Joey
05/18/2022, 8:54 PM
Joey
05/18/2022, 8:55 PM
Singha1
05/18/2022, 8:55 PM
Joey
05/18/2022, 8:56 PM
Joey
05/18/2022, 8:56 PM
liammoch
05/18/2022, 8:57 PM
liammoch
05/18/2022, 11:02 PM
Allow small fragments of policy to be associated with individual relationships in a new field called “caveats”. As we attempt to evaluate permissions these pieces of policy will be combined and surfaced as immutable caveats that apply to the result sets as they are collected. Before the result is returned to the user, a final policy is assembled and evaluated against user-supplied attributes, and a final decision is made.
Because the caveats are immutable and apply to the sub-problem, they can be cached at every level of the decision making process.
Will the policy language be built around a fixed set of attributes like time, day ... or would there be a way for an application to define the attributes?
- When you say 'user-supplied' attributes, what do you mean?
- When are these attributes supplied?
- How are these attributes expressed?
- Do you plan to support different data types for these attributes?
Just wanted to add that I find the Caveats proposal super useful and it would greatly help address some of our use cases around time-based and location-based access.
ecordell
05/19/2022, 1:37 AM
Check
.
This proposal makes a distinction between the policy/attributes associated with a relationship (which would be provided when the relationship is written) and attributes that you provide at query time to evaluate against the stored relations.
> How are these attributes expressed?
TBD, but ideally in a way that won't tank cache hit ratios. I would think something datalog-y so that rule evaluation is order-independent, but we don't have any concrete proposal yet.
> Do you plan to support different data types for these attributes?
Also TBD, but probably. Distinguishing time at a minimum seems valuable to me, but other folks may have other ideas.
Singha1
05/19/2022, 11:57 AM
Jaroslav Holaň
05/19/2022, 1:01 PM
Jake
05/19/2022, 1:03 PM
Jake
05/19/2022, 1:03 PM
yetitwo
05/19/2022, 3:08 PM
authzed/zed
container on the docker hub registry, but it's currently empty. It'd be nice to use it for CI with schema validation and the like. Is there a plan to get a tag published?
yetitwo
05/19/2022, 3:09 PM
Joey
05/19/2022, 3:10 PM
Joey
05/19/2022, 3:10 PM
yetitwo
05/19/2022, 3:16 PM
liammoch
05/19/2022, 4:05 PM
liammoch
05/19/2022, 4:06 PM
Joey
05/19/2022, 4:28 PM
Joey
05/19/2022, 4:28 PM
Joey
05/19/2022, 4:28 PM
Prchowdh
05/19/2022, 5:38 PM
05/19/2022, 5:38 PMdefinition group {
relation member: user | group#member
}
I am taking this from the example of a sub-relation. How does the group have to be related here? Is it recursive in nature?
Joey
05/19/2022, 5:42 PM
Joey
05/19/2022, 5:43 PM
Prchowdh
05/19/2022, 5:53 PM
Joey
05/19/2022, 5:53 PM
Joey
05/19/2022, 5:54 PM
group:firstgroup#member@group:secondgroup#member
Joey
05/19/2022, 5:54 PM
OptionalRelation set to member
Prchowdh
05/19/2022, 5:59 PM