Set Initial Pod Clients Allow List
The default ACP policies for a new Pod state that an agent whose WebID matches the Pod owner, and who is using an application whose ClientID matches a value listed in the policy, is allowed Read and Write access.
The Authorization Service uses its INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST configuration to initialize the client matcher portion of these initial policies.
If INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST is unset, ESS uses the Authorization Service's INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST instead. See Set Authorization Client Allow List for details on configuring it.
Example Customization
The following customization updates INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST.
1. Go to your ESS installation directory:

   cd ${HOME}/ess

2. Create an authz-default-acr-client-id-allow-list.yaml file with the following content:

   apiVersion: apps/v1
   kind: Deployment
   metadata:
     name: ess-authorization-acp
   spec:
     template:
       spec:
         containers:
           - env:
               - name: INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST
                 value: https://myPodApp.example.com/appid
             name: ess-authorization-acp

3. Modify the kustomization.yaml file (i.e., step 3 of the Applying Your Customizations procedure) to use authz-default-acr-client-id-allow-list.yaml. Specifically, add the path entry shown below to the patches section of the kustomization.yaml file:

   # kustomization.yaml in your ESS installation directory
   # ... Preceding content omitted for brevity
   # ...
   patches:
   - path: authz-default-acr-client-id-allow-list.yaml

4. Continue with the rest of the Applying Your Customizations procedure.
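The patch file above is hand-written; when several applications need to be in the initial allow list, a typo in one ClientID silently changes who gets Read/Write access to every new Pod. The following script is an added example, not part of the ESS documentation or Inrupt's tooling: it generates the same kustomize patch from a list of ClientIDs, refusing any value that is not an absolute https URL (Solid ClientIDs are URIs, and ESS serves them over TLS). It assumes, as for the Authorization Service's general allow list, that multiple IDs are joined with commas; the deployment and container name ess-authorization-acp and the variable name come from the page.

```shell
#!/bin/sh
# Added example (not Inrupt's code): write the kustomize patch that sets
# INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST on the
# ess-authorization-acp Deployment.
#
# write_allow_list_patch OUTPUT_FILE CLIENT_ID [CLIENT_ID...]
#   - every CLIENT_ID must be an absolute https URL, otherwise nothing is
#     written and the function returns 1
#   - IDs are joined with commas (assumption: same separator as
#     INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST)
write_allow_list_patch() {
  out="$1"
  shift
  [ "$#" -ge 1 ] || { echo "at least one client ID is required" >&2; return 1; }

  list=""
  for id in "$@"; do
    case "$id" in
      https://*) ;;
      *)
        echo "rejecting client ID (must be an absolute https URL): $id" >&2
        return 1
        ;;
    esac
    # reject separators inside an ID, which would split it into two entries
    case "$id" in
      *,*|*" "*)
        echo "rejecting client ID (contains a comma or space): $id" >&2
        return 1
        ;;
    esac
    list="${list:+$list,}$id"
  done

  # The heredoc body is left at column 0 so the YAML indentation is exact.
  cat > "$out" <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ess-authorization-acp
spec:
  template:
    spec:
      containers:
        - env:
            - name: INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST
              value: $list
          name: ess-authorization-acp
EOF
}

# Stand-alone usage:
#   sh make-allow-list-patch.sh authz-default-acr-client-id-allow-list.yaml \
#       https://myPodApp.example.com/appid
if [ "$#" -ge 2 ]; then
  write_allow_list_patch "$@"
fi
```

Run it from the ESS installation directory so the generated file sits next to kustomization.yaml, then add the path entry to the patches section as in step 3. Rendering the overlay afterwards (for example with kubectl kustomize) and checking that the ess-authorization-acp container carries exactly the expected value is a cheap way to confirm the patch applied before deploying.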