type IsValidTokenResponse struct {
@@ -303,13 +264,15 @@ type IsValidTokenResponse struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	Domain string `protobuf:"bytes,1,opt,name=domain,proto3" json:"domain,omitempty"`
+	Domain   string `protobuf:"bytes,1,opt,name=domain,proto3" json:"domain,omitempty"`
+	Token    string `protobuf:"bytes,2,opt,name=token,proto3" json:"token,omitempty"`
+	Username string `protobuf:"bytes,3,opt,name=username,proto3" json:"username,omitempty"`
 }
 
 func (x *IsValidTokenResponse) Reset() {
 	*x = IsValidTokenResponse{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_auth_proto_msgTypes[5]
+		mi := &file_auth_proto_msgTypes[4]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -322,7 +285,7 @@ func (x *IsValidTokenResponse) String() string {
 func (*IsValidTokenResponse) ProtoMessage() {}
 
 func (x *IsValidTokenResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_auth_proto_msgTypes[5]
+	mi := &file_auth_proto_msgTypes[4]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -335,7 +298,7 @@ func (x *IsValidTokenResponse) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use IsValidTokenResponse.ProtoReflect.Descriptor instead.
 func (*IsValidTokenResponse) Descriptor() ([]byte, []int) {
-	return file_auth_proto_rawDescGZIP(), []int{5}
+	return file_auth_proto_rawDescGZIP(), []int{4}
 }
 
 func (x *IsValidTokenResponse) GetDomain() string {
@@ -345,6 +308,20 @@ func (x *IsValidTokenResponse) GetDomain() string {
 	return ""
 }
 
+func (x *IsValidTokenResponse) GetToken() string {
+	if x != nil {
+		return x.Token
+	}
+	return ""
+}
+
+func (x *IsValidTokenResponse) GetUsername() string {
+	if x != nil {
+		return x.Username
+	}
+	return ""
+}
+
 var File_auth_proto protoreflect.FileDescriptor
 
 var file_auth_proto_rawDesc = []byte{
@@ -370,32 +347,33 @@ var file_auth_proto_rawDesc = []byte{
 	0x7a, 0x65, 0x64, 0x22, 0x36, 0x0a, 0x14, 0x49, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69,
 	0x7a, 0x65, 0x64, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x61,
 	0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52,
-	0x0a, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x22, 0x24, 0x0a, 0x0c, 0x54,
-	0x6f, 0x6b, 0x65, 0x6e, 0x57, 0x72, 0x61, 0x70, 0x70, 0x65, 0x72, 0x12, 0x14, 0x0a, 0x05, 0x74,
-	0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x74, 0x6f, 0x6b, 0x65,
-	0x6e, 0x22, 0x3e, 0x0a, 0x13, 0x49, 0x73, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x54, 0x6f, 0x6b, 0x65,
-	0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x27, 0x0a, 0x05, 0x74, 0x6f, 0x6b, 0x65,
-	0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x54, 0x6f,
-	0x6b, 0x65, 0x6e, 0x57, 0x72, 0x61, 0x70, 0x70, 0x65, 0x72, 0x52, 0x05, 0x74, 0x6f, 0x6b, 0x65,
-	0x6e, 0x22, 0x2e, 0x0a, 0x14, 0x49, 0x73, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x54, 0x6f, 0x6b, 0x65,
-	0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x64, 0x6f, 0x6d,
-	0x61, 0x69, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69,
-	0x6e, 0x32, 0xea, 0x01, 0x0a, 0x0b, 0x41, 0x75, 0x74, 0x68, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63,
-	0x65, 0x12, 0x6c, 0x0a, 0x0c, 0x49, 0x73, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x54, 0x6f, 0x6b, 0x65,
-	0x6e, 0x12, 0x18, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x49, 0x73, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x54,
-	0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x19, 0x2e, 0x61, 0x70,
-	0x69, 0x2e, 0x49, 0x73, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x65,
-	0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x27, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x21, 0x22, 0x18,
-	0x2f, 0x61, 0x70, 0x69, 0x73, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2f, 0x61, 0x75,
-	0x74, 0x68, 0x2f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x3a, 0x05, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x12,
-	0x6d, 0x0a, 0x0c, 0x49, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x12,
-	0x18, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x49, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a,
-	0x65, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x19, 0x2e, 0x61, 0x70, 0x69, 0x2e,
-	0x49, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x52, 0x65, 0x73, 0x70,
-	0x6f, 0x6e, 0x73, 0x65, 0x22, 0x28, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x22, 0x22, 0x12, 0x2f, 0x61,
-	0x70, 0x69, 0x73, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2f, 0x61, 0x75, 0x74, 0x68,
-	0x3a, 0x0c, 0x69, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x62, 0x06,
-	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x0a, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x22, 0x47, 0x0a, 0x13, 0x49,
+	0x73, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65,
+	0x73, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x14,
+	0x0a, 0x05, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x74,
+	0x6f, 0x6b, 0x65, 0x6e, 0x22, 0x60, 0x0a, 0x14, 0x49, 0x73, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x54,
+	0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x16, 0x0a, 0x06,
+	0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x6f,
+	0x6d, 0x61, 0x69, 0x6e, 0x12, 0x14, 0x0a, 0x05, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x02, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x05, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x1a, 0x0a, 0x08, 0x75, 0x73,
+	0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75, 0x73,
+	0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x32, 0xe6, 0x01, 0x0a, 0x0b, 0x41, 0x75, 0x74, 0x68, 0x53,
+	0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x68, 0x0a, 0x0c, 0x49, 0x73, 0x56, 0x61, 0x6c, 0x69,
+	0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x18, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x49, 0x73, 0x56,
+	0x61, 0x6c, 0x69, 0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
+	0x1a, 0x19, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x49, 0x73, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x54, 0x6f,
+	0x6b, 0x65, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x23, 0x82, 0xd3, 0xe4,
+	0x93, 0x02, 0x1d, 0x22, 0x18, 0x2f, 0x61, 0x70, 0x69, 0x73, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74,
+	0x61, 0x31, 0x2f, 0x61, 0x75, 0x74, 0x68, 0x2f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x3a, 0x01, 0x2a,
+	0x12, 0x6d, 0x0a, 0x0c, 0x49, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64,
+	0x12, 0x18, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x49, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69,
+	0x7a, 0x65, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x19, 0x2e, 0x61, 0x70, 0x69,
+	0x2e, 0x49, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x52, 0x65, 0x73,
+	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x28, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x22, 0x22, 0x12, 0x2f,
+	0x61, 0x70, 0x69, 0x73, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2f, 0x61, 0x75, 0x74,
+	0x68, 0x3a, 0x0c, 0x69, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x62,
+	0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 
 var (
@@ -410,27 +388,25 @@ func file_auth_proto_rawDescGZIP() []byte {
 	return file_auth_proto_rawDescData
 }
 
-var file_auth_proto_msgTypes = make([]protoimpl.MessageInfo, 6)
+var file_auth_proto_msgTypes = make([]protoimpl.MessageInfo, 5)
 var file_auth_proto_goTypes = []interface{}{
 	(*IsAuthorized)(nil),         // 0: api.IsAuthorized
 	(*IsAuthorizedRequest)(nil),  // 1: api.IsAuthorizedRequest
 	(*IsAuthorizedResponse)(nil), // 2: api.IsAuthorizedResponse
-	(*TokenWrapper)(nil),         // 3: api.TokenWrapper
-	(*IsValidTokenRequest)(nil),  // 4: api.IsValidTokenRequest
-	(*IsValidTokenResponse)(nil), // 5: api.IsValidTokenResponse
+	(*IsValidTokenRequest)(nil),  // 3: api.IsValidTokenRequest
+	(*IsValidTokenResponse)(nil), // 4: api.IsValidTokenResponse
 }
 var file_auth_proto_depIdxs = []int32{
 	0, // 0: api.IsAuthorizedRequest.isAuthorized:type_name -> api.IsAuthorized
-	3, // 1: api.IsValidTokenRequest.token:type_name -> api.TokenWrapper
-	4, // 2: api.AuthService.IsValidToken:input_type -> api.IsValidTokenRequest
-	1, // 3: api.AuthService.IsAuthorized:input_type -> api.IsAuthorizedRequest
-	5, // 4: api.AuthService.IsValidToken:output_type -> api.IsValidTokenResponse
-	2, // 5: api.AuthService.IsAuthorized:output_type -> api.IsAuthorizedResponse
-	4, // [4:6] is the sub-list for method output_type
-	2, // [2:4] is the sub-list for method input_type
-	2, // [2:2] is the sub-list for extension type_name
-	2, // [2:2] is the sub-list for extension extendee
-	0, // [0:2] is the sub-list for field type_name
+	3, // 1: api.AuthService.IsValidToken:input_type -> api.IsValidTokenRequest
+	1, // 2: api.AuthService.IsAuthorized:input_type -> api.IsAuthorizedRequest
+	4, // 3: api.AuthService.IsValidToken:output_type -> api.IsValidTokenResponse
+	2, // 4: api.AuthService.IsAuthorized:output_type -> api.IsAuthorizedResponse
+	3, // [3:5] is the sub-list for method output_type
+	1, // [1:3] is the sub-list for method input_type
+	1, // [1:1] is the sub-list for extension type_name
+	1, // [1:1] is the sub-list for extension extendee
+	0, // [0:1] is the sub-list for field type_name
 }
 
