Access Control Configuration
Access control in Develocity Provenance Governor is configured using Access Control policies, which are YAML documents formatted like the other Develocity Provenance Governor policies.
They assign access rights to identities and resources that the application has been configured with.
Develocity Provenance Governor uses a single YAML file for access control policies, but it can include multiple policies by using YAML’s --- document separator.
```yaml
apiVersion: policy.gradle.com/v1
kind: AccessControl
metadata:
  name: admin
spec:
  identityMatchingStrategy:                                   # (1)
    withBasicIdentity:
      - withName: "admin"                                     # (2)
    withOidc:
      - withIssuerUri: "https://my-oidc-issuer.example.com"   # (3)
        withClaims:                                           # (4)
          organization: "my-org"
  canPerform:
    - publish-attestations                                    # (5)
    - publish-policy-scans                                    # (6)
    - read-attestations                                       # (7)
  withResources:                                              # (8)
    - pkg:maven/*                                             # (9)
    - dv:my-develocity                                        # (10)
    - af:my-artifactory/*                                     # (11)
    - s3:my-s3-store/*                                        # (12)
```
| Callout | Description |
|---|---|
| 1 | Matchers for the identities this policy applies to. They may match OIDC (OpenID Connect) identities authenticated with HTTP Bearer auth using OIDC access tokens, or basic identities authenticated with HTTP Basic auth. |
| 2 | Matches a basic identity with the username `admin`. |
| 3 | Matches an OIDC identity issued by the specified issuer. |
| 4 | Restricts the OIDC matches to tokens carrying the specified claims. |
| 5 | Grants the ability to publish attestations. |
| 6 | Grants the ability to perform policy evaluation. |
| 7 | Grants the ability to read attestations (e.g., via the Fetch Attestation by ID API). |
| 8 | Resource matchers. |
| 9 | Resource matcher that matches all Maven packages. |
| 10 | Resource matcher that matches the Develocity instance named `my-develocity`. |
| 11 | Resource matcher that matches all repositories in the Artifactory instance named `my-artifactory`. |
| 12 | Resource matcher that matches all resources in the S3 instance named `my-s3-store`. |
Resources and matches
Access to resources is controlled by resource matchers in access control policies. A matcher is a string pattern that supports wildcards and may therefore match one or more resources. The resource types and their specifiers are:

| Resource Type | Resource specifier |
|---|---|
| Packages | The pURL of the package. Supports wildcards (e.g., `pkg:maven/*` in the example above matches all Maven packages). |
| Artifactory instance | `af:<instance-name>` followed by the resource path (e.g., `af:my-artifactory/*`). |
| Develocity instance | `dv:<instance-name>` (e.g., `dv:my-develocity`). |
| S3 instance | `s3:<instance-name>` followed by the resource path (e.g., `s3:my-s3-store/*`). |

`<instance-name>` is the name you configured for the instance (e.g., `my-artifactory` in `artifactory.instances.my-artifactory.uri`).
The portion after the instance name is the resource path relative to that instance.
For Artifactory, the resource path lets you restrict access to specific repositories.
For Develocity and S3, only the wildcard `/*` is currently supported as the resource path.
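To make the policy example and the resource-matcher rules above concrete, here is an added illustration (not Develocity Provenance Governor's own code) of how an access decision can be modelled: policies are the dicts that a YAML loader would produce from one file split on `---`, a `*` in a resource matcher is treated as a shell-style wildcard, every listed claim must equal the token's claim, and an action is allowed when any policy matches both the identity and the resource. The second policy, the `ci-reader` identity and the issuer `https://ci.example.com` are constructed for this example.

```python
from fnmatch import fnmatchcase

# Constructed sample: two AccessControl documents from one policy file.
POLICIES = [
    {"kind": "AccessControl", "metadata": {"name": "admin"},
     "spec": {"identityMatchingStrategy": {
                 "withBasicIdentity": [{"withName": "admin"}],
                 "withOidc": [{"withIssuerUri": "https://my-oidc-issuer.example.com",
                               "withClaims": {"organization": "my-org"}}]},
              "canPerform": ["publish-attestations", "publish-policy-scans",
                             "read-attestations"],
              "withResources": ["pkg:maven/*", "dv:my-develocity",
                                "af:my-artifactory/*", "s3:my-s3-store/*"]}},
    # Least-privilege reader for a CI pipeline: one action, one repository.
    {"kind": "AccessControl", "metadata": {"name": "ci-reader"},
     "spec": {"identityMatchingStrategy": {
                 "withOidc": [{"withIssuerUri": "https://ci.example.com"}]},
              "canPerform": ["read-attestations"],
              "withResources": ["af:my-artifactory/libs-release"]}},
]


def identity_matches(strategy, identity):
    """identity is {'basic': '<username>'} or {'oidc': {'iss': ..., <claims>...}}."""
    if "basic" in identity:  # HTTP Basic auth: match on username only
        return any(m.get("withName") == identity["basic"]
                   for m in strategy.get("withBasicIdentity", []))
    token = identity.get("oidc", {})
    for m in strategy.get("withOidc", []):
        if m.get("withIssuerUri") != token.get("iss"):
            continue  # wrong issuer: this matcher does not apply
        # withClaims narrows the match; an absent claim never equals the value.
        if all(token.get(k) == v for k, v in m.get("withClaims", {}).items()):
            return True
    return False


def allowed(policies, identity, action, resource):
    """Names of the policies granting `action` on `resource`; empty list = deny."""
    grants = []
    for p in policies:
        spec = p.get("spec", {})
        if p.get("kind") != "AccessControl":
            continue
        if not identity_matches(spec.get("identityMatchingStrategy", {}), identity):
            continue
        if action not in spec.get("canPerform", []):
            continue
        # fnmatchcase: "*" also spans "/", so "af:my-artifactory/*" covers every repo.
        if any(fnmatchcase(resource, pat) for pat in spec.get("withResources", [])):
            grants.append(p["metadata"]["name"])
    return grants
```

Default-deny falls out of the model: an identity with no matching policy, a claim mismatch, or a resource outside every matcher all yield an empty list.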
Basic identities
Basic identities may be configured by specifying the following sensitive application property:

```properties
basic.identities.<username>=<password>
```

`<password>` uses Spring Security's password encoder format, so you can use `{noop}password` for plaintext passwords, or use a password encoder such as bcrypt.
Actuator Basic Identities
To secure the Spring Boot Actuator endpoints, you can configure separate basic identities:

```properties
actuator.basic.identities.<username>=<password>
```

`<password>` uses the same Spring Security password encoder format, so you can use `{noop}password` for plaintext passwords, or use a password encoder such as bcrypt.
Password Values
The password value uses Spring Security's format, with a prefix indicating the encoding:

- `{bcrypt}$2a$10$…` - bcrypt-hashed (recommended for production)
- `{noop}mypassword` - plain text (only for testing, not recommended)

To generate a bcrypt password hash, use:

```shell
htpasswd -bnBC 10 "" password | tr -d ':\n'
```

Prefix the resulting hash with `{bcrypt}` when setting the property value.