feat(authz): added groups mechanism #1123
To summarize: group policies have priority over user policies, which have priority over the default policy. Can you add a test please in controller_test?
Codecov Report
```
@@            Coverage Diff             @@
##             main    #1123      +/-   ##
==========================================
+ Coverage   89.97%   90.00%   +0.03%
==========================================
  Files          93       93
  Lines       20426    20469      +43
==========================================
+ Hits        18379    18424      +45
+ Misses       1542     1541       -1
+ Partials      505      504       -1
```
Quick note: right now in the config, group memberships are only hardcoded into the config file and not taken from LDAP. Also, issue #983 suggests taking the group membership from another source.
Some notes:
Latest edit:
Thanks @andaaron, I'm editing my post to reflect those notes.
wrt LDAP (served by Windows AD backend at least),
Thank you @rchincha, but as @andaaron suggested, the attribute should be part of the config. Your proposal is perfect for us (we are using AD), but many other people use other services like OpenLDAP and Samba, which use different attributes. Restricting to those fields only would be limiting.
@Skiepp understood, these attributes are not hard-coded; you are allowed to configure what the attributes are called and zot would just query those attributes. If there is a sample backend config that you can share, we will be happy to include it in our CI/CD tests.
Looks good.
The commit msg has not been fixed yet?

"BREAKING CHANGE: A groups mechanism has been added, with policies for groups"

^ this is NOT the breaking change.

BREAKING CHANGE: repository paths are now specified under a new config key called "repositories" under "accessControl" section in order to handle "groups" feature. Previously the repository paths were specified directly under "accessControl".

This PR adds the ability to create groups of users which can be used for authZ policies, instead of just users.

{ "http": { "accessControl": { "groups": {

Just like the users, groups can be part of repository policies/default policies/admin policies. The 'groups' field in accessControl can be missing if there are no groups. The permissions priority is user>group>default>admin policy, verified in this order (in authz.go), and permissions are cumulative. It works with LDAP too, and the group attribute name is configurable. The DN of the group is used as the group name and the functionality is the same. All groups for the given user are added to the context in authn.go.

Repository paths are now specified under a new keyword called "repositories" under "accessControl" section in order to handle "groups" feature.

Signed-off-by: Ana-Roberta Lisca <ana.kagome@yahoo.com>
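As an added illustration of the evaluation order the commit message describes (this is example code, not code from this PR or from zot), the following Go sketch checks one request against the repository policies, the default policy and the admin policy in the order user > group > default > admin, treating permissions as cumulative, and reports which level granted. The type and field names, the action names and the sample config are assumptions; the caller's group list is taken as an input, standing in for the groups that authn.go attaches to the request context.

```go
package main
// Config shapes for this example: the "repositories" key under accessControl and the
// repository/default/admin policies come from the PR description; other names are assumptions.
type Policy struct{ Users, Groups, Actions []string }
type Repo struct{ Policies []Policy; DefaultPolicy []string }
type AccessControl struct {
	Repositories map[string]Repo
	AdminPolicy  Policy
}
// anyIn reports whether any element of want appears in have.
func anyIn(want, have []string) bool {
	for _, w := range want {
		for _, h := range have {
			if w == h {
				return true
			}
		}
	}
	return false
}
// Decide walks user > group > default > admin, the order the PR describes, and names the level that
// granted; permissions are cumulative, so a miss falls through. groups is what authn put in the context.
func Decide(ac AccessControl, user string, groups []string, repo, action string) (bool, string) {
	me, act := []string{user}, []string{action}
	if r, ok := ac.Repositories[repo]; ok {
		for _, p := range r.Policies {
			if anyIn(act, p.Actions) && anyIn(me, p.Users) {
				return true, "user"
			}
		}
		for _, p := range r.Policies {
			if anyIn(act, p.Actions) && anyIn(groups, p.Groups) {
				return true, "group"
			}
		}
		if anyIn(act, r.DefaultPolicy) {
			return true, "default"
		}
	}
	if a := ac.AdminPolicy; anyIn(act, a.Actions) && (anyIn(me, a.Users) || anyIn(groups, a.Groups)) {
		return true, "admin" // the admin policy is not scoped to one repository
	}
	return false, ""
}
var Sample = AccessControl{ // constructed config for this example, not from the PR or zot's docs
	AdminPolicy: Policy{Users: []string{"root"}, Actions: []string{"read", "create", "update", "delete"}},
	Repositories: map[string]Repo{"app/api": {DefaultPolicy: []string{"read"}, Policies: []Policy{
		{Users: []string{"bob"}, Actions: []string{"read", "create"}}, {Groups: []string{"devs"}, Actions: []string{"read"}}}}},
}
```

Because the levels are cumulative, the returned level only records which check matched first; a member of "devs" reading app/api is granted at the group level even though the default policy would also have allowed it.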
lgtm
What type of PR is this?
Which issue does this PR fix: #983
What does this PR do / Why do we need it:
If an issue # is not available please add repro steps and logs showing the issue:
Testing done on this change:
Automation added to e2e:
Will this break upgrades or downgrades?
Does this PR introduce any user-facing change?:
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.