Create Regex RBAC filter

Description

The Simple RBAC filter is not simple enough. Its configuration is converted into a WADL, which limits what the filter can express and forces the user to think about how the configuration will be converted, which takes away from the "simple" aspect.

We should create a new Super Simple RBAC filter (Simpler RBAC? SRBAC? Simple Simple RBAC?) that doesn't go through a WADL.

What does it need to support?

  • It should support regex in the configured URL.

  • The config format will look the same as the Simple RBAC filter's.

    • URL will be a regex string.

    • List of roles and methods should be comma separated.

    • Support role names with spaces through the use of a non-breaking space character in place of the space.

    • Values in each row will be separated by some amount of whitespace (number of spaces does not matter).

  • Rules for config

    • Every row whose URL regex and method match the request must be satisfied by the request's roles for the request to go through.

      • That is, row order does not matter.

    • If there is no match with the request, it is rejected.

Questions:

  • Does it need to be released feature complete? Can anything be a fast-follow?

    • Configurable role header name? - Nope

    • Mask rax roles? - Sure, Should Be Easy (TM)

    • JMX Metrics (api coverage metrics)? - Nope

    • Delegation? - Sure

  • Performance testing? - Obviously

  • Impersonator roles? - Yes, plz? We'll put it in another story since it would be an optional 4th column.

    • It would add a further requirement that the request carry an impersonation header with the configured role.

Acceptance Criteria:

  • We create a new Regex RBAC filter.

  • The filter supports RBAC on requests against regex-configured URLs.

  • The filter supports specifying HTTP methods including an "ANY" and "ALL".

  • The filter supports specifying a list of allowed roles including an "ANY" and "ALL".

  • The filter supports roles with spaces by having the space written as a non-breaking space character.

  • The filter supports a Mask Rax Roles option (return 404 instead of 403) but it can be called something else.

  • The filter supports Delegation.

  • The filter will only allow a request if it contains one or more of the roles associated with each matching URL regex and method pair.
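The following is an added worked example of the config format and evaluation rules described in this story (the three whitespace-separated columns, comma-separated lists, non-breaking spaces in role names, ANY/ALL, "all matching rows must pass", reject on no match, and the mask-roles 404 option). It is illustration code written for this page, not the Repose filter's own implementation. Assumptions it makes that the story does not settle: the URL regex must match the whole request path; ANY and ALL on the methods column both mean every method; on the roles column ALL admits everyone (even a request with no roles) while ANY requires at least one role; a request that matches no row is rejected with the same status as a role failure; roles arrive in an `X-Roles` header; lines starting with `#` are comments; and the sample config is constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Set

NBSP = "\u00a0"  # a non-breaking space stands in for a space inside a role name

# Constructed sample config (not from the story). Columns: url regex, methods, roles.
# The role "site reliability" is written with a non-breaking space (\u00a0).
CONFIG = (
    "# url regex                 methods    roles\n"
    "/servers/?                  GET        ALL\n"
    "/servers/?                  POST       admin,ops\n"
    "/servers/[^/]+/?            ANY        ops,site\u00a0reliability\n"
    "/servers/[^/]+/?            DELETE     admin\n"
    "/servers/[^/]+/actions/.*   POST,PUT   admin\n"
    "/status/?                   GET        ANY\n"
)


@dataclass
class Rule:
    url: "re.Pattern[str]"
    methods: Set[str]  # upper-cased; may contain the keywords ANY / ALL
    roles: Set[str]    # may contain the keywords ANY / ALL


def parse_config(text: str) -> List[Rule]:
    """Parse rows of '<url regex> <methods> <roles>' separated by runs of spaces/tabs.

    Only ' ' and '\\t' separate columns. Python's \\s would also match the
    non-breaking space, which would split a role name such as 'site\\u00a0reliability'
    into two columns, so the separator class is spelled out explicitly.
    Comment lines starting with '#' are an assumption of this example.
    """
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip(" \t")
        if not line or line.startswith("#"):
            continue
        cols = re.split(r"[ \t]+", line)
        if len(cols) != 3:
            raise ValueError(f"line {lineno}: expected 3 columns, got {len(cols)}")
        url, methods, roles = cols
        rules.append(Rule(
            url=re.compile(url),
            methods={m.upper() for m in methods.split(",") if m},
            # Translate the NBSP back to a real space so it compares equal to the
            # value the request carries (assumption about the intended semantics).
            roles={r.replace(NBSP, " ") for r in roles.split(",") if r},
        ))
    return rules


def parse_roles_header(value: str) -> List[str]:
    """Split a comma-separated role header (assumed to be X-Roles) into role names."""
    return [r.strip() for r in value.split(",") if r.strip()]


def authorize(rules: List[Rule], method: str, path: str, roles: List[str],
              mask_roles: bool = False) -> int:
    """Return 200 if the request passes, otherwise 403 (404 when mask_roles is set).

    Every row whose regex matches the whole path and whose methods include the
    request method is applicable, and each applicable row must be satisfied;
    order of rows is irrelevant. No applicable row at all is a rejection.
    """
    method = method.upper()
    have = set(roles)
    denied = 404 if mask_roles else 403
    matched = False
    for rule in rules:
        if not rule.url.fullmatch(path):
            continue
        if not (rule.methods & {"ANY", "ALL"}) and method not in rule.methods:
            continue
        matched = True
        if "ALL" in rule.roles:          # assumption: ALL admits everyone
            continue
        if "ANY" in rule.roles and have:  # assumption: ANY needs at least one role
            continue
        if rule.roles & have:
            continue
        return denied                     # this applicable row is not satisfied
    return 200 if matched else denied


if __name__ == "__main__":
    rules = parse_config(CONFIG)
    for m, p, r in [("GET", "/servers", ""), ("DELETE", "/servers/123", "ops"),
                    ("DELETE", "/servers/123", "ops, admin"), ("GET", "/servers/1", "site reliability")]:
        print(m, p, repr(r), "->", authorize(rules, m, p, parse_roles_header(r)))
```

The `DELETE /servers/123` cases show the "all applicable rows must pass" rule: both the `ANY`-method row (needing `ops` or `site reliability`) and the `DELETE` row (needing `admin`) match, so a request with only one of those roles is refused and one with both is allowed.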

Environment

None
Status: Done

Capitalizable: True

Time remaining: 0h

Created October 3, 2017 at 8:20 PM
Updated November 17, 2017 at 6:47 PM
Resolved November 9, 2017 at 2:55 PM