authzed / spicedb

Open Source, Google Zanzibar-inspired permissions database to enable fine-grained authorization for customer applications
https://authzed.com/docs
Apache License 2.0

Envoy external auth integration #185

Open jzelinskie opened 2 years ago

jzelinskie commented 2 years ago

This would be an external project from SpiceDB, but I'm creating this issue to gauge interest.

sjvanrossum commented 2 years ago

I've got an adapter service for this, which takes a user-provided CEL expression to convert Envoy's CheckRequest into an Authzed CheckPermissionRequest with some limited customization, e.g.

CheckPermissionRequest{
  consistency: has(request.attributes.metadata_context.filter_metadata["my.namespace"].zookie) ? Consistency{
    at_least_as_fresh: ZedToken {
      token: request.attributes.metadata_context.filter_metadata["my.namespace"].zookie
    }
  } : Consistency{
    fully_consistent: true
  },
  resource: ObjectReference{
    object_type: "resource",
    object_id: request.attributes.metadata_context.filter_metadata["my.namespace"].resource_id
  },
  permission: request.attributes.request.http.method,
  subject: SubjectReference{
    object: ObjectReference{
      object_type: "user",
      object_id: request.attributes.metadata_context.filter_metadata["envoy.filters.http.jwt_authn"].provider.sub
    }
  }
}

Ended up realizing it's likely better for our purposes to modify some of our application code instead, but this might still be useful if you've got binary-only applications running.
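The mapping that CEL expression performs, written out as an added example (not code from this thread, from SpiceDB or from the adapter described above) in Python over the JSON form of the two messages, so that the fail-closed handling of missing metadata is explicit. The `my.namespace` filter namespace and field names follow the expression above; the jwt_authn provider name `provider` and the `DenyRequest`/`authorize` helpers are assumptions, and the HTTP verb is lowercased because SpiceDB permission names are lowercase identifiers.

```python
"""Envoy ext_authz CheckRequest -> SpiceDB CheckPermissionRequest mapping.

Constructed example: the messages are plain dicts in their JSON form; no
Envoy or Authzed library is imported. Field paths follow the CEL above.
"""
from typing import Any, Callable

METADATA_NS = "my.namespace"                 # filter namespace used in the CEL above
JWT_FILTER = "envoy.filters.http.jwt_authn"  # Envoy JWT filter metadata key
JWT_PROVIDER = "provider"                    # assumed jwt_authn provider name


class DenyRequest(Exception):
    """Request lacks something needed for a meaningful permission check."""


def to_check_permission_request(check_request: dict[str, Any]) -> dict[str, Any]:
    attrs = check_request.get("attributes", {})
    fm = attrs.get("metadata_context", {}).get("filter_metadata", {})
    ns = fm.get(METADATA_NS, {})
    claims = fm.get(JWT_FILTER, {}).get(JWT_PROVIDER, {})

    resource_id = ns.get("resource_id")
    subject_id = claims.get("sub")
    method = attrs.get("request", {}).get("http", {}).get("method")
    # In CEL a missing key is an evaluation error; an adapter must treat it
    # as deny, not as an empty id that might match a wildcard relation.
    if not resource_id or not subject_id or not method:
        raise DenyRequest("missing resource_id, subject or HTTP method")

    zookie = ns.get("zookie")  # optional ZedToken supplied by an earlier filter
    consistency = ({"at_least_as_fresh": {"token": zookie}} if zookie
                   else {"fully_consistent": True})
    return {
        "consistency": consistency,
        "resource": {"object_type": "resource", "object_id": resource_id},
        # SpiceDB permission names are lowercase identifiers, so "GET" -> "get".
        "permission": method.lower(),
        "subject": {"object": {"object_type": "user", "object_id": subject_id}},
    }


def authorize(check_request: dict[str, Any],
              check: Callable[[dict[str, Any]], bool]) -> bool:
    """Fail closed: any mapping error or check failure is a deny."""
    try:
        return bool(check(to_check_permission_request(check_request)))
    except DenyRequest:
        return False
```

`check` stands in for the gRPC CheckPermission call; a real adapter would also map transport errors from SpiceDB to a deny rather than an allow.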