# talk-oathkeeper
m
Hey everyone, I’m evaluating oathkeeper for my latest project and I’m pretty new to ory in general. So please excuse the stupid questions. I’m aiming to use oathkeeper as a proxy and pass the request to whichever service on the backend is the most appropriate, but I’m running into some issues with the rules engine. It’s likely me doing something odd, but I figured I’d ask here to see how others have solved this. I have a very simple setup with kratos, a golang web server and oathkeeper. I’d like to have a catchall allow rule for
`hostname:port/<**>`
and then have more specific rules for things that a user needs to be authenticated for, e.g.
`hostname:port/admin/<**>`
When trying a very simple test rule set I end up with an
`Expected exactly one rule but found multiple rules`
error. Test rule set:
```yaml
---
- id: "test-rule"
  version: v0.40.6
  upstream:
    preserve_host: false
    url: "http://localhost:8081"
  match:
    url: "http://localhost:9100/<**>"
    methods:
      - GET
  authenticators:
    - handler: noop
  mutators:
    - handler: noop
  authorizer:
    handler: allow
  # errors:
  #   - handler: redirect
  #     config:
  #       to: http://localhost:4455/login

- id: "test-rule2"
  version: v0.40.6
  upstream:
    preserve_host: false
    url: "http://localhost:8081/ping"
  match:
    url: "http://localhost:9100/ping"
    methods:
      - GET
  authenticators:
    - handler: noop
  mutators:
    - handler: noop
  authorizer:
    handler: deny
  errors:
    - handler: redirect
      config:
        to: http://localhost:9100/login
```
Has anyone been able to solve this?
w
Do you really not see the overlap? 🙂 id: "test-rule":
```yaml
match:
  url: "http://localhost:9100/<**>"
  methods:
    - GET
```
and id: "test-rule2"
```yaml
match:
  url: "http://localhost:9100/ping"
  methods:
    - GET
```
`**` will, of course, overlap with `ping`.
m
Hey, yeah, the test case was specifically to figure out how oathkeeper deals with overlaps; I couldn’t find it in the doco. In a lot of systems this is handled by either having the more specific rule take precedence, e.g. traefik routing rules do this, or having explicit denies take precedence, e.g. AWS security rules. Routing can get quite complex, and I don’t want to explicitly define every route in a config file as well as in other places. I’d rather have a catchall and ship that to the system that knows more about it to deal with the details. This doesn’t seem to be a use case that matches oathkeeper, which is fine, just not the right tool for the task at hand for me right now.