Open jakedoublev opened 1 month ago
Option 1 makes sense to me especially if initial build cost is estimated to be the same between the two.
Is the obligation FQN naming convention what would be used to decipher the difference between data attribute and obligation if placed on a TDF data policy for purposes of access enforcement?
I think product should weigh in on whether a parent->child and obligation rule type would be necessary so this could be tackled in the initial API implementation and reduce API churn. It does seem like a handy way to do organization of "like" obligations and it seems like some obligations could be hierarchical
@ttschampel Agreed, the underlying assumptions would need to be revised if parent/child on obligations and rule variations are expected to be utilized within policy and enforced appropriately.
Table of Contents
Background
Relevant ADR: https://github.com/opentdf/platform/issues/874 Relevant implementation issue: https://github.com/opentdf/platform/issues/1260
Example PEP obligations once Subject entity found to be entitled in a data access decision:
Option 1: Obligations as a separate policy construct
https://<namespace>/oblg/<name>
https://namespace/oblg/drm:watermark
anyOf
rule like we've discussedPolicy work:
obligations
tableobligation_assignments
table linking derived obligations and attribute_valuesobligation_fulfillments
tablehttps://namespace/oblg/<name>, i.e. https://demo.com/oblg/drm:watermark or demo.com/oblg/readonly
Authz/KAS/SDK work:
Option 2: Obligations via flag within existing attributes as previously detailed
Policy work
policy database migration to:
ENUM('data','obligation')
new
obligation_assignments
table linking derived obligation_attribute_values and data_attribute_valuesnew
obligation_fulfillments
tableUpdate attributes CRUD to support obligations via type enum flag
anyOf
?)Update other policy CRUD to differentiate between attribute types
obligation fulfillment conditions protos (not purely subject-oriented, so can't reuse subject condition sets without breaking changes)
FQN lookup for obligation values (no change)
https://namespace/attr/obligation_name/value/<value>, i.e. https://demo.com/attr/drm/value/watermark
CLI CRUD for obligations (still separate subcommands to improve documentation specificity and clarity)
Hide obligation type attributes/values from existing CLI CRUD of those policy objects
docs/tests for new CRUD behaviors (assignments, fulfillments)
Value protos are updated to include derived obligations
GetAttributesByValueFQNs adds support in protos/db to return derived obligations for values
GetAttributesByValueFQNs is updated to have a different response if the requested FQN was an obligation-type attribute value
Authz/KAS/SDK work:
Level of Effort (LOE) cost comparison to implement, maintain, understand, and develop
Other data points
unsafe
policy service was 9 new RPC endpoints, db functionalities with tests, 9 new CLI paths, and docs and took one engineer (myself) ~2 weeks with around 2/3 focusThe two options mostly overlap in cost to implement beyond policy, with the following roughly the same:
Pros/Cons of Options
Option 1: Obligations as a separate construct
anyOf
rule and parent/child structure)hierarchy
orallOf
rules on obligations, we'd need a new enum construct, but it would be decoupled so they could evolve separatelyOption 2: Obligations via flag within existing attributes as previously detailed
anyOf
rule