---
# Kuadrant AuthPolicy for the MaaS API HTTPRoute.
#
# Two authentication paths share one pipeline:
#   * API key  – Authorization header begins with "Bearer sk-oai-"; the key is
#                checked by an HTTP callback (metadata) and enforced in the
#                authorization stage.
#   * OpenShift – any other bearer token goes through a Kubernetes TokenReview.
# Successful requests are stamped with X-MaaS-Username / X-MaaS-Group (and
# X-MaaS-Subscription for API keys that carry one) before reaching the backend.
apiVersion: kuadrant.io/v1
kind: AuthPolicy
metadata:
  name: maas-api-auth-policy
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: maas-api-route
  rules:
    authentication:
      # Bearer tokens with the sk-oai- prefix. This evaluator only copies the
      # header into the identity object – nothing is verified here; validity
      # is established by the apiKeyValidation callback and enforced by the
      # api-key-valid authorization rule below.
      api-keys:
        priority: 0
        when:
          - predicate: 'request.headers.authorization.startsWith("Bearer sk-oai-")'
        plain:
          selector: request.headers.authorization
      # Everything else: TokenReview against the cluster API. The token must
      # carry one of the listed audiences.
      openshift-identities:
        priority: 1
        kubernetesTokenReview:
          audiences:
            - https://kubernetes.default.svc
            - maas-default-gateway-sa
    metadata:
      # API-key lookup via HTTP POST; skipped entirely for non-API-key tokens.
      # The result is exposed as auth.metadata.apiKeyValidation.
      # NOTE(review): if the callback errors or omits `valid`, the authorization
      # rule below has nothing equal to "true" and the request should be denied;
      # confirm this fail-closed behaviour against the Authorino release in use.
      apiKeyValidation:
        priority: 0
        when:
          - predicate: 'request.headers.authorization.startsWith("Bearer sk-oai-")'
        http:
          # Placeholder host – replaced at deploy time:
          #   * Operator mode (ODH/RHOAI): ODH overlay substitutes the
          #     app-namespace parameter.
          #   * Kustomize mode: deploy.sh rewrites it with $NAMESPACE via sed.
          url: 'https://maas-api.placehold.svc.cluster.local:8443/internal/v1/api-keys/validate'
          method: POST
          contentType: application/json
          body:
            # Send the bare key (prefix "Bearer " stripped) as JSON.
            expression: '{"key": request.headers.authorization.replace("Bearer ", "")}'
    authorization:
      # API-key requests pass only if the callback reported the key as valid.
      # Token-review identities are not subject to this rule (see `when`).
      # NOTE(review): `eq` compares against the quoted string 'true' – confirm
      # the callback's `valid` field (boolean or string) matches as intended.
      api-key-valid:
        priority: 0
        when:
          - predicate: 'request.headers.authorization.startsWith("Bearer sk-oai-")'
        patternMatching:
          patterns:
            - selector: auth.metadata.apiKeyValidation.valid
              operator: eq
              value: 'true'
    response:
      success:
        headers:
          # X-MaaS-Username, API-key path: taken from the validation callback.
          X-MaaS-Username:
            priority: 0
            when:
              - predicate: 'request.headers.authorization.startsWith("Bearer sk-oai-")'
            plain:
              selector: auth.metadata.apiKeyValidation.username
          # X-MaaS-Username, OpenShift path: taken from the TokenReview identity.
          # `key` makes both evaluators emit the same header name.
          X-MaaS-Username-OC:
            priority: 1
            when:
              - predicate: '!request.headers.authorization.startsWith("Bearer sk-oai-")'
            plain:
              selector: auth.identity.user.username
            key: X-MaaS-Username
          # X-MaaS-Group, API-key path: groups array rendered as a JSON string.
          X-MaaS-Group:
            priority: 0
            when:
              - predicate: 'request.headers.authorization.startsWith("Bearer sk-oai-")'
            plain:
              selector: auth.metadata.apiKeyValidation.groups.@tostr
          # X-MaaS-Group, OpenShift path: identity groups rendered as a JSON string.
          X-MaaS-Group-OC:
            priority: 1
            when:
              - predicate: '!request.headers.authorization.startsWith("Bearer sk-oai-")'
            plain:
              selector: auth.identity.user.groups.@tostr
            key: X-MaaS-Group
          # X-MaaS-Subscription: only for API keys that carry a non-empty
          # subscription; /v1/models uses it to scope the returned models.
          # Both predicates must hold for the header to be emitted.
          # NOTE(review): when no subscription is present nothing is set here –
          # confirm the route strips any client-supplied X-MaaS-* request
          # headers so they cannot pass through to the backend in that case.
          X-MaaS-Subscription:
            priority: 0
            when:
              - predicate: 'request.headers.authorization.startsWith("Bearer sk-oai-")'
              - predicate: 'auth.metadata.apiKeyValidation.subscription != ""'
            plain:
              selector: auth.metadata.apiKeyValidation.subscription