Didmos only has ALLOW/DENY abilities, but not unset. This means the rules system that is used in crust (org, team, channel), needs to be implemented with a few work-arounds in mind:
internal/rules
The package needs to be pluggable to change the underlying permissions storage from SQL to Didmos PDP (configurable). Both RBAC and SQL should eventually conform to a single interface. If OIDC is enabled, the PDP rules should be used.
didmos structure
As roles in didmos can only be ALLOW or DENY, the resources need to be duplicated there to enable INHERIT/UNSET rules. For example:
In SQL:
resource=channel:1,
operation=manage.webhooks,
access=allow,deny or inherit
In PDP:
We will duplicate resource IDs based on the access rule we need (prefix with allow, deny):
allow-channel:1
deny-channel:1
resulting access
not granted
not granted
INHERIT/UNSET
granted
not granted
ALLOW
granted
granted
DENY
not granted
granted
DENY
This allows us to implement a 3-state permission in PDP.
flatten SQL structure
There are only two relevant, flat structures needed in Didmos: Organisation and Channel (for Messaging). If we rely on SQL for storage here, we can flatten the multi-level structure into a flat check.
For example: manage.roles is only defined for organisations (should check organisation resource), while message.send is only relevant to the channel, but defined on organisation and channels as well (inheritance). To simplify PDP usage, we can evaluate the rules for each channel in SQL and issue simpler queries against the PDP that will not need inheritance at all.
Didmos only has ALLOW/DENY abilities, but not unset. This means the rules system that is used in crust (org, team, channel), needs to be implemented with a few work-arounds in mind:
The package needs to be pluggable to change the underlying permissions storage from SQL to Didmos PDP (configurable). Both RBAC and SQL should eventually conform to a single interface. If OIDC is enabled, the PDP rules should be used.
As roles in didmos can only be ALLOW or DENY, the resources need to be duplicated there to enable INHERIT/UNSET rules. For example:
In SQL:
In PDP:
We will duplicate resource IDs based on the access rule we need (prefix with allow, deny):
This allows us to implement a 3-state permission in PDP.
There are only two relevant, flat structures needed in Didmos: Organisation and Channel (for Messaging). If we rely on SQL for storage here, we can flatten the multi-level structure into a flat check.
For example:
manage.roles
is only defined for organisations (should check organisation resource), whilemessage.send
is only relevant to the channel, but defined on organisation and channels as well (inheritance). To simplify PDP usage, we can evaluate the rules for each channel in SQL and issue simpler queries against the PDP that will not need inheritance at all.