openid / authzen

Proposed standard for an Authorization API

Comments on draft 1.0 #116

Closed baboulebou closed 1 month ago

baboulebou commented 2 months ago

1.4.2 Resources: --> if id is OPTIONAL, and not provided in a request, then this makes the request a search, doesn't it? Or what are the semantics in this case? Seems to me that this should be MANDATORY for this v1.0

davidjbrossard commented 2 months ago

I think the reasoning is we want to be able to ask:

ogazitt commented 2 months ago

The scenario @davidjbrossard outlined is why we didn't treat it as mandatory.

In the interop scenario, there are two such queries:

To be sure, these could be modeled differently. You could model a resource of type "todo-creator" with a singleton instance - { "type": "todo-creator", "id": "todo-creators" } and then the access check would be check("user:rick", "member", "todo-creator:todo-creators").

I am not against this. In fact, we would achieve MORE interoperability with OpenFGA, SpiceDB, and Topaz (ReBAC mode) if we decided to enforce this opinion.

Before we do this, I would want to know - how hard would it be for ReBAC implementations to support "type" but not "id" for the resource context?
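The two modeling options ogazitt describes above, as an added example that is not part of this issue or the AuthZEN project's code: a minimal relation-tuple PDP that enforces the "resource id is mandatory" rule on an evaluation request and answers the "can Rick create todos" question through the singleton `todo-creator:todo-creators` instance. The request field names (`subject`/`resource` with `type` and `id`, `action` with `name`) follow the draft evaluation request shape; the tuple store, the `RebacPdp` class and all sample identifiers are constructed for this example.

```python
"""Added example: 'resource.id is mandatory' validation plus the singleton-instance
modeling from the thread. Tuple store, PDP class and sample data are constructed;
only the check("user:rick", "member", "todo-creator:todo-creators") shape comes
from the discussion."""
from dataclasses import dataclass


class InvalidRequest(ValueError):
    """Raised when a request does not satisfy the draft 1.0 mandatory-field rule."""


@dataclass(frozen=True)
class RelationTuple:
    subject: str   # e.g. "user:rick"
    relation: str  # e.g. "member"
    obj: str       # e.g. "todo-creator:todo-creators"


def validate_request(req: dict) -> tuple[str, str, str]:
    """Enforce subject.type/id, resource.type/id and action.name as mandatory.
    Returns (subject_ref, action_name, resource_ref) in "type:id" form."""
    required = (("subject", ("type", "id")),
                ("resource", ("type", "id")),
                ("action", ("name",)))
    for section, keys in required:
        part = req.get(section)
        if not isinstance(part, dict):
            raise InvalidRequest(f"missing '{section}' object")
        for key in keys:
            value = part.get(key)
            if not isinstance(value, str) or not value:
                raise InvalidRequest(f"'{section}.{key}' is mandatory")
    s, r, a = req["subject"], req["resource"], req["action"]
    return f"{s['type']}:{s['id']}", a["name"], f"{r['type']}:{r['id']}"


class RebacPdp:
    """Toy ReBAC PDP: the decision is true iff the exact tuple exists.
    action.name is treated directly as the relation name (an assumption)."""

    def __init__(self, tuples):
        self._tuples = set(tuples)

    def check(self, subject: str, relation: str, obj: str) -> bool:
        return RelationTuple(subject, relation, obj) in self._tuples

    def evaluate(self, req: dict) -> dict:
        subject, action, resource = validate_request(req)
        return {"decision": self.check(subject, action, resource)}


# Constructed sample store: rick may create todos (via the singleton) and
# may read one specific todo. The todo id is a made-up placeholder.
PDP = RebacPdp([
    RelationTuple("user:rick", "member", "todo-creator:todo-creators"),
    RelationTuple("user:rick", "can_read", "todo:example-todo-1"),
])

# "Can rick create todos?" modeled with the singleton instance.
SINGLETON_REQUEST = {
    "subject": {"type": "user", "id": "rick"},
    "action": {"name": "member"},
    "resource": {"type": "todo-creator", "id": "todo-creators"},
}

# The same question with only a type and no id: rejected under the
# mandatory-id rule rather than silently treated as a search.
TYPE_ONLY_REQUEST = {
    "subject": {"type": "user", "id": "rick"},
    "action": {"name": "member"},
    "resource": {"type": "todo-creator"},
}

# A well-formed request whose tuple is absent: a clean "false".
UNKNOWN_TODO_REQUEST = {
    "subject": {"type": "user", "id": "rick"},
    "action": {"name": "can_read"},
    "resource": {"type": "todo", "id": "example-todo-2"},
}


def is_rejected(req: dict) -> bool:
    """True if the PDP refuses the request as malformed (no decision returned)."""
    try:
        PDP.evaluate(req)
    except InvalidRequest:
        return True
    return False


if __name__ == "__main__":
    print(PDP.evaluate(SINGLETON_REQUEST))      # {'decision': True}
    print(is_rejected(TYPE_ONLY_REQUEST))       # True
    print(PDP.evaluate(UNKNOWN_TODO_REQUEST))   # {'decision': False}
```

With the id mandatory, a type-only request fails validation up front instead of being interpreted as "does the subject have this relation to some instance of the type", which is the ambiguity the thread is trying to avoid; the singleton instance keeps the create-style question answerable as an ordinary tuple check.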

baboulebou commented 2 months ago

A question with no resource type, in my world, boils down to: find me all the Resources that are related in some way to the subject. I.e., what you guys call a search (and I call pattern matching or path finding).

I don't see how you can answer @davidjbrossard 's question btw: Can Alice view records as a whole, what does it mean? She can view SOME but not ALL records. What's the answer then, true or false?? And how is that useful?

And @ogazitt indeed the singleton instance is how we had to implement Todos in 3Edges for the interop. It's OK and it works, but a bit of a hack in my world.

To be honest, for clarity, imho draft 1.0 should enforce the simple question as we discussed: can subject X access resource Y. Simple and clear. We can tackle the rest when we get to the Search API topic... Hence make Resource ID mandatory.

davidjbrossard commented 2 months ago

That type of question is mainly used when building UI or getting a set of claims but I do agree that in theory you should tackle that through search not through a PDP request.


ogazitt commented 2 months ago

To close the loop, we agreed in the June 25 2024 meeting to make resource ID mandatory. This is addressed by https://github.com/openid/authzen/pull/117

davidjbrossard commented 1 month ago

I replied with a comment. Other than that comment/question, we're good to go.