 func init() { file_auth_proto_init() }
@@ -476,18 +452,6 @@ func file_auth_proto_init() {
 			}
 		}
 		file_auth_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*TokenWrapper); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_auth_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*IsValidTokenRequest); i {
 			case 0:
 				return &v.state
@@ -499,7 +463,7 @@ func file_auth_proto_init() {
 				return nil
 			}
 		}
-		file_auth_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} {
+		file_auth_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*IsValidTokenResponse); i {
 			case 0:
 				return &v.state
@@ -518,7 +482,7 @@ func file_auth_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_auth_proto_rawDesc,
 			NumEnums:      0,
-			NumMessages:   6,
+			NumMessages:   5,
 			NumExtensions: 0,
 			NumServices:   1,
 		},

api/auth.pb.gw.go

@@ -39,7 +39,7 @@ func request_AuthService_IsValidToken_0(ctx context.Context, marshaler runtime.M
 	if berr != nil {
 		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", berr)
 	}
-	if err := marshaler.NewDecoder(newReader()).Decode(&protoReq.Token); err != nil && err != io.EOF {
+	if err := marshaler.NewDecoder(newReader()).Decode(&protoReq); err != nil && err != io.EOF {
 		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
 	}
 
@@ -56,7 +56,7 @@ func local_request_AuthService_IsValidToken_0(ctx context.Context, marshaler run
 	if berr != nil {
 		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", berr)
 	}
-	if err := marshaler.NewDecoder(newReader()).Decode(&protoReq.Token); err != nil && err != io.EOF {
+	if err := marshaler.NewDecoder(newReader()).Decode(&protoReq); err != nil && err != io.EOF {
 		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
 	}
 

api/auth.proto

@@ -9,7 +9,7 @@ service AuthService {
     rpc IsValidToken(IsValidTokenRequest) returns (IsValidTokenResponse) {
         option (google.api.http) = {
             post: "/apis/v1beta1/auth/token"
-            body: "token"
+            body: "*"
         };
     }
 
@@ -37,14 +37,13 @@ message IsAuthorizedResponse {
     bool authorized = 1;
 }
 
-message TokenWrapper {
-    string token = 1;
-}
-
 message IsValidTokenRequest {
-    TokenWrapper token = 1;
+    string username = 1;
+    string token = 2;
 }
 
 message IsValidTokenResponse {
     string domain = 1;
+    string token = 2;
+    string username = 3;
 }

db/go/20200929153931_update_jupyter_lab_workspace_command.go

@@ -2,7 +2,6 @@ package migration
 
 import (
 	"database/sql"
-	v1 "github.com/onepanelio/core/pkg"
 	uid2 "github.com/onepanelio/core/pkg/util/uid"
 	"github.com/pressly/goose"
 )
@@ -103,13 +102,7 @@ func Up20200929153931(tx *sql.Tx) error {
 		return err
 	}
 	for _, namespace := range namespaces {
-		workspaceTemplate := &v1.WorkspaceTemplate{
-			UID:      uid,
-			Name:     jupyterLabTemplateName,
-			Manifest: jupyterWorkspaceTemplate3,
-		}
-
-		if _, err := client.UpdateWorkspaceTemplate(namespace.Name, workspaceTemplate); err != nil {
+		if _, err := client.UpdateWorkspaceTemplateManifest(namespace.Name, uid, jupyterWorkspaceTemplate3); err != nil {
 			return err
 		}
 	}
@@ -144,14 +137,9 @@ func Down20200929153931(tx *sql.Tx) error {
 	if err != nil {
 		return err
 	}
-	workspaceTemplate := &v1.WorkspaceTemplate{
-		UID:      uid,
-		Name:     jupyterLabTemplateName,
-		Manifest: jupyterWorkspaceTemplate2,
-	}
 
 	for _, namespace := range namespaces {
-		if _, err := client.UpdateWorkspaceTemplate(namespace.Name, workspaceTemplate); err != nil {
+		if _, err := client.UpdateWorkspaceTemplateManifest(namespace.Name, uid, jupyterWorkspaceTemplate2); err != nil {
 			return err
 		}
 	}

go.mod

@@ -43,4 +43,5 @@ require (
 	k8s.io/apimachinery v0.16.7-beta.0
 	k8s.io/client-go v0.16.4
 	sigs.k8s.io/yaml v1.2.0
+	github.com/dgrijalva/jwt-go v3.2.0+incompatible
 )

pkg/client.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	sq "github.com/Masterminds/squirrel"
 	argoprojv1alpha1 "github.com/argoproj/argo/pkg/client/clientset/versioned/typed/workflow/v1alpha1"
+	"github.com/jmoiron/sqlx"
 	"github.com/onepanelio/core/pkg/util/gcs"
 	"github.com/onepanelio/core/pkg/util/router"
 	"github.com/onepanelio/core/pkg/util/s3"
@@ -38,6 +39,24 @@ func NewConfig() (config *Config) {
 	return
 }
 
+// GetDefaultClient loads a default k8s client
+func GetDefaultClient() (*Client, error) {
+	kubeConfig := NewConfig()
+	client, err := NewClient(kubeConfig, nil, nil)
+	if err != nil {
+		return nil, err
+	}
+	config, err := client.GetSystemConfig()
+	if err != nil {
+		return nil, err
+	}
+
+	dbDriverName, dbDataSourceName := config.DatabaseConnection()
+	client.DB = NewDB(sqlx.MustConnect(dbDriverName, dbDataSourceName))
+
+	return client, nil
+}
+
 // NewClient creates a client to interact with the Onepanel system.
 // It includes access to the database, kubernetes, argo, and configuration.
 func NewClient(config *Config, db *DB, systemConfig SystemConfig) (client *Client, err error) {

pkg/config_types.go

@@ -38,6 +38,12 @@ func NewSystemConfig(configMap *ConfigMap, secret *Secret) (config SystemConfig,
 	}
 	config["databasePassword"] = string(databasePassword)
 
+	hmac, err := base64.StdEncoding.DecodeString(secret.Data["hmac"])
+	if err != nil {
+		return
+	}
+	config["hmac"] = string(hmac)
+
 	return
 }
 
@@ -183,6 +189,16 @@ func (s SystemConfig) UpdateNodePoolOptions(parameters []Parameter) ([]Parameter
 	return result, nil
 }
 
+// HMACKey gets the HMAC value, or nil.
+func (s SystemConfig) HMACKey() []byte {
+	hmac := s.GetValue("hmac")
+	if hmac == nil {
+		return []byte{}
+	}
+
+	return []byte(*hmac)
+}
+
 // ArtifactRepositoryS3Provider is meant to be used
 // by the CLI. CLI will marshal this struct into the correct
 // YAML structure for k8s configmap / secret.

pkg/workflow_execution.go

@@ -18,7 +18,6 @@ import (
 	"gopkg.in/yaml.v2"
 	"io"
 	"io/ioutil"
-	"k8s.io/apimachinery/pkg/api/resource"
 	"k8s.io/apimachinery/pkg/watch"
 	"net/http"
 	"strconv"
@@ -197,70 +196,21 @@ func injectArtifactRepositoryConfig(artifact *wfv1.Artifact, namespaceConfig *Na
 	}
 }
 
-// injectContainerResourceQuotas adds resource requests and limits if they exist
-// Code grabs the resource request information from the nodeSelector, compared against running nodes.
-// If the running node is not present, no resource information is retrieved.
-func (c *Client) injectContainerResourceQuotas(wf *wfv1.Workflow, template *wfv1.Template, systemConfig SystemConfig) error {
+// injectHostPortToContainer adds a hostPort to the template container, if a nodeSelector is present.
+// Kubernetes will ensure that multiple containers with the same hostPort do not share the same node.
+func (c *Client) injectHostPortToContainer(template *wfv1.Template) error {
 	if template.NodeSelector == nil {
 		return nil
 	}
 
-	supportedNodePoolLabels := []string{"beta.kubernetes.io/instance-type", "node.kubernetes.io/instance-type"}
-	nodePoolLabel := ""
-	var value string
-	for k, v := range template.NodeSelector {
-		for _, supportedNodePoolLabel := range supportedNodePoolLabels {
-			if k == supportedNodePoolLabel {
-				nodePoolLabel = k
-				value = v
-				break
-			}
-		}
+	ports := []corev1.ContainerPort{
+		{Name: "node-capturer", HostPort: 80, ContainerPort: 80},
 	}
-	if value == "" {
-		return nil
+	if template.Container != nil {
+		template.Container.Ports = ports
 	}
-	if strings.Contains(value, "{{workflow.") {
-		parts := strings.Split(strings.Replace(value, "}}", "", -1), ".")
-		paramName := parts[len(parts)-1]
-		for _, param := range wf.Spec.Arguments.Parameters {
-			if param.Name == paramName && param.Value != nil {
-				value = *param.Value
-				break
-			}
-		}
-	}
-
-	runningNodes, err := c.Interface.CoreV1().Nodes().List(ListOptions{})
-	if err != nil {
-		return err
-	}
-	for _, node := range runningNodes.Items {
-		if node.Labels[nodePoolLabel] == value {
-			cpu, memory, gpu, gpuManufacturer := CalculateResourceRequirements(node, nodePoolLabel, value)
-			if cpu != "" && memory != "" {
-				resourceList := corev1.ResourceRequirements{
-					Limits: nil,
-					Requests: map[corev1.ResourceName]resource.Quantity{
-						corev1.ResourceCPU:    resource.MustParse(cpu),
-						corev1.ResourceMemory: resource.MustParse(memory),
-					},
-				}
-				if gpu > 0 {
-					stringGpu := strconv.FormatInt(gpu, 10)
-					resourceList.Limits = make(map[corev1.ResourceName]resource.Quantity)
-					resourceList.Limits[corev1.ResourceName(gpuManufacturer)] = resource.MustParse(stringGpu)
-				}
-				if template.Container != nil {
-					template.Container.Resources = resourceList
-				}
-				if template.Script != nil {
-					template.Script.Container.Resources = resourceList
-				}
-				//process only one node
-				return nil
-			}
-		}
+	if template.Script != nil {
+		template.Script.Container.Ports = ports
 	}
 	return nil
 }
@@ -332,7 +282,7 @@ func (c *Client) injectAutomatedFields(namespace string, wf *wfv1.Workflow, opts
 				Name:      "sys-dshm",
 				MountPath: "/dev/shm",
 			})
-			err = c.injectContainerResourceQuotas(wf, template, systemConfig)
+			err = c.injectHostPortToContainer(template)
 			if err != nil {
 				return err
 			}
@@ -340,7 +290,7 @@ func (c *Client) injectAutomatedFields(namespace string, wf *wfv1.Workflow, opts
 		}
 
