Add endpoint.values equivalent for payload of remote authorizer #686

Closed
3 tasks done
netthier opened this issue Jun 19, 2023 · 0 comments · Fixed by #749
Labels
feature Used for new features

@netthier
Contributor

Preflight checklist

Describe the background of your feature request

Currently, when wanting to change the payload of a remote authorizer on a per-pipeline basis, one needs to override the full payload string.
For an authorization API like OpenFGA's, this means that pipelines have to be defined as follows:

```yaml
- authorizer: openfga
  config:
    payload: |
      {
        "user": "user:{{ .Subject.ID }}",
        "relation": "read",
        "resource": "endpoint:foo"
      }
```

which is error-prone and repetitive.

Describe your idea

The remote authorizer already has a feature that allows substituting values into the URL, like so:

```yaml
- id: foo
  config:
    endpoint:
      url: https://opa.local/v1/data/{{ .Values.namespace }}/{{ .Values.policy }}
      values:
        namespace: myapi/policy
        policy: allow_write
```

where the pipeline can then contain

```yaml
- authorizer: foo
  config:
    endpoint:
      values:
        policy: something_else
```

making it easier to replace parts of the URL without having to fully retype it each time.
I propose a similar mechanism for substituting values into the payload, where the above-mentioned openfga authorizer could, for example, be defined as such:

```yaml
- id: openfga
  config:
    endpoint: # etc.
    payload: |
      {
        "user": "user:{{ .Subject.ID }}",
        "relation": {{ quote .Values.relation }},
        "resource": {{ quote .Values.resource }}
      }
    values: # default values
```

and then used in a pipeline like

```yaml
- authorizer: openfga
  config:
    values:
      relation: read
      resource: "endpoint:foo"
```

making it more difficult to accidentally mess up the payload.

Are there any workarounds or alternatives?

Currently the workaround is what I described in the problem, i.e. always specifying the full payload.

A different way of implementing the solution I mentioned would be to use the same values object for both substituting into the URL and into the payload, as I don't really see a reason why they should be separated. In that case I'd remove the values key from the endpoint object and just have one directly in config.

Version

n/a

Additional Context

This feature was discussed in this Discord thread: https://discord.com/channels/1100447190796742698/1120438467411857558
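
The following is an added example, not part of the issue and not the project's own code. It sketches the proposed behaviour: per-pipeline values overlaid on authorizer defaults, then substituted into the payload through a quoting function so each value stays a single JSON string, with an unset value failing the render. It assumes Go's `text/template` as the engine and `json.Marshal` as a stand-in for `quote`; `RenderPayload` and `jsonQuote` are hypothetical names.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"text/template"
)

// payloadTmpl is the payload template proposed in the issue.
const payloadTmpl = `{
  "user": "user:{{ .Subject.ID }}",
  "relation": {{ quote .Values.relation }},
  "resource": {{ quote .Values.resource }}
}`

// jsonQuote is an assumed stand-in for `quote`: it emits a JSON string literal.
func jsonQuote(v any) (string, error) {
	b, err := json.Marshal(fmt.Sprint(v))
	return string(b), err
}

// RenderPayload overlays per-pipeline values on the authorizer defaults,
// renders the template, and rejects output that is not a flat JSON object.
func RenderPayload(subjectID string, defaults, overrides map[string]any) (map[string]string, error) {
	values := map[string]any{}
	for _, m := range []map[string]any{defaults, overrides} {
		for k, v := range m {
			values[k] = v
		}
	}
	t, err := template.New("payload").Option("missingkey=error").
		Funcs(template.FuncMap{"quote": jsonQuote}).Parse(payloadTmpl)
	if err != nil {
		return nil, err
	}
	data := map[string]any{"Subject": map[string]any{"ID": subjectID}, "Values": values}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return nil, err // e.g. a value neither the defaults nor the pipeline set
	}
	var out map[string]string
	err = json.Unmarshal(buf.Bytes(), &out)
	return out, err
}

func main() {
	out, err := RenderPayload("alice", map[string]any{"relation": "read"}, map[string]any{"resource": "endpoint:foo"})
	fmt.Println(out, err)
}
```

The `missingkey=error` option is a choice made for this sketch: it turns a pipeline that forgets `resource` into a render error instead of an authorization request carrying a placeholder string.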
