Impersonation
The Impersonation Filter (also known as the Access Control List (ACL) Filter) gives specified server distinguished names (DNs) the privilege to impersonate users. The incoming headers EXTERNAL_SYS_DN and SSL_CLIENT_S_DN are validated against this list to make sure that both servers involved in impersonating a user are known and have permission to do so.
The Impersonation/ACL filter allows system administrators to specify a list of DNs which are allowed to access a service. If a DN is not in this approved list, that request is rejected with a . In typical installations of Grey Matter, sidecars are set up to only accept communication from the edge and a global DN for inter-mesh communication:
This ensures that services refuse any communication that does not pass through edge and is not using a valid sidecar DN.
A Service may need to impersonate users in order to access user information (e.g. email addresses, phone numbers) or validate that a user exists in the system. To set this up, a User Service sidecar could have the following impersonation filter configuration:
This will give user-service the ability to send any USER_DN to the User Service in order to access information on any user.
USER_DN - The effective (possibly impersonated) Distinguished Name of the requesting application
SSL_CLIENT_S_DN - The Distinguished Name taken from the system certificate
EXTERNAL_SYS_DN - The Distinguished Name taken from the external system certificate (originally inside s_client_s_dn)
| Name | Type | Default | Description |
| --- | --- | --- | --- |
| servers | String | "" | Pipe (\|) delimited string of server DNs that will be validated against the incoming request. |
| caseInsensitive | Boolean | false | If set to true, does not validate case for each server DN specified. |
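The following is an added example, not Grey Matter's own filter code, that models the check described above: the three headers listed earlier (USER_DN, SSL_CLIENT_S_DN, EXTERNAL_SYS_DN) are evaluated against the `servers` and `caseInsensitive` settings from the table. The page's own configuration snippets are not shown, so only the field names from the table are used. The DNs, header values and the choice of which approved DN appears in which header are constructed for illustration; the fallback of the effective identity to SSL_CLIENT_S_DN when USER_DN is absent, and the fail-closed handling of an empty `servers` list, are assumptions of this example rather than documented behaviour.

```python
"""Added example (not Grey Matter's own filter code): a minimal model of the
Impersonation/ACL check described on this page, driven by the `servers` and
`caseInsensitive` settings from the configuration table."""
from dataclasses import dataclass
from typing import List, Mapping, Optional, Set


@dataclass
class ImpersonationFilterConfig:
    # Pipe (|) delimited string of approved server DNs, as in the table.
    servers: str = ""
    # When true, DN comparison ignores case (the table's `caseInsensitive`).
    case_insensitive: bool = False

    def approved_dns(self) -> List[str]:
        """Split the pipe-delimited `servers` string, dropping empty entries."""
        return [dn.strip() for dn in self.servers.split("|") if dn.strip()]


@dataclass
class Decision:
    allowed: bool
    reason: str
    effective_dn: Optional[str] = None  # identity the upstream service acts as


def _normalize(dn: str, case_insensitive: bool) -> str:
    dn = dn.strip()
    return dn.lower() if case_insensitive else dn


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_impersonation(headers: Mapping[str, str],
                        config: ImpersonationFilterConfig) -> Decision:
    """Validate SSL_CLIENT_S_DN and EXTERNAL_SYS_DN against the approved list.

    Both server DNs must be present and approved before USER_DN is honoured.
    Assumption of this example: when USER_DN is absent, the effective identity
    falls back to SSL_CLIENT_S_DN.
    """
    approved: Set[str] = {_normalize(dn, config.case_insensitive)
                          for dn in config.approved_dns()}
    if not approved:
        # Assumption: fail closed, an empty ACL approves nobody.
        return Decision(False, "servers list is empty; nothing is approved")

    for name in ("SSL_CLIENT_S_DN", "EXTERNAL_SYS_DN"):
        value = _header(headers, name)
        if not value:
            return Decision(False, f"missing required header {name}")
        if _normalize(value, config.case_insensitive) not in approved:
            return Decision(False, f"{name} is not an approved server DN: {value!r}")

    effective = _header(headers, "USER_DN") or _header(headers, "SSL_CLIENT_S_DN")
    return Decision(True, "both server DNs approved", effective_dn=effective)


# Constructed sample values (not real certificates or a real deployment).
SAMPLE_CONFIG = ImpersonationFilterConfig(
    servers="CN=edge,O=Example Mesh,C=US|CN=user-service,O=Example Mesh,C=US",
)
SAMPLE_HEADERS = {
    "SSL_CLIENT_S_DN": "CN=edge,O=Example Mesh,C=US",
    "EXTERNAL_SYS_DN": "CN=user-service,O=Example Mesh,C=US",
    "USER_DN": "CN=alice,OU=People,O=Example Mesh,C=US",
}

if __name__ == "__main__":
    print(check_impersonation(SAMPLE_HEADERS, SAMPLE_CONFIG))
    rogue = {**SAMPLE_HEADERS, "EXTERNAL_SYS_DN": "CN=rogue,O=Example Mesh,C=US"}
    print(check_impersonation(rogue, SAMPLE_CONFIG))
```

With `caseInsensitive` left at its default of `false`, a DN that differs from the approved entry only in case is rejected, which is the stricter setting; enabling it widens what matches, so the approved list should be reviewed with that in mind.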