Feature/regexp policy matcher #77
Conversation
Should preserve existing behaviour.
|
Some thoughts/considerations:
E.g: Is equivalent to: Is equivalent to: Can't honestly say whether this is a feature or a bug, but generally would lean that if we want to enforce one set of rules then no wildcards at all at the key level - either a an exact matching path and no
Of course this in current state would make the rules even more "non-intuitive". |
|
Thanks for the contribution! When I first saw #76 I was a bit perplexed on how I would design this feature. I think your approach is a bit more powerful, but also more "optional" and has resulted in a cleaner design than what I was thinking.
I thought about this, while I don't like the fact that there are multiple ways to specify a rule and I prefer prefix matching, I understand that the regex matching is necessary and that we should prefer one way of doing things. However, to your point about leaning towards regex, I would argue the other way. Introducing regex also means introducing a couple more footguns; an improper regex can mean you accidentally make a policy too broad. If someone wants to be conservative, it's easier to do that with prefix matching. I prefer how you've currently implemented things - use prefix matching where appropriate (which I believe is most cases), and dropdown to regex if you need something more powerful and opt into the footguns. If your problem isn't solved by prefix-matching, then falldown into regex - hopefully you don't need to, but if you do it's there and if you don't there's a more straightforward, less powerful to accomplish a more general task. |
Maybe at first. But after you do a few, then it's straightforward.
I definitely see this concerns as a feature. You can achieve the same outcome in multiple ways, so you can choose the one that suits your case the most.
Definitely. In addition to #76 I already have a few other use cases that require either wildcard/glob inside the rule or regular expression to work, like giving a set of policies to all services inside a group.
I think you shouldn't be too protective for the users. It's they decision on what and how they want to use. Vault policies could be abused on their own - one can just allow anything and then just match |
|
@nemosupremo Well put argument for "explicit path match, then wildcard, and only then if really needed use a regexp". Thought it over and it is indeed saner than "explicit path match or regexp". So 👍 on this point. With the above said I don't see any straightforward way to "enforce" "either this way or that way", so I'm personally OK with "you can do the same in (at least) three ways, if you wish". I was a bit surprised that you've already merged :) I still see as outstanding:
I think I should be able to find time to do a PR for 1 and/or 2 if there is a consensus. As from the POV of our business needs the current state is already good enough though. |
Addresses directly this issue.
Reworked from prefix matching to regexp matching, while trying to preserve the current behavior.
Our motivation is due to Metronome prefixing
task_namewith a unique id, hence breaking the simple prefix matching.2019-08-28: Run full tests and all pass.