Expiration of Authz Policies #2204

Closed
erictune opened this issue Nov 6, 2014 · 4 comments
Labels
priority/awaiting-more-evidence Lowest priority. Possibly useful, but not yet enough support to actually get it done. sig/auth Categorizes an issue or PR as relevant to SIG Auth.

Comments

@erictune
Member

erictune commented Nov 6, 2014

Add expiration time/date field to type policy in pkg/auth/authorizer/abac/abac.go and to the match() function there.

@derekwaynecarr
Member

Just wondering if we will use expiration TTL in etcd for this?

@erictune
Member Author

erictune commented Nov 7, 2014

The policy object will have an expiration date in it. Whether we use etcd
TTL or our own GC is not something I had given thought. In any case we
might want to keep the objects around after authorization expiry for
debugging so there need to be two kinds of expiration dates.

@erictune
Member Author

erictune commented Nov 7, 2014

I should have also said that the authorizer would verify the expiration
date explicitly rather than relying on absence in storage.

@goltermann goltermann added the priority/backlog Higher priority than priority/awaiting-more-evidence. label Dec 17, 2014
@bgrant0607 bgrant0607 added priority/awaiting-more-evidence Lowest priority. Possibly useful, but not yet enough support to actually get it done. and removed priority/backlog Higher priority than priority/awaiting-more-evidence. labels Feb 28, 2015
@erictune erictune added sig/auth Categorizes an issue or PR as relevant to SIG Auth. and removed area/security labels Apr 12, 2016
@liggitt
Member

liggitt commented Sep 23, 2017

closing for lack of movement. could be implemented on top of RBAC with a binding-removing controller, or via a webhook authorizer.
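
The explicit expiry check proposed in this issue, as an added Go example that is not code from the Kubernetes repository: the `policy` and `request` types, their field names, and the `collectable` helper are hypothetical. It keeps the two dates discussed above separate, one that ends authorization and a later one after which storage may drop the object.

```go
package main

import (
	"fmt"
	"time"
)

// policy is a hypothetical, simplified ABAC policy; the field names are
// assumptions, not those of the type in pkg/auth/authorizer/abac/abac.go.
type policy struct {
	User, Resource string
	Readonly       bool
	AuthzExpires   time.Time // stops granting access at this instant; zero means never
	DeleteAfter    time.Time // storage may garbage-collect from this instant; zero means never
}

type request struct {
	User, Resource string
	Readonly       bool
}

// matches reports whether p authorizes r at time now. Expiry is checked
// explicitly, so a policy that is still present in storage grants nothing.
func matches(p policy, r request, now time.Time) bool {
	if !p.AuthzExpires.IsZero() && !now.Before(p.AuthzExpires) {
		return false // expired: fail closed before looking at any attribute
	}
	if p.User != "" && p.User != r.User {
		return false
	}
	if p.Resource != "" && p.Resource != r.Resource {
		return false
	}
	return !p.Readonly || r.Readonly
}

// collectable reports whether the stored object may be removed. It is kept
// separate from AuthzExpires so expired policies stay visible for debugging.
func collectable(p policy, now time.Time) bool {
	return !p.DeleteAfter.IsZero() && !now.Before(p.DeleteAfter)
}

func main() {
	exp := time.Date(2014, 11, 8, 0, 0, 0, 0, time.UTC) // constructed sample date
	p := policy{User: "alice", Resource: "pods", AuthzExpires: exp, DeleteAfter: exp.Add(72 * time.Hour)}
	r := request{User: "alice", Resource: "pods", Readonly: true}
	for _, now := range []time.Time{exp.Add(-time.Minute), exp, exp.Add(72 * time.Hour)} {
		fmt.Println(now.Format(time.RFC3339), "allowed:", matches(p, r, now), "collectable:", collectable(p, now))
	}
}
```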
