Introduce "bypass", "one_factor", "two_factor" and "deny" ACL rules #289
In this PR we deprecate the `auth_methods` and allow ACL rules to be more granular. That way a user could be granted access with one or two factors depending on the resource he wants to access and not only the domain.
[DEPRECATION] `auth_methods` is deprecated after this PR.
[BREAKING] The format of ACLs is changing to handle more use cases.
The new format allows specifying the subject of the ACL, which can be either anybody, a group or a specific user, instead of putting ACLs into categories as before. Adding this attribute and replacing categories (any, groups, users) with a list of ACLs allows Authelia to treat ACLs as iptables does with rules, which enables more expressiveness.
With this new formalism, the first matching rule is applied, so make sure your rules are properly sorted.
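
The first-match behaviour described above, as an added example that is not code from this PR or from Authelia: it shows how moving a broad rule to the top shadows the stricter rules below it. The field names (`domain`, `resource`, `subject`, `policy`), the `user:`/`group:` subject syntax and the `fallback` policy are assumptions made for illustration.

```typescript
type Policy = "bypass" | "one_factor" | "two_factor" | "deny";

interface Rule {
  domain: string;    // exact host the rule applies to (assumed field)
  resource?: string; // regex tested against the path; omitted = any path
  subject?: string;  // "user:<name>" or "group:<name>"; omitted = anybody
  policy: Policy;
}

interface Identity { user: string; groups: string[]; }

function subjectMatches(subject: string | undefined, id: Identity): boolean {
  if (subject === undefined) return true; // no subject: rule applies to anybody
  const sep = subject.indexOf(":");
  const kind = subject.slice(0, sep);
  const name = subject.slice(sep + 1);
  if (kind === "user") return id.user === name;
  if (kind === "group") return id.groups.indexOf(name) !== -1;
  return false; // unknown subject kind never matches
}

// Walk the list top to bottom and stop at the first matching rule, the way
// iptables walks a chain. If nothing matches, return the assumed fallback.
function evaluate(rules: Rule[], fallback: Policy, id: Identity,
                  domain: string, path: string): Policy {
  for (const r of rules) {
    if (r.domain !== domain) continue;
    if (r.resource !== undefined && !new RegExp(r.resource).test(path)) continue;
    if (!subjectMatches(r.subject, id)) continue;
    return r.policy;
  }
  return fallback;
}

// Constructed sample rules and identities.
const host = "app.example.com";
const adminsOnly: Rule = { domain: host, resource: "^/admin", subject: "group:admins", policy: "two_factor" };
const adminDeny: Rule = { domain: host, resource: "^/admin", policy: "deny" };
const siteWide: Rule = { domain: host, policy: "one_factor" };

const specificFirst: Rule[] = [adminsOnly, adminDeny, siteWide];
const broadFirst: Rule[] = [siteWide, adminsOnly, adminDeny]; // siteWide shadows the rest

const alice: Identity = { user: "alice", groups: ["admins"] };
const bob: Identity = { user: "bob", groups: ["dev"] };

console.log(evaluate(specificFirst, "deny", bob, host, "/admin/users"),
            evaluate(broadFirst, "deny", bob, host, "/admin/users"));
```
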