Jake
05/16/2022, 7:09 PM
Singha1
05/16/2022, 7:12 PM
Singha1
05/16/2022, 7:13 PM
jzelinskie
05/16/2022, 7:29 PM
liammoch
05/17/2022, 4:53 PM
Joey
05/17/2022, 5:24 PM
definition host {
    relation superuser: user
    permission can_access = superuser
}
definition port {
    relation host: host
    relation accessor: user
    permission can_access = accessor + host->can_access
}
Joey
05/17/2022, 5:25 PM
yetitwo
05/17/2022, 9:39 PM
Joey
05/17/2022, 10:01 PM
Joey
05/17/2022, 10:01 PM
yetitwo
05/17/2022, 10:02 PM
liammoch
05/17/2022, 10:37 PM
liammoch
05/17/2022, 10:56 PM
Joey
05/18/2022, 12:22 AM
Joey
05/18/2022, 12:22 AM
30
Joey
05/18/2022, 12:22 AM
Joey
05/18/2022, 12:22 AM
host1_30 or somesuch
Joey
05/18/2022, 12:22 AM
Joey
05/18/2022, 12:23 AM
Joey
05/18/2022, 12:23 AM
liammoch
05/18/2022, 2:15 AM
Another idea would be to express the port as a permission and have host as the resource. This would require us to modify the schema to express each network port as a permission, and the schema would need to be updated as we enable more ports. But to support the super user use case we would need to add every single network port as a permission in the schema. Would it be useful to support a 'default' permission in a relation, which is used when the permission in the check request does not match anything defined in the schema? The default permission could check to see if the user has an 'any' relation to the host.
In the above idea we model access to a specific port as a permission. Would it be a concern if we were to add all possible network ports as unique permissions on the host object?
The second part of the proposal tries to avoid adding all ports as permissions and proposes the idea of a default permission to handle the super user case. Let me know your thoughts. Completely okay to laugh it off 🙂
tomilo.mark
05/18/2022, 8:08 AM
project_1 {
    team_11 {}
    team_12 {
        user_1
    }
}
project_2 {
    team_21 {}
    team_22 {
        user_1
    }
}
LookupResources allows getting a list of all available teams, regardless of the project, but I have to get a list of teams available to user_1, but only in project_1.
What is the best way to do this?
Jaroslav Holaň
05/18/2022, 8:38 AM
Jake
05/18/2022, 1:47 PM
Lookup as written. You could make a graph node that was the combination of a team and project, and then you could look up teams that relate to that node, but that's probably not what you're looking for. I think your best bet is to either go forward: find the teams that belong to a project, and Check each one if the user is a member, or go backward, find every team that a user is a member of (transitively?) and then Check whether each one belongs to the project
Jake
05/18/2022, 1:58 PM
localhost if they're in two different containers, you need to use user-defined bridge networking
Jake
05/18/2022, 7:54 PM
.zed probably?
Joey
05/18/2022, 7:56 PM
yetitwo
05/18/2022, 7:57 PM
Joey
05/18/2022, 8:05 PM