You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This document describes how Arborist should behave when the user is or is not known to Arborist.
(Note: As of 2019-Nov-13 this is not yet how Arborist _actually_ behaves.)
## Context
Arborist always has 2 default groups:
Expand DownExpand Up
@@ -29,6 +31,8 @@ These endpoints return everything the user has access to, including anonymous an
- Username is specified but it is not in Arborist's database: return anonymous and logged-in policies.
- No username can be found: return the anonymous policies.
>Background: Originally `auth/mapping` only took the username from a query parameter. Then the revproxy needed to expose the endpoint so that Windmill could hit it. But we couldn't allow users to hit `auth/mapping` with arbitrary usernames. So the revproxy does not forward any query parameters, and we added the JWT fallback in Arborist.
## GET user/{username} and GET user/{username}/... endpoints
These endpoints have the username as a mandatory query parameter.
