openziti / ziti

The parent project for OpenZiti. Here you will find the executables for a fully zero trust, application embedded, programmable network @OpenZiti
https://openziti.io
Apache License 2.0

external CA roles based on SPIFFE ID #1148

Closed qrkourier closed 2 months ago

qrkourier commented 1 year ago

There's one set of default roles added to all auto-enrolled identities from an external CA. This means I need a separate CA for each distinct set of identity roles.

A hypothetical feature of Ziti external CAs is parsing roles from the SPIFFE ID.

A simplistic implementation could treat a particular position in the SPIFFE ID as a Ziti identity role, e.g., spiffe://{{trust domain}}/workloads/{{entity name}}/role/{{role name}}. A more sophisticated implementation could introduce a new type of identity role which is an SVID match pattern.
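The two variants sketched in this comment, as an added Go example that is not OpenZiti's code: a strict parser for the proposed spiffe://{trust domain}/workloads/{entity}/role/{role} layout, and a segment-wise "SVID match pattern" check. The names spiffeRoles, parseSPIFFERoles and matchSVID are assumptions, as is the sample trust domain example.org.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// spiffeRoles is what a hypothetical role-parsing external CA would extract (assumed names).
type spiffeRoles struct{ TrustDomain, Entity string; Roles []string }

// parseSPIFFERoles implements the simplistic scheme proposed in the issue:
// spiffe://{trust domain}/workloads/{entity}/role/{role}[/role/{role}...]
// It is strict, so a malformed SVID errors out instead of silently enrolling an identity with an empty or wrong role set.
func parseSPIFFERoles(id string) (spiffeRoles, error) {
	var out spiffeRoles
	u, err := url.Parse(id)
	if err != nil {
		return out, err
	}
	if u.Scheme != "spiffe" || u.Host == "" || u.User != nil || u.RawQuery != "" || u.Fragment != "" {
		return out, fmt.Errorf("not a well-formed SPIFFE ID: %q", id)
	}
	segs := strings.Split(strings.TrimPrefix(u.Path, "/"), "/")
	if len(segs) < 4 || segs[0] != "workloads" || segs[1] == "" {
		return out, fmt.Errorf("path %q does not match /workloads/{entity}/role/{role}", u.Path)
	}
	out.TrustDomain, out.Entity = u.Host, segs[1]
	for i := 2; i < len(segs); i += 2 { // every remaining pair must be role/<name>
		if segs[i] != "role" || i+1 >= len(segs) || segs[i+1] == "" {
			return spiffeRoles{}, fmt.Errorf("bad role segment at %d in %q", i, u.Path)
		}
		out.Roles = append(out.Roles, segs[i+1])
	}
	return out, nil
}

// matchSVID sketches the "SVID match pattern" variant: "*" matches exactly one
// path segment; every other segment, trust domain included, must match literally.
func matchSVID(pattern, id string) bool {
	p, q := strings.Split(pattern, "/"), strings.Split(id, "/")
	for i := range p {
		if i >= len(q) || (p[i] != "*" && p[i] != q[i]) {
			return false
		}
	}
	return len(p) == len(q)
}
```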

qrkourier commented 1 year ago

Found this relevant doc: https://docs.openziti.io/docs/learn/core-concepts/security/authentication/third-party-cas/#external-id--x509-claims

qrkourier commented 1 year ago

One solution is to use the external CA enrollment method ottca to pre-create identities with particular attributes, then match (re-use) that identity by externalId. Put another way, the SPIFFE ID can be automatically matched to a persistent OpenZiti Identity. That way, there's no need to garbage collect a proliferation of auto-enrolled identities from each run of a SPIFFE-enabled pod.

smilindave26 commented 2 months ago

Similar requests have come up for roles based on an OIDC claims property, which we will implement; we will revisit this if there is future external demand.