Diffstat (limited to 'share/man')
| Mode | File | Lines changed |
| --- | --- | --- |
| -rw-r--r-- | share/man/README.md | 24 |
| -rw-r--r-- | share/man/cedar/README.md | 125 |
2 files changed, 12 insertions, 137 deletions
diff --git a/share/man/README.md b/share/man/README.md index 72c52028..02d7630e 100644 --- a/share/man/README.md +++ b/share/man/README.md @@ -77,7 +77,7 @@ This is different from Rails where authorization typically happens inside the ap | | | | | v v | | +-------------+ +----------+ | -| | Sparkled | | Go Authzd| | +| | Sparkled | | Authzd | | | | (App) | | (sidecar)| | | +-------------+ +----+-----+ | +==============================|==========+ @@ -94,7 +94,7 @@ This is different from Rails where authorization typically happens inside the ap | | | | v | | +---------------+ | -| | Rust Authzd | | +| | Authzd | | | | (remote) | | | +---------------+ | +========================================+ @@ -141,7 +141,7 @@ User-Agent Envoy(Sparkle) Sparkled GitLab ## Slide 6: Request Flow - Authenticated User ``` -User-Agent Envoy(Sparkle) Go Authzd Rust Authzd +User-Agent Envoy(Sparkle) Sidecar Authzd Remote Authzd | | | | | GET /dashboard | | | | (with cookies) | | | @@ -177,14 +177,14 @@ User-Agent Envoy(Sparkle) Go Authzd Rust Authzd ## Slide 7: The Dual Authzd Architecture -### Current: Go Sidecar + Rust Remote +### Current: Sidecar + Remote ``` +-----------------------------------------------------+ | Docker Container | | | | +---------+ +--------------+ +----------+ | -| | Envoy |--->| Go Authzd | | Sparkled | | +| | Envoy |--->| Authzd | | Sparkled | | | | (local) | | (sidecar) | | (App) | | | +---------+ +------+-------+ +----------+ | | | | @@ -193,13 +193,13 @@ User-Agent Envoy(Sparkle) Go Authzd Rust Authzd | gRPC call (fallback) v +---------------+ - | ENVOY PROXY | + | ENVOY PROXY | | (remote) | +-------+-------+ | v +---------------+ - | Rust Authzd | + | Authzd | | (remote) | +---------------+ ``` 
@@ -211,7 +211,7 @@ User-Agent Envoy(Sparkle) Go Authzd Rust Authzd | Docker Container | | | | +---------+ +--------------+ +----------+ | -| | Envoy |--->| Rust Authzd | | Sparkled | | +| | Envoy |--->| Authzd | | Sparkled | | | | (local) | | (library) | | (App) | | | +---------+ +------+-------+ +----------+ | | | | @@ -220,7 +220,7 @@ User-Agent Envoy(Sparkle) Go Authzd Rust Authzd | HTTP call (fallback) v +---------------+ - | Rust Authzd | + | Authzd | | (remote) | +---------------+ ``` @@ -239,8 +239,8 @@ User-Agent Envoy(Sparkle) Go Authzd Rust Authzd The OAuth2 and JWT filters shown below may be removed in future versions: -- **Option 1**: Move to Rust authzd's Envoy configuration -- **Option 2**: Implement as code inside Rust authzd +- **Option 1**: Move to Remote authzd's Envoy configuration +- **Option 2**: Implement as code inside Remote authzd - **Goal**: Replace JWT with URT (Unified Request Token) via `ext_authz` ### Current Filter Chain (order matters!) @@ -265,7 +265,7 @@ Each filter processes the request and can: ### **Future Architecture** -This OIDC authentication may move to Rust authzd for centralized token management. +This OIDC authentication may move to Remote authzd for centralized token management. ### Configuration diff --git a/share/man/cedar/README.md b/share/man/cedar/README.md deleted file mode 100644 index ec665d69..00000000 --- a/share/man/cedar/README.md +++ /dev/null 
@@ -1,125 +0,0 @@ -# Cedar Authorization Guide - -Cedar provides policy-based authorization using Amazon's Cedar policy -language. This service handles request authorization through Envoy's -`ext_authz` filter. - -## Architecture - -``` -+---------------------------------------------------------------------+ -| Client Request | -+---------------------------------------------------------------------+ - │ - V -+---------------------------------------------------------------------+ -│ Envoy Proxy (:20000) | -│ | -│ * JWT Filter extracts x-jwt-claim-sub header | -│ * ext_authz sends CheckRequest to authzd | -+---------------------------------------------------------------------+ - | ext_authz - V - +---------------------+ - | authzd (:50052) | - | | - | +-----------------+ | - | | Cedar Policies | | - | | * Static Assets | | - | | * JWT Claims | | - | | * Path Rules | | - | +-----------------+ | - +---------------------+ -``` - -## Authorization Flow - -``` - Client Envoy authzd - | | | - | HTTP Request + JWT | | - |---------------------->| | - | | Extract JWT claims | - | | Add x-jwt-claim-sub | - | | | - | | ext_authz CheckRequest | - | |----------------------->| - | | | - | | | Evaluate - | | | Cedar - | | | policies - | | Allow/Deny | - | |<-----------------------| - | | | - | Forward request | | - | or 403 Forbidden | | - |<----------------------| | -``` - -## Cedar Policies - -### Policy Structure - -Policies are stored in `etc/authzd/*.cedar` files using Cedar's policy language: - -```cedar -permit ( - principal == User::"1", - action == Action::"GET", - resource == Resource::"/sparkle/" -) -when -{ - context has host && - context.host == "sparkle.staging.runway.gitlab.net" && - principal has username -}; -``` - -## JWT Integration - -### JWT Header Extraction - -Envoy's JWT filter extracts claims and adds them as headers: - -- `x-jwt-claim-sub` - User ID (subject) - -## Policy Development - -### Adding New Policies - -1. 
Create or edit `.cedar` files in `etc/authzd/` -2. Use Cedar policy syntax for rules -3. Test with `make test` -4. Validate with `make lint` - -### Policy Validation - -```bash -# Check policy syntax -cedar check-parse --policies etc/authzd/policy1.cedar - -# Format policies -cedar format --policies etc/authzd/policy1.cedar --check -``` - -### Testing Policies - -```bash -# Run Cedar authorization tests -cargo test authorization::cedar_authorizer_test - -# Test specific scenarios -cargo test test_sparkle_homepage -``` - -## Make Targets - -- `make test` - Run all tests including Cedar policy tests -- `make lint` - Validate Cedar policy syntax and formatting - -## References - -- [Cedar Policy Language](https://docs.cedarpolicy.com/) -- [Cedar Language Guide](https://docs.cedarpolicy.com/policies/syntax.html) -- [Envoy JWT Authentication](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter) |
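Review bot: in the Slide 6 hunk (`@@ -141,7 +141,7 @@`) the column header line grows from `Go Authzd Rust Authzd` to `Sidecar Authzd Remote Authzd`, but the `|` lanes and `GET /dashboard` arrows beneath it are unchanged context, so the two rightmost columns of the sequence diagram no longer sit under their labels. Either keep the header at the old widths (for example `Sidecar  Remote` over two lines, or shorter labels) or re-space every row of the diagram in the same change.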
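Review bot: the `@@ -239,8 +239,8 @@` and `@@ -265,7 +265,7 @@` hunks introduce `Remote authzd` (lowercase a) in the Option 1/Option 2 bullets and in the Future Architecture sentence, while the Slide 6 hunk in the same file writes `Remote Authzd` and the diagrams write `Authzd (remote)`; pick one spelling for the whole README. Note also that `Move to Remote authzd's Envoy configuration` now reads as if the remote authzd owns an Envoy, whereas the Slide 7 diagram shows `ENVOY PROXY (remote)` in front of it; `the remote Envoy's configuration` would match the diagram.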
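Review bot: `share/man/cedar/README.md` is deleted outright and nothing in this diff replaces it (the diffstat's 12 insertions are all the one-word renames in `share/man/README.md`), so the only documentation of where the policies live (`etc/authzd/*.cedar`), how they are checked before deploy (`cedar check-parse --policies ...`, `cedar format --policies ... --check`, `make lint`, `cargo test authorization::cedar_authorizer_test`) and which header the `ext_authz` decision keys on (`x-jwt-claim-sub`) goes away. The diffstat is limited to `share/man`, so if this content moved elsewhere in the commit, add a link to its new location from `share/man/README.md`; if it did not move, keep at least the Policy Validation and Make Targets sections, because `make lint` is the documented step that catches a malformed policy file before authzd loads it.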
