Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Move policy merged #830

Merged
merged 11 commits into from
Apr 29, 2018
Merged

Move policy merged #830

merged 11 commits into from
Apr 29, 2018

Conversation

aeneasr
Copy link
Member

@aeneasr aeneasr commented Apr 29, 2018

see #813

euank and others added 10 commits April 19, 2018 18:06
@euank
readme: correct docker exec wording
1a647a3 
`exec` is an nsenter, not an ssh

Signed-off-by: Euan Kemp <euank@euank.com>
@euank
cmd: use existing alpha-lower sequence
395ace9 
Signed-off-by: Euan Kemp <euank@euank.com>
@euank
oauth2: remove unused named returns
44c0efd 
Signed-off-by: Euan Kemp <euank@euank.com>
@euank
pkg: remove unused code
60a2f10 
This code was meant to be deleted in
9592a00 I believe.

Signed-off-by: Euan Kemp <euank@euank.com>
@monkeywithacupcake
docs: Activating Open Collective (#805)
b153352
Removes policy, warden and groups from this project
d60eec6 
We have learned a lot over the last year in terms of how ORY Hydra is being used. Initially, we wanted to avoid the problems facing popular databases like MongoDB or others, which did not include authentication for their management APIs.

For this reason, the Warden API was born and primarily used internally and exposed via HTTP. We learned that access control policies are well received, but also add additional complexity to understanding the software. While we firmly believe that these policies implement best practices for access control in complex systems, we do understand that they add a barrier to getting started with ORY Hydra.

For this reason we are planning on moving the Warden API from this project to ORY Oathkeeper or potentially it's own server. We would add a migration path for existing policy definitions to the new service. The default docker image would combine the services in such a way, that ORY Hydra is protected. We would additionally have an (insecure) docker image without authentication which can be used for testing.

This also opens up the possibility of having more access control mechanisms than access control policies. For example, we can add ACL and RBAC and other mechanisms too.

First I think it makes good sense to move this functionality into a separate service and remove the warden calls internally completely. The reason being that not everyone wants to rely on Hydra's access control. Sometimes it's enough to use a gateway in front and require e.g. an API key for management or whatever. New adopters are always baffled by complexity involved with policies and scopes. Removing that from the core could really help. The user survey has also shown that this stuff is quite complex to grasp.

The idea is to have a separate service which is basically ladon as a HTTP API. I think it makes sense to add some functionality to resolve access tokens so it would basically be very similar to the current warden API - probably even equal. There would definitely be some backup mode where hydra's database tables and migrations are used as to make migration as easy as possible.

Then, we would ship docker images and example set ups where different configurations are shown. One of the configurations would be the current one, so basically what we have now in hydra but with the three services combined in one image.

Closes #807
client: Add experimental detection of SQL error
934581c 
Returns a human-readable error for SQL errors.
cmd/server: Shortens long banner message
620a26f 
The original banner message was way to big and cluttered logs a lot. This patch reduces the banner's size significantly.
sdk: Removes the forced hydra.* scope in the SDK
71caa74
all: Removes unused code and updates go dep
083073f
@aeneasr aeneasr merged commit 73762c6 into 1.0.x Apr 29, 2018
@aeneasr aeneasr deleted the move-policy-merged branch April 29, 2018 16:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@aeneasr @euank @monkeywithacupcake