✨ Support auth scopes declared on the addon CR. #590

jortel · 2024-01-05T16:14:21Z

For consideration.

Support auth scopes declared on the addon CR. The scopes included in the addon token are currently hard-coded in hub. The purpose of limiting the addon (role) scopes is safety. Addon's make changes to the inventory grammatically and, as such, are a much higher risk of malicious activity and accidental damage to the inventory at scale.

Pros:

Not hard coded.
Declaritive.
Tailored to each addon's needs.

Cons:

Addon writer needs to know the scopes.

Example with currently mapped scopes.

auth:
  scopes:
    - applications:get
    - applications:put
    - applications.tags:*
    - applications.facts:*
    - applications.bucket:*
    - applications.analyses:*
    - identities:get
    - identities:decrypt
    - proxies:get
    - settings:get
    - tags:*
    - tagcategories:*
    - tasks:get
    - tasks.report:*
    - tasks.bucket:get
    - files:get
    - files:post
    - files:put
    - files:patch
    - rulesets:get

The text was updated successfully, but these errors were encountered:

jortel changed the title ~~✨ Support auth scopes declared on the addon CR. This approach is better because:~~ ✨ Support auth scopes declared on the addon CR. Jan 5, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

✨ Support auth scopes declared on the addon CR. #590

✨ Support auth scopes declared on the addon CR. #590

jortel commented Jan 5, 2024 •

edited

Loading

✨ Support auth scopes declared on the addon CR. #590

✨ Support auth scopes declared on the addon CR. #590

Comments

jortel commented Jan 5, 2024 • edited Loading

jortel commented Jan 5, 2024 •

edited

Loading