This repository has been archived by the owner on Jul 12, 2023. It is now read-only.
authz: principal blacklist #669
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
danielnorberg
force-pushed
the
authz-principal-blacklist
branch
2 times, most recently
from
2a66c34
to
6fc659a
Compare
Codecov Report
@@ Coverage Diff @@
## master #669 +/- ##
============================================
+ Coverage 83.01% 83.06% +0.05%
Complexity 1659 1659
============================================
Files 163 163
Lines 7359 7371 +12
Branches 448 448
============================================
+ Hits 6109 6123 +14
+ Misses 1123 1121 -2
Partials 127 127 |
Codecov Report
@@ Coverage Diff @@
## master #669 +/- ##
============================================
+ Coverage 83.03% 83.06% +0.02%
Complexity 1659 1659
============================================
Files 163 163
Lines 7358 7371 +13
Branches 448 448
============================================
+ Hits 6110 6123 +13
Misses 1121 1121
Partials 127 127 |
Allow blacklisting specific undesirable principals.
danielnorberg
force-pushed
the
authz-principal-blacklist
branch
from
4c8dc44
to
0d4c38b
Compare
honnix
reviewed
Feb 7, 2019
| @@ -472,7 +497,7 @@ static ServiceAccountUsageAuthorizer create(String serviceAccountUserRole, | |||
| String gsuiteUserEmail, | |||
| String serviceName, | |||
| String message, | |||
| List<String> administrators) { | |||
| List<String> administrators, List<String> blacklist) { | |||
honnix
approved these changes
Feb 7, 2019
|
I guess https://github.com/spotify/styx/blob/master/doc/api.apib should also be updated |
|
I will do that. |
|
Let's take it in a separated PR though. |
|
Take liberty merging it. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hey, I just made a Pull Request!
Description
Allow blacklisting specific undesirable principals from authorizing.
Motivation and Context
Protect against users granting authorization access to principals like e.g. a global default CI/CD service account.
Those workflows would otherwise be modifiable by (more or less) any user, which is not intended.
Have you tested this? If so, how?
Checklist for PR author(s)
Checklist for PR reviewer(s)