 		if template.Script != nil {
-			err = c.injectContainerResourceQuotas(wf, template, systemConfig)
+			err = c.injectHostPortToContainer(template)
 			if err != nil {
 				return err
 			}
@@ -1901,14 +1851,14 @@ func workflowExecutionsSelectBuilderNoColumns(namespace, workflowTemplateUID, wo
 
 func workflowExecutionsSelectBuilder(namespace, workflowTemplateUID, workflowTemplateVersion string, includeSystem bool) sq.SelectBuilder {
 	sb := workflowExecutionsSelectBuilderNoColumns(namespace, workflowTemplateUID, workflowTemplateVersion, includeSystem)
-	sb = sb.Columns(getWorkflowExecutionColumns("we", "")...).
+	sb = sb.Columns(getWorkflowExecutionColumns("we")...).
 		Columns(`wtv.version "workflow_template.version"`, `wtv.created_at "workflow_template.created_at"`, `wt.name "workflow_template.name"`, `wt.uid "workflow_template.uid"`)
 
 	return sb
 }
 
 func (c *Client) getWorkflowExecutionAndTemplate(namespace string, uid string) (workflow *WorkflowExecution, err error) {
-	sb := sb.Select(getWorkflowExecutionColumns("we", "")...).
+	sb := sb.Select(getWorkflowExecutionColumns("we")...).
 		Columns(getWorkflowTemplateColumns("wt", "workflow_template")...).
 		Columns(`wtv.manifest "workflow_template.manifest"`, `wtv.version "workflow_template.version"`).
 		From("workflow_executions we").

pkg/workspace.go

@@ -15,8 +15,6 @@ import (
 	"github.com/onepanelio/core/pkg/util/request"
 	log "github.com/sirupsen/logrus"
 	"google.golang.org/grpc/codes"
-	corev1 "k8s.io/api/core/v1"
-	"strconv"
 	"strings"
 	"time"
 )
@@ -287,26 +285,7 @@ func (c *Client) addResourceRequestsAndLimitsToWorkspaceTemplate(t wfv1.Template
 	if !ok {
 		return nil, errors.New("unable to type check statefulset manifest")
 	}
-	//Get node selected
-	labelKey := "sys-node-pool-label"
-	labelKeyVal := ""
-	for _, parameter := range argoTemplate.Spec.Arguments.Parameters {
-		if parameter.Name == labelKey {
-			labelKeyVal = *parameter.Value
-		}
-	}
-
-	nodePoolKey := "sys-node-pool"
-	nodePoolVal := ""
-	for _, parameter := range workspace.Parameters {
-		if parameter.Name == nodePoolKey {
-			nodePoolVal = *parameter.Value
-		}
-	}
-	extraContainer, err := generateExtraContainerWithResources(c, labelKeyVal, nodePoolVal)
-	if err != nil {
-		return nil, err
-	}
+	extraContainer := generateExtraContainerWithHostPortToSequesterNode()
 	if extraContainer != nil {
 		containers, ok := templateSpec["containers"].([]interface{})
 		if !ok {
@@ -322,93 +301,25 @@ func (c *Client) addResourceRequestsAndLimitsToWorkspaceTemplate(t wfv1.Template
 	return resultManifest, nil
 }
 
-// generateExtraContainerWithResources will add an extra container to a workspace.
-// The extra container will have the calculated resource request for the node selected by the workspace.
+// generateExtraContainerWithHostPortToSequesterNode will add an extra container to a workspace.
+// The extra container have a hostPort set. Kubernetes will ensure the hostPort does not get conflict
+// between containers, scheduling a new node as needed.
 // The container will sleep once started, and generally consume negligible resources.
-//
-// The node that was selected has to be already running, in order to get the resource request correct.
-func generateExtraContainerWithResources(c *Client, labelKeyVal string, nodePoolVal string) (map[string]interface{}, error) {
-	runningNodes, err := c.Interface.CoreV1().Nodes().List(ListOptions{})
-	if err != nil {
-		return nil, err
+func generateExtraContainerWithHostPortToSequesterNode() map[string]interface{} {
+	extraContainer := map[string]interface{}{
+		"image":   "alpine:latest",
+		"name":    "node-capturer",
+		"command": []interface{}{"/bin/sh"},
+		"args":    []interface{}{"-c", "while :; do sleep 2073600; done"},
+		"ports": []interface{}{
+			map[string]interface{}{
+				"name":          "node-capturer",
+				"hostPort":      80,
+				"containerPort": 80,
+			},
+		},
 	}
-	for _, node := range runningNodes.Items {
-		cpu, memory, gpu, gpuManufacturer := CalculateResourceRequirements(node, labelKeyVal, nodePoolVal)
-		if cpu != "" && memory != "" {
-			extraContainer := map[string]interface{}{
-				"image":   "alpine:latest",
-				"name":    "resource-requester",
-				"command": []interface{}{"/bin/sh"},
-				"args":    []interface{}{"-c", "while :; do sleep 2073600; done"},
-				"resources": map[string]interface{}{
-					"requests": map[string]interface{}{
-						"cpu":    cpu,
-						"memory": memory,
-					},
-					"limits": map[string]interface{}{},
-				},
-			}
-
-			if gpu > 0 {
-				res, ok := extraContainer["resources"].(map[string]interface{})
-				if !ok {
-					return nil, errors.New("unable to type check extraContainer")
-				}
-				reqs, ok := res["requests"].(map[string]interface{})
-				if !ok {
-					return nil, errors.New("unable to type check extraContainer")
-				}
-				reqs[gpuManufacturer] = gpu
-
-				limits, ok := res["limits"].(map[string]interface{})
-				if !ok {
-					return nil, errors.New("unable to type check extraContainer")
-				}
-				limits[gpuManufacturer] = gpu
-
-			}
-			//process only one node
-			return extraContainer, err
-		}
-	}
-	return nil, nil
-}
-
-// CalculateResourceRequirements will take the passed in Node and try to figure out the
-// allocatable capacity. Once the capacity is discovered, function figures out how to request 90%.
-// - We use 90% because manual calculation is error prone and not necessarily reliable.
-// Params:
-//  k8sInstanceTypeLabel - Such as 'beta.kubernetes.io/instance-type'
-//  nodeSelectorValue - Server/VM Type Name, Such as "Standard_NC6", on Azure.
-func CalculateResourceRequirements(node corev1.Node, k8sInstanceTypeLabel string, nodeSelectorValue string) (string, string, int64, string) {
-	var cpu string
-	var memory string
-	var gpu int64
-	gpuManufacturer := ""
-	if node.Labels[k8sInstanceTypeLabel] == nodeSelectorValue {
-		cpuInt := node.Status.Allocatable.Cpu().MilliValue()
-		cpu = strconv.FormatFloat(float64(cpuInt)*.9, 'f', 0, 64) + "m"
-		memoryInt := node.Status.Allocatable.Memory().MilliValue()
-		kiBase := 1024.0
-		ninetyPerc := float64(memoryInt) * .9
-		toKi := ninetyPerc / kiBase / kiBase
-		memory = strconv.FormatFloat(toKi, 'f', 0, 64) + "Ki"
-		//Check for Nvidia
-		gpuQuantity := node.Status.Allocatable["nvidia.com/gpu"]
-		if gpuQuantity.IsZero() == false {
-			gpu = gpuQuantity.Value()
-			gpuManufacturer = "nvidia.com/gpu"
-		}
-
-		//Check for AMD
-		//Source: https://github.com/RadeonOpenCompute/k8s-device-plugin/blob/master/example/pod/alexnet-gpu.yaml
-		gpuQuantity = node.Status.Allocatable["amd.com/gpu"]
-		if gpuQuantity.IsZero() == false {
-			gpu = gpuQuantity.Value()
-			gpuManufacturer = "amd.com/gpu"
-		}
-	}
-	return cpu, memory, gpu, gpuManufacturer
+	return extraContainer
 }
 
 // startWorkspace starts a workspace and related resources. It assumes a DB record already exists

pkg/workspace_template.go

@@ -1158,6 +1158,19 @@ func (c *Client) UpdateWorkspaceTemplate(namespace string, workspaceTemplate *Wo
 	return workspaceTemplate, nil
 }
 
+// UpdateWorkspaceTemplateManifest updates a workspace template by creating a new version where the only difference is the manifest
+func (c *Client) UpdateWorkspaceTemplateManifest(namespace, uid string, manifest string) (*WorkspaceTemplate, error) {
+	existingTemplate, err := c.GetWorkspaceTemplate(namespace, uid, 0)
+	if err != nil {
+		return nil, err
+	}
+
+	existingTemplate.UID = uid
+	existingTemplate.Manifest = manifest
+
+	return c.UpdateWorkspaceTemplate(namespace, existingTemplate)
+}
+
 // ListWorkspaceTemplates returns a list of workspace templates that are not archived, sorted by most recent created first
 func (c *Client) ListWorkspaceTemplates(namespace string, request *request.Request) (workspaceTemplates []*WorkspaceTemplate, err error) {
 	sb := c.workspaceTemplatesSelectBuilder(namespace).

