Implement identity-aware routing RFC with route policies terminology#3758
Draft
Author: Don't worry about this PR just yet, just doing some more POC work on the RFC: cloudfoundry/community#1438
This commit improves the user experience for the add-access-rule command by replacing the positional GUID-based SELECTOR argument with intuitive flags that accept human-readable names and support cross-space/org resolution.

Changes:

**Command Interface:**
- Remove positional SELECTOR argument (breaking change, acceptable for unreleased feature)
- Add new flags: --source-app, --source-space, --source-org, --source-any, --selector
- Support hierarchical name resolution:
  - --source-app APP_NAME (looks in current space)
  - --source-app APP_NAME --source-space SPACE (cross-space in current org)
  - --source-app APP_NAME --source-space SPACE --source-org ORG (cross-org)
  - --source-space SPACE (space-level rule)
  - --source-org ORG (org-level rule)
  - --source-any (allow any authenticated app)
  - --selector SELECTOR (raw GUID-based selector for advanced users)
- Validate exactly one primary source is specified
- Display verbose output showing resolved selector for transparency

**Terminology Update:**
- Rename all "target" terminology to "source" throughout codebase
- Access rules specify the source (who can access), not the target
- Update AccessRuleWithRoute.TargetName → SourceName
- Update resolveAccessRuleTarget() → resolveAccessRuleSource()
- Update access-rules list command table header: "target" → "source"

**Error Handling:**
- Provide helpful error messages when app not found in current space
- Suggest using --source-space and --source-org flags for cross-space/org access
- Follow CF CLI patterns from add-network-policy command

**Testing:**
- Add 17 comprehensive test cases for add-access-rule command
- Update 19 actor tests to use new SourceName field
- All tests passing (36/36)

**Domain Integration:**
- Add enforce_access_rules support to create-shared-domain and create-private-domain
- Add --enforce-access-rules and --access-rules-scope flags
- Update domain resource with new fields

Examples:

    # Simple case - app in current space
    cf add-access-rule allow-frontend apps.identity --source-app frontend-app --hostname backend

    # Cross-space access
    cf add-access-rule allow-other apps.identity --source-app api-client --source-space other-space --hostname backend

    # Cross-org access
    cf add-access-rule allow-prod apps.identity --source-app client --source-space prod-space --source-org prod-org --hostname api

    # Space-level rule
    cf add-access-rule allow-monitoring apps.identity --source-space monitoring --hostname api

    # Org-level rule
    cf add-access-rule allow-platform apps.identity --source-org platform --hostname shared-api

    # Any authenticated app
    cf add-access-rule allow-all apps.identity --source-any --hostname public-api

Related to: cloudfoundry/community#1438
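The "exactly one primary source" check and the hierarchical app/space/org name resolution described in this commit, written out as an added Go example (not code from this PR or the cf CLI). It uses the flag names after the later selector → source rebrand; the Lookup resolver, the Source struct and the rule that --source-org combined with --source-app also needs --source-space are assumptions made for the example.

```go
package main

import "fmt"

// Flags holds the add-route-policy source flags named in the PR (CLI parsing omitted).
type Flags struct {
	SourceApp, SourceSpace, SourceOrg, Source string
	SourceAny                                 bool
}
// Source is the resolved policy source; Kind is "app", "space", "org", "any" or "raw".
type Source struct{ Kind, GUID string }
// Lookup is a hypothetical resolver assumed here: (kind, name, parent GUID) -> GUID, "" if absent.
type Lookup func(kind, name, parent string) string

// Resolve enforces "exactly one primary source", then resolves org -> space -> app, defaulting to the caller's current org/space.
func Resolve(f Flags, curOrg, curSpace string, lookup Lookup) (Source, error) {
	one := map[bool]int{true: 1}
	byName := f.SourceApp != "" || f.SourceSpace != "" || f.SourceOrg != ""
	switch {
	case one[byName]+one[f.SourceAny]+one[f.Source != ""] != 1:
		return Source{}, fmt.Errorf("specify exactly one of --source-app, --source-space, --source-org, --source-any, --source")
	case f.Source != "":
		return Source{"raw", f.Source}, nil // e.g. cf:app:<guid>, passed through unchanged
	case f.SourceAny:
		return Source{"any", ""}, nil
	}
	org, space := curOrg, curSpace
	if f.SourceOrg != "" {
		switch org = lookup("org", f.SourceOrg, ""); {
		case org == "":
			return Source{}, fmt.Errorf("org %q not found", f.SourceOrg)
		case f.SourceSpace == "" && f.SourceApp == "":
			return Source{"org", org}, nil // org-level policy
		case f.SourceSpace == "":
			return Source{}, fmt.Errorf("--source-app with --source-org also needs --source-space") // assumed rule
		}
	}
	if f.SourceSpace != "" {
		if space = lookup("space", f.SourceSpace, org); space == "" {
			return Source{}, fmt.Errorf("space %q not found", f.SourceSpace)
		}
		if f.SourceApp == "" {
			return Source{"space", space}, nil // space-level policy
		}
	}
	if guid := lookup("app", f.SourceApp, space); guid != "" {
		return Source{"app", guid}, nil
	}
	return Source{}, fmt.Errorf("app %q not found; use --source-space and --source-org for cross-space/org access", f.SourceApp)
}
```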
Per RFC commits 882b69a and 11752f2, access rules no longer have user-provided names. They are identified by their selector only, with labels/annotations used for metadata instead.

Changes:
- Removed RULE_NAME argument from add-access-rule command
- Removed Name field from AccessRule API resource
- Updated access-rules list to show 4 columns (route, selector, scope, source)
- SourceName now represents resolved app/space/org name from selector
- Updated remove-access-rule to use --selector flag instead of rule name
- Renamed DeleteAccessRule() to DeleteAccessRuleBySelector()
- Updated all tests to remove Name field references

All tests passing.
…lumns

Changed table format from:

    route                   selector   scope   source
    backend.apps.identity   ...        app     frontend-app

To:

    host      domain          path       selector   scope   source
    backend   apps.identity              ...        app     frontend-app
    api       apps.identity   /metrics   ...        space   monitoring

This provides better clarity by separating the route components into individual columns, making it easier to scan and filter visually.
…urce

Complete terminology shift for identity-aware routing RFC implementation:

**Access Rules → Route Policies**
- API: /v3/access_rules → /v3/route_policies
- CLI commands:
  - cf access-rules → cf route-policies
  - cf add-access-rule → cf add-route-policy
  - cf remove-access-rule → cf remove-route-policy
- Domain flags: --enforce-access-rules → --enforce-route-policies
- Domain fields: enforce_access_rules → enforce_route_policies, access_rules_scope → route_policies_scope

**Selector → Source**
- API field: "selector" → "source"
- CLI flag: --selector → --source
- Query params: selectors → sources, selector_resource_guids → source_guids
- Table column headers: "selector/source" → "source/name"
- Internal types: AccessRule → RoutePolicy, AccessRuleWithRoute → RoutePolicyWithRoute
- Error types: AccessRuleNotFoundError → RoutePolicyNotFoundError

**Rationale (per RFC)**
- "Route policies" aligns with existing CF "network policies" terminology
- "Source" matches C2C network policy convention (source → destination)
- Improves clarity: policies define allowed sources that can reach routes
- Better mental model for users familiar with CF networking concepts

This is a breaking change but acceptable since RFC is pre-GA with only POC/lab implementations. Clean terminology is preferred over backward compatibility at this stage.

Co-authored-by: RFC Community <cloudfoundry/community#1438>
Aligns-with: cloudfoundry/community@be8d74c1
a0ffff8 to 9409dbb
Summary
This PR implements the identity-aware routing RFC (cloudfoundry/community#1438) in the CF CLI, including the complete terminology rebrand from "access rules" to "route policies" and "selector" to "source".
Terminology Update (Breaking Change):
- access-rules → route-policies, add-access-rule → add-route-policy, remove-access-rule → remove-route-policy
- --enforce-access-rules → --enforce-route-policies, --selector → --source
- /v3/access_rules → /v3/route_policies
- AccessRule → RoutePolicy

This is an acceptable breaking change since the feature has not been GA-released.
Motivation
The original POC implementation used "access rules" terminology, but the RFC was updated to use "route policies" for better alignment with existing CF concepts. Additionally, the commands required users to manually construct GUID-based selectors (e.g., cf:app:d76446a1-f429-4444-8797-be2f78b75b08), which was cumbersome and error-prone. This PR follows CF CLI conventions from commands like add-network-policy to provide a user-friendly interface with name-based flags.

Changes
1. Terminology Rebrand (Commit: a0ffff8)
Complete rebrand across 95 files:
- route-policies, add-route-policy, remove-route-policy
- --enforce-route-policies, --source, --source-app, --source-space, --source-org, --source-any
- /v3/route_policies
- sources, source_guids
- RoutePolicy.Source, Domain.EnforceRoutePolicies, Domain.RoutePoliciesScope

Rationale (per RFC commit be8d74c):
2. Command Interface Improvements
Before:
After:
3. New Flags
add-route-policy:
- --source-app APP_NAME - Specify source app by name (resolves to GUID)
- --source-space SPACE_NAME - Specify space context for app lookup or create space-level policy
- --source-org ORG_NAME - Specify org context for space/app lookup or create org-level policy
- --source-any - Allow any authenticated app
- --source SOURCE - Raw GUID-based source for advanced users

remove-route-policy:
- --source SOURCE - Required. Specify the source to remove

create-shared-domain / create-private-domain:
- --enforce-route-policies - Require route policies for all routes on domain
- --route-policies-scope [app|space|org] - Minimum granularity for policies

4. RFC Alignment: No User-Provided Names
Per RFC commits 882b69a and 11752f2, route policies no longer have user-provided names. They are identified by their source only, with labels/annotations available for metadata.
Key Changes:
- Removed RULE_NAME positional argument from add-route-policy command
- Removed Name field from RoutePolicy API resource
- Updated route-policies list command to show 4 columns: route, source, scope, source/name
- source/name column shows the resolved name of the app/space/org from the source
- Updated remove-route-policy to use --source flag instead of name
- DeleteAccessRule() → DeleteRoutePolicyBySource()

5. Enhanced Output
add-route-policy:
route-policies:
6. Validation & Error Handling
- Suggest using --source-space and --source-org flags for cross-space/org access
- Follow CF CLI patterns from add-network-policy command

Testing
- ./out/cf)

Breaking Changes
This is a complete rebrand with no backward compatibility:
This is acceptable since:
Files Changed
- route_policy_resource.go
- route_policy.go, api_routes.go, query.go
- route_policy.go, error types, interfaces
- route_policies_command.go, add_route_policy_command.go, remove_route_policy_command.go
- create_shared_domain and create_private_domain

Checklist
Next Steps
This PR is marked as draft pending:
Related
Co-authored-by: Ruben Koster <rkoster@starkandwayne.com>