# Authentication rules configuration

All authentication providers support rules configuration.

A rule takes parameters and sets a label on the user's pod and in the user's JWT:

- all labels are stored inside the JWT user token
- all labels are set on the user's pods

The labels are used to define the container execution context and for later decisions, such as:

- allowing an application only for members of a group
- applying network policies
## The rule object

A rule is a dictionary object with:

- a name (the key of the entry in `rules`)
- one or more conditions
- an expected boolean result, `True` or `False`
- a label to set if the logical AND of the conditions is equal to the expected boolean value

Example: to test if the user's source IP address is equal to 192.168.2.3/32

```
'rule-home': {
  'conditions' : [ { 'network': '192.168.2.3/32', 'expected' : True } ],
  'expected' : True,
  'label': 'allowipsource' }
```

If the source IP address is equal to 192.168.2.3, then the pod gets the label `allowipsource`.
## The conditions object

The conditions are a list of condition objects. Each condition carries its own `expected` value: the condition holds when the result of its test is equal to that value. All conditions are always tested and combined with a logical AND operator; the rule's label is set when the combined result is equal to the rule's `expected` value. A rule-level `'expected': False` therefore means "not all of the conditions hold", not "every condition fails".
Examples:

Example (True and True) expected True:

To test if the user's source IP address is in the subnet 80.0.0.0/8 AND the user is a memberOf the LDAP group DN 'cn=ship_crew,ou=people,dc=planetexpress,dc=com':

```
'rule-sample': {
  'conditions': [
    { 'network': '80.0.0.0/8', 'expected' : True },
    { 'memberOf': 'cn=ship_crew,ou=people,dc=planetexpress,dc=com', 'expected' : True }
  ],
  'expected' : True,
  'label': 'shipcrewandnet80' }
```

This rule adds the label `shipcrewandnet80` when both conditions hold, so that the combined result is `True` as expected.
Example (True and True) expected False:

To set a label when the user is NOT both in the subnet 80.0.0.0/8 AND a memberOf the LDAP group DN 'cn=ship_crew,ou=people,dc=planetexpress,dc=com', i.e. when at least one of the two conditions does not hold:

```
'rule-sample': {
  'conditions': [
    { 'network': '80.0.0.0/8', 'expected' : True },
    { 'memberOf': 'cn=ship_crew,ou=people,dc=planetexpress,dc=com', 'expected' : True }
  ],
  'expected' : False,
  'label': 'noshipcrewandnet80' }
```

Adds the label `noshipcrewandnet80` when the combined result is `False`, as expected. This is the logical negation of the previous rule, not "NOT in the subnet AND NOT a member": a crew member connecting from outside 80.0.0.0/8 also gets the label.
Example (True and False) expected True:

To test if the user's source IP address is in the subnet 80.0.0.0/8 AND the user is NOT a memberOf the LDAP group DN 'cn=ship_crew,ou=people,dc=planetexpress,dc=com' (the second condition expects `False`):

```
'rule-sample': {
  'conditions': [
    { 'network': '80.0.0.0/8', 'expected' : True },
    { 'memberOf': 'cn=ship_crew,ou=people,dc=planetexpress,dc=com', 'expected' : False }
  ],
  'expected' : True,
  'label': 'noshipcrewandnet80' }
```

Adds the label `noshipcrewandnet80` when both conditions hold (in the subnet, not a member), so that the combined result is `True` as expected.
Example (False and True) expected True:

To test if the user's source IP address is NOT in the subnet 80.0.0.0/8 AND the user is a memberOf the LDAP group DN 'cn=ship_crew,ou=people,dc=planetexpress,dc=com' (the first condition expects `False`):

```
'rule-sample': {
  'conditions': [
    { 'network': '80.0.0.0/8', 'expected' : False },
    { 'memberOf': 'cn=ship_crew,ou=people,dc=planetexpress,dc=com', 'expected' : True }
  ],
  'expected' : True,
  'label': 'shipcrewandnonet80' }
```

Adds the label `shipcrewandnonet80` when both conditions hold (not in the subnet, a member), so that the combined result is `True` as expected.
## The condition value

| name | description | example |
|---|---|---|
| boolean | always true or false | `'boolean' : 'true'` |
| existhttpheader | test if an HTTP header exists | |
| httpheader | test if an HTTP header value is equal to a string | `'httpheader': { 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.146 Safari/537.36' }` |
| memberOf | test if the LDAP user object is a member of a group | `'memberOf': [ 'cn=ship_crew,ou=people,dc=planetexpress,dc=com' ]` |
| network | test if the client IP address is in a network subnet | `'network': [ '1.2.3.0/24' ]` |
| network-x-forwarded-for | read the X-Forwarded-For HTTP header, then test if it is in a network subnet | |
| network-x-real-ip | read the X-Real-IP HTTP header, then test if it is in a network subnet | |
| attribut | test a HTTP header value is equal to | `'httpheader': { 'User-Agent': 'Mozilla/5.0` |
| primarygroupid | test if the LDAP user object has an attribute primaryGroupID equal to the value | `'primarygroupid': '513'` |
| asnumber | test if the source IP address is in an AS number | `'asnumber': [ '3215', '12807' ]` |
| geolocation | test if the user is geolocated in a particular region. The geolocation data comes from the web browser and can be spoofed | `'geolocation': {'accuracy': 14.884, 'latitude': 48.8555131, 'longitude': 2.3752174 }` |
### condition boolean

This condition is a dummy condition. It is used to force a label unconditionally, or to disable a rule without deleting it.

```
'boolean': boolean
```

The common usage is

```
'rule-dummy': {
  'conditions': [ { 'boolean': True, 'expected' : True } ],
  'expected' : True,
  'label': 'dummy' }
```

or a rule that never sets its label (always False):

```
'rule-dummy': {
  'conditions': [ { 'boolean': True, 'expected' : True } ],
  'expected': False,
  'label': 'dummy' }
```
### condition httpheader

This condition tests if an HTTP header value is equal to a string.

```
'httpheader': dict
```

Example: if the 'User-Agent' is equal to 'Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.146 Safari/537.36' then add the label 'chromemaxosx112'

```
'rule-httpheader': {
  'conditions' : [ { 'httpheader': { 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.146 Safari/537.36' }, 'expected' : True } ],
  'expected' : True,
  'label': 'chromemaxosx112' }
```

HTTP headers are sent by the client and can be set to any value, so a label derived from a header describes what the client claims, not an authenticated property of the user. Use such labels to tune the session, not on their own to grant access.
### condition network

This condition tests if the client source IP address is in a subnet. IPv4 and IPv6 are supported.

```
'network': string or list of string, each string must be an IPv4 or IPv6 subnet
```

To read the source IP address, the service tries, in order:

- the X-Forwarded-For HTTP header
- the X-Real-IP HTTP header
- the remote IP, i.e. the source address of the socket

The two headers are meant to be set by a reverse proxy in front of the service, but a client that reaches the service directly can send them with any value. Rely on them only when the service is reachable exclusively through a proxy that overwrites them; otherwise a network condition should be judged on the socket address.

For example, to test if the user's source IP address is equal to 8.8.8.1/32

```
'rule-home': {
  'conditions': [ { 'network': '8.8.8.1/32', 'expected' : True } ],
  'expected': True,
  'label': 'homeipsource' }
```

To test if the user's source IP address is in the subnet 10.0.0.0/8

```
'rule-localnet': {
  'conditions': [ { 'network': '10.0.0.0/8', 'expected' : True } ],
  'expected': True,
  'label': 'localnet' }
```

To test if the user's source IP address is NOT in the subnet 192.168.0.0/24

```
'rule-localnet': {
  'conditions': [ { 'network': '192.168.0.0/24', 'expected' : False } ],
  'expected': True,
  'label': 'no192168net' }
```

same as

```
'rule-localnet': {
  'conditions' : [ { 'network': [ '192.168.0.0/24'] , 'expected' : True } ],
  'expected' : False,
  'label': 'no192168net' }
```
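Why the header lookup order above matters, as an added example that is not the project's code: a resolver that follows the page's order literally, next to one that honours X-Forwarded-For and X-Real-IP only when the TCP peer is a known reverse proxy. The proxy addresses and header values are constructed for the demonstration, header names are assumed to arrive as lower-cased keys, and the trusted-proxy list is an assumption of the example rather than a setting the page describes.

```python
import ipaddress

# Constructed example: the addresses of our own reverse proxies. This list is an
# assumption of the demo, not something read from the project's configuration.
TRUSTED_PROXIES = [ipaddress.ip_network('10.0.0.2/32'),
                   ipaddress.ip_network('fd00:cafe::1/128')]


def _parse(value):
    """ip_address for one header element, or None if it is not an address."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def _is_proxy(ip, trusted):
    return any(ip in net for net in trusted)


def client_ip_naive(headers, remote_addr):
    """The lookup order given on the page: X-Forwarded-For, then X-Real-IP,
    then the socket peer. Every header value is whatever the client sent."""
    for hop in headers.get('x-forwarded-for', '').split(','):
        ip = _parse(hop)
        if ip:
            return ip
    ip = _parse(headers.get('x-real-ip', ''))
    if ip:
        return ip
    return ipaddress.ip_address(remote_addr)


def client_ip_trusted(headers, remote_addr, trusted=TRUSTED_PROXIES):
    """Same lookup, but the forwarding headers count only when the TCP peer is
    one of our proxies. A proxy appends the peer it saw to X-Forwarded-For, so
    the right-most hop that is not a proxy is the real client; anything to its
    left was supplied by the client and may be forged."""
    peer = ipaddress.ip_address(remote_addr)
    if not _is_proxy(peer, trusted):
        return peer                     # direct connection: headers are untrusted
    hops = [ip for ip in map(_parse, headers.get('x-forwarded-for', '').split(','))
            if ip]
    for hop in reversed(hops):
        if not _is_proxy(hop, trusted):
            return hop
    ip = _parse(headers.get('x-real-ip', ''))   # e.g. nginx sets it from $remote_addr
    if ip:
        return ip
    return peer                         # only proxy hops seen: nothing client-supplied


if __name__ == '__main__':
    # a client connecting directly claims an address inside 10.0.0.0/8
    forged = {'x-forwarded-for': '10.1.2.3'}
    print(client_ip_naive(forged, '203.0.113.7'))    # the forged 10.1.2.3
    print(client_ip_trusted(forged, '203.0.113.7'))  # the real 203.0.113.7
```

With the literal order, any Internet client can obtain the `privatenetwork` label of the examples below simply by sending `X-Forwarded-For: 10.1.2.3`. With the trusted-proxy variant the forged hop is ignored on a direct connection, and when the request really came through the proxy the address the proxy appended (the right-most non-proxy hop) wins over whatever the client put in front of it.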
### IPv4 and IPv6 subnets support

To cover the private IPv4 ranges of RFC 1918 and the link-local ranges of RFC 3927 (IPv4) and RFC 4291 (IPv6), you can write separate rules. Both IPv4 and IPv6 subnets are supported.

Several rules can share the same label, here `privatenetwork`:

```
'policies': {
  'acl' : {},
  'rules' : {
    'rule-privatenetwork-10': { 'conditions': [ { 'network': '10.0.0.0/8', 'expected' : True } ],
                                'expected': True,
                                'label': 'privatenetwork' },
    'rule-privatenetwork-172': { 'conditions': [ { 'network': '172.16.0.0/12', 'expected' : True } ],
                                 'expected': True,
                                 'label': 'privatenetwork' },
    'rule-privatenetwork-192': { 'conditions': [ { 'network': '192.168.0.0/16', 'expected' : True } ],
                                 'expected': True,
                                 'label': 'privatenetwork' },
    'rule-privatenetwork-169': { 'conditions': [ { 'network': '169.254.0.0/16', 'expected' : True } ],
                                 'expected': True,
                                 'label': 'privatenetwork' },
    'rule-privatenetwork-fe80':{ 'conditions': [ { 'network': 'fe80::/10', 'expected' : True } ],
                                 'expected': True,
                                 'label': 'privatenetwork' } } }
```

Multiple rules can set the same label.

Since `network` accepts a list of subnets, you can also write the previous rules as one simpler rule:

```
'policies': {
  'acl' : {},
  'rules' : {
    'rule-privatenetwork': {
      'conditions': [ { 'network': [ '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '169.254.0.0/16', 'fe80::/10' ], 'expected' : True } ],
      'expected': True,
      'label': 'privatenetwork' } } }
```
### condition memberOf

This condition tests if the user is a member of the LDAP group with the given Distinguished Name.

```
'memberOf': string or list of string, each string a group DN
```

```
'rule-sample': {
  'conditions': [ { 'memberOf': 'cn=ship_crew,ou=people,dc=planetexpress,dc=com', 'expected' : True } ],
  'expected' : True,
  'label': 'shipcrewgrp'
}
```
### condition primarygroupid

This test is only used with Microsoft Active Directory.

primarygroupid tests if the user attribute primaryGroupID is equal to a string.

```
'primarygroupid': string
```

To check if a user's primary group is DOMAIN\Domain Users, whose RID is 513:

```
'rule-domainuser': {
  'conditions': [ { 'primarygroupid': '513', 'expected' : True } ],
  'expected' : True,
  'label': 'domainuser'
}
```

However, if the user needs to be seen as a Domain Admin for POSIX, the primaryGroupID is 512, the RID of the Domain Admins group.

```
'rule-posixdomainadmin': {
  'conditions': [ { 'primarygroupid': '512', 'expected' : True } ],
  'expected' : True,
  'label': 'posixdomainadmin'
}
```

The Enterprise Admins group, RID 519, is also used to grant this level in POSIX.

```
'rule-enterpriseadmin': {
  'conditions': [ { 'primarygroupid': '519', 'expected' : True } ],
  'expected': True,
  'label': 'enterpriseadmin'
}
```

primaryGroupID records only the user's primary group, not the other groups the user belongs to: a member of Domain Admins whose primary group is still Domain Users matches `'primarygroupid': '513'`, not `'512'`. To test ordinary group membership, use the memberOf condition.
### condition asnumber

BGP public AS numbers are globally unique identifiers, allocated by IANA and assigned through the regional registries, used for routing on the Internet. They originally ranged from 1 to 64495 (16-bit) and were extended to 32-bit for more availability. Public AS numbers must be unique on the Internet, and BGP uses the AS number in its loop prevention mechanism.

```
'rule-asnumber' : {
  'conditions' : [ {'asnumber': [ '3215' ] , 'expected':True } ],
  'expected' : True,
  'label':'orangenetwork'
}
```

If the source IP address is in the AS number 3215, the label `orangenetwork` is set.

You can build filters for your own AS to allow or deny access.