Is your feature request related to a problem? Please describe.
With the creation of group authorization, the default is fail open when a client doesn't have a group defined. It's been suggested that we should look into an environment flag that allows clients to opt into or out of group authz. This would manage the fail open / close behavior.
Further discussion to follow.
@bburky @rjferguson21 @mjnagel Want to open the discussion for this issue. Does anyone have strong feelings for the use case of creating an env flag for clients to opt in and out of group authz?
Currently the behavior is that when a client has an empty groups or anyOf definition or no groups defined at all, the client will not require any group auth membership by users. Essentially meaning this is opt in group authz.
IMO this seems like an interesting feature but it would require a few other steps for this to be workable and/or not frustrating for users.
My assumption would be that auto-generated clients would need either a "global group" to exist in order for them to be added to, or a group specifically created for that client to designate access. I think the latter makes more sense but it would depend on us having a fleshed-out story of how users create groups in the first place, or doing it as part of the operator (which would require us to start using the Admin API).
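The fail-open default described in this thread, next to the fail-closed behavior the proposed flag would enable, as an added example that is not the project's code. The flag name `GROUP_AUTHZ_REQUIRED`, the `Client` type and the sample clients are assumptions made for illustration; only `groups` and `anyOf` come from the discussion.

```python
import os
from dataclasses import dataclass
from typing import Mapping, Optional, Sequence

# Hypothetical flag name; the thread proposes a flag but does not name one.
FLAG = "GROUP_AUTHZ_REQUIRED"


@dataclass(frozen=True)
class Client:
    client_id: str
    # Mirrors the thread's groups/anyOf rule: None = no groups defined, () = empty list.
    any_of: Optional[Sequence[str]] = None


def groups_required(env: Mapping[str, str] = os.environ) -> bool:
    """True when the deployment has opted into fail-closed group authz."""
    return env.get(FLAG, "false").strip().lower() in ("1", "true", "yes")


def is_authorized(client: Client, user_groups: Sequence[str], required: bool) -> bool:
    if not client.any_of:
        # No rule on the client: the current default admits every user (fail open);
        # with the flag set, the missing rule denies instead (fail closed).
        return not required
    return any(g in client.any_of for g in user_groups)


def fail_open_clients(clients: Sequence[Client]) -> list[str]:
    """Audit helper: clients any authenticated user can reach under the current default."""
    return [c.client_id for c in clients if not c.any_of]


# Constructed sample data, not taken from any real deployment.
CLIENTS = [
    Client("dashboard", any_of=("admins", "auditors")),
    Client("wiki", any_of=()),      # empty anyOf
    Client("autogen-app"),          # no groups defined at all
]

if __name__ == "__main__":
    print("fail-open clients:", fail_open_clients(CLIENTS))
    for required in (False, True):
        for c in CLIENTS:
            print(required, c.client_id, is_authorized(c, ["developers"], required))
```

Running the audit helper before flipping such a flag shows which clients would start denying all users, which is the auto-generated-client concern raised in the last comment.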