* [Galene] Hierarchical tokens
From: Juliusz Chroboczek @ 2025-08-01 13:38 UTC
To: galene

I've just implemented hierarchical tokens, that apply to a whole subtree.
So now, if you do

    galenectl create-token -group public -include-subgroups

you'll get a token that works in the whole public/* hierarchy.

Next step is adding support for tokens at the root of the hierarchy, so
that you can have global tokens.

-- Juliusz
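The subtree rule described in the message above, as an added example that is not part of the original message and is not Galene's code. The Token type, its field names and the validation rules are assumptions made for illustration; root-level (global) tokens are not modelled.

```go
package main

import (
	"fmt"
	"strings"
)

// Token is a hypothetical stand-in for a stored token; the field names are
// assumptions for this example, not Galene's data model.
type Token struct {
	Group            string // group the token was issued for, e.g. "public"
	IncludeSubgroups bool   // true when created with -include-subgroups
}

// validGroup rejects names that would make a prefix comparison ambiguous:
// empty names, leading or trailing slashes, and "", "." or ".." components.
func validGroup(name string) bool {
	if name == "" {
		return false
	}
	for _, c := range strings.Split(name, "/") {
		if c == "" || c == "." || c == ".." {
			return false
		}
	}
	return true
}

// Allows reports whether the token may be used in the requested group.
func (t Token) Allows(group string) bool {
	if !validGroup(t.Group) || !validGroup(group) {
		return false
	}
	if group == t.Group {
		return true
	}
	// Compare on a component boundary: "public" must cover "public/a"
	// but must not cover the unrelated group "publicity".
	return t.IncludeSubgroups && strings.HasPrefix(group, t.Group+"/")
}

func main() {
	t := Token{Group: "public", IncludeSubgroups: true}
	// Constructed sample group names.
	for _, g := range []string{"public", "public/a/b", "publicity", "public/../private"} {
		fmt.Printf("%-20s %v\n", g, t.Allows(g))
	}
}
```

The component-boundary comparison is the part worth testing in any subtree-scoped credential: a bare string-prefix check would let a token for one group open a sibling whose name merely starts with the same characters.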
[parent not found: <98770135-CFC2-4582-A6CA-9B672797F279@webweaving.org>]
* [Galene] Re: Hierarchical tokens
From: Juliusz Chroboczek @ 2025-08-01 15:55 UTC
To: Dirk-Willem van Gulik; +Cc: galene

>> Next step is adding support for tokens at the root of the hierarchy, so
>> that you can have global tokens.
>
> Wonderful for corporate setups.

I'd expect our tie-wearing friends to prefer using an authentication
server and stateless tokens. This way, there's no user data in Galene
itself, all the authorisation data sits in a small authorisation server
that the system admins fully understand.

I assume that most system admins are more familiar with Python than Go,
which is why I wrote the sample at

    https://github.com/jech/galene-sample-auth-server

-- Juliusz
[parent not found: <B0530B2D-7B87-4947-8E86-5795156606FC@webweaving.org>]
* [Galene] Re: Hierarchical tokens
From: Juliusz Chroboczek @ 2025-08-01 17:21 UTC
To: Dirk-Willem van Gulik; +Cc: galene

>> I'd expect our tie-wearing friends to prefer using an authentication
>> server and stateless tokens. This way, there's no user data in Galene
>> itself, all the authorisation data sits in a small authorisation server
>> that the system admins fully understand.

> Agreed for 'real' users - the scenario I was trying to make simpler is
> transient setups where you easily want to delegate actions 'top down';
> e.g. for short-lived projects and where your users are at peer
> organisations.

Uh-huh. I'd rather be doing global tokens than global usernames.

-- Juliusz