| field | value | date |
|---|---|---|
| author | mo khan <mo@mokhan.ca> | 2025-07-07 15:49:41 -0600 |
| committer | mo khan <mo@mokhan.ca> | 2025-07-07 15:49:41 -0600 |
| commit | fa214052891a8d54121b216879cad8a761608c92 (patch) | |
| tree | 95120f07050262adcf09d9bccf45e0b8c8f78256 | |
| parent | 109dde4ec5ac144e9f74f1e3fedcd26fe8f3c753 (diff) | |
docs: add note about placeholder cedar policies
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | share/man/README.md | 19 |
1 files changed, 11 insertions, 8 deletions
diff --git a/share/man/README.md b/share/man/README.md index 1f6dad34..779b37d2 100644 --- a/share/man/README.md +++ b/share/man/README.md @@ -196,10 +196,10 @@ User-Agent Envoy(Sparkle) Go Authzd Rust Authzd +-----------------------------------------------------+ | Docker Container | | | -| +---------+ +--------------+ +----------+ | -| | Envoy |--->| Rust Authzd | | Sparkled | | -| | (local) | | (library) | | (App) | | -| +---------+ +------+-------+ +----------+ | +| +---------+ +--------------+ +----------+ | +| | Envoy |--->| Rust Authzd | | Sparkled | | +| | (local) | | (library) | | (App) | | +| +---------+ +------+-------+ +----------+ | | | | +------------------------|----------------------------+ | @@ -214,7 +214,7 @@ User-Agent Envoy(Sparkle) Go Authzd Rust Authzd ### Benefits: 1. **Local authzd** - Fast, no network latency, basic policies 2. **Remote authzd** - Centralized policy management, complex rules -3. **Future**: In-process library eliminates gRPC overhead +3. **Future**: In-process library reduces gRPC overhead --- @@ -339,19 +339,20 @@ message CheckResponse { } ``` -### **Key Feature: URT Token Injection** +### **Key Feature: URT Injection** Authzd can inject **URT (Unified Request Token)** headers: ``` x-urt-token: <downscoped_token> x-user-id: 123456 -x-user-groups: ["developers", "maintainers"] ``` --- ## Slide 11: Authzd Implementation -### Current Cedar Policy +### 🚧 **Current Cedar Policies (Placeholder)** + +**Note**: These are hard-coded placeholder policies to test the local <-> remote authzd interaction. Real policies are being developed next. ```cedar // Allow requests with valid bearer token @@ -379,6 +380,8 @@ when { }; ``` +**Next**: Replace with real authorization policies based on user roles and permissions. + --- ## Slide 12: How Authzd Makes Decisions |
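Review bot: The first hunk (the Docker Container box diagram at @@ -196,10 +196,10 @@) removes and re-adds four lines whose visible text is identical, so the change is whitespace or alignment only; the commit message ("docs: add note about placeholder cedar policies") does not mention it. Either drop this hunk from the commit or note the diagram re-alignment in the message, so reviewers are not left checking for a hidden content change.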
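Review bot: In the Benefits hunk (@@ -214,7 +214,7 @@), changing "eliminates gRPC overhead" to "reduces gRPC overhead" is the more defensible claim, since the slide still shows a remote Go Authzd reached over the network alongside the local Rust Authzd; consider saying which hop the in-process library removes (the local Envoy to Rust Authzd call) so the stated benefit is concrete rather than vague.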
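Review bot: In the URT hunk (@@ -339,19 +339,20 @@), the deletion of the `x-user-groups: ["developers", "maintainers"]` example line is not explained by the commit message, which only covers the placeholder-policy note. State whether authzd still injects that header; if it does, keep the example and document its format, and if it no longer does, say where group membership now travels (the `x-urt-token` downscoped token would be the natural place), so readers know exactly which headers a downstream service may rely on. The heading rename from "URT Token Injection" to "URT Injection" is fine, since URT already expands to "Unified Request Token" on the following line.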
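Review bot: In the Slide 11 hunk (@@ -339,19 +339,20 @@), the new "🚧 Current Cedar Policies (Placeholder)" note is the right call, but it should also state that these hard-coded policies must not be deployed beyond the local <-> remote interaction test, since the first policy ("Allow requests with valid bearer token") grants access on token validity alone with no role or permission check. The added "**Next**: Replace with real authorization policies based on user roles and permissions." line restates "Real policies are being developed next." from the note above it; merge the two into the note to avoid the duplication.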
