k32
commented
3 years ago LGTM, let's wait what my colleagues who worked on the enhanced authentication think about this.
Closed 1995parham closed 2 years ago
k32
commented
3 years ago LGTM, let's wait what my colleagues who worked on the enhanced authentication think about this.
zmstone
commented
3 years ago Hi. Thank you for the proposal.
We are still iterating on the authn (authentication) and authz (authorization, previously ACL) implementations quite a bit, we have recently decided to make some adjustments in configuration layout. to summarise at very high level.
elaborating more in the changes for authn and authz:
authn is quite coupled with access endpoint and protocol (listeners), hence not suitable to use a generic authn instance for all kinds of different accesses. e.g. SSL listener may have certificate based authn, but not plaintext TCP.
authz has its scope on the entire routing table (topics), that is, no matter from which listener or zone the client is connected, they see the routing table equally.
We understand the requirement of having different rule-sets for internal / external though, an alternative is to have the zone (and maybe even user properties in the future) to be parameterised for rules.
in file based rules, we currently support filtering on auth principals. e.g.
{ principal: {"and" : [{username: "^test?", clientid: "^test?"}]}
topics: [test1, test2],
action: publish
permission: allow
}if we want to allow clients authenticated to access internal zone to publish to any topic, we may add zone as a auth principal like below.
{ principal: {zone: internal}}
topics: ["#"],
action: publish
permission: allow
}for db-backend based authz checks, we can add a ${zone} place holder in the queries.
zmstone
commented
3 years ago ping @Rory-Z for comments
Rory-Z
commented
3 years ago principal: {zone: internal}} is good idea, we are still having a heated discussion about authz, I will update later for more details
zmstone
commented
2 years ago 5.0 implemented per-listener authentication.
Based on discussion