Default Policy examples #201
Comments
I think we can consider the following use case example of token validation (1). So, for an example of token validation we can consider the case of matching clients and endpoints by their SPIFFE IDs. The map of matches (endpoint's SPIFFE ID -> list of allowed clients by SPIFFE ID) can be stored on NSMgrs. The matching policy can also be stored on NSMgrs. So let's consider the case in more detail:
Am I going in the right direction? We have the following problems:
No... an Endpoint itself applies its own policy. The NSMgr is not responsible for that policy. The NSMgr may have certain kinds of policy applicable to its own role... but client/endpoint permissibility isn't among them.
We are recommending (but not requiring) SpiffeJWTTokenGeneratorFunc. It populates
This means that as the Path is extended, you can rule out man in the middle attacks by comparing the identity of the 'aud' from token n with the identity of the 'sub' from token n+1.
Don't worry yet about the policy deploying pieces... OPA has some standard APIs for that, for the moment we are just passing them into the authorize chain element
@edwarnicke I have some questions about the first and third policies
You wrote
I think, that the first policy should be like that:
So, I think third policy should be like that:
Where should we get the certificate (tlsInfo)? Is it the right direction? Other policies (2, 4) and use cases you can take a look at in the spec. I have also implemented the use case about the validity chain (path_segments[n-1].token.aud == path_segments[n].token.sub). You can take a look at it in the draft PR on this
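The aud/sub chaining that @edwarnicke describes above (token n's 'aud' must name token n+1's 'sub') and the path_segments[n-1].token.aud == path_segments[n].token.sub check mentioned in the draft PR, worked through as an added Go example. This is not code from the sdk or from either commenter. It assumes compact-serialised JWTs whose claim set carries sub and aud (aud as string or array, per RFC 7519), uses SPIFFE IDs constructed for illustration, and mints unsigned tokens so it runs offline; signature verification against the SPIFFE trust bundle is deliberately left out and must precede this check in a real authorize chain element.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// audience accepts the "aud" claim as either a single string or an array,
// both of which RFC 7519 allows.
type audience []string

func (a *audience) UnmarshalJSON(b []byte) error {
	var single string
	if err := json.Unmarshal(b, &single); err == nil {
		*a = audience{single}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return err
	}
	*a = audience(many)
	return nil
}

// tokenClaims keeps only the claims this check looks at.
type tokenClaims struct {
	Sub string   `json:"sub"`
	Aud audience `json:"aud"`
}

// decodeClaims reads the payload of a compact-serialised JWT. It does NOT
// verify the signature; a real chain element validates the token against
// the SPIFFE trust bundle before trusting any claim (omitted here).
func decodeClaims(token string) (tokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return tokenClaims{}, errors.New("token is not a compact JWT (expected 3 dot-separated parts)")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return tokenClaims{}, fmt.Errorf("payload is not base64url: %w", err)
	}
	var c tokenClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return tokenClaims{}, fmt.Errorf("payload is not a JSON claim set: %w", err)
	}
	if c.Sub == "" {
		return tokenClaims{}, errors.New("token has no sub claim")
	}
	return c, nil
}

// validatePathChain enforces path_segments[n-1].token.aud == path_segments[n].token.sub
// for every adjacent pair: each token must name, in its aud, the identity that
// issued the next token, so a hop nobody addressed cannot splice itself into the Path.
func validatePathChain(tokens []string) error {
	claims := make([]tokenClaims, len(tokens))
	for i, tok := range tokens {
		c, err := decodeClaims(tok)
		if err != nil {
			return fmt.Errorf("segment %d: %w", i, err)
		}
		claims[i] = c
	}
	for n := 1; n < len(claims); n++ {
		if !contains(claims[n-1].Aud, claims[n].Sub) {
			return fmt.Errorf("chain broken between segments %d and %d: aud %v does not include sub %q",
				n-1, n, []string(claims[n-1].Aud), claims[n].Sub)
		}
	}
	return nil
}

func contains(list []string, want string) bool {
	for _, s := range list {
		if s == want {
			return true
		}
	}
	return false
}

// mintUnsignedToken builds a constructed, unsigned token (alg "none", empty
// signature segment) purely as input for this example; it stands in for what
// SpiffeJWTTokenGeneratorFunc would issue but carries no signature.
func mintUnsignedToken(sub string, aud []string) string {
	if aud == nil {
		aud = []string{}
	}
	header, _ := json.Marshal(map[string]string{"alg": "none", "typ": "JWT"})
	payload, _ := json.Marshal(map[string]interface{}{"sub": sub, "aud": aud})
	enc := base64.RawURLEncoding.EncodeToString
	return enc(header) + "." + enc(payload) + "."
}

func main() {
	// Constructed SPIFFE IDs for a client -> NSMgr -> endpoint Path.
	client := mintUnsignedToken("spiffe://example.org/client", []string{"spiffe://example.org/nsmgr"})
	nsmgr := mintUnsignedToken("spiffe://example.org/nsmgr", []string{"spiffe://example.org/endpoint"})
	endpoint := mintUnsignedToken("spiffe://example.org/endpoint", nil)
	rogue := mintUnsignedToken("spiffe://example.org/rogue", []string{"spiffe://example.org/endpoint"})
	fmt.Println("intact chain:", validatePathChain([]string{client, nsmgr, endpoint}))
	fmt.Println("spliced chain:", validatePathChain([]string{client, rogue, endpoint}))
}
```

The second call in main fails because the client's token was addressed to the NSMgr, not to the rogue hop, which is exactly the man-in-the-middle case the aud/sub comparison is meant to catch. Whether this check lives in Rego inside the authorize chain element or in Go as here, it is only meaningful after every token's signature has been verified, since an unverified aud or sub proves nothing.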
This looks like a great start! :)
We need default OPA Policies based upon the update in input found in #200
Among the examples we'd want: