On 12/05/16 19:50, Justin Ross wrote:
Do we want to be able to apply policy to operator tools?  These would be
tools for inspecting a router or router network as a whole, not a
particular vhost.

I would think you would just authenticate as an administrator (or a user in an administrator group). That would apply even for tools users built for themselves.

These tools would (under certain configurations) connect from anywhere to
anywhere on the router network.  Even for a single router there would be
multiple sensible connection interfaces.

Without a distinct way to specify the application (baked into the tools, in
this scenario), I think you would need to use a special-case vhost, a la
"x-operator-tools".  This seems like an abuse of the vhost concept.  But
I'd be fine with it if you all say it works for you.

Another way perhaps would be to have policy for addresses.

I think you would have different permissions for different addresses, i.e. in a given application policy you would define which sources/targets users in a given group could link to.

The only case I see where it would be sensible to have the same source/target addresses used in different application policies would be if those addresses referred to different paths. I.e. a full multi-tenant solution. Otherwise it just seems like a liability.

