you can configure the proxy to inject headers like “x-forwarded-user” and “x-forwarded-groups” so that ReadonlyREST can use that for authentication purposes.
What I thought you meant was that GRP would get populated with x-forwarded-groups in the same way that USR does for x-forwarded-user. But this seems not to be the case. Indeed I can find no trace of x-forwarded-groups in the code.
Were you referring to a possible future capability?
Even if I extended the rule to support x-forwarded-groups it would have very different behavior than it currently does – i.e., the user is not needed. ProxyAuthRuleSettings would not even accept that.
- name: PLANT-OPERATOR
  headers:
    - x-forwarded-group:operator # requiring a header value here, technically counts as authorization
  proxy_auth: "*" # allow any value for x-forwarded-user, which will be recognised as username (will read on the bottom left button)
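
Added example, not part of the thread and not ReadonlyREST code: a simplified Python model of how the block above is evaluated, showing that the group check comes from the `headers` rule while `proxy_auth` only supplies the username, and that both headers are only as trustworthy as the request's origin. The `hosts` pinning, the proxy address 10.0.0.5, exact-match comparison and the function name `match_block` are assumptions for illustration.

```python
# Simplified model of one ReadonlyREST ACL block (illustrative, not plugin code).
# Assumption: every rule in a block must match for the block to match.
from typing import Optional

USER_HEADER = "x-forwarded-user"  # header the thread says proxy_auth reads

# Constructed blocks mirroring the YAML above; the second adds a `hosts` rule.
BLOCK = {
    "name": "PLANT-OPERATOR",
    "headers": ["x-forwarded-group:operator"],
    "proxy_auth": "*",
}
BLOCK_PINNED = dict(BLOCK, hosts=["10.0.0.5"])  # 10.0.0.5: assumed proxy address


def match_block(block: dict, headers: dict, origin: str) -> Optional[str]:
    """Return the username if every rule in the block matches, else None."""
    # HTTP header names are case-insensitive
    hdrs = {k.lower(): v for k, v in headers.items()}

    # hosts: the request must originate from a listed address (the proxy).
    # Simplified to exact match; no CIDR or hostname handling here.
    if "hosts" in block and origin not in block["hosts"]:
        return None

    # headers: every listed "name:value" pair must be present on the request.
    # This is the step that stands in for a group check.
    for pair in block.get("headers", []):
        name, _, value = pair.partition(":")
        if hdrs.get(name.lower()) != value:
            return None

    # proxy_auth: the user header must be present; "*" accepts any username.
    user = hdrs.get(USER_HEADER)
    if not user:
        return None
    allowed = block["proxy_auth"]
    if allowed != "*" and user != allowed:
        return None
    return user
```

Without the `hosts` rule the block accepts the two headers from any origin, so the node should only be reachable through the proxy that sets them.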