Group Authz Fail Close/Open #116
Comments
@bburky @rjferguson21 @mjnagel Want to open the discussion for this issue. Does anyone have strong feelings for the use case of creating an env flag for clients to opt in and out of group authz? Currently the behavior is that when a client has an empty
IMO this seems like an interesting feature but it would require a few other steps for this to be workable and/or not frustrating for users. My assumption would be that auto-generated clients would need either a "global group" to exist in order for them to be added to, or a group specifically created for that client to designate access. I think the latter makes more sense but it would depend on us having a fleshed out story of how users create groups in the first place, or doing it as part of the operator (which would require us to start using the Admin API). For reference the existing groups that exist in our realm - https://uds.defenseunicorns.com/core/configuration/uds-user-groups/
Is your feature request related to a problem? Please describe.
With the creation of group authorization, the default is fail open when a client doesn't have a group defined. It's been suggested that we should look into an environment flag that allows clients to opt into or out of group authz. This would manage the fail open / close behavior.
Further discussion to follow.
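
The fail-open / fail-closed choice raised in this issue, as an added example that is not code from this project. The environment variable name `GROUP_AUTHZ_EMPTY_POLICY`, the client attribute name `required_groups`, its JSON-list encoding, and the choice to deny on a malformed attribute or an unrecognised flag value are all assumptions made for illustration.

```python
import json
from enum import Enum

ENV_VAR = "GROUP_AUTHZ_EMPTY_POLICY"   # hypothetical flag name, not from the project
GROUPS_ATTR = "required_groups"        # hypothetical client attribute (JSON list of group paths)

class EmptyGroupsPolicy(Enum):
    FAIL_OPEN = "open"      # client with no groups defined: allow (default described in the issue)
    FAIL_CLOSED = "closed"  # client with no groups defined: deny

def policy_from_env(environ):
    """Read the opt-in flag. Unset keeps the current fail-open default."""
    raw = environ.get(ENV_VAR, "").strip().lower()
    if raw == "":
        return EmptyGroupsPolicy.FAIL_OPEN
    try:
        return EmptyGroupsPolicy(raw)
    except ValueError:
        # A typo in the flag must not silently widen access.
        return EmptyGroupsPolicy.FAIL_CLOSED

def required_groups(client_attrs):
    """Return (groups, ok). ok is False when the attribute is present but unusable."""
    raw = client_attrs.get(GROUPS_ATTR)
    if raw is None or raw.strip() == "":
        return [], True
    try:
        parsed = json.loads(raw)
    except json.JSONDecodeError:
        return [], False
    if not isinstance(parsed, list) or not all(isinstance(g, str) for g in parsed):
        return [], False
    return parsed, True

def is_authorized(client_attrs, user_groups, policy):
    groups, ok = required_groups(client_attrs)
    if not ok:
        return False  # malformed config is denied under both policies
    if not groups:
        return policy is EmptyGroupsPolicy.FAIL_OPEN
    return any(g in user_groups for g in groups)

if __name__ == "__main__":
    # Constructed sample inputs; group paths are placeholders.
    user = ["/example-auditors"]
    for env in ({}, {ENV_VAR: "closed"}):
        policy = policy_from_env(env)
        print(policy.name, is_authorized({}, user, policy))
```
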