Simplify configuration based mapping of token roles to deployment-specific SecurityIdentity #39269
Comments
/cc @sberyozkin (security)
Thanks @michalvavrik Sure, the In general it is not only about making a few properties to set for the By the way, there was another issue related to optimizing things for the
I see, you've created the issue for optimizing the mapping of the roles but linked to sharing the policies :-), if I'm not confused, maybe both cases can be covered with this issue
Yeah, I definitely didn't plan to align anything. I thought the idea was to define roles that are always mapped, regardless of path and policies. That was your suggestion I remembered, hope I'm not confusing it...
+1
Hmm, I think there was some suggestion for I don't remember details.
No idea, sorry. Please give me some hint.
I couldn't really remember where and what we agreed on, so I took a guess, linked shared policies and made some rationale from your reminder :-)
Sergey, thinking of it, if you suggest something other than what is in the issue description, you will have to adjust the description or create a new issue because I'm a bit lost. Sorry. This was the only thing I had in memory.
@michalvavrik OK, let's try to figure out what we'd like to optimize. And you name this issue accordingly, but you refer to the different situation, where roles can be shared with other policies which is not related to the problem of mapping. See what I mean?
I understand it now, alright, let me update the description.
This is on hold till #39236 is in because it requires touching the same lines of code and I want to avoid conflicts. Will have a look after that.
Description
We have shared HTTP permissions that allow configuring checks and mappings that are always applied when the path is matched, in addition to the winning most-specific path policy. Here #37989 (comment) it was suggested we could add configuration properties like
that will always be merged into whatever winning most-specific policy mapping is applied. This way, the user can avoid repeating path patterns. It also simplifies mapping token roles to deployment-specific SecurityIdentity roles, which right now requires:
which also requires that all HTTP requests to application endpoints are authenticated, which is something users need to avoid in many scenarios (the app often has public endpoints, or decides to secure some endpoints with standard security annotations instead, or just optionally does stuff if the user is authenticated and has a certain role, etc.).
Implementation ideas
No response