Closed elprans closed 2 years ago
Honestly, I find it hard to comprehend interactions between
WHEN
,PERMIT
andRESTRICT TO
. I'm not sure if this is better than just writing a single policy with manually writing a filter with all neededAND
andOR
.
Not sure I understand. How are you going to specify the way inherited policies should combine?
Honestly, I find it hard to comprehend interactions between
WHEN
,PERMIT
andRESTRICT TO
. I'm not sure if this is better than just writing a single policy with manually writing a filter with all neededAND
andOR
.Not sure I understand. How are you going to specify the way inherited policies should combine?
Yes I did not realize that there will be inherited policies. This can easily become security nightmare, though.
Not for my "single policy" proposal. But one option to resolve inheritance nightmare, would be naming policies and specifying inherited names:
abstract type Shareable {
# permit read access to friends
policy "permit_friends" on select permit (global user in .owner.friends);
}
# Post inherits policies from Owned and Shareable
# which allow access to either owner or friends initially...
type Post extending Owned, Shareable {
inherits policy "permit_friends";
# ... other policies
}
This will make it easier to read policies for specific objects. And will make less cases for restrict to
policy.
This could also create a new pattern where base type is kinda a "library" for the policies, that different inherited types can pick from (not sure if it's a good or bad, though)
But one option to resolve inheritance nightmare, would be naming policies and specifying inherited names:
I don't think it's a good idea at all. First of all, everything else in the schema is inherited, so there will be reasonable expectation that policies do as well. Second, even if you are aware of the need to manually propagate policies, it's still very error prone, as you will have to trace the inheritance hierarchy manually, and it's easy to overlook some types and fail to inherit a "restrict".
But one option to resolve inheritance nightmare, would be naming policies and specifying inherited names:
I don't think it's a good idea at all. First of all, everything else in the schema is inherited, so there will be reasonable expectation that policies do as well. Second, even if you are aware of the need to manually propagate policies, it's still very error prone, as you will have to trace the inheritance hierarchy manually, and it's easy to overlook some types and fail to inherit a "restrict".
RESTRICT
in inherited types is a huge footgun, I think. Here is the scenario:
PERMIT
rule, it doesn't workRESTRICT
rule isRESTRICT TO
rule, and add an exception to it.I can predict that in 90% of the cases nobody will do the step (5), or just pretend that they did (5a). But we can't even write a good guide on how to do (5a).
This RFC has been superseded by #54 (object-level security), and a separate future triggers RFC.
A couple of open questions:
The downside is that with this formulation we will likely need to specify or expose policy names to address them in
alter
ordrop
, which brings us to: