Stability: Authenticators #391
Labels
stability
Issues related to the stability of the service
Milestone
Comments
|
For the JWT-SVID authenticator, see spiffe/spiffe#144. The JWT-SVID profile is going to be integrated into the standard and should become stable henceforth. The current API that we use is the same as in the PR and is not expected to change. For testing, we should make sure that the authentication work on every PR, but we can also test it with different versions of Parsec, as part as other tests. |
|
The Rust SPIFFE implementation might be remplaced using this crate. The CI contains multi-tenancy tests which use all authenticators. In the CI, SPIRE is used for tests as SPIFFE implementation, on a specific version that is fixed. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Definition: Authentication requests sent by future stable versions of Parsec should be understood by the same version of the authenticators present on the system.
Enforcement: Unix Peer Crendentials: based on top of stable C standard library APIs. JWT SVID: authentication is based on the SPIFFE Workload API which is a standard and should remain stable.
Enforcement Check
The Unix Peer Credential authenticator is directly used a specific feature of a libc API (
getsockopt) and that will remain stable.The JWT SVID authenticator is based on the SPIFFE Workload API. It seems to be standardised for the X509 part but not sure for the JWT part. We need to make sure it is. The
rust-spiffedependency uses the protobuf definitions at https://github.com/spiffe/go-spiffe/blob/master/proto/spiffe/workload/workload.protoTesting
The different authenticators should be tested with different versions of the service.
The text was updated successfully, but these errors were encountered: