Summary
Improve naming and configuration surface for CPEX authz configuration.
Details
Currently, we have two fields in an authz configuration flow in CPEX: policy and post_policy. We also have identity to signify authentication requirements, and define authorization flows as sequences of args, policy, post_policy, results groups:
global: # for global authz flows, applied to any targets
identity: [...]
args: [...]
policy: [...]
...
routes: # for per-entity authz flows
- tool: get_employee
authentication:
- jwt-user
- jwt-client
args:
employee_id: "str"
policy:
- "require(authenticated)"
- "delegation.depth > 2: deny"
result:
ssn: "str | redact(!perm.view_ssn)"
salary: "int | redact(!role.hr)"
employee_id: "str | mask(4)"
post_policy:
- run(...)
We would like to improve naming and organization of this configuration. A proposal:
global:
authentication:
- jwt-user
- jwt-client
authorization:
pre_invocation: [...]
post_invocation: [...]
routes:
- tool: get_compensation
identity: [...]
args:
employee_id: "str"
authorization:
pre_invocation:
- "require(authenticated)"
- "delegation.depth > 2: deny"
post_invocation:
- "run(...)"
result:
ssn: "str | redact(!perm.view_ssn)"
salary: "int | redact(!role.hr)"
employee_id: "str | mask(4)"
Note: args and result are not recognized under global group.
Acceptance Criteria
- Unit tests
- Regression testing with Praxis
Summary
Improve naming and configuration surface for CPEX authz configuration.
Details
Currently, we have two fields in an authz configuration flow in CPEX:
policyandpost_policy. We also haveidentityto signify authentication requirements, and define authorization flows as sequences ofargs,policy,post_policy,resultsgroups:We would like to improve naming and organization of this configuration. A proposal:
Note:
argsandresultare not recognized underglobalgroup.Acceptance Criteria