Comments (5)
Is it assumed that the jwt format of athenz conf will be distributed by sia?
athenz/libs/go/sia/agent/agent.go
Lines 342 to 347 in f9f1240
from athenz.
I understand that sia acquires the information via postInstanceRegisterInformation and postInstanceRefreshInformation.
Would it be feasible to expose the jwkConfig utilized by the two methods mentioned above as an API of ZTS?
athenz/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSImpl.java
Lines 411 to 414 in f9f1240
Or should this be implemented in sia instead?
from athenz.
I'm slowly moving away from athenz.conf since that was a proprietary format and instead I prefer to use the jwk format as defined in rfc7517.
the initial implementation relies on SIA to automatically fetch the conf file and keep it updated periodically. This eliminates the need for the client to worry about how to refresh and whenever it sees an unknown key, all it needs to do is to reload the latest file from disk which should be updated.
So I would strongly recommend if you're implement your own SIA, then make this part of the agent so it automatically gets updated daily. The server logic only returns the data if there are changes so you don't waste network resources by sending the data every time.
As far as separate APIs, we already have /oauth2/keys API which returns the ZTS keys in this format. If you want to get the zms keys, we can extend this api to specify an optional query element to specify the service name (e.g. /oauth2/keys?rfc=true is default and returns ZTS keys but if you specify /oauth2/keys?rfc=true&service=zms then it can return the ZMS keys - this way we don't need yet another API
from athenz.
Thank you for your proposal. We will consider how we can implement this in our environment.
By the way, regarding the use of JWS policy, I believe that the verification key for ZMS is not inherently necessary. However, is it correct to understand that the current ZTS provides the ZMS verification key in postInstanceRegisterInformation and postInstanceRefreshInformation for backward compatibility?
Specifically, the PublicKeyStore interface used by ZPE has a method named getZmsKey. While the verification of JWS Policy only requires the ZTS verification key, ensuring the principle of Java interface contracts mandates the implementation of this method.
I believe that in the future, the ZMS verification key will become unnecessary for ZPE's PublicKeyStore. Is there any difference in understanding?
from athenz.
ZTS does not just cater ZPE use cases. It's possible that you have an application that fetches full domain jws files from ZMS and needs the public keys for verification of the signature. So we provide both ZMS and ZTS public keys for all clients.
So while ZPE will eventually no longer need ZMS public keys (most likely we'll remove it from the 1.12.x release scheduled sometime in Q3), ZTS will continue to provide the ZMS and ZTS keys.
from athenz.
Related Issues (20)
- do not allow deletion of domain is it's associated with aws/gcp/azure
- review enabled roles/groups - role/group Review api does not force another admin approval
- Cannot update RoleMeta with blank SignAlgorithm HOT 4
- Are there any plans to implement a mechanism to restrict the principals to be added to a group of tenants based on specific conditions? HOT 4
- Does Athenz supports SAML ? HOT 1
- resource ownership in Athenz HOT 1
- questions regarding ZTS's readOnlyMode HOT 2
- No way to exit PolicyLoader
- Support spiffe trust domain in role certificates
- extend update_members action for role/group review api
- Question Regarding the Specifications of Principal Group HOT 2
- Provide support to enable/disable principals in Athenz
- Support simple domain based filtering for role/group principals.
- Error logs output when loading JWS Policy HOT 2
- extend the logic to set the preferred expiry time for service certificates
- provide the capability for system admins to specify host/ssh cert signing key per domain
- option to reject id token request if all roles/groups are not authorized
- postSubDomain supports templates without params HOT 1
- Extend support for authority filter for roles/groups to skip unnecessary checks
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from athenz.