Details

    • Type: Story
    • Status: Resolved (View workflow)
    • Priority: Medium
    • Resolution: Done
    • Affects versions: None
    • Fix versions: 8.7.3.0
    • Components: None
    • Labels:
      None
    • Sprint:
      Sprint 155
    • Story Points:
      5
    • Capitalizable:
      True

      Description

      The Simple RBAC filter is not simple enough. The filter's configuration gets converted into a WADL which puts some limits on what it can support and forces the user to think about how the configuration will be converted which really takes away from the "simple" aspect.

      We should create a new Super Simple RBAC filter (Simpler RBAC? SRBAC? Simple Simple RBAC?) that doesn't go through a WADL.

      What does it need to support?

      • It should support regex in the configured URL.
      • Formatting of config will look the same as the Simple RBAC filter.
        • URL will be a regex string.
        • List of roles and methods should be comma separated.
        • Support role names with spaces through the use of a   character.
        • Values in each row will be separated by some amount of whitespace (number of spaces does not matter).
      • Rules for config
        • All applicable (URL regexes)/methods/roles must pass for the request to go through
          • That is, order does not matter.
        • If there is no match with the request, it is rejected.

      Questions:

      • Does it need to be released feature complete? Can anything be a fast-follow?
        • Configurable role header name? - Nope
        • Mask rax roles? - Sure, Should Be Easy (TM)
        • JMX Metrics (api coverage metrics)? - Nope
        • Delegation? - Sure
      • Performance testing? - Obviously
      • Impersonator roles? - Yes, plz? We'll put it in another story since it would be an optional 4th column.
        • It would add an additional requirement to the request that someone have an impersonation header with the configured role.

      Acceptance Criteria:

      • We create a new Regex RBAC filter.
      • The filter supports RBAC on requests against a regex configured URLs.
      • The filter supports specifying HTTP methods including an "ANY" and "ALL".
      • The filter supports specifying a list of allowed roles including an "ANY" and "ALL".
      • The filter supports roles with spaces by having them specified as a non-breaking space character.
      • The filter supports a Mask Rax Roles option (return 404 instead of 403) but it can be called something else.
      • The filter supports Delegation.
      • The filter will only allow a request if it contains one or more roles associated with each matching URL regex and method pair.

        Attachments

          Issue links

            Activity

              People

              • Assignee:
                wdschei Bill Scheidegger
                Reporter:
                mario.lopez Mario Lopez
              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: