Add external Policy Decision Point for Authorization #1170
Conversation
```json
"saml-user-attribute-mapper",
"oidc-usermodel-attribute-mapper",
"oidc-usermodel-property-mapper",
"oidc-address-mapper",
```
nit: This and other changes to this file that aren't related (e.g. the list being re-ordered, the config being re-generated with a new UUID) make it harder to see exactly what config is new to allow AuthZ config to work with Keycloak
The changes to the realm-export.json can be ignored. It is only changing some small configs in the Keycloak client.
I can make another PR for it if it helps?
```python
if not decision.result:
    raise ValueError("Permission denied not able to add the node")
```
return

Suggested change, from:
```python
if not decision.result:
    raise ValueError("Permission denied not able to add the node")
```
to:
```python
if not decision.result:
    return False, None
```
?
Same as above
```python
if self.client_id:
    client.headers = {"Content-Type": "application/x-www-form-urlencoded"}
```
Was this something we added?
Yes, I added this. I think this might have slipped in when I was doing testing to see if it was working, because these headers are added where it is necessary to have them.
```python
"Not enough permissions. "
f"Requires scopes {settings.authenticator.scopes}. "
f"Request had scopes {list(scopes)}"
```
Something about the scopes in the passed token to be more explicit?
It felt sufficient to me as it is the same as the one below. Plus, the scopes in the token are not checked here.
We will need to add scopes in the Keycloak client, which is not the way we want our authZ to work.
The scopes are coming from authZ (OPA).
We're aiming to try this out on our test beamline today 🤞
danielballan
left a comment
How did your local test go?
@nmaytan took a look at this and has some quick comments.
```json
"read:data",
"write:data",
"read:metadata",
"write:metadata",
```
Is the intent here to make public nodes world-writable? Generally I would expect world-readable, but not world-writable.
```json
],
"public": [
    "read:data",
    "write:data",
```
This tag configures what unauthenticated requests can do. Generally I would expect those would never be allowed to write (or create, register, delete).
```python
result: Union[List[str], bool]
```

```python
class ExternalPolicyDecisionPoint(AccessPolicy):
```
@nmaytan and I wonder if the TagBasedAccessPolicy could be reused, using the tag_parser argument to inject OPA-specific integration (_get_external_decision). Most of the AccessPolicy interface will be the same across our local solution, OPA, OpenFGA, and others. The TagParser abstraction might be a more tightly-scoped way of injecting framework-specific integration.
Nate will aim to find the bandwidth to implement this suggestion as a PR into your PR. But I mention this now in case you have any immediate thoughts on this.
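Added example, not code from this PR or from the project, that illustrates the two review points above: the `public` tag (what unauthenticated requests get) should never carry a write-class scope, and the framework-specific decision (local tag table or an external PDP such as OPA) can be an injected callable behind one shared enforcement path. All names here (`InjectedDecisionPolicy`, `table_decider`, `opa_style_decider`, `validate_tag_scopes`) are hypothetical stand-ins, not tiled's `AccessPolicy`/`TagBasedAccessPolicy` API; the config tables and the in-memory "OPA" data are constructed for the example, and no network call is made. The `Decision.result` shape mirrors the `Union[List[str], bool]` field in the diff.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Union

# Scope names from the config under review; "create", "register" and "delete"
# are taken from the reviewer's comment above. (Constructed for this example.)
WRITE_SCOPES = frozenset({"write:data", "write:metadata", "create", "register", "delete"})
PUBLIC_TAG = "public"

# Constructed copies of the tag -> scopes table: as submitted, and corrected so
# that the public tag is read-only.
CONFIG_AS_SUBMITTED: Dict[str, List[str]] = {
    "public": ["read:data", "write:data", "read:metadata", "write:metadata"],
    "staff": ["read:data", "write:data", "read:metadata", "write:metadata"],
}
CONFIG_CORRECTED: Dict[str, List[str]] = {
    "public": ["read:data", "read:metadata"],
    "staff": ["read:data", "write:data", "read:metadata", "write:metadata"],
}


def validate_tag_scopes(tags: Dict[str, List[str]]) -> List[str]:
    """Lint the tag table: the public tag must not grant any write-class scope
    to unauthenticated requests. Returns a list of findings (empty = OK)."""
    return [
        f"tag {PUBLIC_TAG!r} grants {scope!r} to unauthenticated requests"
        for scope in tags.get(PUBLIC_TAG, [])
        if scope in WRITE_SCOPES
    ]


@dataclass(frozen=True)
class Decision:
    # Same shape as `result: Union[List[str], bool]` in the diff: a PDP may
    # answer with a bare allow/deny or with the list of scopes it grants.
    result: Union[List[str], bool]


# (principal or None for unauthenticated, node tags, requested scope) -> Decision
DecisionFn = Callable[[Optional[str], List[str], str], Decision]


def table_decider(tags: Dict[str, List[str]]) -> DecisionFn:
    """Local PDP (hypothetical): union of the scopes of the node's tags.
    Unauthenticated requests only ever see the public tag."""
    def decide(principal: Optional[str], node_tags: List[str], scope: str) -> Decision:
        effective = [PUBLIC_TAG] if principal is None else node_tags
        return Decision(sorted({s for t in effective for s in tags.get(t, [])}))
    return decide


def opa_style_decider(policy_data: Dict[str, Dict[str, List[str]]]) -> DecisionFn:
    """External PDP stand-in (hypothetical): answers from an in-memory table
    principal -> node tag -> scopes, consumed the way an OPA result would be.
    A real integration would issue an HTTP query here instead."""
    def decide(principal: Optional[str], node_tags: List[str], scope: str) -> Decision:
        if principal is None:
            return Decision(False)  # an external PDP may answer with a bare deny
        per_tag = policy_data.get(principal, {})
        return Decision(sorted({s for t in node_tags for s in per_tag.get(t, [])}))
    return decide


class InjectedDecisionPolicy:
    """One enforcement path for both PDPs; the framework-specific part is the
    injected `decide` callable (the tag_parser idea from the review)."""

    def __init__(self, decide: DecisionFn) -> None:
        self._decide = decide

    def is_allowed(self, principal: Optional[str], node_tags: List[str], scope: str) -> bool:
        # Enforcement-side guard that does not depend on the PDP or the tag
        # table: unauthenticated requests never obtain a write-class scope.
        if principal is None and scope in WRITE_SCOPES:
            return False
        try:
            decision = self._decide(principal, node_tags, scope)
        except Exception:
            return False  # PDP unreachable or malformed answer: fail closed
        result = decision.result
        if isinstance(result, bool):
            return result
        if isinstance(result, list):
            return scope in result  # an empty list denies, as `if not decision.result` does
        return False  # any other shape: deny


if __name__ == "__main__":
    for finding in validate_tag_scopes(CONFIG_AS_SUBMITTED):
        print("finding:", finding)
    local = InjectedDecisionPolicy(table_decider(CONFIG_AS_SUBMITTED))
    print("anonymous write:data ->", local.is_allowed(None, ["public"], "write:data"))
```

The guard in `is_allowed` is deliberately redundant with `validate_tag_scopes`: the lint catches a world-writable `public` tag at config-load time, while the guard keeps an unauthenticated write from succeeding even if the table or the external PDP is misconfigured later.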