Authorization
This section covers the authorization mechanisms used in Platform-Mesh, including Relationship-Based Access Control (ReBAC) powered by OpenFGA.
kcp Authorizer Order
The authorization webhook runs after kcp's built-in authorizers. Since no --authorization-order flag is set in the platform-mesh configuration, kcp uses its default authorizer order:
- AlwaysAllowGroups
- AlwaysAllowPaths
- RBAC chain
- RequiredGroupsAuthorizer
- WorkspaceContentAuthorizer
- SystemCRDAuthorizer
- MaximalPermissionPolicyAuthorizer
- RBAC union
- BootstrapPolicyAuthorizer
- LocalRBACAuthorizer
- GlobalRBACAuthorizer
- Webhook ← ReBAC authorization happens here
The ReBAC Authorization Webhook is the final authorizer in the chain. If a request is not allowed by any of the preceding authorizers, it will be evaluated by the webhook against OpenFGA.
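To make the fall-through concrete, the following is an added Go model of the chain written for this page; it is not Platform-Mesh or kcp code. The decision semantics are simplified, and the tuple store, the verb-to-relation mapping and the users "admin" and "alice" are constructed assumptions.

```go
package main

type Decision int // three-way outcome of a Kubernetes-style authorizer
const NoOpinion, Allow, Deny Decision = 0, 1, 2

type Request struct{ User, Verb, Workspace string } // who wants which verb in which workspace

// order is the default kcp authorizer order listed above (the two RBAC grouping entries
// omitted), with the ReBAC webhook last.
var order = []string{"AlwaysAllowGroups", "AlwaysAllowPaths", "RequiredGroupsAuthorizer",
	"WorkspaceContentAuthorizer", "SystemCRDAuthorizer", "MaximalPermissionPolicyAuthorizer",
	"BootstrapPolicyAuthorizer", "LocalRBACAuthorizer", "GlobalRBACAuthorizer", "Webhook"}

// Constructed stand-ins for the OpenFGA store: tuples (user, relation, object) and an assumed verb-to-relation mapping.
var tuples = map[[3]string]bool{{"user:alice", "editor", "workspace:root:demo"}: true}
var relationFor = map[string]string{"get": "viewer", "create": "editor", "delete": "editor"}

// rebacWebhook models the final authorizer: allow only if the mocked store holds a tuple
// granting the required relation on the workspace, otherwise deny.
func rebacWebhook(r Request) Decision {
	if tuples[[3]string{"user:" + r.User, relationFor[r.Verb], "workspace:" + r.Workspace}] {
		return Allow
	}
	return Deny
}

// decide plays one named authorizer. Built-ins are stubbed to NoOpinion here except
// LocalRBACAuthorizer, which allows the constructed "admin" user (not kcp's real logic).
func decide(name string, r Request) Decision {
	switch name {
	case "LocalRBACAuthorizer":
		if r.User == "admin" {
			return Allow
		}
	case "Webhook":
		return rebacWebhook(r)
	}
	return NoOpinion
}

// Authorize walks the chain in order and stops at the first Allow or Deny; NoOpinion falls
// through, so the webhook only sees requests no earlier authorizer had an opinion on.
func Authorize(r Request) (Decision, string) {
	for _, name := range order {
		if d := decide(name, r); d != NoOpinion {
			return d, name
		}
	}
	return NoOpinion, "none"
}
```

A request allowed by local RBAC never reaches the webhook, while a request no built-in authorizer has an opinion on is decided purely by the relationship tuples.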