Closed baboulebou closed 1 month ago
I think the reasoning is we want to be able to ask:
The scenario @davidjbrossard outlined is why we didn't treat it as mandatory.
In the interop scenario, there are two such queries:
To be sure, these could be modeled differently. You could model a resource of type "todo-creator" with a singleton instance - { "type": "todo-creator", "id": "todo-creators" } and then the access check would be check("user:rick", "member", "todo-creator:todo-creators").
I am not against this. In fact, we would achieve MORE interoperability with OpenFGA, SpiceDB, and Topaz (ReBAC mode) if we decided to enforce this opinion.
Before we do this, I would want to know - how hard would it be for ReBAC implementations to support "type" but not "id" for the resource context?
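As an added illustration (not code from the AuthZen draft or from any of the implementations named in this thread), a small Python validator that enforces the mandatory resource `id` the thread converges on, and shows the singleton-instance modelling from the comment above mapped onto a ReBAC check tuple. The request field names (subject/action/resource with `type`, `id`, `name`) follow the AuthZen draft; the function names and the "append an s" singleton id are my own assumptions.

```python
# Constructed sample code: validates an AuthZen-style evaluation request
# and maps it onto the (subject, relation, object) check used in the thread.

class InvalidRequest(ValueError):
    """Raised when a request does not carry the fields the thread agrees are mandatory."""


def validate_evaluation_request(req: dict) -> None:
    """Require subject, action and resource; subject and resource need type AND id.

    The resource id being mandatory is the decision reached in this thread;
    without it the request would really be a search, not an access check.
    """
    for part in ("subject", "action", "resource"):
        if not isinstance(req.get(part), dict):
            raise InvalidRequest(f"missing '{part}' object")
    for part in ("subject", "resource"):
        for key in ("type", "id"):
            if not req[part].get(key):
                raise InvalidRequest(f"{part}.{key} is required")
    if not req["action"].get("name"):
        raise InvalidRequest("action.name is required")


def to_rebac_check(req: dict) -> tuple[str, str, str]:
    """Map a validated request to the ReBAC tuple ("type:id", relation, "type:id").

    The action name is used as the relation, matching the thread's
    check("user:rick", "member", "todo-creator:todo-creators") example.
    """
    validate_evaluation_request(req)
    subj, res = req["subject"], req["resource"]
    return (
        f"{subj['type']}:{subj['id']}",
        req["action"]["name"],
        f"{res['type']}:{res['id']}",
    )


def singleton_request(subject_id: str, relation: str, resource_type: str) -> dict:
    """Build the 'singleton instance' form of a type-level question.

    "Can rick create todos?" becomes a check against one well-known instance
    of a type such as "todo-creator"; the id convention (type + "s") is an assumption.
    """
    return {
        "subject": {"type": "user", "id": subject_id},
        "action": {"name": relation},
        "resource": {"type": resource_type, "id": f"{resource_type}s"},
    }
```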
A question with no resource type, in my world, boils down to: find me all the Resources that are related in some way to the subject. I.e., what you guys call a search (and I call pattern matching or path finding).
I don't see how you can answer @davidjbrossard 's question btw: Can Alice view records as a whole, what does it mean? She can view SOME but not ALL records. What's the answer then, true or false?? And how is that useful?
And @ogazitt indeed the singleton instance is how we had to implement Todo's in 3Edges for the interop. It's OK and it works, but a bit of a hack in my world.
To be honest, for clarity, imho draft 1.0 should enforce the simple question as we discussed: can subject X access resource Y. Simple and clear. We can tackle the rest when we get to the Search API topic... Hence make Resource ID mandatory.
That type of question is mainly used when building UI or getting a set of claims but I do agree that in theory you should tackle that through search not through a PDP request.
To close the loop, we agreed in the June 25 2024 meeting to make resource ID mandatory. This is addressed by https://github.com/openid/authzen/pull/117
I replied with a comment. Other than that comment/question, we're good to go.
1.4.2 Resources: --> if id is OPTIONAL, and not provided in a request, then this makes the request a search, doesn't it? Or what are the semantics in this case? Seems to me that this should be MANDATORY for this v1.0