Set Authorization Client Allow List

The Authorization Service uses its INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST option to specify which applications can access Access Control Resources (ACRs). Only the clients associated with the Client IDs in the list can modify the ACRs (i.e., modify access policies for resources).

Disambiguation

Both Authorization Service and Pod Storage Service have an INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST setting.

Only the Authorization Service setting affects which clients are allowed.

The Pod Storage Service setting is used for Discovery purposes only; it does not enforce anything. As such, its value should mirror the value set in the Authorization Service's INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST.

Note

In ESS 2.0, ESS also uses the Authorization Service’s INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST to create the initial ACP policies for a new Pod.

Starting in ESS 2.1, ESS uses the Authorization Service’s INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST, if set, for the initial policies. But if INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST is unset, ESS uses the Authorization Service’s INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST instead (same as in ESS 2.0).

To set INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST, see Set Initial Pod Clients Allow List.

Example Customization

The following customization sets INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST to the same value on both the Authorization Service and the Pod Storage Service:

  1. Go to your ESS installation directory:

    cd ${HOME}/ess
    
  2. Create an authz-client-id-allow-list.yaml file with the following content:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: ess-authorization-acp
    spec:
      template:
        spec:
          containers:
          - env:
            - name: INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST
              value: https://myApp.example.com/appid
            name: ess-authorization-acp
    
  3. Create a podconfig-client-id-allow-list.yaml file with the following content:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: ess-pod-storage
    spec:
      template:
        spec:
          containers:
          - env:
            - name: INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST
              value: https://myApp.example.com/appid
            name: ess-pod-storage
    
  4. Modify the kustomization.yaml (i.e., step 3 of the Applying Your Customizations procedure) to use authz-client-id-allow-list.yaml and podconfig-client-id-allow-list.yaml.

    Specifically, add the two path entries shown below to the patches section of the kustomization.yaml file:

    Tip

    If the patches key does not exist in kustomization.yaml, add the key patches as well.

    # kustomization.yaml in your ESS installation directory
    
    # ...  Preceding content omitted for brevity 
    # ...
    
    patches:
      - path: authz-client-id-allow-list.yaml
      - path: podconfig-client-id-allow-list.yaml
    
  5. Continue with the rest of the Applying Your Customizations procedure.
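Because only the Authorization Service value is enforced while the Pod Storage value is merely advertised for Discovery, the practical failure mode of this procedure is drift: the two patch files (or, later, the two live Deployments) end up with different allow lists. The following script is an added example, not part of the Inrupt documentation or the ESS distribution; it checks that both patch files set the same INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST value before you run the Applying Your Customizations procedure. It assumes the patch files use exactly the layout shown above (a `- name:` line followed by a `value:` line). The function names `allow_list_from_patch`, `allow_lists_match`, `allow_list_from_cluster` and `write_patch` are hypothetical, and the sample files written by `write_patch` are constructed input for the self-check.

```shell
#!/usr/bin/env sh
# Added example (not from the ESS documentation). Pre-apply drift check for
# INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST across the two kustomize patches.

# Print the value of env var $2 from the strategic-merge patch file $1.
# Tracks the most recent "- name:" entry so a "value:" line is only taken
# when it belongs to the variable we asked for.
allow_list_from_patch() {
  awk -v want="$2" '
    $1 == "-" && $2 == "name:" { found = ($3 == want); next }
    found && $1 == "value:" {
      sub(/^[[:space:]]*value:[[:space:]]*/, "")
      sub(/[[:space:]]+$/, "")
      print
      exit
    }
  ' "$1"
}

# Return 0 when both patch files set the same, non-empty allow list.
allow_lists_match() {
  a=$(allow_list_from_patch "$1" INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST)
  b=$(allow_list_from_patch "$2" INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Same lookup against a live Deployment ($1) and container ($2); needs
# cluster access, so it is not exercised by the self-check below.
allow_list_from_cluster() {
  kubectl get deployment "$1" -o jsonpath="{.spec.template.spec.containers[?(@.name==\"$2\")].env[?(@.name==\"INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST\")].value}"
}

# Write a patch file in the shape shown on this page (constructed sample
# input for the self-check). $1 = path, $2 = Deployment/container name,
# $3 = allow-list value.
write_patch() {
  cat > "$1" <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: $2
spec:
  template:
    spec:
      containers:
      - env:
        - name: INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST
          value: $3
        name: $2
EOF
}

main() {
  dir=$(mktemp -d)
  write_patch "$dir/authz-client-id-allow-list.yaml" ess-authorization-acp https://myApp.example.com/appid
  write_patch "$dir/podconfig-client-id-allow-list.yaml" ess-pod-storage https://myApp.example.com/appid
  if allow_lists_match "$dir/authz-client-id-allow-list.yaml" "$dir/podconfig-client-id-allow-list.yaml"; then
    echo "OK: Pod Storage discovery value mirrors the Authorization Service allow list"
  else
    echo "MISMATCH: Pod Storage value does not mirror the Authorization Service allow list" >&2
    rm -rf "$dir"
    return 1
  fi
  rm -rf "$dir"
}

main
```

Run it against your real files by calling `allow_lists_match authz-client-id-allow-list.yaml podconfig-client-id-allow-list.yaml` from the ESS installation directory; after the customizations are applied, `allow_list_from_cluster ess-authorization-acp ess-authorization-acp` and `allow_list_from_cluster ess-pod-storage ess-pod-storage` give the same comparison against the running Deployments.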