host_auth_domain

Hi,

Reading through the sg_config example file on GitHub, I saw that host_auth_domain was deprecated in favour of the hosts key in roles_mappings.

Does that mean that in order to authorize somehost to do sg_role_foo it is enough to set up the role mapping the following way?

sg_role_foo:
  hosts:
    - somehost
    - 1.2.3.4

I tried, but the host is refused anyway. host_auth_domain is not set in my sg_config.

Hi Fabien,

No, the user still needs to be authenticated before the mapping takes place. So you can implement use cases like: give a user elevated permissions if the call comes from localhost. But authentication always comes first, then the mapping is applied.


On Thursday, September 27, 2018 at 10:35:44 AM UTC+2, Fabien Wernli wrote:

Hi,

Reading through the sg_config example file on GitHub, I saw that host_auth_domain was deprecated in favour of the hosts key in roles_mappings.

Does that mean that in order to authorize somehost to do sg_role_foo it is enough to set up the role mapping the following way?


sg_role_foo:
  hosts:
    - somehost
    - 1.2.3.4

I tried, but the host is refused anyway. host_auth_domain is not set in my sg_config.

thanks, so in one sentence, it is not possible to do host-based authentication. (which is good, from a security pov)

cheers

Yes, you can only use hostnames to assign roles to an already validated user. We deprecated host-based auth because of security considerations.


On Friday, September 28, 2018 at 2:23:49 PM UTC+2, Fabien Wernli wrote:

thanks, so in one sentence, it is not possible to do host-based authentication. (which is good, from a security pov)

cheers
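
The order described in this thread (authenticate first, then apply the roles mapping) can be modelled as follows. This is an added example, not Search Guard code and not part of the original posts; the function names, the user store and the sg_role_bar entry are hypothetical, and the matching is a simplified exact-string comparison.

```python
# Simplified model of "authentication first, then roles mapping".
# Not Search Guard code; all function names here are hypothetical.
import hmac

# Constructed sample data.
USERS = {"fabien": "s3cret"}  # stand-in for an authentication backend
ROLES_MAPPING = {
    "sg_role_foo": {"hosts": ["somehost", "1.2.3.4"]},  # mapping from the thread
    "sg_role_bar": {"users": ["fabien"]},               # constructed entry
}


def authenticate(username, password):
    """Return the username if the credentials are valid, else None."""
    expected = USERS.get(username)
    if expected is None or password is None:
        return None
    ok = hmac.compare_digest(expected.encode(), password.encode())
    return username if ok else None


def map_roles(user, remote_host):
    """Roles for an already authenticated user; host entries only add roles."""
    roles = set()
    for role, rule in ROLES_MAPPING.items():
        if user in rule.get("users", []) or remote_host in rule.get("hosts", []):
            roles.add(role)
    return roles


def handle_request(username, password, remote_host):
    """Return (status, roles). The host is never consulted before authentication."""
    user = authenticate(username, password)
    if user is None:
        return 401, set()  # refused, even when remote_host is listed under hosts
    return 200, map_roles(user, remote_host)


if __name__ == "__main__":
    print(handle_request(None, None, "somehost"))          # listed host, no credentials
    print(handle_request("fabien", "s3cret", "somehost"))  # authenticated, listed host
    print(handle_request("fabien", "s3cret", "10.0.0.9"))  # authenticated, other host
```

The first call reproduces the situation in the question: a host listed under hosts is still refused when no valid credentials are presented.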