Currently Athenz allows any valid principal to be added to a role and/or group and relies on the administrator to make the right decision about who to add to the role.
However, it is desirable to have a simple domain-name-based filter for role/group members. For example, I have a self-serve role and I want only users to be added to the role. So it would be great to have a filter to say only principals from domain "user" are allowed in this domain. A similar use case would be that I want to allow all principals except home domains - these should never be used as members in a given role.
Added a new meta field for roles and groups called principalDomainFilter.
The value of the filter is a comma-separated list of domain names - e.g. sports,+weather,-weather.north
If the domain name has no prefix - all principals from this domain will be allowed - e.g. sports.api is valid, sports.nhl.api is not
If the domain has + then the domain + all subdomains are allowed - e.g. weather.api is valid, weather.losangeles.api is valid
If the domain has - then principals from this domain + all subdomains are not allowed - e.g. weather.north.api is not valid
Some use cases:
I want the role/group to only contain human users: principalDomainFilter: user
I don't want any home domain principals in the role/group: principalDomainFilter: -home
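The filter semantics described in the issue, as an added example in Go that is not part of the Athenz code base: a principal name is split into its domain (everything before the last dot, as in Athenz) and that domain is checked against the parsed principalDomainFilter entries. The issue does not state how allow and deny entries combine, so the example assumes a deny entry always wins, a filter with at least one allow entry requires the principal to match one of them, and a filter with only deny entries (or an empty filter) lets everyone else through; the function names parseFilter, principalDomain and allowed are the example's own.

```go
package main

import (
	"fmt"
	"strings"
)

// rule is one parsed entry of a principalDomainFilter value.
type rule struct {
	domain     string
	subdomains bool // true for "+" and "-" entries: the domain and all its subdomains
	deny       bool // true for "-" entries
}

// parseFilter splits a comma-separated principalDomainFilter value such as
// "sports,+weather,-weather.north" into rules. Whitespace around entries is
// ignored and empty entries (including a bare "+" or "-") are skipped.
func parseFilter(filter string) []rule {
	var rules []rule
	for _, entry := range strings.Split(filter, ",") {
		entry = strings.TrimSpace(entry)
		if entry == "" {
			continue
		}
		r := rule{domain: entry}
		switch entry[0] {
		case '+':
			r = rule{domain: entry[1:], subdomains: true}
		case '-':
			r = rule{domain: entry[1:], subdomains: true, deny: true}
		}
		if r.domain == "" {
			continue
		}
		rules = append(rules, r)
	}
	return rules
}

// matches reports whether the given domain falls under the rule: an exact
// match always counts, a subdomain match only for "+" and "-" entries.
func (r rule) matches(domain string) bool {
	if domain == r.domain {
		return true
	}
	return r.subdomains && strings.HasPrefix(domain, r.domain+".")
}

// principalDomain returns the domain part of an Athenz principal name,
// i.e. everything before the last dot ("sports.nhl.api" -> "sports.nhl").
func principalDomain(principal string) string {
	i := strings.LastIndex(principal, ".")
	if i < 0 {
		return ""
	}
	return principal[:i]
}

// allowed decides whether principal may become a member under the filter.
// Assumed precedence (not stated in the issue): any matching "-" rule rejects;
// otherwise, if the filter has allow rules the principal must match one of
// them; a filter with only "-" rules, or an empty filter, allows everyone else.
func allowed(filter, principal string) bool {
	domain := principalDomain(principal)
	hasAllow, matchedAllow := false, false
	for _, r := range parseFilter(filter) {
		if r.deny {
			if r.matches(domain) {
				return false
			}
			continue
		}
		hasAllow = true
		if r.matches(domain) {
			matchedAllow = true
		}
	}
	return !hasAllow || matchedAllow
}

func main() {
	// Sample filter and principals taken from the issue text.
	filter := "sports,+weather,-weather.north"
	for _, p := range []string{"sports.api", "sports.nhl.api", "weather.api", "weather.losangeles.api", "weather.north.api"} {
		fmt.Printf("%-24s allowed=%v\n", p, allowed(filter, p))
	}
	// The two use cases from the issue: humans only, and no home-domain principals.
	fmt.Println("user filter:", allowed("user", "user.joe"), allowed("user", "sports.api"))
	fmt.Println("-home filter:", allowed("-home", "home.joe.api"), allowed("-home", "sports.api"))
}
```

Because the check is applied to the principal's domain rather than to the full name, a service under a sub-domain of a denied domain (home.joe.api) is rejected just like a principal directly in it, which is the behaviour the "-home" use case asks for.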
havetisyan changed the title from "Support simple domain based filtering for user/group principals." to "Support simple domain based filtering for role/group principals." on May 26, 2024