server/auth/auth.go

@@ -2,9 +2,13 @@ package auth
 
 import (
 	"context"
+	"crypto/md5"
+	"encoding/hex"
 	"errors"
 	"fmt"
 	"github.com/onepanelio/core/api"
+	"github.com/onepanelio/core/pkg/util"
+	v12 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"net/http"
 	"strings"
 
@@ -36,6 +40,9 @@ func getBearerToken(ctx context.Context) (*string, bool) {
 			return nil, false
 		}
 		t = strings.ReplaceAll(t, prefix, "")
+		if t == "null" {
+			return nil, false
+		}
 		return &t, true
 	}
 
@@ -64,7 +71,12 @@ func getClient(ctx context.Context, kubeConfig *v1.Config, db *v1.DB, sysConfig
 		return nil, status.Error(codes.Unauthenticated, `Missing or invalid "authorization" header.`)
 	}
 
+	if sysConfig["token"] != *bearerToken {
+		sysConfig["token"] = *bearerToken
+	}
+
 	kubeConfig.BearerToken = *bearerToken
+
 	client, err := v1.NewClient(kubeConfig, db, sysConfig)
 	if err != nil {
 		return nil, err
@@ -98,6 +110,43 @@ func IsAuthorized(c *v1.Client, namespace, verb, group, resource, name string) (
 	return
 }
 
+func verifyLogin(client *v1.Client, tokenRequest *api.IsValidTokenRequest) (rawToken string, err error) {
+	accountsList, err := client.CoreV1().ServiceAccounts("onepanel").List(v1.ListOptions{})
+	if err != nil {
+		return "", err
+	}
+
+	authTokenSecretName := ""
+	for _, serviceAccount := range accountsList.Items {
+		if serviceAccount.Name != tokenRequest.Username {
+			continue
+		}
+		for _, secret := range serviceAccount.Secrets {
+			if strings.Contains(secret.Name, "-token-") {
+				authTokenSecretName = secret.Name
+				break
+			}
+		}
+	}
+	if authTokenSecretName == "" {
+		return "", util.NewUserError(codes.InvalidArgument, fmt.Sprintf("unknown service account '%v'", tokenRequest.Username))
+	}
+
+	secret, err := client.CoreV1().Secrets("onepanel").Get(authTokenSecretName, v12.GetOptions{})
+	if err != nil {
+		return "", err
+	}
+
+	currentTokenBytes := md5.Sum(secret.Data["token"])
+	currentTokenString := hex.EncodeToString(currentTokenBytes[:])
+
+	if tokenRequest.Token != fmt.Sprintf("%s", currentTokenString) {
+		return "", util.NewUserError(codes.InvalidArgument, "token doesn't match what's on record")
+	}
+
+	return string(secret.Data["token"]), nil
+}
+
 // UnaryInterceptor performs authentication checks.
 // The two main cases are:
 //   1. Is the token valid? This is used for logging in.
@@ -113,10 +162,25 @@ func UnaryInterceptor(kubeConfig *v1.Config, db *v1.DB, sysConfig v1.SystemConfi
 
 			tokenRequest, ok := req.(*api.IsValidTokenRequest)
 			if !ok {
-				return resp, errors.New("IsValidToken does not have correct request type")
+				return resp, errors.New("LogInRequest does not have correct request type")
 			}
 
-			md.Set("authorization", tokenRequest.Token.Token)
+			defaultClient, err := v1.GetDefaultClient()
+			if err != nil {
+				return nil, err
+			}
+
+			rawToken, err := verifyLogin(defaultClient, tokenRequest)
+			if err != nil {
+				return nil, err
+			}
+
+			sysConfig, err := defaultClient.GetSystemConfig()
+			if err != nil {
+				return nil, err
+			}
+
+			md.Set("onepanel-auth-token", rawToken)
 
 			ctx, err = getClient(ctx, kubeConfig, db, sysConfig)
 			if err != nil {

server/auth_server.go

@@ -66,8 +66,10 @@ func (a *AuthServer) IsValidToken(ctx context.Context, req *api.IsValidTokenRequ
 	if err != nil {
 		return
 	}
-	res = &api.IsValidTokenResponse{}
-	res.Domain = config["ONEPANEL_DOMAIN"]
+	res = &api.IsValidTokenResponse{
+		Domain: config["ONEPANEL_DOMAIN"],
+		Token:  config["token"],
+	}
 
 	return res, nil
 }

server/label_server.go

@@ -7,21 +7,22 @@ import (
 	"github.com/onepanelio/core/server/auth"
 )
 
-func resourceIdentifierToArgoResource(identifier string) string {
+func getGroupAndResourceByIdentifier(identifier string) (group, resource string) {
+	group = "argoproj.io"
 	switch identifier {
 	case v1.TypeWorkflowTemplate:
-		return "workflowtemplates"
+		return group, "workflowtemplates"
 	case v1.TypeWorkflowTemplateVersion:
-		return "workflowtemplates"
+		return group, "workflowtemplates"
 	case v1.TypeWorkflowExecution:
-		return "workflows"
+		return group, "workflows"
 	case v1.TypeCronWorkflow:
-		return "cronworkflows"
+		return group, "cronworkflows"
 	case v1.TypeWorkspace:
-		return "statefulset"
+		return "onepanel.io", "workspaces"
 	}
 
-	return ""
+	return "", ""
 }
 
 func mapLabelsToKeyValue(labels []*v1.Label) []*api.KeyValue {
@@ -54,10 +55,10 @@ func NewLabelServer() *LabelServer {
 }
 
 func (s *LabelServer) GetLabels(ctx context.Context, req *api.GetLabelsRequest) (*api.GetLabelsResponse, error) {
-	argoResource := resourceIdentifierToArgoResource(req.Resource)
+	group, resource := getGroupAndResourceByIdentifier(req.Resource)
 
 	client := getClient(ctx)
-	allowed, err := auth.IsAuthorized(client, req.Namespace, "get", "argoproj.io", argoResource, "")
+	allowed, err := auth.IsAuthorized(client, req.Namespace, "get", group, resource, "")
 	if err != nil || !allowed {
 		return nil, err
 	}
@@ -73,10 +74,10 @@ func (s *LabelServer) GetLabels(ctx context.Context, req *api.GetLabelsRequest)
 }
 
 func (s *LabelServer) AddLabels(ctx context.Context, req *api.AddLabelsRequest) (*api.GetLabelsResponse, error) {
-	argoResource := resourceIdentifierToArgoResource(req.Resource)
+	group, resource := getGroupAndResourceByIdentifier(req.Resource)
 
 	client := getClient(ctx)
-	allowed, err := auth.IsAuthorized(client, req.Namespace, "create", "argoproj.io", argoResource, "")
+	allowed, err := auth.IsAuthorized(client, req.Namespace, "create", group, resource, "")
 	if err != nil || !allowed {
 		return nil, err
 	}
@@ -97,10 +98,10 @@ func (s *LabelServer) AddLabels(ctx context.Context, req *api.AddLabelsRequest)
 }
 
 func (s *LabelServer) ReplaceLabels(ctx context.Context, req *api.ReplaceLabelsRequest) (*api.GetLabelsResponse, error) {
-	argoResource := resourceIdentifierToArgoResource(req.Resource)
+	group, resource := getGroupAndResourceByIdentifier(req.Resource)
 
 	client := getClient(ctx)
-	allowed, err := auth.IsAuthorized(client, req.Namespace, "update", "argoproj.io", argoResource, "")
+	allowed, err := auth.IsAuthorized(client, req.Namespace, "update", group, resource, "")
 	if err != nil || !allowed {
 		return nil, err
 	}
@@ -121,11 +122,11 @@ func (s *LabelServer) ReplaceLabels(ctx context.Context, req *api.ReplaceLabelsR
 }
 
 func (s *LabelServer) DeleteLabel(ctx context.Context, req *api.DeleteLabelRequest) (*api.GetLabelsResponse, error) {
-	argoResource := resourceIdentifierToArgoResource(req.Resource)
+	group, resource := getGroupAndResourceByIdentifier(req.Resource)
 
 	client := getClient(ctx)
 	// update verb here since we are not deleting the resource, but labels
-	allowed, err := auth.IsAuthorized(client, req.Namespace, "update", "argoproj.io", argoResource, "")
+	allowed, err := auth.IsAuthorized(client, req.Namespace, "update", group, resource, "")
 	if err != nil || !allowed {
 		return nil, err
 	}

server/workspace_server.go

@@ -363,7 +363,7 @@ func (s *WorkspaceServer) RetryLastWorkspaceAction(ctx context.Context, req *api
 func (s *WorkspaceServer) GetWorkspaceStatisticsForNamespace(ctx context.Context, req *api.GetWorkspaceStatisticsForNamespaceRequest) (*api.GetWorkspaceStatisticsForNamespaceResponse, error) {
 	client := getClient(ctx)
 
-	allowed, err := auth.IsAuthorized(client, req.Namespace, "list", "argoproj.io", "workspaces", "")
+	allowed, err := auth.IsAuthorized(client, req.Namespace, "list", "onepanel.io", "workspaces", "")
 	if err != nil || !allowed {
 		return nil, err
 	}