Introduce per-user path restrictions [RHELDST-23442] #691
Previously, exodus-gw's publish APIs allowed any authorized user to publish to any paths within a given CDN environment.
Now, it is possible to restrict individual users to publishing to certain paths in a given CDN environment using the publish_paths setting, or the EXODUS_GW_PUBLISH_PATHS environment variable.
An example of the publish paths config:
{
    "pre": {
        "fake-user": [
            "^(/content)?/origin/files/sha256/[0-f]{2}/[0-f]{64}/[^/]{1,300}$"
        ]
    },
    "live": {
        "fake-user": [
            "^(/content)?/origin/files/sha256/[0-f]{2}/[0-f]{64}/[^/]{1,300}$"
        ]
    }
}
Any clients identified in the config are authorized to publish to any path which matches the defined regex. When a client attempts to publish to a path which does not match the defined regex, they will get a 403 response. Any client which is not included in the publish_paths config will be authorized to publish to any path (assuming they have the necessary publish roles).
This should reduce the risk of conflicts and other issues between exodus-gw users.
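
The authorization rule described above, as an added example that is not exodus-gw's own code: `publish_status` and `extra_chars` are hypothetical helpers, the per-environment lookup and the use of `re.search` are assumptions, and the sample config is constructed from the one shown. `extra_chars` reports what the `[0-f]` range accepts beyond hex digits, which is worth checking when writing such patterns.

```python
import re

# Constructed sample mirroring the publish_paths config in the description.
PATTERN = r"^(/content)?/origin/files/sha256/[0-f]{2}/[0-f]{64}/[^/]{1,300}$"
PUBLISH_PATHS = {
    "pre": {"fake-user": [PATTERN]},
    "live": {"fake-user": [PATTERN]},
}


def publish_status(config, env, user, path):
    """Return the HTTP status for `user` publishing `path` in `env`.

    Hypothetical helper; assumes the publish-role check already passed.
    """
    patterns = config.get(env, {}).get(user)
    if patterns is None:
        # Client absent from the config: no path restriction applies.
        return 200
    # Listed client: the path must match at least one of its patterns.
    # Assumption: an empty pattern list therefore denies every path.
    if any(re.search(p, path) for p in patterns):
        return 200
    return 403


def extra_chars(char_class="[0-f]", strict="[0-9a-f]"):
    """Printable ASCII accepted by `char_class` but rejected by `strict`.

    A review aid for character-class ranges: "[0-f]" is the ASCII span
    from '0' to 'f', which is wider than the hex digits.
    """
    return "".join(
        c for c in map(chr, range(0x20, 0x7F))
        if re.fullmatch(char_class, c) and not re.fullmatch(strict, c)
    )


if __name__ == "__main__":
    sha = "ab" * 32  # constructed 64-character digest
    ok = f"/content/origin/files/sha256/ab/{sha}/pkg.rpm"
    print(publish_status(PUBLISH_PATHS, "live", "fake-user", ok))
    print(publish_status(PUBLISH_PATHS, "live", "fake-user", "/content/dist/x"))
    print(publish_status(PUBLISH_PATHS, "live", "other-user", "/content/dist/x"))
    print(repr(extra_chars()))
```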