Add ACL Policy for Debug service. This will enable the support of #244
marcushines wants to merge 1 commit into
per user per command ACL for the service. This will allow the service to act as a gRPC-based replacement for SSH access that was previously ACL'ed via username to TACACS.
| repeated google.protobuf.Any details = 3; | ||
| } | ||
|
|
||
| // Policy defines a set of commands a list of users are allowed to execute |
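Review bot: the comment that closes this hunk, "Policy defines a set of commands a list of users are allowed to execute", says what is allowed but not what happens to a user or command that no Policy matches. Since the message is an ACL, state in the comment whether an unmatched request is denied by default, and reword the sentence to something like "Policy defines the set of commands that the listed users are allowed to execute" so the relationship between users and commands is unambiguous.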
How is this provided to the device?
It seems a little odd that we don't have this in gNSI -- is there some opportunity to express this there akin to pathz?
I can move it into gNSI as far as providing the gnsi.Debug.Rotate; it just kinda feels a bit odd if that is really going to be a pattern we follow for all services.
Are you also suggesting trying to make pathz support other services? I am not sure it is worth trying to fit that - "role based access control" generally is tailored to the service implementation; conversely, the definition of Authz is generic only to gRPC itself.
I don't really understand what is happening with gNOI debug here -- it's not aligned with what I was understanding to need this kind of auth. Let's discuss.