`jwt-authz` auth policy doesn't specify an `action` so it defaults to being `ALLOW`
Bug
Description
While testing a monitoring renovate with SSO enabled, I noticed that Grafana dashboards had an "RBAC: permission denied" pop-up.
After some troubleshooting, I believe it is because the `jwt-authz` authorization policy doesn't list an `action`. Per the documentation, the default action is `ALLOW`. As a result, I believe this turns on the default deny behavior I am observing.
BigBang Version
What version of BigBang were you running?
I'm running this umbrella chart big-bang/bigbang!4667 (merged) as I originally thought it would solve the problem.
These are the overrides I'm supplying:
```yaml
---
istio:
  enabled: true
istioOperator:
  enabled: true
monitoring:
  enabled: true
  git:
    tag: null
    branch: "renovate/ironbank"
  sso:
    enabled: true
    prometheus:
      client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-prometheus
    alertmanager:
      client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-alertmanager
grafana:
  sso:
    enabled: true
    grafana:
      client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-grafana
      scopes: "openid Grafana"
jaeger:
  enabled: true
  sso:
    enabled: true
    client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-jaeger
kiali:
  enabled: true
  sso:
    enabled: true
    client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-kiali
addons:
  authservice:
    enabled: true
```
For completeness, I also use the `./docs/assets/configs/example/policy-overrides-k3d.yaml` and `./chart/ingress-certs.yaml` files as well.
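
The Istio evaluation order that makes an omitted `action` matter, as an added example (not part of the original issue and not Big Bang's code). It is a simplified model that skips CUSTOM policies and matches only `requestPrincipals`. The `JWT_AUTHZ` policy and both requests are constructed stand-ins, and all policies passed in are assumed to select the same workload.

```python
# Simplified model of Istio AuthorizationPolicy evaluation (CUSTOM omitted).
# Only from[].source.requestPrincipals is matched: an exact value, or "*" for
# any non-empty principal. Policies and requests are constructed samples.

def effective_action(policy):
    """Istio treats an omitted spec.action as ALLOW."""
    return policy.get("spec", {}).get("action", "ALLOW")

def implicit_allow(policies):
    """Names of policies that rely on the default action instead of stating it."""
    return [p["metadata"]["name"] for p in policies
            if "action" not in p.get("spec", {})]

def rule_matches(rule, request):
    sources = rule.get("from")
    if not sources:  # no `from` clause: any source matches
        return True
    principal = request.get("request_principal")
    for entry in sources:
        wanted = entry.get("source", {}).get("requestPrincipals", [])
        if principal and ("*" in wanted or principal in wanted):
            return True
    return False

def policy_matches(policy, request):
    # A policy with no rules never matches any request.
    rules = policy.get("spec", {}).get("rules", [])
    return any(rule_matches(r, request) for r in rules)

def decide(policies, request):
    deny = [p for p in policies if effective_action(p) == "DENY"]
    allow = [p for p in policies if effective_action(p) == "ALLOW"]
    if any(policy_matches(p, request) for p in deny):
        return "DENY"
    if not allow:  # no ALLOW policies on the workload: request passes
        return "ALLOW"
    if any(policy_matches(p, request) for p in allow):
        return "ALLOW"
    return "DENY"  # ALLOW policies exist but none matched: implicit deny

# Constructed stand-in, not Big Bang's actual jwt-authz manifest.
JWT_AUTHZ = {
    "metadata": {"name": "jwt-authz"},
    "spec": {"rules": [{"from": [{"source": {"requestPrincipals": ["*"]}}]}]},
}
WITH_JWT = {"request_principal": "https://idp.example/realms/demo/user-1"}
NO_JWT = {"request_principal": None}

if __name__ == "__main__":
    for name, req in (("with JWT", WITH_JWT), ("no JWT", NO_JWT)):
        print(name, "->", decide([JWT_AUTHZ], req))
```

Running `implicit_allow` over the rendered policies for a workload lists the ones whose behavior depends on the default.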