search

absmach / magistrala

Industrial IoT Messaging and Device Management Platform
https://www.abstractmachines.fr/magistrala.html
Apache License 2.0
2.46k stars 668 forks source link

Feature: Multi-State Domain Management for Varied User Permissions and Actions #1994

Open arvindh123 opened 9 months ago

arvindh123 commented 9 months ago

Is your feature request related to a problem? Please describe.

No

Describe the feature you are requesting, as well as the possible use case(s) for it.

Request for Domain States and Associated Actions:

Enable State: In this state, both domain admins and users have the authorization to perform various actions including adding/removing things, channels, groups, users, connecting, disconnecting, and messaging.

Disable State: In this state, domain admins and users can remove things, channels, groups, users, and disconnect. However, they are restricted from adding things, channels, groups, users, connecting and messaging. or Disable State: All actions are restricted for all users except domain admin and super admin.

Freeze State: All actions are restricted for both domain admins and users. Only the SuperAdmin retains the capability to execute any action within this state.

Delete State: The domain becomes invisible to both domain admins and users. Actions are only accessible to the SuperAdmin for maintenance purposes or further actions.

Indicate the importance of this feature to you.

Must-have

Anything else?

No response

arvindh123 commented 9 months ago

Q 1. How to Identify an authorization request is belongs to domain or not belongs to a domain ?

Authorization request consist of domain, subject, subject type, subject relation, subject kind, permission, object, object type, object kind

A 1. Check object type is user or thing or group

A 2. Check sub != user && obj != Platform

A 3. Check for domain in authorization request

Q 2. How to find request belongs to which domain ?

A 1. Add domain ID in each authorization request ( which already implemented in most of the other requests)

Q 2.1. How to add domain ID to each authorization request in service ?**

A 2.1. (This approach is not possible as of now) Get domain ID from JWT Subject field which is combination of domain id + user id , but this is not possible because super admin JWT subject filed will be only user id, there will be no combination domain + user id.

Details: In spicedb user subject can have admin , editor, etc. relation with a domain

For Normal user (non super admin), all relation to spicedb are added with domain prefix in user id For Example: If user id user_1 is admin of domain id domain_1 Then in spicedb relation will be stored as user:domain_1_user_1 (instead of user:user_1) as admin relation with domain_1 This helps us to filter only domain_1 related object from spicedb

For Super Admin there will not such domain id prefix is needed This because super admin user id (with out any prefix) is directly added as Platform admin relation in spicedb. Platform admin will get admin permission of all domains

A 2.2. Use domain id field from JWT token

Domain id is not sufficient , we need additional information , who is sending request (i.e domain user, domain admin, super admin) for this we required subject field of JWT token, So better have token along with authorization will solve the problem