I note that custom auth policies were removed in #1232, released in version 0.15.0. I understand the reasons behind wanting to do this, but this has unfortunately proven a problematic change for one scenario in which I run krill.
I have previously used the custom auth policies with this fairly simple policy:
```polar
# Any authenticated actor may log in and list CAs.
allow(_: Actor, action: Permission, _) if
    action in [LOGIN, CA_LIST];

# Per-CA permissions are granted only when the CA's name appears in the
# actor's "cas" attribute, which is supplied by the OIDC provider.
allow(actor: Actor, action: Permission, ca: Handle) if
    ca.name in actor.attr("cas") and
    action in [
        CA_READ, CA_UPDATE,
        ROUTES_READ, ROUTES_UPDATE, ROUTES_ANALYSIS,
        ASPAS_READ, ASPAS_UPDATE,
        BGPSEC_READ, BGPSEC_UPDATE
    ];
```
What this achieved was allowing OIDC to define which CAs a user has access to, rather than this being in the krill config. Each user has their own CA, with their own resources, on the same krill server.
Replicating this in the new system is impossible, as I'd have to know ahead of time (i.e. when writing the config), which user gets which CA. Updates to this also require a restart of Krill.
Thus, I'm asking for a way to have OIDC influence which CAs a role applies for.