2020-02-29 00:43:59 +00:00
|
|
|
---
|
|
|
|
layout: default
|
|
|
|
title: Access Control
|
|
|
|
parent: Configuration
|
2020-05-15 23:41:42 +00:00
|
|
|
nav_order: 1
|
2020-02-29 00:43:59 +00:00
|
|
|
---
|
|
|
|
|
|
|
|
# Access Control
|
|
|
|
{: .no_toc }
|
|
|
|
|
|
|
|
## Access Control List
|
|
|
|
|
|
|
|
With **Authelia** you can define a list of rules that are going to be evaluated in
|
2020-03-09 22:37:46 +00:00
|
|
|
sequential order when authorization is delegated to Authelia.
|
2020-02-29 00:43:59 +00:00
|
|
|
|
2020-03-09 22:37:46 +00:00
|
|
|
The first matching rule of the list defines the policy applied to the resource, if
|
|
|
|
no rule matches the resource a customizable default policy is applied.
|
2020-02-29 00:43:59 +00:00
|
|
|
|
|
|
|
|
|
|
|
## Access Control Rule
|
|
|
|
|
|
|
|
A rule defines two things:
|
|
|
|
|
2020-03-09 22:37:46 +00:00
|
|
|
* the matching criteria of the request presented to the reverse proxy
|
|
|
|
* the policy applied when all criteria match.
|
2020-02-29 00:43:59 +00:00
|
|
|
|
2020-03-09 22:37:46 +00:00
|
|
|
The criteria are:
|
2020-02-29 00:43:59 +00:00
|
|
|
|
|
|
|
* domain: domain targeted by the request.
|
|
|
|
* resources: list of patterns that the path should match (one is sufficient).
|
|
|
|
* subject: the user or group of users to define the policy for.
|
|
|
|
* networks: the network range from where should comes the request.
|
|
|
|
|
2020-03-09 22:37:46 +00:00
|
|
|
A rule is matched when all criteria of the rule match.
|
2020-02-29 00:43:59 +00:00
|
|
|
|
|
|
|
|
|
|
|
## Policies
|
|
|
|
|
|
|
|
A policy represents the level of authentication the user needs to pass before
|
|
|
|
being authorized to request the resource.
|
|
|
|
|
|
|
|
There exist 4 policies:
|
|
|
|
|
|
|
|
* bypass: the resource is public as the user does not need any authentication to
|
|
|
|
get access to it.
|
|
|
|
* one_factor: the user needs to pass at least the first factor to get access to
|
|
|
|
the resource.
|
|
|
|
* two_factor: the user needs to pass two factors to get access to the resource.
|
|
|
|
* deny: the user does not have access to the resource.
|
|
|
|
|
|
|
|
## Domains
|
|
|
|
|
|
|
|
The domains defined in rules must obviously be either a subdomain of the domain
|
|
|
|
protected by Authelia or the protected domain itself. In order to match multiple
|
|
|
|
subdomains, the wildcard matcher character `*.` can be used as prefix of the domain.
|
|
|
|
For instance, to define a rule for all subdomains of *example.com*, one would use
|
2020-04-16 00:18:11 +00:00
|
|
|
`*.example.com` in the rule. A single rule can define multiple domains for matching.
|
2020-02-29 00:43:59 +00:00
|
|
|
|
|
|
|
## Resources
|
|
|
|
|
|
|
|
A rule can define multiple regular expressions for matching the path of the resource. If
|
|
|
|
any one of them matches, the resource criteria of the rule matches.
|
|
|
|
|
|
|
|
|
|
|
|
## Subjects
|
|
|
|
|
|
|
|
A subject is a representation of a user or a group of user for who the rule should apply.
|
|
|
|
|
|
|
|
For a user with unique identifier `john`, the subject should be `user:john` and for a group
|
2020-04-16 00:18:11 +00:00
|
|
|
uniquely identified by `developers`, the subject should be `group:developers`. Similar to resources
|
|
|
|
and domains you can define multiple subjects in a single rule.
|
2020-02-29 00:43:59 +00:00
|
|
|
|
|
|
|
## Networks
|
|
|
|
|
|
|
|
A list of network ranges can be specified in a rule in order to apply different policies when
|
|
|
|
requests come from different networks.
|
|
|
|
|
2020-03-09 22:37:46 +00:00
|
|
|
The main use case is when, lets say a resource should be exposed both on the Internet and from an
|
2020-02-29 00:43:59 +00:00
|
|
|
authenticated VPN for instance. Passing a second factor a first time to get access to the VPN and
|
2020-03-09 22:37:46 +00:00
|
|
|
a second time to get access to the application can sometimes be cumbersome if the endpoint is not
|
|
|
|
considered overly sensitive.
|
2020-02-29 00:43:59 +00:00
|
|
|
|
2020-03-09 22:37:46 +00:00
|
|
|
Even if Authelia provides this flexibility, you might prefer a higher level of security and avoid
|
2020-02-29 00:43:59 +00:00
|
|
|
this option entirely. You and only you can define your security policy and it's up to you to
|
|
|
|
configure Authelia accordingly.
|
|
|
|
|
|
|
|
|
|
|
|
## Complete example
|
|
|
|
|
|
|
|
Here is a complete example of complex access control list that can be defined in Authelia.
|
|
|
|
|
2020-04-11 04:46:07 +00:00
|
|
|
```yaml
|
|
|
|
access_control:
|
|
|
|
default_policy: deny
|
|
|
|
rules:
|
|
|
|
- domain: public.example.com
|
|
|
|
policy: bypass
|
|
|
|
|
|
|
|
- domain: secure.example.com
|
|
|
|
policy: one_factor
|
|
|
|
networks:
|
|
|
|
- 192.168.1.0/24
|
|
|
|
|
2020-04-16 00:18:11 +00:00
|
|
|
- domain:
|
|
|
|
- secure.example.com
|
|
|
|
- private.example.com
|
2020-04-11 04:46:07 +00:00
|
|
|
policy: two_factor
|
|
|
|
|
|
|
|
- domain: singlefactor.example.com
|
|
|
|
policy: one_factor
|
|
|
|
|
|
|
|
- domain: "mx2.mail.example.com"
|
|
|
|
subject: "group:admins"
|
|
|
|
policy: deny
|
|
|
|
|
|
|
|
- domain: "*.example.com"
|
2020-04-16 00:18:11 +00:00
|
|
|
subject:
|
|
|
|
- "group:admins"
|
|
|
|
- "group:moderators"
|
2020-04-11 04:46:07 +00:00
|
|
|
policy: two_factor
|
|
|
|
|
|
|
|
- domain: dev.example.com
|
|
|
|
resources:
|
|
|
|
- "^/groups/dev/.*$"
|
|
|
|
subject: "group:dev"
|
|
|
|
policy: two_factor
|
|
|
|
|
|
|
|
- domain: dev.example.com
|
|
|
|
resources:
|
|
|
|
- "^/users/john/.*$"
|
|
|
|
subject: "user:john"
|
|
|
|
policy: two_factor
|
2020-04-16 00:18:11 +00:00
|
|
|
```
|