I've had to implement some slightly messy functionality to handle auth for the changefeed. We should take another look at how we've implemented auth and come up with a cleaner implementation.
What about plugins from go1.8? I had to do some not-really-upstreamable wrapping to get auth working with our implementation of registry auth. Would've been nice to be able to load it into vanilla notary without wrapping it.
I think there are two components here. This issue was to address the organizational aspect of the code and where/how authz is applied. I think we'd want to address that either way.
Happy for there to be an additional issue to discuss the best way of adding alternative authz methods, and I'm tentatively excited about Go 1.8 plugins so IMO it should definitely be in consideration.
P.S. The big problem I was having with the changefeed was basically the location in the call graph where we invoke the authz checks, and how we bypass or allow an alternate authz mechanism for some endpoints vs. others. The use case for that is: imagine we had a way to point a downstream notary mirror at the upstream changefeed with, say, mTLS-based authz, while still requiring token authz on the normal TUF endpoints.