Kbs/Admin: modularize admin authentication and authorization#1239
Draft
Xynnn007 wants to merge 6 commits into confidential-containers:main from
Refactor the admin module from simple monolithic implementations to a modular architecture that separates token verification from authorization decisions.

Key changes:
- Split admin functionality into two independent modules:
  * token_verifier: Handles token parsing and verification (BearerJwt)
  * authorization: Handles access control decisions (RegexAcl)
- Replace simple backend types (allow_all, deny_all, simple) with trait-based architecture for better extensibility
- Update AdminConfig to use "mode" enum (InsecureAllowAll, DenyAll, Enforce) instead of "type" for clearer semantics
- Enforce mode requires both token_verifier and authorizer configuration
- Improve error handling with detailed reason messages in AdminAccessDenied

This refactoring improves code organization, maintainability, and makes it easier to add new token verifiers or authorization strategies in the future.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
Admin authorization internals were refactored, but deployment and test configs still encoded the old model, which risks silent policy drift during upgrades. This change keeps existing operator intent and environment behavior stable while adopting the new schema, so users can move forward without changing trust assumptions.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>

…ver-side JWT enforcement

KBS admin auth moved to explicit bearer-token verification, so having the client mint JWTs from private keys caused local tooling and integration tests to diverge from real deployment boundaries. This switches config operations to consume admin tokens directly (with sensible local fallback), keeping test coverage aligned with production trust assumptions while preserving developer ergonomics.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>

… enforced admin mode

As admin configuration shifted to explicit token verification, first-run local environments became easy to misconfigure even when keys were present. Generating a reusable admin token from configured signer material keeps `trustee run` secure-by-default for development and reduces setup footguns without weakening production guidance.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>

… dedicated config scope

Shared config paths made compose-only generated credentials easy to mix with other environments, which increases accidental leakage and brittle automation in CI/local runs. This moves compose materials into a dedicated subtree and centralizes key/token bootstrapping in one script so test and deployment flows consume the same predictable artifacts.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>

…act to prevent stale operator guidance

After the admin model moved from persona-key signing to token verification, legacy examples would silently teach flows that no longer represent expected behavior and increase onboarding failures. This updates operational docs and test fixtures together so local validation, CI expectations, and user-facing instructions all reinforce the same security model.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
Refactor the admin module from simple monolithic implementations to a modular architecture that separates token verification from authorization decisions.
This work will decouple the token provisioning to outer services. And the inner logic inside KBS will be only the subject claim of the token
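As an added illustration of the two-stage model the commits describe, here is example code written for this page, not the KBS code from the PR. It shows a `TokenVerifier` trait, an `Authorizer` trait that sees only the subject claim, and an `AdminMode` with `InsecureAllowAll`, `DenyAll` and `Enforce`, where `Enforce` refuses to construct unless both stages are configured and every denial carries a reason. The `StaticBearerVerifier` token table and `PrefixAcl` prefix rules are stand-ins for the BearerJwt verifier and RegexAcl authorizer named in the commit message; all type, function and token names here are assumptions.

```rust
use std::collections::HashMap;

/// Identity handed from token verification to authorization; only the subject
/// claim crosses that boundary. (Constructed types throughout, not the KBS API.)
#[derive(Debug, Clone, PartialEq)]
pub struct AdminClaims { pub subject: String }

/// Every denial carries a reason: rejected token, policy miss, or bad config.
#[derive(Debug, PartialEq)]
pub enum AdminAccessDenied { InvalidToken(String), NotAuthorized(String), Misconfigured(String) }

/// Stage 1: turn a bearer token into claims, or reject it.
pub trait TokenVerifier {
    fn verify(&self, token: &str) -> Result<AdminClaims, AdminAccessDenied>;
}

/// Stage 2: decide whether verified claims may perform an action.
pub trait Authorizer {
    fn authorize(&self, claims: &AdminClaims, action: &str) -> Result<(), AdminAccessDenied>;
}

/// Constructed stand-in for a JWT verifier: a fixed table of opaque bearer
/// tokens to subjects. A real verifier checks signature, issuer and expiry.
pub struct StaticBearerVerifier { tokens: HashMap<&'static str, &'static str> }

impl TokenVerifier for StaticBearerVerifier {
    fn verify(&self, token: &str) -> Result<AdminClaims, AdminAccessDenied> {
        self.tokens.get(token)
            .map(|s| AdminClaims { subject: s.to_string() })
            .ok_or_else(|| AdminAccessDenied::InvalidToken("unknown bearer token".into()))
    }
}

/// Stand-in for a regex ACL: (subject, allowed action prefix) rules. Prefix
/// matching is used only because the regex crate is not in std.
pub struct PrefixAcl { rules: Vec<(&'static str, &'static str)> }

impl Authorizer for PrefixAcl {
    fn authorize(&self, claims: &AdminClaims, action: &str) -> Result<(), AdminAccessDenied> {
        if self.rules.iter()
            .any(|(subject, prefix)| *subject == claims.subject && action.starts_with(*prefix))
        {
            return Ok(());
        }
        Err(AdminAccessDenied::NotAuthorized(format!(
            "subject '{}' may not perform '{}'", claims.subject, action)))
    }
}

pub enum AdminMode { InsecureAllowAll, DenyAll, Enforce }

pub struct AdminConfig {
    pub mode: AdminMode,
    pub token_verifier: Option<Box<dyn TokenVerifier>>,
    pub authorizer: Option<Box<dyn Authorizer>>,
}

pub struct Admin { cfg: AdminConfig }

impl Admin {
    /// Enforce mode needs both stages; a half-configured admin API fails closed
    /// at startup instead of silently allowing or denying everything.
    pub fn from_config(cfg: AdminConfig) -> Result<Self, AdminAccessDenied> {
        if matches!(cfg.mode, AdminMode::Enforce)
            && (cfg.token_verifier.is_none() || cfg.authorizer.is_none())
        {
            return Err(AdminAccessDenied::Misconfigured(
                "Enforce mode requires both token_verifier and authorizer".into()));
        }
        Ok(Admin { cfg })
    }

    /// Mode short-circuits; in Enforce mode the token is verified first and the
    /// resulting subject is then checked against the ACL.
    pub fn check(&self, bearer: Option<&str>, action: &str) -> Result<(), AdminAccessDenied> {
        match self.cfg.mode {
            AdminMode::InsecureAllowAll => return Ok(()),
            AdminMode::DenyAll => return Err(AdminAccessDenied::NotAuthorized("admin API disabled (DenyAll)".into())),
            AdminMode::Enforce => {}
        }
        let token = bearer.ok_or_else(|| AdminAccessDenied::InvalidToken("missing bearer token".into()))?;
        let claims = self.cfg.token_verifier.as_ref().expect("checked in from_config").verify(token)?;
        self.cfg.authorizer.as_ref().expect("checked in from_config").authorize(&claims, action)
    }
}

/// Constructed sample deployment: two admin tokens and a two-rule ACL.
pub fn demo_admin() -> Admin {
    let verifier = StaticBearerVerifier {
        tokens: HashMap::from([("tok-alice", "alice"), ("tok-bob", "bob")]),
    };
    let acl = PrefixAcl { rules: vec![("alice", "config/"), ("bob", "config/read")] };
    Admin::from_config(AdminConfig {
        mode: AdminMode::Enforce,
        token_verifier: Some(Box::new(verifier)),
        authorizer: Some(Box::new(acl)),
    }).expect("demo config is complete")
}

fn main() {
    let admin = demo_admin();
    println!("alice set-policy: {:?}", admin.check(Some("tok-alice"), "config/set-policy"));
    println!("bob set-policy:   {:?}", admin.check(Some("tok-bob"), "config/set-policy"));
}
```

The design point is that the verifier never sees the ACL and the ACL never sees the raw token: swapping BearerJwt for another verifier, or RegexAcl for another policy engine, touches one trait implementation, and a deployment that sets `Enforce` but forgets one of the two stages is rejected at construction rather than degrading to allow-all.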