Open jzelinskie opened 2 years ago
I've got an adapter service for this, which takes a user-provided CEL expression to convert Envoy's CheckRequest into an Authzed CheckPermissionRequest with some limited customization, e.g.:
```
CheckPermissionRequest{
  consistency: has(request.attributes.metadata_context.filter_metadata["my.namespace"].zookie) ? Consistency{
    at_least_as_fresh: ZedToken {
      token: request.attributes.metadata_context.filter_metadata["my.namespace"].zookie
    }
  } : Consistency{
    fully_consistent: true
  },
  resource: ObjectReference{
    object_type: "resource",
    object_id: request.attributes.metadata_context.filter_metadata["my.namespace"].resource_id
  },
  permission: request.attributes.request.http.method,
  subject: SubjectReference{
    object: ObjectReference{
      object_type: "user",
      object_id: request.attributes.metadata_context.filter_metadata["envoy.filters.http.jwt_authn"].provider.sub
    }
  }
}
```
Ended up realizing it's likely better for our purposes to modify some of our application code instead, but this might still be useful if you've got binary-only applications running.
This would be an external project from SpiceDB, but I'm creating this issue to gauge interest.
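The mapping in the CEL expression above, written out in Go as an added example (not code from this thread, the adapter, or SpiceDB). The `CheckInput` and `PermissionCheck` types and the `BuildCheck` function are hypothetical stand-ins for the Envoy and Authzed messages, the sample input is constructed, and the deny-on-missing-field behaviour is an assumption about how such an adapter should fail.

```go
package main

import (
	"errors"
	"fmt"
)

// CheckInput is a constructed stand-in for the fields of Envoy's CheckRequest
// that the expression reads; nested metadata is flattened to "provider.sub".
type CheckInput struct {
	Method         string
	FilterMetadata map[string]map[string]string // namespace -> key -> value
}

// PermissionCheck is a simplified stand-in for CheckPermissionRequest.
type PermissionCheck struct {
	ResourceType, ResourceID, Permission string
	SubjectType, SubjectID               string
	AtLeastAsFresh                       string // ZedToken value; empty if unset
	FullyConsistent                      bool
}

// BuildCheck applies the same mapping, but returns an error (deny) when an
// input is missing instead of issuing a check with an empty ID or permission.
func BuildCheck(in CheckInput) (PermissionCheck, error) {
	app := in.FilterMetadata["my.namespace"]
	jwt := in.FilterMetadata["envoy.filters.http.jwt_authn"]
	if app["resource_id"] == "" || jwt["provider.sub"] == "" || in.Method == "" {
		return PermissionCheck{}, errors.New("deny: resource_id, JWT sub or method missing")
	}
	out := PermissionCheck{
		ResourceType: "resource", ResourceID: app["resource_id"],
		Permission:  in.Method,
		SubjectType: "user", SubjectID: jwt["provider.sub"],
	}
	// Same consistency choice as the expression: use the zookie when present
	// (non-empty here), otherwise fall back to a fully consistent check.
	if z := app["zookie"]; z != "" {
		out.AtLeastAsFresh = z
	} else {
		out.FullyConsistent = true
	}
	return out, nil
}

func main() {
	in := CheckInput{Method: "GET", FilterMetadata: map[string]map[string]string{ // constructed
		"my.namespace": {"resource_id": "doc1"}}}
	fmt.Println(BuildCheck(in)) // no JWT metadata, so this is denied
}
```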