Alexander Scheel
@achetronic Approach 1 still requires strict superset permissioning for policies, right? In my [example above](https://github.com/openbao/openbao/issues/514#issuecomment-2336404960), my policies did not have a superset relation, and some common paths had completely different/non-overlapping...
\o hey @achetronic That approach works if there is such a role with all the relevant capabilities. But suppose you had these policies: ```hcl # Policy A -- reader path...
@JanMa said: > And if I'd want to replicate that with policy priorities, I can give both policies the same priority. Ah, you're exactly right. We'd need a more complex...
> Hey @cipherboy, > > so far you haven't managed to convince me yet 😄 Let's go through your recent examples: \o No worries, thanks @JanMa for keeping me honest...
\o hey @achetronic Both AWS's Cedar and Google's CEL language were also suggested as alternatives. The latter is more flexible and so would be easier to fit onto the...
@achetronic It is not engine based but something that needs to be implemented in the core. See https://openbao.org/api-docs/system/policies/ as an overview of the API. This mostly exists in paths like...
@achetronic ah, no, the ACL system isn't pluggable in that way, though I suppose it could be... 🤔 @cognifloyd has been looking at what is required to get MFA to...
> Well, IMO they both ACL and External should be exclusive. I have thought about some parameter defined at engine level to decide whether to use one or another. And...
https://qdl-lang.org/ was also mentioned as an example of another policy language.
Hey @achetronic! I finally got around to publishing https://github.com/openbao/openbao/pull/1267 If you're free in 15 minutes, the OpenBao community call is happening and we can discuss then: https://openbao.org/docs/contributing/ -- if not,...