desec-stack

Auto-scoped tokens

Open peterthomassen opened this issue 1 year ago • 0 comments

  • Add a boolean attribute Token.perm_create_domain (default: false; migration: true if token has no policies).
  • Add a boolean attribute Token.perm_delete_domain (default: false; migration: true if token has no policies).
  • Add a boolean attribute Token.auto_policy (default: false). (Must also have a restrictive default policy)

Tokens can create domains iff perm_create_domain == True.

Tokens can delete domains iff perm_delete_domain == True && they have a permissive policy for the domain in question (or no policies at all).

When a domain is created and auto_policy == True, the token is assigned a permissive policy for this domain.

This allows provisioning of domains and maintaining/de-provisioning the same domains, within an account, without granting access to other parts of the account.

peterthomassen, Feb 06 '24 19:02
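
A minimal model of the semantics proposed in the issue above, added here as an illustration and not taken from the desec-stack code base. The `Account` class, the `migrate` helper, the dict-based policy store and the rule that a domain-specific policy overrides the default policy are assumptions.

```python
from dataclasses import dataclass, field

DEFAULT = None  # key for the token's default policy (modelling assumption)

@dataclass
class Token:
    perm_create_domain: bool = False
    perm_delete_domain: bool = False
    auto_policy: bool = False
    # domain name (or DEFAULT) -> True if permissive, False if restrictive
    policies: dict = field(default_factory=dict)

    def __post_init__(self):
        # The issue requires a restrictive default policy with auto_policy.
        if self.auto_policy and self.policies.get(DEFAULT) is not False:
            raise ValueError("auto_policy needs a restrictive default policy")

    def permissive_for(self, domain):
        if not self.policies:  # no policies at all: unscoped token
            return True
        # Assumption: a domain-specific policy overrides the default one.
        return self.policies.get(domain, self.policies.get(DEFAULT, False))

def migrate(policies):
    """Migration rule from the issue: perms are true if no policies exist."""
    unscoped = not policies
    return Token(unscoped, unscoped, False, dict(policies))

class Account:
    def __init__(self, domains=()):
        self.domains = set(domains)

    def create_domain(self, token, name):
        if not token.perm_create_domain or name in self.domains:
            return False
        self.domains.add(name)
        if token.auto_policy:  # auto-scope the token to what it created
            token.policies[name] = True
        return True

    def delete_domain(self, token, name):
        allowed = token.perm_delete_domain and token.permissive_for(name)
        if name not in self.domains or not allowed:
            return False
        self.domains.remove(name)
        return True
```

A token built as `Token(True, True, True, {DEFAULT: False})` can create a domain and later delete it, while deletion of any domain it did not create is refused because the restrictive default policy still applies.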