Does warden groups work with internal Hydra APIs?

[bdudelsack]

I'm trying to create a group of superadmins which members can access the Hydra API but it does not work.

Am i understanding right that the internal Access Controll of Hydra API does not support subjects like "groups:..." and only work with user IDs?

Sample policy:

{
    "id": "group-superadmins",
    "description": "Allow everyhting for members of the superadmin group",
    "subjects": [
        "groups:superadmins"
    ],
    "effect": "allow",
    "resources": [
        "rn:hydra:<.*>"
    ],
    "actions": [
        "<.*>"
    ],
    "conditions": {}
}

[aeneasr]

Hi, this has been an issue elsewhere too, the groups: prefix is not fixed! You have to literally name your group groups:my-group. If the ID of your group is my-group, than it is not prefixed with groups:.

[bdudelsack]

That works. Thank you!

[aeneasr]

Reopening, because you're the third or fourth person having that misconception. Should be fixed in the docs.

[aeneasr]

Ok, so this has changed significantly over the past few weeks as access control is now optional and configured via oathkeeper and keto. I'll update the docs before the release.