Allow authn and authz methods to be configured #3299
Conversation
| a new **authorization policy**. You can download a policy that restricts | ||
| anonymous access and install it by using: | ||
|
|
||
| curl -sL https://raw.githubusercontent.com/bacalhau-project/bacalhau/main/pkg/authz/policies/policy_ns_anon.rego -o ~/.bacalhau/no-anon.rego |
There was a problem hiding this comment.
we'll need to be careful to never move or renaming policy_ns_anon.rego. Maybe it would be better to reference this via a commit or a version? I don't really have a good suggestion here, just worried that it would be easy for docs to become out of date with this reference.
There was a problem hiding this comment.
Or perhaps we could embed this rego policy in the binary? 🤔
There was a problem hiding this comment.
I guess with a specific commit we'd then need to remember to update this if we make fixes or improvements. Either way it's just a careful review that is needed. Perhaps we can introduce an automated test or something?
Yeah, I don't actually imagine this being the long term user experience for doing this – but I think it's appropriate right now for beta users. I can imagine in the future we'd have explicit commands to set up users and things, or at least a dedicated tool, but we need to know more about what auth types people commonly want to use.
Is there any value in having something like bacalhau auth install policy_ns_anon or something? Just seems to be a bit overkill for where we're at?
There was a problem hiding this comment.
Is there any value in having something like bacalhau auth install policy_ns_anon or something? Just seems to be a bit overkill for where we're at?
seems like a good thing to keep in our back pocket for later, I think you are right - overkill for now.
| specifying a new **authentication policy**. You can download a policy that | ||
| restricts key-based access and install it by using: | ||
|
|
||
| curl -sL https://raw.githubusercontent.com/bacalhau-project/bacalhau/main/pkg/authn/challenge/challenge_ns_no_anon.rego -o ~/.bacalhau/challenge_ns_no_anon.rego |
This PR exposes configuration options for controlling authn and authz. This actually makes the system usable for controlling access now!
It also includes some of the docs from the docs PR that are relevant for the work at this stage. From this point forward, the docs will track the delivered features.
Resolves https://github.com/bacalhau-project/expanso-planning/issues/341.