RFC: Rename "disallow" key to "deny" in plugin rules

[javierbrea]

Status

Request for Comments - Open for community feedback

Summary

This RFC proposes to rename the key "disallow" used in plugin rules to "deny", aligning with the more widely accepted and standard terminology in security and access control policies. In version 6.0, the plugin will support both keys but emit a warning at startup if any rules use "disallow". In a future version (likely 7.0 or later with at least 6 months after deprecation), support for "disallow" will be removed entirely.

Motivation

The current use of "disallow" to deny access or actions in rules is not aligned with the common standard. The key "deny" is more widely recognized and used in numerous policy frameworks such as AWS IAM, KMS, and standard software restriction policies. Aligning with this standard improves clarity and consistency.

Detailed Design

Version 6.0 Changes

• Support both "disallow" and "deny" keys interchangeably.
• Emit a clear, non-blocking warning during plugin startup if "disallow" is detected.
• Internally treat "disallow" as equivalent to "deny" to avoid breaking existing configurations.
• Update all documentation to mention only "deny" as the rules key.

Future Version (7.0 or Later)

• Remove support for the "disallow" key entirely.
• Only "deny" will be accepted in plugin rules.
• Ensure at least a 6-month period between the initial warning and removal to give users enough time to migrate.

Request for Feedback

Community feedback is requested on:

• The length of the coexistence period.
• Warning message clarity.
• Any concerns about backward compatibility or migration.

---

Thank you for reviewing this proposal. Your feedback is essential for a smooth transition.