Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(rust): allow kafka portals to anchor trust on identities #8074

Merged
merged 3 commits into from
May 25, 2024
Merged

feat(rust): allow kafka portals to anchor trust on identities #8074

merged 3 commits into from
May 25, 2024

Conversation

polvorin
Copy link
Member

This is a rebase of #8072 on top of the latest changes on #7938.

Changes are:

  • Make authority optional, instead of mandatory for evaluating abac rules
  • Propagate that change everywhere
  • 🔴 🔴 🔴 Hardcoded response_outgoing_access_controlto AllowAll in interceptor_listener ⚠️⚠️ ⚠️. Because couldn't make the standalone, no orchestrator, example work otherwise. No matter what policy I tried to put there ( (= "true" "true") for example), it end up failing because something not being able to find the identity that the message would be sent to (iiuc DEBUG ockam_abac::policy::outgoing: identity identifier not found; access denied policy=(= "true3" "true3")). So it's something with the setup or with the code, for now I'm letting this here so others can reference and test it.

Last item requires 👁️ !!

@polvorin polvorin force-pushed the polvorin/abac-identity-kafka branch from f73f30f to 32987fc Compare May 24, 2024 23:58
@polvorin polvorin mentioned this pull request May 25, 2024
Closed
Base automatically changed from davide-baldo/abac-policies-for-kafka to develop May 25, 2024 08:36
@polvorin polvorin force-pushed the polvorin/abac-identity-kafka branch from 32987fc to b8fba9f Compare May 25, 2024 13:30
@polvorin polvorin marked this pull request as ready for review May 25, 2024 13:30
@polvorin polvorin requested a review from a team as a code owner May 25, 2024 13:30
SanjoDeundiak
SanjoDeundiak reviewed May 25, 2024
View reviewed changes
Copy link
Member

@SanjoDeundiak SanjoDeundiak left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good

implementations/rust/ockam/ockam_abac/src/policy/policies.rs Outdated Show resolved Hide resolved
implementations/rust/ockam/ockam_api/src/nodes/service/manager.rs Outdated Show resolved Hide resolved
implementations/rust/ockam/ockam_api/src/kafka/outlet_service/interceptor_listener.rs Show resolved Hide resolved
@polvorin polvorin enabled auto-merge May 25, 2024 18:36
@polvorin
feat(rust): allow kafka portals to anchor trust on identities
c5b1237 
this means it don't require credentials, nor the setup of a project/authority
@polvorin
chore(rust): fix typo and re-add instrumentation
eb5c9be 
fix typo on comment
@polvorin
chore(rust): adapt test after rebase
f871dc1 
adapt test case
@polvorin polvorin force-pushed the polvorin/abac-identity-kafka branch from 3bf44b7 to f871dc1 Compare May 25, 2024 18:54
@polvorin polvorin added this pull request to the merge queue May 25, 2024
Merged via the queue into develop with commit cc75366 May 25, 2024
26 checks passed
@polvorin polvorin deleted the polvorin/abac-identity-kafka branch May 25, 2024 19:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@SanjoDeundiak SanjoDeundiak SanjoDeundiak left review comments

@etorreborre etorreborre etorreborre approved these changes

@davide-baldo davide-baldo Awaiting requested review from davide-baldo

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@polvorin @etorreborre @SanjoDeundiak