quarkusio / quarkus

Quarkus: Supersonic Subatomic Java.
https://quarkus.io
Apache License 2.0

Zanzibar Style Fine Grained Authorization #27331

Closed kdubb closed 1 year ago

kdubb commented 1 year ago

Description

Many cloud applications require authorization models that don't fit nicely into those provided by current Quarkus extensions.

Google's Zanzibar paper offers an elegant solution to complex fine grained authorization models and has spawned a few open sourced implementations.

The extension should provide an authorization filter that can check against a Zanzibar style API along with custom authorization annotations targeted at extracting the required data from incoming requests. Additionally, an API client must be provided to allow managing the authorization tuples in the Zanzibar style server.

A proper extension will allow integration with Zanzibar style authorization at a level of ease similar to what's available today for RBAC authorization in Quarkus.

Interested in this extension, please +1 via the emoji/reaction feature of GitHub (top right).

Configuration suggestion

Aside from server configuration, most of the configuration would be annotation based, similar to today's RBAC authorization.

FGA requires three basic pieces of information for a "check" to be performed: the target "object" that access is being authorized for, a "relation", and a "user". The user is readily available through standard Quarkus security machinery, which means we require the target object and relation to be configured.

Example annotations to provide missing information required for a check:

// Quarkus 3 (jakarta) imports assumed; on Quarkus 2.x these are javax.ws.rs.*.
import io.smallrye.mutiny.Uni;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.PathParam;

// @AuthRelation, @AuthTarget and the PATH source constant are the proposed
// annotations described in this issue, not existing Quarkus APIs.
interface APIResource {

  // Target and relation are provided separately to allow placing each on
  // the method or class for as much re-use as available.
  // Relation is a freeform string while the target object is extracted from
  // the incoming request. The "source" could be PATH, QUERY, HEADER or REQUEST.
  // Additionally, the target object must have a type specified for disambiguation.

  @GET
  @AuthRelation("reader")
  @AuthTarget(source=PATH, name="id", type="document")
  @Path("/docs/{id}")
  Uni<Document> fetchDocument(@PathParam("id") String id);
}

Additional context

Google's Zanzibar has inspired a few open source implementations, including OpenFGA, SpiceDB, and Keto.

While the initial version of the extension will most likely focus on a single implementation, an extension is envisioned that would allow adapting any compatible implementation as the source of "checks".
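The check described in the issue, written out as an added example in plain Java (no Quarkus dependency). This is not code from the issue or from the quarkus-zanzibar / quarkus-openfga-client extensions; the tuple store, the relation rewrite rules (owner implies writer implies reader, and reader inherited from a parent folder), the `targetFromPath` helper and the sample tuples are all assumptions made for illustration. It shows the three inputs a filter would assemble: the object id extracted from the request path as `@AuthTarget(source=PATH, name="id", type="document")` proposes, the relation from `@AuthRelation("reader")`, and the user from the security context.

```java
// Added example, not part of the Quarkus issue or any Quarkiverse extension.
// Minimal Zanzibar-style check evaluator with an in-memory tuple store.
// Assumed model (for illustration only):
//   document#owner  : direct tuples only
//   document#writer : owner, or direct
//   document#reader : writer, or direct, or reader of the parent folder (tuple-to-userset)
//   folder#reader   : direct, or reader of the parent folder
import java.util.*;
import java.util.regex.*;

public final class ZanzibarCheckDemo {

    /** A relationship tuple object#relation@user, e.g. document:42#owner@user:alice. */
    record Tuple(String object, String relation, String user) {}

    /** In-memory store; a real deployment would talk to OpenFGA, SpiceDB or Keto instead. */
    static final class TupleStore {
        private final Set<Tuple> tuples = new HashSet<>();

        TupleStore write(String object, String relation, String user) {
            tuples.add(new Tuple(object, relation, user));
            return this;
        }

        boolean hasDirect(String object, String relation, String user) {
            return tuples.contains(new Tuple(object, relation, user));
        }

        /** All u with object#relation@u, used for tuple-to-userset rewrites such as "parent". */
        List<String> objectsRelated(String object, String relation) {
            List<String> out = new ArrayList<>();
            for (Tuple t : tuples) {
                if (t.object().equals(object) && t.relation().equals(relation)) out.add(t.user());
            }
            return out;
        }
    }

    /** Returns true if user is in the userset object#relation under the assumed rewrite rules. */
    static boolean check(TupleStore store, String object, String relation, String user) {
        return check(store, object, relation, user, 0);
    }

    private static boolean check(TupleStore store, String object, String relation, String user, int depth) {
        // Guard against cyclic parent relations in the stored tuples.
        if (depth > 16) throw new IllegalStateException("rewrite recursion too deep: " + object + "#" + relation);
        if (store.hasDirect(object, relation, user)) return true;          // direct ("this") branch
        String type = object.substring(0, object.indexOf(':'));
        switch (type + "#" + relation) {
            case "document#writer":
                return check(store, object, "owner", user, depth + 1);      // computed userset
            case "document#reader":
                if (check(store, object, "writer", user, depth + 1)) return true;
                return viaParent(store, object, user, depth);               // tuple-to-userset
            case "folder#reader":
                return viaParent(store, object, user, depth);
            default:
                return false;                                               // owner etc.: direct only
        }
    }

    private static boolean viaParent(TupleStore store, String object, String user, int depth) {
        for (String parent : store.objectsRelated(object, "parent")) {
            if (check(store, parent, "reader", user, depth + 1)) return true;
        }
        return false;
    }

    /** What @AuthTarget(source=PATH, name="id", type="document") would extract: "document:<id>" from the path. */
    static Optional<String> targetFromPath(String template, String path, String name, String type) {
        // Turn "/docs/{id}" into a regex with one named group per template variable.
        String regex = template.replaceAll("\\{(\\w+)\\}", "(?<$1>[^/]+)");
        Matcher m = Pattern.compile("^" + regex + "$").matcher(path);
        if (!m.matches()) return Optional.empty();
        return Optional.of(type + ":" + m.group(name));
    }

    public static void main(String[] args) {
        // Constructed sample tuples.
        TupleStore store = new TupleStore()
            .write("document:42", "owner", "user:alice")
            .write("document:42", "parent", "folder:shared")
            .write("folder:shared", "reader", "user:bob");

        String object = targetFromPath("/docs/{id}", "/docs/42", "id", "document").orElseThrow();
        // The filter guarding fetchDocument (@AuthRelation("reader")) would run one such check per request,
        // with the user taken from the SecurityIdentity rather than this loop.
        for (String user : List.of("user:alice", "user:bob", "user:mallory")) {
            System.out.printf("%s reader of %s? %b%n", user, object, check(store, object, "reader", user));
        }
    }
}
```

Under the assumed model alice passes because owner implies writer implies reader, bob passes only through the folder's reader tuple reached via the document's parent relation, and mallory has no path at all. The point for the filter design is that the check is a single (object, relation, user) call; all of the indirection lives in the store's rewrite rules, which is why the extension only needs to extract the object and relation from the request.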

kdubb commented 1 year ago

FYI, I have a preliminary extension currently targeting OpenFGA. While it's in its infancy, it manages to be fairly complete, providing advanced features like dev-services.

kdubb commented 1 year ago

I have a basic working set of extensions here.

kdubb commented 1 year ago

@gastaldi @gsmet We're ready for some repositories to be created in Quarkiverse. We've got a working set of extensions and converted some of our projects to use them with quite a good result.

Currently we have two distinct projects that each require their own repository:

  1. quarkus-openfga-client for the OpenFGA reactive client.
  2. quarkus-zanzibar for the Zanzibar filter(s) and the connector extensions as submodules.

You can see this setup here, even though these are a bit out-of-date right now.

quarkus-bot[bot] commented 1 year ago

/cc @aloubyansky, @gsmet, @maxandersen

gastaldi commented 1 year ago

Done, the following repositories were created:

kdubb commented 1 year ago

Thank you!