8000 Support validating host annotations for authentication while loading a policy · Issue #1863 · cyberark/conjur · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

Support validating host annotations for authentication while loading a policy #1863

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
InbalZilberman opened this issue Oct 4, 2020 · 1 comment
Open

Support validating host annotations for authentication while loading a policy #1863

InbalZilberman opened this issue Oct 4, 2020 · 1 comment
Labels
component/conjur Epic kind/enhancement

Comments

@InbalZilberman
Copy link
Contributor
InbalZilberman commented Oct 4, 2020
edited
Loading

Is your feature request related to a problem? Please describe.

As a Conjur user I would like to fail in loading policy if I load a policy with wrong host annotations per authentication rules so that I will be able to fix them in advance and not in runtime (while trying to authenticate)

Describe the solution you would like

This applies to all authenticators that support host annotations :

Each authenticator has its own constraints and rules.
If the mandatory host annotations are not provided then we should provide the user with a proper message like "host annotation subscription-id is missing. In order for the host to be authenticated with authn-azure please add this annotation." Similarly to errors we provide while authenticating with host with no mandatory host annotation.

Another use case: If the host annotations does not exists we need to raise it with a proper user message

please take into account host with several authenticators type
@moticless
Copy link
Contributor
moticless commented Oct 8, 2020
edited
Loading

Time estimation

  • General notes:

    • During policy loading we don’t know today which authenticator is supported. This is because our authenticator are not treated as true plugins components.

    • As part of this effort, we might find ourself trying refactor authenticators to become more pluggable. Such step will increase the effort.

  • Design - 4

    • There is a long pending PR by Ofira that that suggest a generic infra-hook for validating policy: adding verification and default calculation infra to policy #1794
    • Define the set of rules for each authenticator
    • Add infrastructure to enforce the set of rules over the loaded policy.
    • Need to verify that our design is aligned with architectural planning for pluggable/factory authenticator. To decide how far we want to go forward with it.
    • know how to catch partial configuration; conflicts; invalid-values

Hear-under we assume that no special refactor/factory is required.

  • Implementation – 3

  • Testing - 6

  • Doc - 1

    • Changing behavior

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
component/conjur Epic kind/enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@moticless @InbalZilberman
0