| author | Tor Brede Vekterli <vekterli@yahooinc.com> | 2022-06-22 15:44:57 +0000 |
|---|---|---|
| committer | Tor Brede Vekterli <vekterli@yahooinc.com> | 2022-06-29 11:20:24 +0000 |
| commit | cc44b799f0d78a5e26f12ecb8b868301095570c4 (patch) | |
| tree | 374f50996663fbdfa85d529202c0e7cccb99648d /vespalib/CMakeLists.txt | |
| parent | cbe98d69506bf60f7fcf7681eb99a79589300882 (diff) | |
Support mTLS connection-level capabilities and RPC access filtering in C++
Adds the following:
* Named capabilities and capability sets that represent (respectively)
  a single Vespa access API (such as Document API, search API etc.)
  or a concrete subset of individual capabilities that make up a
  particular Vespa service (such as a content node).
* A new `capabilities` array field to the mTLS authorization policies
  that allows for constraining what requests sent over a particular
  connection are allowed to actually do. Capabilities are referenced
  by name and may include any combination of capability sets and
  individual capabilities. If multiple capabilities/sets are configured,
  the resulting set of capabilities is the union set of all of them.
* An FRT RPC-level access filter that can be set up as part of RPC
  method definitions. If set, filters are invoked prior to RPC methods.
* A new `PERMISSION_DENIED` error code to FRT RPC that is invoked if
  an access filter denies a request.
This also GCs the unused `AssumedRoles` concept which is now deprecated
in favor of capabilities.
Note: this is **not yet** a public or stable API, and capability
names/semantics may change at any time.
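The commit message above describes three mechanisms: named capabilities and capability sets, a policy `capabilities` array whose entries are resolved to the union of everything they name, and an RPC access filter that runs before the method body and answers with `PERMISSION_DENIED`. The following is an added, self-contained C++ model of that flow; it is not Vespa's code and none of its identifiers (`Capability`, `CapabilitySet`, `resolve_capabilities`, `invoke`, the capability names such as `content_node`) are assumed to exist in the project. It also shows a defensive choice the message does not spell out: an unknown name in a policy fails resolution outright rather than being ignored, so a typo can neither silently widen nor narrow what a connection may do.

```cpp
// Illustrative model of connection-level capabilities and an RPC access
// filter. Added example; not Vespa's code. All names are hypothetical.
#include <cstdint>
#include <functional>
#include <initializer_list>
#include <map>
#include <optional>
#include <string>
#include <vector>

// Individual capabilities, one bit each. Names are illustrative only.
enum class Capability : uint32_t {
    DocumentApi = 1u << 0,
    SearchApi   = 1u << 1,
    MetricsApi  = 1u << 2,
    ClusterCtrl = 1u << 3,
};

// A set of capabilities as a bitmask; union is a bitwise OR.
struct CapabilitySet {
    uint32_t bits = 0;

    static CapabilitySet of(std::initializer_list<Capability> caps) {
        CapabilitySet s;
        for (Capability c : caps) s.bits |= static_cast<uint32_t>(c);
        return s;
    }
    bool contains(Capability c) const { return (bits & static_cast<uint32_t>(c)) != 0; }
    bool contains_all(const CapabilitySet& req) const { return (bits & req.bits) == req.bits; }
    CapabilitySet& unite(const CapabilitySet& other) { bits |= other.bits; return *this; }
};

// Name registry: a name maps to a single capability or to a capability set
// (a set stands for a whole service, here a hypothetical "content_node").
static const std::map<std::string, CapabilitySet>& registry() {
    static const std::map<std::string, CapabilitySet> r = {
        {"document_api",       CapabilitySet::of({Capability::DocumentApi})},
        {"search_api",         CapabilitySet::of({Capability::SearchApi})},
        {"metrics_api",        CapabilitySet::of({Capability::MetricsApi})},
        {"cluster_controller", CapabilitySet::of({Capability::ClusterCtrl})},
        {"content_node",       CapabilitySet::of({Capability::DocumentApi,
                                                  Capability::SearchApi,
                                                  Capability::MetricsApi})},
    };
    return r;
}

// Resolve a policy's `capabilities` array to the union of all named entries.
// An unknown name yields nullopt so a misspelt policy is rejected, not guessed.
std::optional<CapabilitySet> resolve_capabilities(const std::vector<std::string>& names) {
    CapabilitySet result;
    for (const std::string& n : names) {
        auto it = registry().find(n);
        if (it == registry().end()) return std::nullopt;
        result.unite(it->second);
    }
    return result;
}

// Outcome of an RPC invocation; PermissionDenied plays the role of the
// PERMISSION_DENIED error code described in the commit message.
enum class RpcStatus { Ok, PermissionDenied };

// An RPC method definition carrying its access-filter requirement.
struct RpcMethod {
    std::string name;
    CapabilitySet required;          // what the connection must hold
    std::function<void()> handler;   // the method body
};

// The access filter runs before the handler; on denial the handler never runs.
RpcStatus invoke(const RpcMethod& m, const CapabilitySet& connection_caps) {
    if (!connection_caps.contains_all(m.required)) return RpcStatus::PermissionDenied;
    m.handler();
    return RpcStatus::Ok;
}

int main() {
    int calls = 0;
    RpcMethod put{"put_document", CapabilitySet::of({Capability::DocumentApi}), [&] { ++calls; }};

    // A connection whose policy only grants search_api is denied.
    auto search_only = resolve_capabilities({"search_api"});
    invoke(put, *search_only);                                  // PermissionDenied, calls == 0

    // A connection granted the content_node set (which includes document_api) proceeds.
    auto content = resolve_capabilities({"content_node"});
    invoke(put, *content);                                      // Ok, calls == 1
    return calls == 1 ? 0 : 1;
}
```

The important property to keep in any real implementation is the one `invoke` shows: the filter decides before the handler runs, so a denied call has no side effects and the caller gets a distinct error code rather than a partial result.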
Diffstat (limited to 'vespalib/CMakeLists.txt')
-rw-r--r-- | vespalib/CMakeLists.txt | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/vespalib/CMakeLists.txt b/vespalib/CMakeLists.txt index 69bd709c613..609c825dafa 100644 --- a/vespalib/CMakeLists.txt +++ b/vespalib/CMakeLists.txt @@ -101,6 +101,7 @@ vespa_define_module( src/tests/net/socket_spec src/tests/net/sync_crypto_socket src/tests/net/tls/auto_reloading_tls_crypto_engine + src/tests/net/tls/capabilities src/tests/net/tls/direct_buffer_bio src/tests/net/tls/openssl_impl src/tests/net/tls/policy_checking_certificate_verifier |
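Review bot: The hunk registers `src/tests/net/tls/capabilities` in `vespa_define_module`, but because the diffstat is limited to `vespalib/CMakeLists.txt` it cannot show that the new directory's own `CMakeLists.txt` and test sources are part of this commit; please confirm they are, since a registered test subdirectory without a CMake file breaks configuration for the whole module. The entry is correctly placed in alphabetical order between `auto_reloading_tls_crypto_engine` and `direct_buffer_bio`, matching the existing list style.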