cameleer/cameleer-server
1
0
Fork 0
Code Issues 45 Pull Requests Actions Packages Projects Releases Wiki Activity
122 Commits 2 Branches 2 Tags
a4de2a7b792b7c2161e2322e0b14f7905812aff0
Commit Graph

4 Commits

Author SHA1 Message Date
hsiegeln
a4de2a7b79 Add RBAC with role-based endpoint authorization and OIDC support
Some checks failed
CI / build (push) Successful in 1m19s
Details
CI / docker (push) Successful in 1m38s
Details
CI / deploy (push) Has been cancelled
Details 
Implement three-phase security upgrade:

Phase 1 - RBAC: Extend JWT with roles claim, populate Spring
GrantedAuthority in filter, enforce role-based access (AGENT for
data/heartbeat/SSE, VIEWER+ for search/diagrams, OPERATOR+ for
commands, ADMIN for user management). Configurable JWT secret via
CAMELEER_JWT_SECRET env var for token persistence across restarts.

Phase 2 - User persistence: ClickHouse users table with
ReplacingMergeTree, UserRepository interface + ClickHouse impl,
UserAdminController for CRUD at /api/v1/admin/users. Local login
upserts user on each authentication.

Phase 3 - OIDC: Token exchange flow where SPA sends auth code,
server exchanges it server-side (keeping client_secret secure),
validates id_token via JWKS, resolves roles (DB override > OIDC
claim > default), issues internal JWT. Conditional on
CAMELEER_OIDC_ENABLED=true. Uses oauth2-oidc-sdk for standards
compliance.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-14 12:35:45 +01:00
hsiegeln
a44a0c970b Revert to JdbcTemplate for schema init, keep comment-stripping fix
All checks were successful
CI / build (push) Successful in 48s
Details
CI / docker (push) Successful in 36s
Details
CI / deploy (push) Successful in 9s
Details 
The DriverManager-based approach likely failed because the ClickHouse
JDBC driver wasn't registered with DriverManager. The original
JdbcTemplate approach worked for route_diagrams and agent_metrics —
only route_executions was skipped due to the comment-parsing bug.

Reverts to simple JdbcTemplate-based init with unqualified table names
(DataSource targets cameleer3 database). The CLICKHOUSE_DB env var on
the ClickHouse container handles database creation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-12 22:05:12 +01:00
hsiegeln
ce0eb58b0c Fix schema init: bypass DataSource, use direct JDBC with qualified table names
All checks were successful
CI / build (push) Successful in 48s
Details
CI / docker (push) Successful in 40s
Details
CI / deploy (push) Successful in 7s
Details 
The auto-configured DataSource targets jdbc:ch://.../cameleer3 which fails
if the database doesn't exist yet. Schema init now uses a direct JDBC
connection to the root URL, creates the database first, then applies all
schema SQL with fully qualified cameleer3.* table names.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-12 21:50:47 +01:00
hsiegeln
9dffa9ea81 Move schema initialization from ClickHouse init scripts to server startup
All checks were successful
CI / build (push) Successful in 49s
Details
CI / docker (push) Successful in 43s
Details
CI / deploy (push) Successful in 15s
Details 
Server now applies schema via @PostConstruct using classpath SQL files.
All statements use IF NOT EXISTS/IF NOT EXISTS so it's idempotent and
safe to run on every startup. Removes ConfigMap and init script mount
from K8s manifest since ClickHouse no longer needs to manage the schema.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-12 19:59:33 +01:00