Re-evaluate SPIRE Server API authorization #3620
Labels
priority/backlog
Issue is approved and in the backlog
unscoped
The issue needs more design or understanding in order for the work to progress
Comments
evan2645
added
priority/backlog
|
This issue is stale because it has been open for 365 days with no activity. |
|
This issue was closed because it has been inactive for 30 days since being marked as stale. |
|
This is still relevant. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Many previous issues and PRs have taken attempts at solving a plethora of authorization pains that the SPIRE Server APIs currently face. These APIs tend to have a number of consumers, and the current authorization framework effectively provides an all-or-nothing authorization posture. This is particularly problematic for registrars which should have control over only a portion of the SPIFFE namespace, or for operators that should have the ability only to e.g. evict agents but not alter entries. These are two of many examples.
Initially, we tried to implement an OPA Rego-based authorization subsystem, which would allow users to provide their own authorization policies. This has been shipping as an experimental feature for quite some time now, however it suffers from many of its own unique challenges:
This past Tuesday, SPIRE contributors discussed this issue and concluded that there is no clear path forward in terms of graduating OPA Rego support out of experimental. Rather, the consensus was that the only suitable solution is likely to be a major re-think of the way that SPIRE Server performs API authorization, and that the likely answer is a first-class authorization system based on roles/capabilities/etc.
This is an unscoped issue meant to explore and capture the possible solutions. This issue is done when we've made a decision on the basic shape of a solution, at which point we can open further issues.
The text was updated successfully, but these errors were encountered: