#zanzibar
- j
Joey
08/22/2023, 11:07 PMfor example - j
Joey
08/22/2023, 11:08 PMCopy codedefinition user {} definition apikey { relation user: user } definition document { relation viewer: user | apikey#user permission view = viewer } - j
Joey
08/22/2023, 11:08 PMin the above, if you grant
role to any user for a particular API keyviewer - j
Joey
08/22/2023, 11:08 PMthen you can check for
as the subject, to see if any user holding that key has accessapikey:somekey#user - j
Joey
08/22/2023, 11:08 PMthis is a very simple example (and likely not the best design) - j
Joey
08/22/2023, 11:08 PMbut it does work - e
emyrk
08/22/2023, 11:11 PMIf I insert more relationships that all makes sense. We have some short lived tokens that it might not make sense for, but that's great thanks! - j
Joey
08/22/2023, 11:12 PMif the tokens are truly short lived, you can use caveats (https://authzed.com/docs/reference/caveats) to handle those cases - j
Joey
08/22/2023, 11:12 PMgood example is IP-based access control - j
Joey
08/22/2023, 11:13 PMyou can have a relationship exist iff the subject is not accessing from a disallowed IP range - j
Joey
08/22/2023, 11:13 PM(or only if from an allowed) - j
Joey
08/22/2023, 11:13 PMif, on the other hand, the API tokens themselves always reference a user - j
Joey
08/22/2023, 11:13 PMand the tokens are VERY short lived - j
Joey
08/22/2023, 11:13 PMthen just check the user itself as the subject - e
emyrk
08/22/2023, 11:15 PMFor short lived tokens I was going to check against the user yes. It's reasonable to say I won't add these special restricted tokens for short lived. If I insert relationships, I think I can figure this out. I just want to be able to make tokens that can only perform a subset of actions the user can. An example being a read-only tokem - j
Joey
08/22/2023, 11:18 PMyeah, you can do that with a properly structured set of relationships - j
Joey
08/22/2023, 11:18 PMas in the above, if you had two `relation`'s,
andeditor
, you'd only grant the API tokenviewerviewer - j
Joey
08/22/2023, 11:18 PMso it can only edit the document - j
Joey
08/22/2023, 11:19 PMbut the user could also be an
directlyeditor - j
Joey
08/22/2023, 11:19 PMso if you check with the user as a subject, they have
permissionedit - j
Joey
08/22/2023, 11:19 PMbut their token does not - e
emyrk
08/22/2023, 11:38 PMThat makes sense, but it doesn't lend well to more customizable tokens. It would be nice if I could control the token's permissions on a pretty granular level. Like "can only read one type of resource", or "can only read a specific resource". - e
emyrk
08/22/2023, 11:43 PMWhat you mentioned makes it so the token is read-only, or I use the User directly. I could see us having multiple different token restrictions, or maybe even making it customizable. - e
emyrk
08/22/2023, 11:44 PMCaveats might be the answer, but I was curious if I could do it strictly in Zanzibar syntax - j
Joey
08/23/2023, 12:04 AMyou can do this with user defined (or token defined) roles: https://authzed.com/blog/user-defined-roles - j
Joey
08/23/2023, 12:05 AMjust have the definitions be internal - j
Joey
08/23/2023, 12:05 AMif you don't need quite that level of customization, its fairly easy to do with a slightly simpler schema - j
Joey
08/23/2023, 12:05 AMwhere you still ensure that a token has access and the specific permission - e
emyrk
08/23/2023, 12:11 AMOh this might be exactly what I was looking for. Thank you - vroldanbet Hi Im a computer sciencem
monsieurkowalski
09/05/2023, 11:41 AM@vroldanbet Hi! Im a computer science student, I'm looking for remote internship oppurtunities, do you (authzed) offer any?v- 2
- 2