Skip to content
GitLab
Open
Issue created by Jason@jsangiamoReporter

Partition Service Authorization

Overview: Currently, there is some ambiguity about how calls to partition service should be authorized. At a high level, there are two approaches being taken right now:

  1. Authorizing all calls that come to partition service from a service account. Currently only Azure takes the approach where it authorizes all requests to partition service from a service principal.
  2. Authorizing calls where the caller has the entitlements service.partition.admin. Currently IBM, GCP, and AWS seem to take this approach.

My understanding from reading the relevant issue in this repo here was that the Azure-style implementation was correct for partition service since it is an internal service that is needed before Entitlements is online in the system. Is this my misunderstanding? If not, could someone provide clarity about the correct approach to authorizing calls to partition service?

Reference:

AWS Auth Code

Azure Auth Code

IBM Auth Code

GCP Auth Code

Edited by Jason