Set Authorization Client Allow List

The Authorization Service uses its INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST option to specify which applications can access Access Control Resources (ACRs) . Only the clients associated with the Client IDs in the list can modify the ACRs (i.e., modify access policies for resources).

Disambiguation Both Authorization Service and Pod Storage Service have an INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST setting.

Only the Authorization Service setting affects which clients are allowed.

The Pod Storage Service is for Discovery purposes only. As such, the setting in Pod Storage Service should reflect the values set in the Authorization Service’s.

ESS also uses the Authorization Service's INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST to create the initial ACP policies for a new Pod .

ESS uses the Authorization Service's INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST , if set, for the initial policies. But if INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST is unset, ESS uses the Authorization Service's INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST instead.

To set INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST, see Set Initial Pod Clients Allow List.

Example Customization

The following customization updates:

INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST for Authorization Service and
the corresponding INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST for Pod Storage Service (for Discovery only).

Go to your ESS installation directory:
```
cd ${HOME}/ess
```

Create a authz-client-id-allow-list.yaml file with the following content:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: ess-authorization-acp
spec:
  template:
    spec:
      containers:
      - env:
        - name: INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST
          value: https://myApp.example.com/appid
        name: ess-authorization-acp

Create a podconfig-client-id-allow-list.yaml file with the following content:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: ess-pod-storage
spec:
  template:
    spec:
      containers:
      - env:
        - name: INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST
          value: https://myApp.example.com/appid
        name: ess-pod-storage

Modify the kustomization.yaml (i.e., step 3 of the Applying Your Customizations procedure) to use authz-client-id-allow-list.yaml and podconfig-client-id-allow-list.yaml . Specifically, add the highlighted content to the kustomization.yaml file to the patches section:

Tip

If the patches key does not exist in kustomization.yaml , add the key patches as well.

<pre class="language-yaml"><code class="lang-yaml">
# kustomization.yaml in your ESS installation directory
# ...  Preceding content omitted for brevity 
# ...
patches:
<strong>  - path: authz-client-id-allow-list.yaml
  - path: podconfig-client-id-allow-list.yaml
</strong>
</code></pre>

Continue with the rest of the Applying Your Customizations procedure.

PreviousSecurity Customization NextSet Initial Pod Clients Allow List

Last updated 9 days ago