spicedb
- j
Joey
10/21/2022, 3:11 PMif it is on the same machine, most of the penalty would be around the actual checks - j
Joey
10/21/2022, 3:11 PMdepending on how you do them - p
phroggyy
10/21/2022, 3:12 PMwell it'd be deployed in our k8s cluster so we'd set it up to be on the same node whenever possible - j
Joey
10/21/2022, 3:12 PMyeah, you could sidecar it - p
phroggyy
10/21/2022, 4:32 PM@Joey continuing my thinking from before... tell me if this seems insane, but I was think our authz proxy keeps a record of
andserviceaccount
objects, and binds service accounts to be readers/writers on prefixes. Does this seem a sensible way of authorising the proxyingprefix - j
Joey
10/21/2022, 4:33 PMnot sure I follow - j
Joey
10/21/2022, 4:33 PMyou mean a k8s service account? - p
phroggyy
10/21/2022, 4:33 PMSo I want to effectively "delegate" management of a subset of the authz system, so svc A can update everything under its own prefix - p
phroggyy
10/21/2022, 4:34 PMAnd svc A needs to go through the proxy to update its authz records - p
phroggyy
10/21/2022, 4:34 PMIn order to authorise that, I need to identify the service, hence a service account (not k8s specific, that's just an authN concern) - j
Joey
10/21/2022, 4:34 PMyeah, that seems reasonable - j
Joey
10/21/2022, 4:34 PMyou're basically trading a known secret for a prefix in the proxy - j
Joey
10/21/2022, 4:35 PManother option would be to have the caller hold a signed version of the prefix - j
Joey
10/21/2022, 4:35 PMbut then revocation becomes a possible issue - p
phroggyy
10/21/2022, 4:39 PMRight yeah, and the prefix would have to be checked at issue-time anyway, which should come from the authz layer itself, at which point it's not adding much value having it in the token I guess, if everything goes through the proxy anyway - j
Joey
10/21/2022, 4:40 PMdepends on how the tokens are tracked - j
Joey
10/21/2022, 4:40 PMbut yes - c
chance
10/21/2022, 4:43 PMis there a way to constrict assignment via a relation? For example:type user {} type district { relation admin: user } type site { relation district relation site_admin: user // <- is it possible to limit this down to a user must be an admin of district? } - j
Joey
10/21/2022, 4:45 PMyou'd usually use an intersection for that - j
Joey
10/21/2022, 4:46 PMdefinition user {} definition district { relation admin: user } definition site { relation district: district relation site_admin: user permission can_view_site = site_admin & district->admin } - c
chance
10/21/2022, 4:46 PMaah, awesome, thanks - j
Joey
10/21/2022, 4:46 PMalternatively - j
Joey
10/21/2022, 4:46 PMif all district admins are site admins - j
Joey
10/21/2022, 4:46 PMthen you can just use that directly - j
Joey
10/21/2022, 4:46 PMrelation site_admin: district#admin - j
Joey
10/21/2022, 4:46 PMbut that's only if it is all of them - c
chance
10/21/2022, 4:47 PMit was just a contrived example but they wouldn't be in what I'm modeling - j
Joey
10/21/2022, 4:47 PMorpermission can_view_site = district->admin - j
Joey
10/21/2022, 4:47 PMok - c
chance
10/21/2022, 4:49 PMthe docs don't cover querying permissions for a definition so I'm guessing that's still a work in progress. I'm trying to model it so that if certain relations are revoked, cascading permissions are reduced.