Authorization/Access Control

An authorization system determines whether an agent has access to perform a given action on a particular resource.

ACP

ESS uses Access Control Policy (ACP) [2] to define the policies that determine access to a Pod's resources.

If
    < allOf | anyOf > (Matcher(s)) evaluates to true, AND
    < allOf | anyOf | noneOf > (Matcher(s)) evaluates to true, AND
Then
    < allow (AccessMode(s)) | deny (AccessMode(s)) | allow (AccessMode(s)) AND deny (AccessMode(s)) >

For more information, see Access Control Policy (ACP).

Access Control Mechanisms

ESS supports:

Authorization Services

To support authorization, ESS provides the following services:

Authorization and Clients

ESS supports the use of Client IDs in client allow lists and access policies. [1]

Client Allow Lists

Operators can use Client IDs in the following allow lists:

Client Matchers

Client IDs can be used in Client Matcher statements in Access Control Policy (ACP) policies.

For example, if the client allow list configuration for the initial policy is set, ESS creates default ACP policies of the form:

If allOf(AgentMatcher and ClientMatcher) evaluates to true, Then allow (Read and Write).
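The policy form in the ACP section and the default allOf(AgentMatcher and ClientMatcher) policy above can be modelled in a few lines. This is an added example, not ESS or Inrupt code. The class names, the sample identifiers and the three rules marked as assumptions in the comments are not from this page.

```python
# Simplified model of ACP policy evaluation (added illustration, not ESS code).
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Matcher:
    agents: frozenset = frozenset()   # WebIDs; empty = attribute not defined
    clients: frozenset = frozenset()  # Client IDs; empty = attribute not defined

    def matches(self, agent, client):
        if not (self.agents or self.clients):
            return False  # assumption: a matcher with no attributes matches nothing
        return ((not self.agents or agent in self.agents)
                and (not self.clients or client in self.clients))

@dataclass
class Policy:
    all_of: list = field(default_factory=list)
    any_of: list = field(default_factory=list)
    none_of: list = field(default_factory=list)
    allow: frozenset = frozenset()
    deny: frozenset = frozenset()

    def satisfied(self, agent, client):
        if not (self.all_of or self.any_of):
            return False  # assumption: noneOf on its own never satisfies a policy
        hit = lambda m: m.matches(agent, client)
        return (all(hit(m) for m in self.all_of)
                and (not self.any_of or any(hit(m) for m in self.any_of))
                and not any(hit(m) for m in self.none_of))

def granted_modes(policies, agent, client):
    """Union allow/deny over satisfied policies; assumption: deny overrides allow."""
    hits = [p for p in policies if p.satisfied(agent, client)]
    allowed = set().union(*(p.allow for p in hits))
    denied = set().union(*(p.deny for p in hits))
    return allowed - denied

# Constructed placeholder identifiers, not real WebIDs or Client IDs.
OWNER = "https://id.example/alice"
APP = "https://app.example/client-id"
OTHER_APP = "https://other.example/client-id"
# Default-style policy from the text: allOf(AgentMatcher, ClientMatcher) -> Read, Write.
default_policy = Policy(
    all_of=[Matcher(agents=frozenset({OWNER})), Matcher(clients=frozenset({APP}))],
    allow=frozenset({"Read", "Write"}))
# Constructed policy: deny Write to any agent acting through OTHER_APP.
deny_policy = Policy(all_of=[Matcher(clients=frozenset({OTHER_APP}))],
                     deny=frozenset({"Write"}))
```

With both matchers under allOf, the owner gets Read and Write only when acting through the listed client. A policy with the AgentMatcher alone would grant the same modes through any client.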