author Matthieu Huin <mhuin@redhat.com> 2019-06-21 12:38:19 +0200
committer Matthieu Huin <mhuin@redhat.com> 2019-07-10 12:11:14 +0200
commit 6a7235fb506480dd2df7d712f441a5dd663c0da7
tree 547016261af9758286a33cba550fcb47de6bb494 /releasenotes/notes/admin_web_api-1331c81070a3e67f.yaml
parent 86f071464dafd584c995790dce30e2e3ca98f5ac
web: add tenant and project scoped, JWT-protected actions
A user with the right JSON Web Token (JWT) can trigger an autohold, reenqueue or dequeue a buildset from the web API. The Token is expected to include a key called "zuul.admin" that contains a list of the tenants the user is allowed to perform these actions on. The Token must be passed as a bearer token in an Authorization header. The Token is validated thanks to authenticator declarations in Zuul's configuration file.

Change-Id: Ief9088812f44368f14234ddfa25ba872526b8735
Diffstat (limited to 'releasenotes/notes/admin_web_api-1331c81070a3e67f.yaml')
-rw-r--r-- releasenotes/notes/admin_web_api-1331c81070a3e67f.yaml 9
1 files changed, 9 insertions, 0 deletions
diff --git a/releasenotes/notes/admin_web_api-1331c81070a3e67f.yaml b/releasenotes/notes/admin_web_api-1331c81070a3e67f.yaml
new file mode 100644
index 000000000..de6f96a59
--- /dev/null
+++ b/releasenotes/notes/admin_web_api-1331c81070a3e67f.yaml
@@ -0,0 +1,9 @@
+---
+features:
+ - |
+ Add an endpoint protection mechanism to zuul-web's REST API, based on the JWT
+ standard. A user can access protected endpoints with a valid bearer token.
+ The actions associated to these endpoints are tenant-scoped via a token claim.
+ Zuul supports token signatures using the HS256 or RS256 algorithms. External
+ JWKS are also supported.
+ Current protected endpoints are "autohold", "enqueue" and "dequeue".
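Review bot: The feature note says the actions are "tenant-scoped via a token claim" but never names the claim or says how the token is supplied, so an operator reading only the release note cannot tell what to configure or what to audit in an issued token. The commit message already has the specifics: the claim is "zuul.admin" holding a list of tenants, the token is passed as a bearer token in an Authorization header, and validation depends on authenticator declarations in Zuul's configuration file. Please carry those into the note. Two inconsistencies are also worth reconciling before merge: the subject line says "tenant and project scoped" while the note mentions only tenant scope, and the commit message says "reenqueue" where the note lists "enqueue".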