Document RBAC client implementation #1363
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
JiriPapousek
approved these changes
Oct 29, 2024
juandspy
reviewed
Oct 31, 2024
|
|
||
| ### Authentication Middleware | ||
|
|
||
| The authentication middleware is responsible for verifying that the request has been made by a known party, and that said party's identity token has all the information necessary for identification of the concrete requester. It is implemented in the `auth` module and the `Authentication` function within the `auth_middleware.go` file. If enabled, authentication always happens before the authorization process. |
There was a problem hiding this comment.
maybe wen can use a link to this file instead of just mentioning it
juandspy
reviewed
Oct 31, 2024
|
|
||
| ### Authorization Middleware | ||
|
|
||
| The authorization middleware is responsible for enforcing role-based access control (RBAC) for incoming requests. It is implemented in the `auth` module and the `Authorization` function within the `auth_middleware.go` file. The authorization middleware is set up in the `setupAuthMiddleware` function, which configures the router to use the `Authorization` middleware for routes that require RBAC checks. |
There was a problem hiding this comment.
I’ve just realized auth_middleware may be misleading as it could refer to authorization or authentication, but I guess it’s not a big deal
juandspy
reviewed
Oct 31, 2024
| #### Key Features: | ||
| - **RBAC Enforcement**: The middleware checks if the user has the necessary permissions to access the requested resource. A configuration option, `enforce`, was added to the RBAC configuration in order to enforce or bypass RBAC. | ||
| - **Bypass for Specific URLs**: Certain URLs can be configured to bypass authorization checks, allowing public access. | ||
| - **User Agent Handling**: Requests from specific user agents (e.g. ACM) can bypass RBAC checks for now. This is a temporary solution that was agreed upon with them, as there is a lot more work related to service accounts configurations and RBAC roles definitions to do in order to ensure that this new functionality doesn't affect our internal API consumers. |
There was a problem hiding this comment.
as we are keeping the user access as it is, is this AMS specific configuration still needed?
juandspy
reviewed
Oct 31, 2024
|
|
||
| For the authorization middleware to take action when access is not authorized, the RBAC enforcement must be enabled. This is done by setting the `enforce` flag in the RBAC client configuration. | ||
| - If enforcement is not enabled, the middleware will not block access even if the user is not authorized. | ||
| - For now, anything decision taken by the authorization middleware is logged, with the hope to get more information on customers' readiness and make future development easier. |
juandspy
approved these changes
Oct 31, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Document for RBAC client implementation
Part of CCXDEV-12884
Type of change
Testing steps
N/A
Checklist
make before_commitpasses