You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We need to verify in the job-sink, that an request is authorized. Therefor we should do the following in the job sink handler:
Get the OIDC identity of the sender
In case the JobSinks .status.policies is set:
check, if the senders identity is subject of any of the linked EventPolicies (in their .status.from[]).
If it is present: continue with the request
If not: reject the request with a 403 status code
In case the JobSinks .status.policies is empty:
Check the default-authorization-mode and do the following depending on its value:
allow-all: Continue with the request
deny-all: reject the request with a 403 status code
allow-same-namespace: check, if the senders identity is from the same namespace, as the Broker. If so, continue with the request, otherwise reject with a 403
For this we can reuse the existing VerifyRequest method from the TokenVerifier and switch from VerifyJWTFromRequest to VerifyRequest (similar as done in #8105).
We should also add an e2e test for the above scenarios
When you feel comfortable with this issue, feel free to assign it to you (e.g. by commenting /assign). Please be aware that we might unassign you, if we don't see any progress from your side to give other contributors also a chance to work on this issue.
The text was updated successfully, but these errors were encountered:
We need to verify in the job-sink, that an request is authorized. Therefor we should do the following in the job sink handler:
.status.policies
is set:EventPolicies
(in their.status.from[]
).403
status code.status.policies
is empty:default-authorization-mode
and do the following depending on its value:allow-all
: Continue with the requestdeny-all
: reject the request with a403
status codeallow-same-namespace
: check, if the senders identity is from the same namespace, as the Broker. If so, continue with the request, otherwise reject with a403
For this we can reuse the existing
VerifyRequest
method from the TokenVerifier and switch fromVerifyJWTFromRequest
toVerifyRequest
(similar as done in #8105).We should also add an e2e test for the above scenarios
Prerequisites:
default-authorization-mode
feature flag #7974.status.policies
#8062Additional context:
Additional hints for new contributors before starting with this issue:
Draft
status, the issue is subject to change and thus should not be started to be worked on/assign
). Please be aware that we might unassign you, if we don't see any progress from your side to give other contributors also a chance to work on this issue.The text was updated successfully, but these errors were encountered: