Authorization
Learn about OpenTestFactory Orchestrator authorization, including details about creating policies using the supported authorization modules.
With the OpenTestFactory orchestrator, you must be authenticated (logged in) before your request can be authorized (granted permission to access). For information about authentication, see Authenticating.
The OpenTestFactory orchestrator expects attributes that are common to REST API requests. This means that the orchestrator authorization works with existing organization-wide or cloud-provider-wide access control systems which may handle other APIs besides the OpenTestFactory orchestrator API.
Determine Whether a Request is Allowed or Denied
The orchestrator evaluates all the request attributes against all policies and allows or denies the request. All parts of an API request must be allowed by some policy to proceed. This means that permissions are denied by default.
When multiple authorization modules are configured, each is checked in sequence. If any authorizer approves or denies a request, that decision is immediately returned, and no other authorizer is consulted. If all modules have no opinion on the request, then the request is denied. A denial returns an HTTP status code 403.
Authorization Modes
The OpenTestFactory orchestrator may authorize a request using one of several authorization modes:
- JWT signature - A special-purpose authorization mode that grants permissions to namespaces based on the key used to sign the token. To learn more about using JWT signature authorization mode, see “Signature-based Access Control.”
- ABAC - Attribute-based access control (ABAC) defines an access control paradigm whereby access rights are granted to users through the use of policies that combine attributes together. The policies can use any type of attribute (user attributes, resource attributes, objects, etc.). To learn more about using the ABAC mode, see “Attribute-based Access Control.”
Using Flags for Your Authorization Module
You must include a flag to indicate which authorization module your policies include.
The following flags can be used:
--authorization-mode=JWT
--authorization-mode=ABAC
--authorization-mode=JWT,ABAC
--authorization-mode=ABAC,JWT
Info
If you are using one of the provided Docker images, use the OPENTF_AUTHORIZATION_MODE environment variable instead. The setting will apply to every service launched by the image.
If you only want to use the JWT authorization module (the default), you can define the following environment variable or leave it undefined.
OPENTF_AUTHORIZATION_MODE=JWT
If you want to use the ABAC and JWT authorization modules, you can define the following environment variable.
OPENTF_AUTHORIZATION_MODE=ABAC,JWT
Important
Some legacy services require the JWT signature authorization mode. The current orchestrator implementation adds JWT to the authorization mode if not already specified. So, specifying ABAC is interpreted as ABAC,JWT, and specifying nothing is interpreted as JWT. This may change in a future release.
You can choose more than one authorization module. Modules are checked in order, so an earlier module has higher priority to allow or deny a request.
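The decision chain described above (first module with an opinion wins, no opinion everywhere means a 403 denial) and the mode-parsing rule from the Important note (JWT appended when absent, nothing means JWT), as an added illustration that is not the orchestrator's own code. The two sample authorizers and the request attribute names (`namespace`, `verb`, `signer_namespaces`, `roles`) are hypothetical simplifications; the real modules read tokens and policies.

```python
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple

class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    NO_OPINION = "no opinion"

# An authorizer inspects the request attributes and returns a Decision.
Authorizer = Callable[[dict], Decision]

def parse_authorization_mode(value: Optional[str]) -> List[str]:
    """Apply the page's rule: JWT is added if not specified; empty/undefined -> JWT."""
    modules = [m.strip() for m in (value or "").split(",") if m.strip()]
    if "JWT" not in modules:
        modules.append("JWT")
    return modules

def jwt_signature_authorizer(req: dict) -> Decision:
    # Hypothetical simplification: the namespaces granted by the key that signed
    # the token are assumed to be already extracted into req["signer_namespaces"].
    if req["namespace"] in req.get("signer_namespaces", ()):
        return Decision.ALLOW
    return Decision.NO_OPINION

def abac_authorizer(req: dict) -> Decision:
    # Hypothetical ABAC policy: only requests carrying the "admin" role may delete.
    if req["verb"] == "delete" and "admin" not in req.get("roles", ()):
        return Decision.DENY
    return Decision.NO_OPINION

REGISTRY: Dict[str, Authorizer] = {"JWT": jwt_signature_authorizer, "ABAC": abac_authorizer}

def authorize(req: dict, modules: List[str]) -> Tuple[bool, str]:
    """Consult modules in order; the first ALLOW or DENY is final.

    Returns (allowed, decided_by). A False result is answered with HTTP 403,
    including the default-deny case where no module had an opinion.
    """
    for name in modules:
        decision = REGISTRY[name](req)
        if decision is not Decision.NO_OPINION:
            return decision is Decision.ALLOW, name
    return False, "default-deny"

if __name__ == "__main__":
    # Constructed request: a non-admin deleting in a namespace its token key covers.
    req = {"namespace": "ci", "verb": "delete", "signer_namespaces": ["ci"], "roles": ["dev"]}
    print(authorize(req, parse_authorization_mode("ABAC")))  # ABAC denies first
    print(authorize(req, parse_authorization_mode("JWT,ABAC")))  # JWT allows first
```

Running it with the two module orders shows why the page says an earlier module has higher priority: the same request is denied under ABAC,JWT and allowed under JWT,ABAC.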