Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add authorization via central OPA instance #1

Merged
merged 20 commits into from
Dec 16, 2024
Merged

Add authorization via central OPA instance #1

merged 20 commits into from
Dec 16, 2024

Conversation

tpoliaw
Copy link
Collaborator

@tpoliaw tpoliaw commented Nov 4, 2024

No description provided.

@tpoliaw tpoliaw force-pushed the auth branch 3 times, most recently from e17909d to 6673f21 Compare December 4, 2024 12:01
callumforrester
callumforrester previously approved these changes Dec 9, 2024
View reviewed changes
Copy link
Contributor

@callumforrester callumforrester left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This makes sense to me, it would be good if we could add tests and/or prescribe a way to test it offline

src/graphql.rs Outdated Show resolved Hide resolved
@callumforrester
Copy link
Contributor

@tpoliaw I suggest we get this merged before #13 and then I'll adjust that

@tpoliaw
Copy link
Collaborator Author

tpoliaw commented Dec 10, 2024

@tpoliaw I suggest we get this merged before #13 and then I'll adjust that

Sure, I'm still scattering tests over it but it should be good to go in soon

tpoliaw
tpoliaw commented Dec 10, 2024
View reviewed changes
src/graphql/auth.rs Outdated Show resolved Hide resolved
callumforrester
callumforrester previously approved these changes Dec 13, 2024
View reviewed changes
Copy link
Contributor

@callumforrester callumforrester left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm happy I understand these changes although my understanding of OPA et al. is still limited

tpoliaw and others added 14 commits December 16, 2024 10:41
@tpoliaw
Add very basic proof of concept auth query
980b57c
@tpoliaw
Add auth checks using new central policy rules
b02437b
@tpoliaw
Wrap policy check into struct
d6392d4 
Allows the host to be configurable via CLI/env
@tpoliaw
Make OPA endpoint configurable
cd2673b
@tpoliaw
Update auth request to use token instead of user
91fc68d
@tpoliaw
Remove previous auth check method
e672aca
@tpoliaw
Make token optional when no policy endpoint is configured
6dba8d1
@tpoliaw
Extend authorization policy check to admin access
e5fc57f 
As the central admin rules do not provide a convenient single endpoint,
we're now using the 'ad-hoc query' endpoint and taking the required
queries as user provided configuration.
@tpoliaw
Delegate all auth logic to OPA
4fc38e6 
Requires new rules on central OPA instance but allows all logic to be
reduced to a single yes/no response.
@tpoliaw
Move auth requests back to root of auth module
d0ab7c4 
Now there are no return types to handle there is no need to separate
the admin and access versions.
@tpoliaw
Remove explicit auth lifetime
37a0d12
@tpoliaw
Fix context token retrieval
2a1146e
@tpoliaw
Extrace auth check into function
a96d91a
@tpoliaw
Add auth tests
a62aa6a
@tpoliaw tpoliaw merged commit cd9df8c into main Dec 16, 2024
4 checks passed
@tpoliaw tpoliaw deleted the auth branch December 16, 2024 10:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stan-dot stan-dot stan-dot left review comments

@callumforrester callumforrester callumforrester left review comments

@garryod garryod Awaiting requested review from garryod

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@tpoliaw @callumforrester @stan-dot