Prepare input for OPA #225
cert := input.auth_info.certificate
|
"spiffe_id": spiffeID, | ||
}, | ||
"operation": operation, | ||
"role": role, |
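Review bot: on the `"operation": operation` and `"role": role` entries, both values go into the OPA input as-is and nothing in the visible lines documents or constrains what they may contain, so a misspelled or unexpected value is not caught where the input is built. Consider defining the accepted operations and roles as named constants next to this map and adding a comment that lists them, so that policies reading `input.auth_info.certificate` together with these fields have a fixed vocabulary to match against.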
Tell me what you are thinking about the "role" parameter :)
@edwarnicke I don't understand what the authorization client chain element should do. Could you please explain some use cases where we need to use the authorization client? The authz server handles policies by using connection and TLS info from the context, but what should the authz client do?
Client-side authorization is used to decide if you trust who is providing you the Network Service.
Client-side authorization would also use OPA to do authorization based on the TLSInfo and Connection... but in this case it's the Connection returned from its Request call.
Signed-off-by: Dmitry Vlasov <dmitry.vlasov@xored.com>
@edwarnicke What do you think about the operation and role parameters? In my implementation of the OPA input we just pass these parameters to OPA as strings in the authorization chain element. What do you think of this approach?
Now OPA input provides the following objects:
An example of using OPA input for the case of token signature verification
Motivation #200
Signed-off-by: Dmitry Vlasov dmitry.vlasov@xored.com