I think we should land a custom authorization class to explicitly support:
1. *local* access for components inside the same deployment, established via juju-relation (think Lander or GK)
2. *internal* access for components outside the deployment but inside the DC with the appropriate fw rules, established via juju-config (think ci-train jenkins or any other crack-of-the-day subsystem)
External access, coming via webui-apache proxy (host preserved) would be submitted to openid or oauth2 authentication (request.user is setup), at this point, specifically we say 'yes, for now ...' to anonymous request.
Later, when the CLI is able to grab a oauth token and use it, we just patch the custom Authorization class and we are done.
I think we should land a custom authorization class to explicitly support:
1. *local* access for components inside the same deployment, established via juju-relation (think Lander or GK)
2. *internal* access for components outside the deployment but inside the DC with the appropriate fw rules, established via juju-config (think ci-train jenkins or any other crack-of-the-day subsystem)
External access, coming via webui-apache proxy (host preserved) would be submitted to openid or oauth2 authentication (request.user is setup), at this point, specifically we say 'yes, for now ...' to anonymous request.
Later, when the CLI is able to grab a oauth token and use it, we just patch the custom Authorization class and we are done.