feature: Delegated Claimed Permissions

[stevekuznetsov]

Feature Description

As a service provider that owns multiple APIExports, if a user accepts a PermissionClaim on one of my exports, I should be able to delegate this permission to other exports I own.

Proposed Solution

Lots to design here. Specifically:

• We need some mechanism to determine shared ownership of multiple APIExports with potentially different identities (keep in mind that we might get per-resource identities as well in #2011 ).
• We need a mechanism for the service provider to show their intent to delegate these claimed permissions
• Once we have that, we can determine in the APIBinding reconciler that a new claim should be accepted on some delegate APIExport

Alternative Solutions

No response

Want to contribute?

• [ ] I would like to work on this issue.

Additional Context

No response

[hasheddan]

This would be extremely helpful for some of our use cases. I'd be happy to work on this -- I'm wondering if we would consider introducing something like an APIExportGroup?

[stevekuznetsov]

Would the group be solving the first bullet point in my list above? I think we were hoping for a cryptography-based approach given that we expect APIExports to have globally-unique identifiers via secret data.