Set Initial Pod Clients Allow List
The default ACP policies for a new Pod state that an agent whose WebID matches the Pod owner's, and who is using an application whose ClientID matches a value listed in the policy, is allowed Read and Write access.
Starting in 2.1, the Authorization Service uses its INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST configuration to initialize the client matcher portion of the initial policies. This setting only affects the initial policies during Pod creation. Once the initial policies have been created, any change to the list has no effect on existing policies.
The following customization updates
Go to your ESS installation directory:
Create an `authz-default-acr-client-id-allow-list.yaml` file with the following content:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ess-authorization-acp
spec:
  template:
    spec:
      containers:
        - env:
            - name: INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST
              value: https://myPodApp.example.com/appid,https://podbrowser.inrupt.com/api/app
          name: ess-authorization-acp
```
Update the `kustomization.yaml` file (i.e., step 3 of the Applying Your Customizations procedure) to use `authz-default-acr-client-id-allow-list.yaml`. Specifically, add the following `path` entry to the `patches` key in the `kustomization.yaml` file. If the `patches` key does not exist in `kustomization.yaml`, add the key:
```yaml
# kustomization.yaml in your ESS installation directory
# ... Preceding content omitted for brevity
# ...
patches:
  - path: authz-default-acr-client-id-allow-list.yaml
```
Continue with the rest of the Applying Your Customizations procedure.
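As an added pre-deployment check (not Inrupt's code and not part of the page), the following Python validates the comma-separated allow list value before it is written into the patch above; because the list is read only at Pod creation, a malformed entry baked into the initial policies is not corrected by a later change to the list. The rules it enforces (absolute https URL, no stray whitespace, no duplicates) are assumptions based on the ClientIDs shown on this page, and `parse_allow_list` and `render_patch` are hypothetical helper names.

```python
from urllib.parse import urlsplit

# Names taken from the page's patch; the validation rules below are assumptions.
ENV_NAME = "INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST"
NAME = "ess-authorization-acp"  # both the Deployment and the container name


def parse_allow_list(value: str) -> list[str]:
    """Split the comma-separated allow list and reject entries that would become
    a bad client matcher in every new Pod's initial policy. Assumed rules: each
    entry is an absolute https URL, with no surrounding whitespace and no
    duplicates. Raises ValueError naming the offending entry."""
    if not value:
        raise ValueError("allow list is empty")
    entries = value.split(",")
    seen: set[str] = set()
    for raw in entries:
        if raw == "" or raw != raw.strip():
            raise ValueError(f"empty entry or stray whitespace: {raw!r}")
        parts = urlsplit(raw)
        if parts.scheme != "https" or not parts.netloc:
            raise ValueError(f"ClientID is not an absolute https URL: {raw!r}")
        if raw in seen:
            raise ValueError(f"duplicate ClientID: {raw!r}")
        seen.add(raw)
    return entries


def render_patch(value: str) -> str:
    """Render the kustomize strategic-merge patch shown on the page for a
    validated allow list (YAML is built by hand to avoid a dependency)."""
    parse_allow_list(value)
    return "\n".join([
        "apiVersion: apps/v1",
        "kind: Deployment",
        "metadata:",
        f"  name: {NAME}",
        "spec:",
        "  template:",
        "    spec:",
        "      containers:",
        "        - env:",
        f"            - name: {ENV_NAME}",
        f"              value: {value}",
        f"          name: {NAME}",
        "",
    ])
```

Calling `render_patch` with the two ClientIDs from the page's example returns the exact text of `authz-default-acr-client-id-allow-list.yaml`, and a trailing comma, a space after a comma, or an `http://` ClientID fails before anything is applied.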