| author | mo khan <mo@mokhan.ca> | 2025-05-02 14:29:41 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-05-02 14:29:41 -0600 |
| commit | c583bcd1473205104a1e1af812ed4976d30c7baa (patch) | |
| tree | 933edf78a4ac8aea55256e42641e56bbb4c58834 /README.md | |
| parent | 91defaefca47e9cebbe92c6abf33c4423df9bc7d (diff) | |
refactor: remove anything unrelated to the authz daemon
Diffstat (limited to 'README.md')
| -rw-r--r-- | README.md | 107 |
1 files changed, 36 insertions, 71 deletions
@@ -1,13 +1,7 @@ -# Authx - Proof of Concept +# authzd - Authorization Daemon -This repository explores various authentication and authorization workflows by introducing a separate authn/authz service. -It serves as a proof of concept to illustrate potential workflows, not a production ready implementation. - -To keep the implementation accessible, external dependencies have been minimized, ensuring a clear reference for understanding key concepts, including: - -* SAML based authentication including IdP chaining to external identity providers -* OIDC based authentication -* OAuth endpoints with links to relevant RFCs for proper usage guidance +This repository host a minimal PDP service used for making authorization +decisions via a gRPC endpoint. ## Architecture 
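Review bot: the new description line `+This repository host a minimal PDP service used for making authorization` has a subject-verb error ("host" should be "hosts") and introduces the acronym PDP without expanding it; since the previous intro that explained the authn/authz split is being deleted in this same hunk, a reader now has no definition on the page. Suggest `This repository hosts a minimal PDP (policy decision point) service that makes authorization decisions over a gRPC endpoint.` and, given that the old text called this "not a production ready implementation", either keep that caveat or state explicitly that the daemon is now intended for production use.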
@@ -17,84 +11,57 @@ To keep the implementation accessible, external dependencies have been minimized ------------- | V -----|:8080|----------------------------------------------- +----|:443|------------------------------------------------------------- | V - --------------- - | API Gateway | (use casbin to evict early, reverse proxy, inject context headers) - --------------- - | - | -------------------- - |--->| IdP (saml, oidc) | - | -------------------- - | | :http | :grpc | (use declarative_policy) - | -------------------- - | A A - ----------- | | - | | | | - V V | | - ------ ------------ | - | UI | | REST API |----| - ------ ------------ - -[UI]: ui.example.com -[REST API]: api.example.com -[IdP]: idp.example.com + | ---------------------------------------- + | | ______________________ | + |-->(:443)| envoy ->(:80)| /var/run/sparkled | | + | | ---------------------- | + | ---------------------------------------- + | + | ------------------- + | | IdP / IAM | + | |-------- | + |--->| :http | |---- pub membership change ---| + | |-------- | | + | ------------------- | + | ( nats.io) + | | + | |---- sub membership change --- + | | + | V (update acls) + | ------------------------------------- + | | ___________________ | + |-->(:443)| envoy ->(:80)| /var/run/authzd | | + | ------------------| | + ------------------------------------- + | + |----> cron reconciliation process >---->-------| + A | + |- audit, validate list, notify, remediate --| ``` -I have ommitted TLS, RS256 from the prototype to offload the decision of key -management and rotation. See [smallstep](https://smallstep.com/docs/step-cli/) -for PKI management. - -CSV files are used instead of a database to simulate different types of -scenarios. 
The following organizational hierarchy is demonstrated here: +## Getting Started -``` -Organization(name: "default") - * Group(name: "A") - * Project(name: "A1") - * Group(name: "B") - * Project(name: "B1") -Organization(name: "gitlab") - * Group(name: "gitlab-org") - * Project(name: "gitlab") - * Group(name: "gitlab-com") - * Group(name: "gl-security") - * Group(name: "test-projects") - * Project(name: "eicar-test-project") - * Project(name: "disclosures") - * Group(name: "support") - * Group(name: "toolbox") - * Project(name: "changelog-parser") - * Project(name: "handbook") - * Project(name: "www-gitlab-com") -``` +### Prerequisites -## Getting Started +- [mise](https://mise.jdx.dev/) +- [make](https://www.gnu.org/software/make/) 1. Install tools: ```sh $ mise install - ``` - -1. Add entries to `/etc/hosts`: - - ```sh - $ tail -n3 /etc/hosts - 127.0.0.1 api.example.com - 127.0.0.1 idp.example.com - 127.0.0.1 ui.example.com + $ make install-tools ``` 1. Start servers: ```sh - $ mage + $ mage servers ``` -1. Open a browser to `http://ui.example.com:8080/`. - ## Questions See the [FAQ][9] @@ -106,9 +73,7 @@ See the [FAQ][9] * [protocol buffers][7] * [twirp][8] -[2]: https://gitlab.com/gitlab-org/gitlab/-/tree/master/app/policies [5]: https://tip.golang.org/doc/modules/managing-dependencies#tools [6]: https://grpc.io/docs/ [7]: https://protobuf.dev/programming-guides/proto3/ [8]: https://github.com/arthurnn/twirp-ruby/wiki/Code-Generation -[9]: ./doc/share/authz/FAQ.md |
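Review bot: the new diagram makes the NATS `pub membership change` -> `sub membership change` -> `(update acls)` path the way ACLs are mutated, but nothing in the README says how authzd decides that a membership-change message is genuine (publisher authentication, NATS credentials or TLS, subject authorization), nor whether a stale or replayed message can roll an ACL backwards; since the old note `I have ommitted TLS, RS256 from the prototype to offload the decision of key management` is deleted in this hunk and `(:443)` now appears on the envoy edge, please add a short paragraph under Architecture stating where TLS terminates and how the membership-change subject is authenticated, and what the `cron reconciliation process` does when `audit, validate list` finds a divergence. Two smaller points in the same hunk: the diagram shows a `/var/run/sparkled` socket that is never mentioned elsewhere on the page (unexplained in a commit titled "remove anything unrelated to the authz daemon"), and the Prerequisites list names only mise and make while the start step runs `$ mage servers`; either add mage to the list or note that `make install-tools` installs it.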
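Review bot: deleting `-[9]: ./doc/share/authz/FAQ.md` leaves the reference-style link `See the [FAQ][9]` (still present in the retained `## Questions` section, and visible as this hunk's own context line) without a definition, so it will render as literal text rather than a link. Either keep the `[9]:` definition (updated to wherever the FAQ now lives, if it moved with the refactor) or remove the `## Questions` section along with it. The removal of `-[2]: https://gitlab.com/gitlab-org/gitlab/-/tree/master/app/policies` is fine as long as no `[2]` reference survives elsewhere in the file; worth a quick grep before merging.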
