dapr
/
docs
mirror of https://github.com/dapr/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Documentation on ACL support for wildcards (#2249) 

* acl support wildcard

Signed-off-by: crazyhzm <crazyhzm@apache.org>

* change description

Signed-off-by: crazyhzm <crazyhzm@apache.org>
This commit is contained in:
huazhongming 2022-03-15 06:46:37 +08:00 committed by GitHub
parent b04691e8fc
commit f2c70d2eae
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 31 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
daprdocs/content/en/operations/configuration/invoke-allowlist.md
View File

@ -41,10 +41,10 @@ The following tables lists the different properties for access control, policies
### Operations ### Operations
| Property | Type | Description | | Property | Type | Description |
|----------|--------|-------------| | -------- | ------ | ------------------------------------------------------------ |
| name | string | Path name of the operations allowed on the called app. Wildcard "\*" can be used to under a path to match | name | string | Path name of the operations allowed on the called app. Wildcard "\*" can be used in a path to match. Wildcard "\**" can be used to match under multiple paths. |
| httpVerb | list | List specific http verbs that can be used by the calling app. Wildcard "\*" can be used to match any http verb. Unused for grpc invocation | httpVerb | list | List specific http verbs that can be used by the calling app. Wildcard "\*" can be used to match any http verb. Unused for grpc invocation. |
| action | string | Access modifier. Accepted values "allow" (default) or "deny" | action | string | Access modifier. Accepted values "allow" (default) or "deny" |
## Policy rules ## Policy rules
@ -189,7 +189,30 @@ spec:
namespace: "ns2" namespace: "ns2"
``` ```
<font size=5>Scenario 6: Allow access to all methods except trustDomain = public, namespace = default, appId = app1, operation = /op1/**/a, all http verbs</font>
```yaml
apiVersion: dapr.io/v1alpha1
kind: Configuration
metadata:
name: appconfig
spec:
accessControl:
defaultAction: allow
trustDomain: "public"
policies:
- appId: app1
defaultAction: allow
trustDomain: 'public'
namespace: "default"
operations:
- name: /op1/**/a
httpVerb: ['*']
action: deny
```
## Hello world examples ## Hello world examples
These examples show how to apply access control to the [hello world](https://github.com/dapr/quickstarts#quickstarts) quickstart samples where a python app invokes a node.js app. These examples show how to apply access control to the [hello world](https://github.com/dapr/quickstarts#quickstarts) quickstart samples where a python app invokes a node.js app.
Access control lists rely on the Dapr [Sentry service]({{< ref "security-concept.md" >}}) to generate the TLS certificates with a SPIFFE id for authentication, which means the Sentry service either has to be running locally or deployed to your hosting environment such as a Kubernetes cluster. Access control lists rely on the Dapr [Sentry service]({{< ref "security-concept.md" >}}) to generate the TLS certificates with a SPIFFE id for authentication, which means the Sentry service either has to be running locally or deployed to your hosting environment such as a Kubernetes cluster.
@ -350,7 +373,7 @@ spec:
containers: containers:
- name: python - name: python
image: dapriosamples/hello-k8s-python:edge image: dapriosamples/hello-k8s-python:edge
``` ```
## Community call demo ## Community call demo
Watch this [video](https://youtu.be/j99RN_nxExA?t=1108) on how to apply access control list for service invocation. Watch this [video](https://youtu.be/j99RN_nxExA?t=1108) on how to apply access control list for service invocation.