Set Initial Pod Clients Allow List

The default ACP policies for a new Pod state that an agent whose WebID matches the Pod owner, and who is using an application whose ClientID matches a value listed in the policy, is allowed Read and Write access.

Starting in 2.1, Authorization Service uses its INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST configuration to initialize the client matcher portion of the initial policies. [1]

Note

INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST only affects the initial policies during Pod creation. Once the initial policies have been created, any change to the list has no effect on existing policies.

Example Customization

The following customization updates INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST.

  1. Go to your ESS installation directory:

    cd ${HOME}/ess
    
  2. Create an authz-default-acr-client-id-allow-list.yaml file with the following content:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: ess-authorization-acp
    spec:
      template:
        spec:
          containers:
          - env:
            - name: INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST
              value: https://myPodApp.example.com/appid
            name: ess-authorization-acp
    
  3. Modify the kustomization.yaml (i.e., step 3 of the Applying Your Customizations procedure) to use authz-default-acr-client-id-allow-list.yaml.

    Specifically, add the following content to the patches section of the kustomization.yaml file:

    Tip

    If the patches key does not exist in kustomization.yaml, add the key patches as well.

    # kustomization.yaml in your ESS installation directory
    
    # ... Preceding content omitted for brevity
    # ...
    
    patches:
      - path: authz-default-acr-client-id-allow-list.yaml
    
  4. Continue with the rest of the Applying Your Customizations procedure.
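The patch above hard-codes a single ClientID. The script below is an added example, not part of the ESS documentation or its deployment files: it generates the same Kustomize patch from a list of ClientIDs, refusing any entry that is not an absolute https URL, so a typo or an http:// entry is caught before the file is applied and baked into every new Pod's initial policy. It reuses the Deployment and container name (ess-authorization-acp) from the patch on this page; the assumption that several ClientIDs are joined with commas is the example's own, not something this page states, so check the Authorization Service reference before relying on it.

```shell
#!/usr/bin/env sh
# Added example (not from the ESS documentation). Generates the
# authz-default-acr-client-id-allow-list.yaml patch from validated ClientIDs.
# Assumption (not stated on this page): multiple ClientIDs are comma-separated.

# Accept only absolute https URLs with no whitespace and no comma
# (a comma would silently split one ClientID into two under the assumption above).
valid_client_id() {
  case "$1" in
    *[[:space:]]*) return 1 ;;
    *,*)           return 1 ;;
    https://?*)    return 0 ;;
    *)             return 1 ;;
  esac
}

# Join the validated ClientIDs into the env value; fail on the first bad entry.
build_allow_list() {
  list=""
  for id in "$@"; do
    valid_client_id "$id" || { echo "rejected ClientID: $id" >&2; return 1; }
    if [ -z "$list" ]; then list="$id"; else list="$list,$id"; fi
  done
  printf '%s\n' "$list"
}

# Write the Deployment patch (same shape as the page's YAML) to the given path.
write_patch() {
  out="$1"; shift
  list=$(build_allow_list "$@") || return 1
  cat > "$out" <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ess-authorization-acp
spec:
  template:
    spec:
      containers:
      - env:
        - name: INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST
          value: "$list"
        name: ess-authorization-acp
EOF
}

# Usage from the ESS installation directory, e.g.:
#   write_patch authz-default-acr-client-id-allow-list.yaml https://myPodApp.example.com/appid
```

After writing the file, step 3 above still applies: list it under patches in kustomization.yaml, then continue with the Applying Your Customizations procedure. Remember that the value only seeds policies for Pods created afterwards; existing Pods keep the policies they were created with.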