search

logto-io / logto

🧑‍🚀 The better identity infrastructure for developers and the open-source alternative to Auth0.
https://logto.io
Mozilla Public License 2.0
7.89k stars 389 forks source link

feature request: add provisioning capabilities for permissions and resources creation #5966

Open LBF38 opened 1 month ago

LBF38 commented 1 month ago

What problem did you meet?

I have tried to create new resources and scopes (permissions) from the Admin console in Logto (OSS version). And it is really heavy to define a lot of resources or permissions via UI or Management API. Therefore, I was thinking about a more efficient way to sync configurations between the project repo and the Logto instance.

Describe what you'd like Logto to have

To have a single source of truth for all permissions and resources definitions in Logto, it will be great if we could do provisioning from a configuration file that we define in our repo. Using the Management API or other methods, we can then update all configurations in a single request or update (w/ appropriate security checks: Auth headers, ...).

As an example, it could be a yaml, toml or json config file with the following patterns:

resources:
  - baseUrl: https://api.store.io
    /orders:
      - read:order
      - write:order
      - delete:order
    /products:
      - read:product
      - write:product
      - delete:product
roles:
  order_admin:
    # the resources/permissions attributions are autocompleted from above definition in resources.
    https://api.store.io/orders: 
      - read:order 
      - write:order
      - delete:order
    https://api.store.io/products:
      - read:product
  product_admin:
    https://api.store.io/products:
      - read:product
      - write:product
      - delete:product

An idea of a workflow could be to update it using the logto CLI with a command similar to logto cli permissions update <config_file.yml>.

What do you think ?

fleuraly commented 1 month ago

Hi @LBF38 this is a really good point. We are proposing similar product ideas. An additional idea, do you have similar needs for organization set up? Because in organization level it also have role-based access control

LBF38 commented 1 month ago

Thanks for your reply @fleuraly , I haven't used yet the organisations and associated RBAC. Therefore, I don't have enough experience with it to provide insightful feedbacks.

I would imagine a similar config file with specific keys and helpers for defining it.

fleuraly commented 1 month ago

@LBF38 Thanks for providing some context! Your suggestion makes total sense. Navigating through the UI or management API isn’t efficient when you already have an RBAC design or need bulk management. I’m currently working on this feature, so please stay tuned. :)

david1542 commented 1 month ago

I'm looking to migrate to Logto from auth0 and this feature is a game changer! @fleuraly do you have an ETA maybe?

github-actions[bot] commented 1 month ago

This issue is stale because it has been open for 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.