Closed ivandov closed 2 years ago
Any update here? Or suggestion on a different direction to take?
I'm interested in this as well
Issues go stale after 90d of inactivity.
Mark the issue as fresh by commenting /remove-lifecycle stale
.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen
.
If this issue is safe to close now please do so with /close
.
/lifecycle stale
Stale issues rot after 30d of inactivity.
Mark the issue as fresh by commenting /remove-lifecycle rotten
.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen
.
If this issue is safe to close now please do so with /close
.
/lifecycle rotten /remove-lifecycle stale
Rotten issues close after 30d of inactivity.
Reopen the issue by commenting /reopen
.
Mark the issue as fresh by commenting /remove-lifecycle rotten
.
Exclude this issue from closing again by commenting /lifecycle frozen
.
/close
@openshift-bot: Closing this issue.
I believe this question is similar to the problems referenced in #107 and #111.
I have a frontend/backend application that is interfacing directly with OCP
CustomResources
that we manage through our application. We have backend APIs that manage these CRs based on user actions.I want to secure these APIs using the
oauth-proxy
and only allowing users with certain RBACs to be able to perform appropriate CRUD actions based on their RBAC settings for our various CRs. I also want to restrict portions of our frontend based on a user's authorizations (i.e. if they're not what we consider our "app admin persona", then they shouldn't be able to use certain UIs).Since we have a slew of APIs, I would need to craft some pretty dynamic
SubjectAccessReview
requests in order to properly secure my API. For example, I want to have a frontend UI that can only be displayed if a user has RBAC permissions toget
on aCustomInstance
(example CRkind
) withresourceName: foo
.As far as I can tell, the
SAR
that I'd have to write in theoauth-proxy
config wouldn't be able to easily set the dynamic values for theresourceName
for various users and various APIs, and therefore I wouldn't be able to craft unique SARs for individual users.Wouldn't I need the authenticated user's Bearer Token on our backend? Then I'd be able to call the
apis/authorization.openshift.io/v1/subjectaccessreviews
API directly with the user's token and identify if they have the proper permissions needed for our a specific API.Am I missing something? Is there some other way that this can be done? Only other solution I'm considering is making our backend act as a full oauth client, but, that seems like redundant implementations when the
oauth-proxy
already handles all of this for me.