Authorization

These sections show you how to configure the authorization of Axoflow Console with different authentication backends.

You can configure authorization in the spec.pomerium.policy section of the Axoflow Console manifest. In on-premises deployments, the manifest is in the /var/lib/rancher/k3s/server/manifests/axoflow.yaml file.

You can grant read and write access (using the keys under spec.pomerium.policy) and read-only access (using the keys under spec.pomerium.policy.readOnly) to Axoflow Console by listing individual email addresses and user groups. Which key to use depends on the authentication backend configured for Axoflow Console:

  • emails: Email addresses used with static passwords and GitHub authentication.

    With GitHub authentication, use the primary GitHub email addresses of your users; otherwise, authorization fails.

  • claim/groups: LDAP groups used with LDAP authentication. For example:

      policy:
        emails: []
        domains: []
        groups: []
        claim/groups:
          - managers
        readOnly:
          emails: []
          domains: []
          groups: []
          claim/groups:
            - employee
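
A policy like the one above can be reviewed for least privilege before it is applied. The following is an added example, not part of the Axoflow documentation or tooling: it takes the policy as a Python mapping with the same structure as the YAML, lists who gets read-write and read-only access for a given backend, and flags entries worth a second look. The backend labels (static, github, ldap), the function name and the DRIFTED_POLICY sample are assumptions made for this example.

```python
# Added example: least-privilege review of a spec.pomerium.policy block.
# The backend labels are hypothetical names used only by this script; the
# key pairing (emails / claim/groups) is the one described above.
KEY_FOR_BACKEND = {"static": "emails", "github": "emails", "ldap": "claim/groups"}


def review_policy(policy, backend):
    """Return (read_write, read_only, findings) for one policy mapping."""
    key = KEY_FOR_BACKEND[backend]
    read_only_block = policy.get("readOnly") or {}
    read_write = list(policy.get(key) or [])
    read_only = list(read_only_block.get(key) or [])
    findings = []
    if not read_write and not read_only:
        findings.append(f"no entries under '{key}' for the {backend} backend")
    # The same principal in both lists makes the intended access level unclear.
    for name in sorted(set(read_write) & set(read_only)):
        findings.append(f"'{name}' is in both the read-write and read-only lists")
    # Entries under a key that belongs to a different backend deserve a look.
    for other in sorted(set(KEY_FOR_BACKEND.values()) - {key}):
        stray = list(policy.get(other) or []) + list(read_only_block.get(other) or [])
        if stray:
            findings.append(f"'{other}' has entries {stray} but backend is {backend}")
    return read_write, read_only, findings


# The LDAP policy from the example above, as a Python mapping.
PAGE_POLICY = {
    "emails": [], "domains": [], "groups": [], "claim/groups": ["managers"],
    "readOnly": {"emails": [], "domains": [], "groups": [],
                 "claim/groups": ["employee"]},
}

# Constructed sample with two problems, for illustration only.
DRIFTED_POLICY = {
    "emails": ["admin@example.com"], "claim/groups": ["managers"],
    "readOnly": {"claim/groups": ["managers", "employee"]},
}

if __name__ == "__main__":
    for label, policy in (("page", PAGE_POLICY), ("drifted", DRIFTED_POLICY)):
        rw, ro, findings = review_policy(policy, "ldap")
        print(label, "read-write:", rw, "read-only:", ro)
        for finding in findings:
            print("  review:", finding)
```

The findings are prompts for a human review of the manifest, not statements about how Axoflow Console resolves such entries.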