Separate Authorization From Token (which should be purely authentication) #691

Closed
4 of 6 tasks
BruceMacD opened this issue Nov 25, 2021 · 2 comments

BruceMacD (Collaborator) commented Nov 25, 2021

  • Create simple infrahq kind internal roles (admin and user) with permissions
  • Add users to these roles on registration
  • Add permissions directly to API tokens (they are more dynamic than roles for the time being)
  • Tokens inherit permissions from users
  • Updates to the authorization flow:
    1. Validate token (validates authentication), actual validation of comparing hash does not change
    2. Add token permissions to context (this is pulled from the user/api-key the token was assigned to in the database)
    3. In access validate that the permissions from a user's role (now as an infrahq role assigned to the user) are what is needed
    4. Do any function specific access checks
  • Updates to the authentication flow:
    1. Issue token to valid credentials, no scopes/permissions

Might need to re-evaluate API tokens, these could be specific user kinds.
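
The flow listed in the issue above, as an added sketch in Go using only `net/http`. It is not Infra's code: the token values, user names, permission strings, request path and the `Authenticate`, `Require` and `Status` names are assumptions made up for illustration.

```go
package main

import (
	"context"
	"crypto/sha256"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample data: token digest -> user, user -> role, role -> permissions.
var tokens = map[[32]byte]string{sha256.Sum256([]byte("tok-alice")): "alice", sha256.Sum256([]byte("tok-bob")): "bob"}
var userRole = map[string]string{"alice": "admin", "bob": "user"}
var rolePerms = map[string]map[string]bool{"admin": {"users.read": true, "users.delete": true}, "user": {"users.read": true}}

type permsKey struct{} // context key under which the caller's permissions travel

// Authenticate (steps 1-2): check the token digest, then load the owner's role permissions into context.
func Authenticate(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, ok := tokens[sha256.Sum256([]byte(strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")))]
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized) // identity not established
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), permsKey{}, rolePerms[userRole[user]])))
	})
}

// Require (step 3): decide from context only; with nothing in context it fails closed.
func Require(perm string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if perms, _ := r.Context().Value(permsKey{}).(map[string]bool); !perms[perm] {
			http.Error(w, "forbidden", http.StatusForbidden) // identity known, permission missing
			return
		}
		next.ServeHTTP(w, r)
	})
}

func Status(token, perm string) int { // one constructed request through both layers; returns the HTTP status
	req, rec := httptest.NewRequest("DELETE", "/users/1", nil), httptest.NewRecorder()
	req.Header.Set("Authorization", "Bearer "+token)
	Authenticate(Require(perm, http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))).ServeHTTP(rec, req)
	return rec.Code
}

func main() { fmt.Println(Status("tok-alice", "users.delete"), Status("tok-bob", "users.delete"), Status("bad", "users.read")) }
```

Because the token itself carries no scopes, changing the sample user's role changes what an already issued token can do on the next request.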

BruceMacD added the area/api (Issue or PR related to the Infra API) and authentication labels Nov 25, 2021

BruceMacD (Collaborator, Author) commented:

Related: #652

BruceMacD self-assigned this Nov 29, 2021
BruceMacD mentioned this issue Dec 2, 2021
6 tasks
BruceMacD added a commit that referenced this issue Dec 3, 2021
- Add token validation to middleware
- Remove token validation from permissions check
- Get authentication from context rather than authz check
- Add permissions to user
- Set token permissions from user it is issued for

ssoroka (Contributor) commented Dec 7, 2021

moving the last two items to #642

ssoroka closed this as completed Dec 7, 2021