Rework authorization to support per-instance ACLs
Before raising this MR, consider whether the following are required, and complete if so:
- Unit tests
- Metrics
- Documentation update(s)
If not required, please explain in brief why not.
Description
We need a way to restrict access to requests on a per-instance basis, based on the client identity obtained from a JWT or the client identity request headers we already support.
This MR reworks the existing authorization implementation into something which can support that, via a configurable set of ACLs.
Changes proposed in this merge request
- Add support for configuring per-instance and per-request ACLs
  - This uses a new configuration file with keys for each instance name containing a list of conditions under which to allow requests.
  - In order to support this on an instance level, we need to do auth after we know the instance name the request is for. To facilitate that the `@authorize` decorator is replaced by a contextmanager which does a similar job
- Add support for a new `headers` authorization mode
  - This is a basic authorization implementation which naively trusts the claimed identity is valid
  - That identity is checked against a configured ACL
  - When there is no ACL configured, this does no authz and just allows every request
- Rework the authorization code to not be a gRPC interceptor
  - The gRPC interceptor wasn't actually being used as an interceptor, since there was not enough request context available at that time. As such this seemed a good time to get rid of that interceptor-based approach completely, which makes the code a bit easier to understand.
  - As part of this, the authorization code is restructured into a subpackage rather than a single module containing many bits and pieces.
Validation
TODO
Edited by Adam Coldrick
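
The per-instance check described above, as an added illustration that is not code from this merge request. The ACL layout, the `x-actor`/`x-subject` header names, and every function and class name are hypothetical; denying an instance that is absent from a configured ACL set is also an assumption, since the description only states the behaviour when no ACL is configured at all.

```python
from contextlib import contextmanager

# Constructed sample ACLs (hypothetical layout, not the project's file format):
# instance name -> list of conditions; a request is allowed if any condition matches.
ACLS = {
    "prod": [
        {"actor": "ci-bot", "requests": ["Execute", "GetActionResult"]},
        {"subject": "alice"},  # no "requests" key: any request on this instance
    ],
    "locked": [],  # configured but empty: nothing is allowed
}


class PermissionDenied(Exception):
    """Raised when no condition for the instance allows the request."""


def is_allowed(acls, instance, request_name, identity):
    """Return True if `identity` may make `request_name` on `instance`."""
    if acls is None:
        # No ACL configured: no authz at all, every request is allowed.
        return True
    for cond in acls.get(instance, []):
        wanted = {k: v for k, v in cond.items() if k != "requests"}
        # Every identity field named in the condition must match exactly.
        if any(identity.get(k) != v for k, v in wanted.items()):
            continue
        if "requests" not in cond or request_name in cond["requests"]:
            return True
    return False  # assumption: unknown instance or no matching condition denies


@contextmanager
def authorize_request(acls, instance, request_name, identity):
    """Guard a handler body once the instance name is known."""
    if not is_allowed(acls, instance, request_name, identity):
        raise PermissionDenied(f"{request_name} denied on instance {instance!r}")
    yield


def execute(acls, instance, headers):
    """Toy handler: in headers mode the claimed identity is trusted as-is."""
    identity = {"actor": headers.get("x-actor"), "subject": headers.get("x-subject")}
    with authorize_request(acls, instance, "Execute", identity):
        return "ok"
```

Because the headers mode takes the identity from request metadata without verifying it, the ACL is only as strong as whatever sits in front of the service and sets those headers.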