Skip to content

Add authorization via central OPA instance#1

Merged
tpoliaw merged 20 commits into
mainfrom
auth
Dec 16, 2024
Merged

Add authorization via central OPA instance#1
tpoliaw merged 20 commits into
mainfrom
auth

Conversation

@tpoliaw

@tpoliaw tpoliaw commented Nov 4, 2024

Copy link
Copy Markdown
Collaborator

No description provided.

@tpoliaw tpoliaw force-pushed the auth branch 3 times, most recently from e17909d to 6673f21 Compare December 4, 2024 12:01
callumforrester
callumforrester previously approved these changes Dec 9, 2024
View reviewed changes

@callumforrester callumforrester left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This makes sense to me, it would be good if we could add tests and/or prescribe a way to test it offline

Comment thread src/graphql.rs Outdated
@callumforrester

callumforrester commented Dec 10, 2024

Copy link
Copy Markdown
Contributor

@tpoliaw I suggest we get this merged before #13 and then I'll adjust that

@tpoliaw

tpoliaw commented Dec 10, 2024

Copy link
Copy Markdown
Collaborator Author

@tpoliaw I suggest we get this merged before #13 and then I'll adjust that

Sure, I'm still scattering tests over it but it should be good to go in soon

tpoliaw
tpoliaw commented Dec 10, 2024
View reviewed changes
Comment thread src/graphql/auth.rs
callumforrester
callumforrester previously approved these changes Dec 13, 2024
View reviewed changes

@callumforrester callumforrester left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm happy I understand these changes although my understanding of OPA et al. is still limited

tpoliaw and others added 14 commits December 16, 2024 10:41
@tpoliaw
Add very basic proof of concept auth query
980b57c
@tpoliaw
Add auth checks using new central policy rules
b02437b
@tpoliaw
Wrap policy check into struct
d6392d4 
Allows the host to be configurable via CLI/env
@tpoliaw
Make OPA endpoint configurable
cd2673b
@tpoliaw
Update auth request to use token instead of user
91fc68d
@tpoliaw
Remove previous auth check method
e672aca
@tpoliaw
Make token optional when no policy endpoint is configured
6dba8d1
@tpoliaw
Extend authorization policy check to admin access
e5fc57f 
As the central admin rules do not provide a convenient single endpoint,
we're now using the 'ad-hoc query' endpoint and taking the required
queries as user provided configuration.
@tpoliaw
Delegate all auth logic to OPA
4fc38e6 
Requires new rules on central OPA instance but allows all logic to be
reduced to a single yes/no response.
@tpoliaw
Move auth requests back to root of auth module
d0ab7c4 
Now there are no return types to handle there is no need to separate
the admin and access versions.
@tpoliaw
Remove explicit auth lifetime
37a0d12
@tpoliaw
Fix context token retrieval
2a1146e
@tpoliaw
Extrace auth check into function
a96d91a
@tpoliaw
Add auth tests
a62aa6a
@tpoliaw tpoliaw merged commit cd9df8c into main Dec 16, 2024
@tpoliaw tpoliaw deleted the auth branch December 16, 2024 10:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@garryod garryod Awaiting requested review from garryod

2 more reviewers

@stan-dot stan-dot stan-dot left review comments

@callumforrester callumforrester callumforrester left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@tpoliaw @callumforrester @stan-dot