Introduce "bypass", "one_factor", "two_factor" and "deny" ACL rules #289

Merged
merged 4 commits into from Nov 17, 2018

@clems4ever clems4ever commented Oct 23, 2018

In this PR we deprecate the auth_methods and allow ACL rules to be more granular. That way a user could be granted access with one or two factors depending on the resource he wants to access and not only the domain.

[DEPRECATION] auth_methods is deprecated after this PR.

[BREAKING] The format of ACLs is changing to handle more use cases.
The new format allows specifying the subject of the ACL, which can be either anybody, a group or a specific user, instead of putting ACLs into categories as before. Adding this attribute and replacing categories (any, groups, users) by a list of ACLs allows Authelia to treat ACLs as iptables does with rules, which enables more expressiveness.
With this new formalism, the first matching rule is applied, so make sure your rules are properly sorted.

@clems4ever clems4ever force-pushed the remove-auth-methods branch 7 times, most recently from a48aed1 to 51359eb Compare October 24, 2018 21:59
@clems4ever

cc @nightah

The possible values for ACL policies are now: bypass, one_factor, two_factor,
deny.

This change also deprecates auth_methods because the method is now associated
directly to a resource in the ACLs instead of a domain.
With the previous configuration format, rules were not ordered between groups
and thus not predictable. Also, in some cases `any` must have had a higher
precedence than `groups`. Flattening the rules lets the user apply whatever
policy he can think of.

When several rules match the (subject, domain, resource), the first one is
applied.

NOTE: This commit changed the format for declaring ACLs. Be sure to update
your configuration file before upgrading.
@clems4ever clems4ever merged commit 6c4d06b into master Nov 17, 2018
@clems4ever clems4ever deleted the remove-auth-methods branch February 24, 2019 09:02
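
Added example, not part of this PR or of Authelia's code: a minimal first-match evaluator over (subject, domain, resource) using the four policies named above, plus a lint that flags rules an earlier rule makes unreachable. The rule field names, the wildcard and regex matching, and the `deny` default are assumptions made for illustration.

```javascript
// Added illustration. Field names, matching semantics and the default policy
// are assumptions, not Authelia's actual configuration schema.
const POLICIES = ["bypass", "one_factor", "two_factor", "deny"];

const subjectMatches = (subject, user) =>
  subject === "any" ||
  subject === `user:${user.name}` ||
  user.groups.some((g) => subject === `group:${g}`);

// "*.example.com" matches any subdomain; anything else must match exactly.
const domainMatches = (pattern, domain) =>
  pattern.startsWith("*.") ? domain.endsWith(pattern.slice(1)) : pattern === domain;

// A rule without `resources` applies to every path on the domain.
const resourceMatches = (patterns, path) =>
  !patterns || patterns.some((p) => new RegExp(p).test(path));

// First match wins: later rules are never consulted once one matches.
function evaluate(rules, user, domain, path, defaultPolicy = "deny") {
  for (const r of rules) {
    if (!POLICIES.includes(r.policy)) throw new Error(`unknown policy: ${r.policy}`);
    if (subjectMatches(r.subject, user) && domainMatches(r.domain, domain) &&
        resourceMatches(r.resources, path)) return r.policy;
  }
  return defaultPolicy;
}

// Conservative lint: indexes of rules fully covered by an earlier rule,
// which therefore can never fire.
function shadowedRules(rules) {
  const covers = (e, l) =>
    (e.subject === "any" || e.subject === l.subject) &&
    (e.domain === l.domain || domainMatches(e.domain, l.domain)) &&
    !e.resources;
  return rules.flatMap((l, i) => (rules.slice(0, i).some((e) => covers(e, l)) ? [i] : []));
}

// Constructed sample rules: the same three rules in two different orders.
const ANY = { subject: "any", domain: "app.example.com", policy: "one_factor" };
const ADMIN = { subject: "any", domain: "app.example.com", resources: ["^/admin"], policy: "two_factor" };
const CONTRACTORS = { subject: "group:contractors", domain: "app.example.com", resources: ["^/admin"], policy: "deny" };
const MISORDERED = [ANY, ADMIN, CONTRACTORS]; // broad rule first: /admin downgraded
const ORDERED = [CONTRACTORS, ADMIN, ANY];    // most specific rule first

// Constructed users.
const alice = { name: "alice", groups: ["staff"] };
const bob = { name: "bob", groups: ["contractors"] };
```

With the broad rule first, `/admin` is served at `one_factor` to everyone, contractors included; running `shadowedRules` over a rule list before deploying it catches this kind of ordering mistake.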