Implement redacting of fields for MPA, apply it to httpoverrpc #562
sfc-gh-mwalas wants to merge 6 commits into main
| # Allow MPA setting when not sending a proxied identity. The proxy is allowed above. | ||
| allow { | ||
| not input.metadata["proxied-sansshell-identity"] |
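Review bot: the only condition visible in this `allow` block is `not input.metadata["proxied-sansshell-identity"]`, which is true for every request that does not come through a proxy, not only for requests that set MPA. If the rest of the body does not already do so, add an explicit condition on the MPA metadata so the rule grants no more than its comment ("Allow MPA setting when not sending a proxied identity") says.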
Could you also update sansshell/services/mpa/README.md (line 81 in 4777f2e)?
Another q: after this change, the MPA approval will be valid for any requests to the same {hostname, port, tlsconfig, and protocol}, correct?
Sorry, I put this in place just for testing purposes; we shouldn't merge this change to the default policy.
Re the second point: indeed, after this change the MPA for httpoverrpc will become valid for all combinations of {hostname, port, tlsconfig, and protocol}. After a debate on what the meaningful levels of authz policy for MPA are here, we ended up saying that for httpoverrpc the current MPA of each request does not make much sense.
| @@ -0,0 +1,27 @@ | |||
| /* Copyright (c) 2019 Snowflake Inc. All rights reserved. | |||
update copyright year
Currently httpoverrpc is unusable with MPA as every single request needs to be separately approved. This change ignores requests to the server while constructing MPA.
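The approval-scope change discussed in this thread, as an added Go example (not code from this PR or from sansshell): dropping the per-call HTTP request before deriving the approval key makes one approval cover every request to the same {hostname, port, tlsconfig, protocol}. The types, `RedactForMPA`, `ApprovalKey`, the method name and the SHA-256-over-JSON key derivation are all assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Hypothetical stand-ins for an httpoverrpc request; not the project's types.
type HTTPRequest struct {
	Method, RequestURI string
	Body               []byte
}

type HostHTTPRequest struct {
	Hostname, Protocol, TLSConfig string // TLSConfig stands in for TLS settings
	Port                          int32
	Request                       *HTTPRequest // per-call payload, redacted for MPA
}

// RedactForMPA returns a copy with the per-call HTTP request dropped, so only
// {hostname, port, tlsconfig, protocol} feed the approval key.
func RedactForMPA(r HostHTTPRequest) HostHTTPRequest {
	r.Request = nil
	return r
}

// ApprovalKey hashes the RPC method and message. SHA-256 over JSON is an
// assumption made for this example, not the project's derivation.
func ApprovalKey(rpcMethod string, r HostHTTPRequest) string {
	b, err := json.Marshal(struct {
		Method string
		Msg    HostHTTPRequest
	}{rpcMethod, r})
	if err != nil {
		panic(err) // cannot happen for these plain types
	}
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

func main() {
	const m = "/Example.HTTP/Host" // constructed method name
	a := HostHTTPRequest{"db1", "https", "default", 8080, &HTTPRequest{"GET", "/health", nil}}
	b := HostHTTPRequest{"db1", "https", "default", 8080, &HTTPRequest{"POST", "/admin/reset", []byte("x")}}
	fmt.Println("unredacted keys equal:", ApprovalKey(m, a) == ApprovalKey(m, b))
	fmt.Println("redacted keys equal:", ApprovalKey(m, RedactForMPA(a)) == ApprovalKey(m, RedactForMPA(b)))
}
```

With redaction, a read-only GET and a state-changing POST to the same target share one approval, so the authz policy for that target has to carry the distinction that the approval no longer does.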