vouch-proxy
Feature request: "allow by" for other claims (such as groups) and general RBAC/ACL functionality
Would be great if one could whitelist users by something other than their username?
You can do advanced whitelisting based on any claim you want using the openresty examples.
I really don't like the idea of switching my whole ingress controller just to be able to do this. Is there a reasoning why this does not belong to vouch's core functionality?
Nope, the issue is still open. I think this would be a good feature.
@toxuin is this something you are interested in working on?
It's good to know it's on the roadmap! 👍 I wish I would know go at a level that would be worthy of this project. I'll see what I can do, but don't get your hopes up 😄
FYI - wrt configuration parameter naming we would like to use allow and deny in place of whitelist and blacklist going forward
I think having more options to verify access directly with VP is a great idea.
Implementing an access list like feature might be a very flexible way. Please have a look at the example below.
```yaml
vouch:
  access:
    - name: groups
      action: allow
      match: group
    - name: username
      action: deny
      match: "^.*@guest.example.org$"
      is_regex: true
    - name: username
      action: allow
      match: "^.*@.*example.org$"
      is_regex: true
```
The rules are processed from top to bottom and first match wins. If no rule matches the access is denied. In the future this could also replace the whitelist, teamWhitelist and #251
We could replace this ...
```yaml
whiteList:
  - [email protected]
  - [email protected]
  - [email protected]
```
... with this ...
```yaml
vouch:
  access:
    - name: username
      action: allow
      matches:
        - [email protected]
        - [email protected]
        - [email protected]
```
At the moment I don't know if we should make multiple access lists and use the requestedURL to choose which one to use. With this we could also implement the feature requested in #114.
(follow on discussion from #504)
@tboerger when I think of this feature it probably...
- lives in `pkg/rbac/rbac.go` (or maybe `pkg/acl/acl.go`)
- follows most of the design that @phibos lays out above
- allows us to rename `vouch.whitelist` to `vouch.allow` (with backward compatibility for now)
- is subordinate to the existing `vouch.whitelist` (`vouch.allow`) list (must clear that first if present)
- perhaps that logic lives in `pkg/rbac/allow.go`
- might be able to replace the checking portion of `vouch.domains` as well (maybe)
I'd welcome a PR but I have to warn you that I am horribly behind on integrating PRs on my projects and VP work in general. Please bear with me, this work is on my radar.