resource ownership in Athenz #2573
The following are the use cases that we’re trying to solve with the introduction of resource ownership in Athenz:
The domain administrator is using TF to manage domain data (could be using a personal account or some service identity).
The administrator wants to block those resources from being modified using Athenz UI and/or zms-cli since that will create a drift in TF state.
The administrator should have the capability to override the ownership and make changes in case of emergency situations (e.g. TF deleted a service identity from a role but it needs to be re-added asap).
This capability must be available using zms-cli and preferably from Athenz UI as well.
In Athenz UI I should be prompted that the user should not proceed with the move unless explicitly specified.
The roles/policies are created and managed by another service built on top of Athenz.
Resource ownership should support partial ownership. For example, with roles and groups, TF can manage either members or meta so the server must support and enforce ownership at that level and not just at the object level.
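
A minimal sketch of the component-level enforcement described in the use cases above, added here as an illustration and not taken from the issue or the Athenz code base. The type names, the owner strings ("TF", "ui", "zms-cli") and the `override` flag are assumptions made for the example.

```go
package main

import "fmt"

// Component is the separately ownable part of a role or group (hypothetical names).
type Component string

const (
	Members Component = "members"
	Meta    Component = "meta"
)

// Decision is the outcome of an ownership check.
type Decision int

const (
	Deny Decision = iota
	Allow
	AllowOverride // permitted only because the caller explicitly overrode ownership
)

// Ownership records which client owns each component; a missing entry means unowned.
type Ownership map[Component]string

// Check decides whether caller may modify component c of a resource.
// override models the emergency path the administrator selects explicitly.
func Check(o Ownership, c Component, caller string, override bool) Decision {
	owner, owned := o[c]
	switch {
	case !owned || owner == caller:
		return Allow
	case override:
		return AllowOverride
	default:
		return Deny
	}
}

func main() {
	// Constructed sample: TF manages the members of a role, nobody owns its meta.
	role := Ownership{Members: "TF"}
	fmt.Println(Check(role, Members, "TF", false))     // owner changes its own component
	fmt.Println(Check(role, Members, "ui", false))     // another client, no override
	fmt.Println(Check(role, Meta, "ui", false))        // unowned component
	fmt.Println(Check(role, Members, "zms-cli", true)) // explicit emergency override
}
```

Returning `AllowOverride` as a distinct result lets the caller record every emergency change separately from ordinary ones.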