opentdf / platform

OpenTDF Platform monorepo enabling the development and integration of _forever control_ of data into new and existing applications. The concept of forever control stems from an increasingly common concept known as zero trust.
BSD 3-Clause Clear License
17 stars, 5 forks

Add attributes to entities #1400

Open Doom4535 opened 3 weeks ago

Doom4535 commented 3 weeks ago

How does one allow entities to access attributes in OpenTDF? The examples show how to add attributes to TDF objects, but they don't show decryption of these objects after they were created with an attribute. Furthermore, there are some references to entities with attributes inside of `test/rego`, but as far as I can tell the `*.rego` files are not used.

Do we need to add a role of some sort into Keycloak that correlates a user with OpenTDF attributes or do we need to do something within OpenTDF to bind an authenticated user from Keycloak to OpenTDF?

Additionally, while going through `examples/CMD/attributes.go`, I noticed that `ruler()` always returns `policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF` even though the `switch` statement implies it should likely be one of allof, anyof, or hierarchy.

P.S. What is the current state of Casbin support (referenced in `opentdf-example.yaml`)?

damorris25 commented 2 weeks ago

Entity attributes are assigned in the IDP (Keycloak in this case). In OpenTDF, the subject mappings and subject condition sets then define how to map from the IDP definition of an entity attribute to the normalized OpenTDF Attribute values.

Example: Keycloak might have an attribute of 'nationality' with a value of 'usa', but in OpenTDF there is an Attribute called 'CountryOfAffiliation'. The subject mapping would define this mapping.

Casbin: https://github.com/opentdf/platform/blob/main/service/internal/auth/casbin.go
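The two halves of the flow discussed in this thread, IDP claims mapped to attribute values through subject condition sets, and those entitlements then checked against a TDF's data attributes under the allOf / anyOf / hierarchy rule kinds, as one added example in Go. This is toy code written for this page, not OpenTDF's own types or evaluation logic. It reuses the thread's 'nationality' = 'usa' to 'CountryOfAffiliation' mapping; the 'groups' claim, the 'Clearance' attribute and its values, the 'GBR' value, the example.com namespace, and the hierarchy ordering (index 0 is the most privileged value) are all assumptions for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule kinds named in the thread. Toy model, not OpenTDF's policy types.
type RuleType int

const (
	AllOf     RuleType = iota // every data value must be held
	AnyOf                     // at least one data value must be held
	Hierarchy                 // values ordered, index 0 = most privileged (assumed ordering)
)

// Attribute is a definition: FQN plus its rule and ordered values.
type Attribute struct {
	FQN    string
	Rule   RuleType
	Values []string
}

// ValueFQN builds a value FQN in the "<attr FQN>/value/<v>" shape.
func (a Attribute) ValueFQN(v string) string { return a.FQN + "/value/" + v }

// SubjectCondition is one check against an IDP claim (IN, or NOT IN when NotIn is set).
type SubjectCondition struct {
	Selector string // claim name in the Keycloak token (assumed names below)
	NotIn    bool
	Values   []string
}

// SubjectMapping grants one attribute value when every condition in the set holds.
type SubjectMapping struct {
	Conditions []SubjectCondition
	Grants     string // attribute value FQN
}

// Claims are the entity's IDP claims, flattened to string lists.
type Claims map[string][]string

// holds: IN passes when some claim value matches; NOT IN passes when none does (missing claim counts as none).
func (c SubjectCondition) holds(claims Claims) bool {
	found := false
	for _, have := range claims[c.Selector] {
		for _, want := range c.Values {
			found = found || strings.EqualFold(have, want)
		}
	}
	return found != c.NotIn
}

// Entitlements evaluates every mapping and returns the attribute value FQNs the entity holds.
func Entitlements(claims Claims, mappings []SubjectMapping) map[string]bool {
	out := map[string]bool{}
	for _, m := range mappings {
		granted := true
		for _, c := range m.Conditions {
			granted = granted && c.holds(claims)
		}
		if granted {
			out[m.Grants] = true
		}
	}
	return out
}

func rank(values []string, v string) int {
	for i, x := range values {
		if x == v {
			return i
		}
	}
	return -1
}

// Decide checks entitlements against the data's attribute values, per attribute rule.
// An attribute absent from the data imposes nothing; the reason string names the first failure.
func Decide(attrs []Attribute, dataValues []string, entitled map[string]bool) (bool, string) {
	for _, a := range attrs {
		var needed []string
		for _, dv := range dataValues {
			if strings.HasPrefix(dv, a.FQN+"/value/") {
				needed = append(needed, strings.TrimPrefix(dv, a.FQN+"/value/"))
			}
		}
		if len(needed) == 0 {
			continue
		}
		switch a.Rule {
		case AllOf:
			for _, n := range needed {
				if !entitled[a.ValueFQN(n)] {
					return false, "allOf: missing " + a.ValueFQN(n)
				}
			}
		case AnyOf:
			held := false
			for _, n := range needed {
				held = held || entitled[a.ValueFQN(n)]
			}
			if !held {
				return false, "anyOf: none of " + a.FQN
			}
		case Hierarchy: // entity's best value must rank at or above the data's strictest value
			need, have := len(a.Values), len(a.Values)
			for _, n := range needed {
				r := rank(a.Values, n)
				if r < 0 {
					return false, "hierarchy: unknown value " + n
				}
				if r < need {
					need = r
				}
			}
			for i, v := range a.Values {
				if entitled[a.ValueFQN(v)] && i < have {
					have = i
				}
			}
			if have > need {
				return false, "hierarchy: insufficient " + a.FQN
			}
		}
	}
	return true, "ok"
}

// Constructed sample policy: the thread's nationality -> CountryOfAffiliation mapping plus
// an assumed "groups" claim -> Clearance mapping that also excludes contractors.
var (
	country          = Attribute{FQN: "https://example.com/attr/CountryOfAffiliation", Rule: AnyOf, Values: []string{"USA", "GBR"}}
	clearance        = Attribute{FQN: "https://example.com/attr/Clearance", Rule: Hierarchy, Values: []string{"TopSecret", "Secret", "Confidential"}}
	SampleAttributes = []Attribute{country, clearance}
	SampleMappings   = []SubjectMapping{
		{Conditions: []SubjectCondition{{Selector: "nationality", Values: []string{"usa", "us"}}}, Grants: country.ValueFQN("USA")},
		{Conditions: []SubjectCondition{{Selector: "nationality", Values: []string{"gbr", "uk"}}}, Grants: country.ValueFQN("GBR")},
		{Conditions: []SubjectCondition{
			{Selector: "groups", Values: []string{"analysts"}},
			{Selector: "groups", NotIn: true, Values: []string{"contractors"}},
		}, Grants: clearance.ValueFQN("Secret")},
	}
	// Data attributes a TDF might carry: USA affiliation and at least Confidential clearance.
	SampleDataValues = []string{country.ValueFQN("USA"), clearance.ValueFQN("Confidential")}
)

// Evaluate runs the full path, claims -> entitlements -> decision, for one entity.
func Evaluate(claims Claims) (bool, string) {
	return Decide(SampleAttributes, SampleDataValues, Entitlements(claims, SampleMappings))
}

func main() {
	for _, c := range []Claims{
		{"nationality": {"usa"}, "groups": {"analysts"}},
		{"nationality": {"usa"}, "groups": {"analysts", "contractors"}},
		{"nationality": {"fra"}, "groups": {"analysts"}},
	} {
		ok, why := Evaluate(c)
		fmt.Printf("%v -> allowed=%v (%s)\n", c, ok, why)
	}
}
```

The point to notice is that the entity never carries OpenTDF attribute values itself: the Keycloak claims are only inputs, and the subject mapping decides which normalized values ('USA', 'Secret') the entity holds before any rule is applied. The NOT IN condition shows why a condition set, rather than a single claim match, is useful: a contractor who is also in 'analysts' is denied the clearance value and then fails the hierarchy check.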