Set Authorization Client Allow List
The Authorization Service uses its INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST option to specify which applications can access Access Control Resources (ACRs). Only the clients associated with the Client IDs in the list can modify the ACRs (i.e., modify access policies for resources).
Disambiguation
Both the Authorization Service and the Pod Storage Service have an INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST setting. Only the Authorization Service setting affects which clients are allowed. The Pod Storage Service setting is for Discovery purposes only. As such, the setting in the Pod Storage Service should reflect the values set in the Authorization Service's.
Note
In ESS 2.0, ESS also uses the Authorization Service's INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST to create the initial ACP policies for a new Pod.
Starting in ESS 2.1, ESS uses the Authorization Service's INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST, if set, for the initial policies. If INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST is unset, ESS uses the Authorization Service's INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST instead (as in ESS 2.0).
To set INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST, see Set Initial Pod Clients Allow List.
Example Customization
The following customization updates INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST for the Authorization Service and the corresponding INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST for the Pod Storage Service (for Discovery only).
1. Go to your ESS installation directory:

   cd ${HOME}/ess

2. Create an authz-client-id-allow-list.yaml file with the following content:

   apiVersion: apps/v1
   kind: Deployment
   metadata:
     name: ess-authorization-acp
   spec:
     template:
       spec:
         containers:
           - env:
               - name: INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST
                 value: https://myApp.example.com/appid
             name: ess-authorization-acp

3. Create a podconfig-client-id-allow-list.yaml file with the following content:

   apiVersion: apps/v1
   kind: Deployment
   metadata:
     name: ess-pod-storage
   spec:
     template:
       spec:
         containers:
           - env:
               - name: INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST
                 value: https://myApp.example.com/appid
             name: ess-pod-storage

4. Modify the kustomization.yaml (i.e., step 3 of the Applying Your Customizations procedure) to use authz-client-id-allow-list.yaml and podconfig-client-id-allow-list.yaml. Specifically, add the two path entries shown below to the patches section of the kustomization.yaml file:

   Tip
   If the patches key does not exist in kustomization.yaml, add the patches key as well.

   # kustomization.yaml in your ESS installation directory
   # ... Preceding content omitted for brevity
   # ...
   patches:
     - path: authz-client-id-allow-list.yaml
     - path: podconfig-client-id-allow-list.yaml

5. Continue with the rest of the Applying Your Customizations procedure.
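As an added example (not from the Inrupt documentation or the ESS distribution), the following POSIX shell script generates both patch files of the procedure above from a single allow list, so the Pod Storage copy described in the Disambiguation note cannot drift from the Authorization Service value, and reads the value back from each patch to detect drift in hand-edited files. The helper names (write_patch, allow_list_value, allow_lists_match, allow_list_entries_valid, WORKDIR, ALLOW_LIST) are this example's own; it assumes the allow list is a comma-separated list of client identifier URLs, and the second URL in the sample list is a constructed value.

```shell
#!/bin/sh
# Assumption (not stated on the page): the allow list is a comma-separated list of client identifier URLs.
WORKDIR=$(mktemp -d)

# Emit a strategic-merge patch for deployment $1 that sets the allow list to $2, written to file $3.
write_patch() {
  cat > "$3" <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: $1
spec:
  template:
    spec:
      containers:
        - env:
            - name: INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST
              value: "$2"
          name: $1
EOF
}

# Print the allow list value found in a patch file (empty output when the variable is absent).
allow_list_value() {
  awk '
    /name: INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST[[:space:]]*$/ { want = 1; next }
    want && /^[[:space:]]*value:/ { sub(/^[[:space:]]*value:[[:space:]]*/, ""); gsub(/"/, ""); print; exit }
  ' "$1"
}

# Succeed only when both patch files carry the same, non-empty allow list.
allow_lists_match() {
  a=$(allow_list_value "$1")
  b=$(allow_list_value "$2")
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Every entry must be an absolute https URL; an empty list or one malformed entry fails the check.
allow_list_entries_valid() {
  echo "$1" | tr ',' '\n' | grep -qvE '^https://[^[:space:]/]+(/[^[:space:]]*)?$' && return 1
  return 0
}

# Constructed sample values; the second URL is not a real client identifier.
ALLOW_LIST="https://myApp.example.com/appid,https://podbrowser.example.org/api/app"
write_patch ess-authorization-acp "$ALLOW_LIST" "$WORKDIR/authz-client-id-allow-list.yaml"
write_patch ess-pod-storage "$ALLOW_LIST" "$WORKDIR/podconfig-client-id-allow-list.yaml"
# A hand-edited Pod Storage copy that lost an entry: the drift the Disambiguation note warns against.
write_patch ess-pod-storage "https://myApp.example.com/appid" "$WORKDIR/podconfig-drifted.yaml"
```

Run allow_lists_match against the two patch files before applying the kustomization; a non-zero exit means the Discovery copy no longer matches what the Authorization Service will actually enforce.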