Skip to content

kbs/admin: modularize admin authentication and authorization #2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Xynnn007 wants to merge 1 commit into
base: admin-3
Choose a base branch
from
Open

kbs/admin: modularize admin authentication and authorization #2

Xynnn007 wants to merge 1 commit into from

Conversation

@Xynnn007
Copy link

@Xynnn007 Xynnn007 commented Dec 23, 2025

Refactor the admin module from simple monolithic implementations to a modular architecture that separates token verification from authorization decisions.

Key changes:

  • Split admin functionality into two independent modules:
    • token_verifier: Handles token parsing and verification (BearerJwt)
    • authorization: Handles access control decisions (RegexAcl)
  • Replace simple backend types (allow_all, deny_all, simple) with trait-based architecture for better extensibility
  • Update AdminConfig to use "mode" enum (InsecureAllowAll, DenyAll, Enforce) instead of "type" for clearer semantics
  • Enforce mode requires both token_verifier and authorizer configuration
  • Improve error handling with detailed reason messages in AdminAccessDenied

This refactoring improves code organization, maintainability, and makes it easier to add new token verifiers or authorization strategies in the future.

Note that this PR does not handle the following things

  • Unit tests
  • Config updations
  • Documents
  • KBS client updates

@Xynnn007
kbs/admin: modularize admin authentication and authorization
a2d9d1c 
Refactor the admin module from simple monolithic implementations to a
modular architecture that separates token verification from authorization
decisions.

Key changes:
- Split admin functionality into two independent modules:
  * token_verifier: Handles token parsing and verification (BearerJwt)
  * authorization: Handles access control decisions (RegexAcl)
- Replace simple backend types (allow_all, deny_all, simple) with
  trait-based architecture for better extensibility
- Update AdminConfig to use "mode" enum (InsecureAllowAll, DenyAll, Enforce)
  instead of "type" for clearer semantics
- Enforce mode requires both token_verifier and authorizer configuration
- Improve error handling with detailed reason messages in AdminAccessDenied

This refactoring improves code organization, maintainability, and makes it
easier to add new token verifiers or authorization strategies in the future.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
@Xynnn007 Xynnn007 mentioned this pull request Jan 7, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Xynnn007