ADR: Partition API Access authorization modification

ADR

Title

Restricted Partition APIs

Context

Currently the partition-service permission check is identical for every operation: CREATE/UPDATE/DELETE and GET/LIST endpoints are all governed by the same access permissions.

[Screenshots: the create, delete, patch and list endpoints with their current authorization annotations]

When authorization is checked, no distinction can be made based on which endpoint is being called.

Decision

Therefore it is proposed that the hasPermissions method used in the PreAuthorize annotation be given a PartitionOperation parameter, so that the different API endpoints can be distinguished while their permissions are checked.

[Screenshots: the PartitionOperation parameter, e.g. on the create endpoint]

To onboard this authorization change, a new application configuration variable {enable.crud.based.authorization} has to be enabled (set to True) to turn the check on.

[Screenshot: configuration] By default the config is set to false.

The partitionOperation parameter can be passed through to each CSP's overriding implementation of isDomainAdminServiceAccount, which can then use it when deciding whether to grant access.

[Screenshot: implementation]

Conclusion

The default implementation for non-Azure CSPs is modified accordingly by the Azure team so that the code adapts to this change, but with no change in its access logic.

For Azure it has been decided that when the flag {enable.crud.based.authorization} is enabled, the CREATE/UPDATE/DELETE operations are restricted and the API returns 403 Forbidden.
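The decision and conclusion above, worked through as an added Java example. This is not code from the partition-service repository: the PartitionOperation values, the Caller model, the role name service.partition.admin and the class names are assumptions made for the example; only the configuration variable {enable.crud.based.authorization}, the hasPermissions/isDomainAdminServiceAccount method names and the 403 behaviour come from this ADR. It runs without Spring, so the caller is passed explicitly instead of being read from the request context.

```java
import java.util.Set;

/** Operations a partition-service endpoint performs (assumed values; the ADR names the parameter, not its members). */
enum PartitionOperation {
    CREATE, UPDATE, DELETE, GET, LIST;

    /** CREATE/UPDATE/DELETE change partition data; GET/LIST only read it. */
    boolean isMutating() {
        return this == CREATE || this == UPDATE || this == DELETE;
    }
}

/** The caller as the CSP's token validation would present it (constructed model for the example). */
record Caller(String principal, Set<String> roles) {}

/** Raised when a check fails; in the service this surfaces as HTTP 403 Forbidden. */
final class ForbiddenException extends RuntimeException {
    ForbiddenException(String message) {
        super(message);
    }
}

/** CSP-specific hook. The operation argument is the new parameter the ADR adds (signature assumed). */
interface IAuthorizationService {
    boolean isDomainAdminServiceAccount(Caller caller, PartitionOperation operation);
}

/** Non-Azure default: accepts the new parameter but, as the conclusion states, the access logic is unchanged. */
final class DefaultAuthorizationService implements IAuthorizationService {
    static final String ADMIN_ROLE = "service.partition.admin"; // placeholder role name

    @Override
    public boolean isDomainAdminServiceAccount(Caller caller, PartitionOperation operation) {
        // The operation is intentionally ignored: every endpoint gets the same decision, as today.
        return caller.roles().contains(ADMIN_ROLE);
    }
}

/** Azure behaviour: with enable.crud.based.authorization on, mutating operations are refused outright. */
final class AzureAuthorizationService implements IAuthorizationService {
    private final boolean crudBasedAuthorizationEnabled; // value of enable.crud.based.authorization, default false

    AzureAuthorizationService(boolean crudBasedAuthorizationEnabled) {
        this.crudBasedAuthorizationEnabled = crudBasedAuthorizationEnabled;
    }

    @Override
    public boolean isDomainAdminServiceAccount(Caller caller, PartitionOperation operation) {
        if (crudBasedAuthorizationEnabled && operation.isMutating()) {
            return false; // CREATE/UPDATE/DELETE are restricted regardless of the caller's role -> 403
        }
        // Flag off, or a read operation: same decision as the default implementation.
        return caller.roles().contains(DefaultAuthorizationService.ADMIN_ROLE);
    }
}

/**
 * The bean a controller would reference from its annotation, for example
 *   @PreAuthorize("@authorizationFilter.hasPermissions(T(PartitionOperation).CREATE)")
 * on the create endpoint (type name fully qualified in real SpEL) and LIST on the list endpoint.
 */
final class AuthorizationFilter {
    private final IAuthorizationService authorizationService;

    AuthorizationFilter(IAuthorizationService authorizationService) {
        this.authorizationService = authorizationService;
    }

    boolean hasPermissions(Caller caller, PartitionOperation operation) {
        return authorizationService.isDomainAdminServiceAccount(caller, operation);
    }

    /** What the endpoint does with the result: proceed, or fail with 403. */
    void authorize(Caller caller, PartitionOperation operation) {
        if (!hasPermissions(caller, operation)) {
            throw new ForbiddenException("403 Forbidden: " + caller.principal() + " may not " + operation);
        }
    }
}

public class PartitionAuthorizationDemo {
    public static void main(String[] args) {
        Caller admin = new Caller("partition-admin-sa", Set.of(DefaultAuthorizationService.ADMIN_ROLE));
        Caller other = new Caller("some-other-sa", Set.of("service.other.viewer"));

        // Flag off (the default): Azure behaves exactly like the non-Azure default.
        AuthorizationFilter legacy = new AuthorizationFilter(new AzureAuthorizationService(false));
        System.out.println("flag off, admin CREATE -> " + legacy.hasPermissions(admin, PartitionOperation.CREATE));
        System.out.println("flag off, other LIST   -> " + legacy.hasPermissions(other, PartitionOperation.LIST));

        // Flag on: reads still follow the role check, writes are refused even for the admin account.
        AuthorizationFilter restricted = new AuthorizationFilter(new AzureAuthorizationService(true));
        System.out.println("flag on, admin GET     -> " + restricted.hasPermissions(admin, PartitionOperation.GET));
        try {
            restricted.authorize(admin, PartitionOperation.DELETE);
        } catch (ForbiddenException e) {
            System.out.println("flag on, admin DELETE  -> " + e.getMessage());
        }
    }
}
```

Two properties of this shape are worth checking in the real change: the operation is bound at the annotation on each endpoint, so a caller cannot influence which PartitionOperation is evaluated, and with the flag left at its default of false every implementation returns the same decision it does today, so enabling the flag is the only step that changes behaviour.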

Edited by Himanshu Kumrawat