crusttech / crust-server

Apache License 2.0

Didmos PDP implementation of internal/rules #33

Closed titpetric closed 5 years ago

titpetric commented 5 years ago

Didmos only has ALLOW/DENY abilities, but not unset. This means the rules system that is used in crust (org, team, channel), needs to be implemented with a few work-arounds in mind:

1. internal/rules

The package needs to be pluggable to change the underlying permissions storage from SQL to Didmos PDP (configurable). Both RBAC and SQL should eventually conform to a single interface. If OIDC is enabled, the PDP rules should be used.

2. didmos structure

As roles in didmos can only be ALLOW or DENY, the resources need to be duplicated there to enable INHERIT/UNSET rules. For example:

In SQL:

In PDP:

We will duplicate resource IDs based on the access rule we need (prefix with allow, deny):

| allow-channel:1 | deny-channel:1 | resulting access |
|-----------------|----------------|------------------|
| not granted     | not granted    | INHERIT/UNSET    |
| granted         | not granted    | ALLOW            |
| granted         | granted        | DENY             |
| not granted     | granted        | DENY             |

This allows us to implement a 3-state permission in PDP.

3. flatten SQL structure

There are only two relevant, flat structures needed in Didmos: Organisation and Channel (for Messaging). If we rely on SQL for storage here, we can flatten the multi-level structure into a flat check.

For example: manage.roles is only defined for organisations (should check organisation resource), while message.send is only relevant to the channel, but defined on organisation and channels as well (inheritance). To simplify PDP usage, we can evaluate the rules for each channel in SQL and issue simpler queries against the PDP that will not need inheritance at all.
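The two mechanisms described in the issue body (encoding a three-state rule as a pair of allow-/deny- prefixed PDP resources, and flattening organisation -> channel inheritance in SQL before talking to the PDP) as an added Go example. This is not crust-server's own code; the type and function names (`Access`, `accessFromPDP`, `pdpGrantsFor`, `ruleStore`, `effectiveChannelRule`) and the sample rules are assumptions made for the illustration. The mapping from grants to INHERIT/ALLOW/DENY follows the table above row for row.

```go
package main

import "fmt"

// Access is the three-state rule crust's rules system needs (type and
// constant names assumed for this example; not crust-server's own types).
type Access int

const (
	Inherit Access = iota // unset: defer to the parent resource
	Allow
	Deny
)

func (a Access) String() string {
	switch a {
	case Allow:
		return "ALLOW"
	case Deny:
		return "DENY"
	default:
		return "INHERIT/UNSET"
	}
}

// pdpResourceIDs returns the two Didmos PDP resource IDs that together encode
// one three-state rule, using the allow-/deny- prefix scheme from the issue.
func pdpResourceIDs(resource string) (allowID, denyID string) {
	return "allow-" + resource, "deny-" + resource
}

// accessFromPDP maps the two PDP grants back to a three-state Access exactly as
// the issue's table does: any grant on the deny- resource wins, a grant on the
// allow- resource alone is ALLOW, and no grant at all is INHERIT/UNSET.
func accessFromPDP(allowGranted, denyGranted bool) Access {
	switch {
	case denyGranted:
		return Deny
	case allowGranted:
		return Allow
	default:
		return Inherit
	}
}

// pdpGrantsFor is the inverse mapping: which of the two PDP resources must be
// granted to a role so that a given Access is stored. DENY is written as a grant
// on the deny- resource only (the table's last row), so changing ALLOW to DENY
// needs the allow- grant revoked as well as the deny- grant added.
func pdpGrantsFor(a Access) (allowGranted, denyGranted bool) {
	switch a {
	case Allow:
		return true, false
	case Deny:
		return false, true
	default:
		return false, false
	}
}

// ruleStore stands in for the SQL rules table: resource -> operation -> Access.
type ruleStore map[string]map[string]Access

func (s ruleStore) get(resource, op string) Access {
	if ops, ok := s[resource]; ok {
		if a, ok := ops[op]; ok {
			return a
		}
	}
	return Inherit
}

// effectiveChannelRule flattens the organisation -> channel inheritance on the
// SQL side: the channel rule wins if set, otherwise the organisation rule, and
// a fully unset chain falls through to the caller's default. The result is a
// single ALLOW/DENY that can be pushed to the PDP with no inheritance logic.
func effectiveChannelRule(s ruleStore, org, channel, op string, fallback Access) Access {
	for _, res := range []string{channel, org} {
		if a := s.get(res, op); a != Inherit {
			return a
		}
	}
	return fallback
}

func main() {
	// Constructed sample rules: the organisation allows message.send,
	// channel:1 inherits that, channel:2 explicitly denies it.
	store := ruleStore{
		"organisation:1": {"message.send": Allow, "manage.roles": Allow},
		"channel:1":      {"message.send": Inherit},
		"channel:2":      {"message.send": Deny},
	}
	for _, ch := range []string{"channel:1", "channel:2"} {
		eff := effectiveChannelRule(store, "organisation:1", ch, "message.send", Deny)
		allowID, denyID := pdpResourceIDs(ch)
		ag, dg := pdpGrantsFor(eff)
		fmt.Printf("%s message.send -> %s (grant %s=%t, %s=%t)\n", ch, eff, allowID, ag, denyID, dg)
	}
}
```

The fallback passed to `effectiveChannelRule` is deliberately a parameter: when neither the channel nor the organisation has a rule set, the caller decides whether the flattened value written to the PDP is a deny or an allow, and choosing `Deny` there keeps the default-deny posture that the two-state PDP would otherwise lose.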

darh commented 5 years ago

On hold for now.

darh commented 5 years ago

Obsolete.