This repository has been archived by the owner on Dec 22, 2020. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 0
/
configmap.yaml
57 lines (53 loc) · 1.62 KB
/
configmap.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
apiVersion: v1
kind: ConfigMap
metadata:
name: authorino
labels:
app: authorino
data:
config.yml: |
echo-api.authorino.apps.dev-eng-ocp4-5.dev.3sca.net:
enabled: true
keycloak: &keycloak
endpoint: http://keycloak-discovery.redhat-sso.svc.cluster.local:8080/auth/realms/ostia
identity:
- oidc:
name: keycloak
<<: *keycloak
metadata:
- userinfo:
oidc: keycloak
client_id: authorino
client_secret: 2e5246f2-f4ef-4d55-8225-36e725071dee
- uma:
<<: *keycloak
client_id: pets-api
client_secret: 523b92b6-625d-4e1e-a313-77e7a8ae4e88
authorization:
- opa:
uuid: 40f5976b-edf9-42f5-8c85-010d4a9992b3
rego: |
allow {
http_request.method == "GET"
path = ["pets"]
}
allow {
http_request.method == "GET"
own_resource
}
allow {
http_request.method == "GET"
path = ["stats"]
is_admin
}
own_resource {
some petid
path = ["pets", petid]
resource := object.get(metadata, "uma", [])[0]
owner := object.get(object.get(resource, "owner", {}), "id", "")
subject := object.get(identity, "sub", object.get(identity, "username", ""))
owner == subject
}
is_admin {
identity.realm_access.roles[_] == "admin"
}