Set Initial Pod Clients Allow List
The default ACP policies for a new Pod state that an agent whose WebID matches the Pod owner, and who is using an application whose ClientID matches a value listed in the policy, is allowed Read and Write access. Because this list seeds Read and Write access on every new Pod, it should contain only client identifiers you trust.
Starting in 2.1, the Authorization Service uses its INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST configuration to initialize the client matcher portion of these initial policies. [1]
Note
INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST only affects the initial policies written during Pod creation. Once the initial policies have been created, changing the list has no effect on existing policies; Pods created earlier keep the client matcher they were created with.
Example Customization
The following customization sets INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST on the Authorization Service deployment.
1. Go to your ESS installation directory:

   cd ${HOME}/ess

2. Create an authz-default-acr-client-id-allow-list.yaml file with the following content:

   apiVersion: apps/v1
   kind: Deployment
   metadata:
     name: ess-authorization-acp
   spec:
     template:
       spec:
         containers:
           - env:
               - name: INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST
                 value: https://myPodApp.example.com/appid
             name: ess-authorization-acp

3. Modify the kustomization.yaml file (i.e., step 3 of the Applying Your Customizations procedure) to use authz-default-acr-client-id-allow-list.yaml. Specifically, add the following entry to the patches section of kustomization.yaml:

   Tip
   If the patches key does not exist in kustomization.yaml, add the patches key as well.

   # kustomization.yaml in your ESS installation directory
   # ... Preceding content omitted for brevity
   # ...
   patches:
     - path: authz-default-acr-client-id-allow-list.yaml

4. Continue with the rest of the Applying Your Customizations procedure.
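As an added example (not part of the ESS documentation or product), the following Python script renders the strategic-merge patch above from a client ID and then checks a Deployment, as returned by `kubectl get deployment ess-authorization-acp -o json`, for the variable on the correct container. It assumes the Deployment and container names used in the patch above, that a ClientID is an absolute https URL (a Solid-OIDC client identifier), and, like the page, a single client ID; the two Deployment objects it checks are constructed inline, one with the patch applied correctly and one where the variable landed on a sidecar container.

```python
"""Render the ESS allow-list patch and verify it landed on the right container.

Added example, not ESS code. Assumptions: Deployment and container are both
named "ess-authorization-acp" (as in the page's patch); a ClientID is an
absolute https URL; a single client ID is configured, as on the page.
"""
import json
from typing import Optional
from urllib.parse import urlsplit

ENV_NAME = "INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST"
DEPLOYMENT = "ess-authorization-acp"  # Deployment name from the page's patch (assumed)
CONTAINER = "ess-authorization-acp"   # container name from the page's patch (assumed)


def validate_client_id(client_id: str) -> str:
    """Reject anything that is not an absolute https URL.

    Assumption: the client matcher compares the Solid-OIDC client identifier,
    which is a URL, so a bare name or an http URL would never match a client.
    """
    parts = urlsplit(client_id)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"client ID must be an absolute https URL: {client_id!r}")
    if any(ch.isspace() for ch in client_id):
        raise ValueError(f"client ID must not contain whitespace: {client_id!r}")
    return client_id


def render_patch(client_id: str) -> str:
    """Return the Kustomize strategic-merge patch YAML for one client ID."""
    value = json.dumps(validate_client_id(client_id))  # JSON string is valid quoted YAML
    return "\n".join([
        "apiVersion: apps/v1",
        "kind: Deployment",
        "metadata:",
        f"  name: {DEPLOYMENT}",
        "spec:",
        "  template:",
        "    spec:",
        "      containers:",
        f"        - name: {CONTAINER}",
        "          env:",
        f"            - name: {ENV_NAME}",
        f"              value: {value}",
        "",
    ])


def allow_list_from_deployment(deployment: dict) -> Optional[str]:
    """Return the allow-list value set on the target container, or None.

    `deployment` is the parsed output of
    `kubectl get deployment ess-authorization-acp -o json`. A value on any
    other container (for example a sidecar) is ignored, because only the
    authorization service container's own environment matters.
    """
    if deployment.get("metadata", {}).get("name") != DEPLOYMENT:
        return None
    for container in deployment["spec"]["template"]["spec"]["containers"]:
        if container.get("name") != CONTAINER:
            continue
        for env in container.get("env", []):
            if env.get("name") == ENV_NAME:
                return env.get("value")  # None if the variable uses valueFrom
    return None


# Constructed sample: the patch landed on the authorization service container.
PATCHED = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": DEPLOYMENT},
    "spec": {"template": {"spec": {"containers": [
        {"name": CONTAINER, "env": [
            {"name": "JAVA_OPTS", "value": "-Xmx1g"},
            {"name": ENV_NAME, "value": "https://myPodApp.example.com/appid"},
        ]},
    ]}}},
}

# Constructed sample: a typo in the patch's container name put the variable
# on a sidecar, so the service never sees it and new Pods get no client match.
MISPATCHED = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": DEPLOYMENT},
    "spec": {"template": {"spec": {"containers": [
        {"name": CONTAINER, "env": [{"name": "JAVA_OPTS", "value": "-Xmx1g"}]},
        {"name": "sidecar", "env": [
            {"name": ENV_NAME, "value": "https://myPodApp.example.com/appid"},
        ]},
    ]}}},
}

if __name__ == "__main__":
    print(render_patch("https://myPodApp.example.com/appid"))
    print("patched:", allow_list_from_deployment(PATCHED))
    print("mispatched:", allow_list_from_deployment(MISPATCHED))
```

Run the check against the live cluster with `kubectl get deployment ess-authorization-acp -o json | python -c 'import json,sys; from this_script import allow_list_from_deployment; print(allow_list_from_deployment(json.load(sys.stdin)))'` after applying your customizations; a `None` result means the patch did not reach the authorization service container, and, per the Note above, any Pods created in the meantime will have been initialized without the intended client matcher.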