Skip to content
Kessel

Package: console

The console package provides helpers useful across the service.

Functions

  • principalFromRHIdentity (identity : dict | object, domain? : string) : SubjectReference

    Builds a principal SubjectReference from a parsed platform identity object.

    This function eliminates the need for consumers to manually inspect identity types, extract user IDs, and construct subject references. It accepts the inner identity dict/object from the x-rh-identity header and handles the resolution internally.

    Supported identity types:

    Type Accepted fields
    User user.user_id
    ServiceAccount service_account.user_id

    Unsupported types (System, X509, Associate) raise an error. The resolved user ID is combined with the domain to produce a resource ID of the form {domain}/{userId} (e.g. redhat/7393748), which is passed to principalSubject.

    Example:

    from kessel.console import principalFromRHIdentity

# User identity (e.g. from request.auth in Django, or Identity object)
identity = {
    "type": "User",
    "org_id": "12345",
    "user": {"user_id": "7393748", "username": "jdoe"}
}
subject = principalFromRHIdentity(identity)

# ServiceAccount identity
sa_identity = {
    "type": "ServiceAccount",
    "org_id": "456",
    "service_account": {
        "user_id": "2647318",
        "username": "service-account-2647318"
    }
}
subject = principalFromRHIdentity(sa_identity)
    identity : dict | object

    The inner identity dict/object from the x-rh-identity header (e.g. {"type": "User", "org_id": "...", "user": {...}}). This is the parsed identity — not the full {"identity": {...}} envelope and not the raw base64 string. Use principalFromRHIdentityHeader if you have the raw header.

    domain? : string

    The domain or organization the user belongs to. Defaults to "redhat".

  • principalFromRHIdentityHeader (header : string, domain? : string) : SubjectReference

    Builds a principal SubjectReference from a raw base64-encoded x-rh-identity header.

    Example:

    from kessel.console import principalFromRHIdentityHeader

# Directly from the HTTP header
header = request.headers["x-rh-identity"]
subject = principalFromRHIdentityHeader(header)

# Use in a permission check
checkResponse = checkClient.check(
    resource=workspaceResource(workspaceId),
    permission="workspace_view",
    subject=subject,
)
    header : string

    The base64-encoded x-rh-identity header value.

    domain? : string

    The domain or organization the user belongs to. Defaults to "redhat".