Set Authorization Client Allow List#
The Authorization Service uses its
INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST
option to specify which
applications can access Access Control Resources (ACRs). Only the clients associated with the Client IDs in the list can modify the ACRs (i.e.,
modify access policies for resources).
Disambiguation
Both Authorization Service and
Pod Storage Service have an
INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST
setting.
Only the Authorization Service setting affects which clients are allowed.
The Pod Storage Service is for
Discovery purposes only. As such, the
setting
in
Pod Storage Service should reflect the values set in the
Authorization Service’s.
Note
In ESS 2.0, ESS also uses the Authorization Service’s
INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST
to create the
initial ACP policies for a new Pod.
Starting in ESS 2.1, ESS uses the Authorization Service’s
INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST
, if set, for
the initial policies. But if
INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST
is unset, ESS uses the Authorization Service’s
INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST
instead (same as in ESS
2.0).
To set
INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST
, see
Set Initial Pod Clients Allow List.
Example Customization#
The following customization updates:
INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST
for Authorization Service andthe corresponding
INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST
for Pod Storage Service (for Discovery only).
Go to your ESS installation directory:
cd ${HOME}/ess
Create a
authz-client-id-allow-list.yaml
file with the following content:apiVersion: apps/v1 kind: Deployment metadata: name: ess-authorization-acp spec: template: spec: containers: - env: - name: INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST value: https://myApp.example.com/appid,https://podbrowser.inrupt.com/api/app name: ess-authorization-acp
Create a
podconfig-client-id-allow-list.yaml
file with the following content:apiVersion: apps/v1 kind: Deployment metadata: name: ess-pod-storage spec: template: spec: containers: - env: - name: INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST value: https://myApp.example.com/appid,https://podbrowser.inrupt.com/api/app name: ess-pod-storage
Modify the
kustomization.yaml
(i.e., step 3 of the Applying Your Customizations procedure) to useauthz-client-id-allow-list.yaml
andpodconfig-client-id-allow-list.yaml
.Specifically, add the highlighted content to the
kustomization.yaml
file to thepatches
section:Tip
If the
patches
key does not exist inkustomization.yaml
, add the keypatches
as well.# kustomization.yaml in your ESS installation directory # ... Preceding content omitted for brevity # ... patches: - path: authz-client-id-allow-list.yaml - path: podconfig-client-id-allow-list.yaml
Continue with the rest of the Applying Your Customizations procedure.