openwhisk-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Martin Henke <>
Subject Extending Authentication and Entitlement - Heads up
Date Tue, 12 Jun 2018 14:38:20 GMT

as some of you might have noticed with my last commit so please take this mail as a heads-up.
I am on the road to introduce extensibility for the authentication and entitlement in Openwhisk.

The changes are motivated by the need to integrate Openwhisk tighter into
an existing (but unfortunately partly proprietary) identity and management
system used in the IBM cloud.

The first change will be to introduce an SPI to exchange the existing EntitlementProvider
with an alternative
implementation. Since the EntitlementProvider already is implemented like a SPI-like interface

this change is very straightforward.

The authentication changes will address two areas.
First the REST API will be enabled to read other authentication formats and tokens
(e.g. bearer tokens), second there has to be the ability added to pass different authentication
to the user actions.
I plan to address this with introducing an SPI to swap the AuthorizationDirective in the RestApi
and adding a mechanism to transport variant information in the authentication key to the invoker.

All changes are designed to be transparent to the existing authentication and entitlement
implementations using the subject db.

I will open pull request for all these changes in the next days.
Feel free to comment now to this mail or later to the pull requests.

Kind regards,
View raw message