Authorisation will allow app systems to create rules, when enable_auth_for_cloud=true

[eudyptula]

Unless I'm reading this code wrong (which seems to happen alot today), setting enable_auth_for_cloud=true would not only allow application systems to check if clouds/systems are authorised, but also add new authorisation rules themselves (AuthACF.java):

    if (AuthorizationMain.enableAuthForCloud) {
      if (!requestTarget.contains("mgmt") || (requestTarget.endsWith("intracloud") && method.equalsIgnoreCase("post"))) {
        String[] clientFields = clientCN.split("\\.", 2);
        return serverFields[1].equalsIgnoreCase(clientFields[1]);
      } else {
        return clientCN.equalsIgnoreCase("sysop." + serverFields[1]);
      }
    } else {

[hegeduscs]

Yes. The intention is that there should be two modes in the LC regarding who can add authorization rules.

1. Only operators, i.e. humans, through the management UI and API with the proper certs should be able to add authorization rules.

2. Service Provider systems could, in some cases, give authorization to potential consumers on their own.

[eudyptula]

Hmm, think this calls for split into two settings then. The enable_auth_for_cloud is described as (in the AUTH configuration file):

#Allow querying access to the authorization tables for application systems (true/false - only has effect in secure mode)

I saw the enable_auth_for_cloud setting as the one to enable the older certificate based security option, where app. systems could query the AUTH directly - and without allowing providers to create their own rules.

Was actually considering whether this could be an option for allowing a non-Arrowhead system to push data into an Arrowhead Provider...