Token role policy list wildcard matching #3756

Closed
azenk opened this issue Jan 5, 2018 · 5 comments

@azenk

azenk commented Jan 5, 2018

Feature Request:
It would be great if token roles allowed wildcard matching in the allowed/disallowed policy lists.

For example:
I want to programmatically generate policies per node on my system, each node policy prefixed with a namespace identifier.

If I created these policies:

  • prefix-foo
  • prefix-bar
  • prefix-baz

I'd like to be able to write a role with allowed_policies = [ "prefix-*"] to cover them all.

Currently I'd need to enumerate all of them and update the role every time a new policy is added. This works, but the policy list gets rather large and unwieldy.

@nickwales
Contributor

I had a similar idea but in reverse:

  • policy_name-read
  • policy_name-write
  • policy_name-delete

and the allowed policies:

  • policies=["*-read"]

@daveadams
Contributor

Yes, this would be great. I'd love to be able to easily manage this. As it is I'm probably going to have to do a two-step whenever I update our policies and scan the existing policies, and then rebuild the whitelist to configure the role.

@jefferai
Member

Might I suggest you spend that effort on a PR instead :-D

@daveadams
Contributor

Heh. So, I actually took a whack at it, and I think I got it working (see #5815). But in the process I realized that * is currently a legal character in policy names. So that sort of breaks the idea. Or at least prevents it from being straightforward to implement safely.

I'm now wondering if it would be possible to restrict what policies can be requested for a token using globs in the policy on the auth/token/create/<role> endpoint...
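
Added example, not part of the thread and not Vault's own code: a Go sketch of the hazard raised in the comment above, where a role list entry such as `prefix-*` that is currently a literal policy name would start matching other policies if list entries were reinterpreted as globs. The helper names `globMatch` and `widened` and all sample policy names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// globMatch: '*' matches any run of characters (including none); all else is literal.
func globMatch(pattern, name string) bool {
	parts := strings.Split(pattern, "*")
	if len(parts) == 1 {
		return pattern == name
	}
	if !strings.HasPrefix(name, parts[0]) {
		return false
	}
	name = name[len(parts[0]):]
	for _, p := range parts[1 : len(parts)-1] {
		i := strings.Index(name, p)
		if i < 0 {
			return false
		}
		name = name[i+len(p):]
	}
	return strings.HasSuffix(name, parts[len(parts)-1])
}

// widened returns the existing policy names that a role's list would newly
// allow if its entries stopped being literal names and became globs.
func widened(allowed, existing []string) []string {
	var out []string
	for _, name := range existing {
		literal, glob := false, false
		for _, a := range allowed {
			literal = literal || a == name
			glob = glob || globMatch(a, name)
		}
		if glob && !literal {
			out = append(out, name)
		}
	}
	return out
}

func main() {
	// Constructed sample data: "prefix-*" is a literal policy name here.
	existing := []string{"prefix-foo", "prefix-bar", "prefix-*", "policy_name-read", "default"}
	fmt.Println(widened([]string{"prefix-*", "default"}, existing))
	fmt.Println(widened([]string{"*-read"}, existing))
}
```

A non-empty result from `widened` marks a role whose effective grant would change silently under glob semantics, which is the case an audit of existing roles needs to catch before any such change.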

@pmmukh
Contributor

pmmukh commented Sep 21, 2021

Closed by #7277

@pmmukh pmmukh closed this as completed Sep 21, 2021