
Feature request: "allow by" for other claims (such as groups) and general RBAC/ACL functionality #175

Open
lifeofguenter opened this issue Nov 11, 2019 · 7 comments

Comments

@lifeofguenter

Would be great if one could whitelist users by something other than their username?

@artagel
Contributor

artagel commented Nov 11, 2019

You can do advanced whitelisting based on any claim you want using the openresty examples.

@toxuin

toxuin commented May 26, 2020

I really don't like the idea of switching my whole ingress controller just to be able to do this. Is there a reasoning why this does not belong to vouch's core functionality?

@bnfinet
Member

bnfinet commented May 26, 2020

Nope, the issue is still open. I think this would be a good feature.

@toxuin is this something you are interested in working on?

@toxuin

toxuin commented May 26, 2020

It's good to know it's on the roadmap! 👍
I wish I knew Go at a level that would be worthy of this project. I'll see what I can do, but don't get your hopes up 😄

@bnfinet
Member

bnfinet commented Jul 7, 2020

FYI - wrt configuration parameter naming we would like to use allow and deny in place of whitelist and blacklist going forward

@bnfinet bnfinet changed the title Feature request: whitelist by other scopes? Feature request: allow by other scopes? Jul 10, 2020
@phibos
Contributor

phibos commented Dec 17, 2020

I think having more options to verify access directly with VP is a great idea.

Implementing an access-list-like feature might be a very flexible way. Please have a look at the example below.

```yaml
vouch:
  access:
    - name: groups
      action: allow
      match: group
    - name: username
      action: deny
      match: "^.*@guest.example.org$"
      is_regex: true
    - name: username
      action: allow
      match: "^.*@.*example.org$"
      is_regex: true
```

The rules are processed from top to bottom and the first match wins. If no rule matches, the access is denied. In the future this could also replace the whitelist, teamWhitelist and #251

We could replace this ...

... with this ...

```yaml
vouch:
  access:
    - name: username
      action: allow
      matches:
        - [email protected]
        - [email protected]
        - [email protected]
```

At the moment I don't know if we should make multiple access lists and use the requestedURL to choose which one to use. With this we could also implement the feature requested in #114.

@bnfinet bnfinet changed the title Feature request: allow by other scopes? Feature request: allow by other scopes Dec 18, 2020
@bnfinet
Member

bnfinet commented Oct 27, 2022

(follow on discussion from #504)

@tboerger when I think of this feature it probably...

  • lives in pkg/rbac/rbac.go (or maybe pkg/acl/acl.go)
  • follows most of the design that @phibos lays out above
  • allows us to rename vouch.whitelist to vouch.allow (with backward compatibility for now)
  • is subordinate to the existing vouch.whitelist (vouch.allow) list (must clear that first if present)
    • perhaps that logic lives in pkg/rbac/allow.go
  • might be able to replace the checking portion of vouch.domains as well (maybe)

I'd welcome a PR but I have to warn you that I am horribly behind on integrating PRs on my projects and VP work in general. Please bear with me, this work is on my radar.

@bnfinet bnfinet changed the title Feature request: allow by other scopes Feature request: "allow by" for other claims (such as groups) and general RBAC/ACL functionality Oct 27, 2022