How would you implement rest api layer
# spicedb
v
right, I think it would make sense to use a URL path as the Object ID to implement REST resource authorization. The HTTP Verb can be implemented as a permission.
We do not have any docs or examples on how to use SpiceDB to authorize a REST application, would you mind opening an issue in github.com/authzed/docs ?
What stack are you using?
a
I am currently on Go/PostgreSQL/Gin. The problem is that I receive multiple roles from the authentication service. Every role could be assigned any attribute. Then I would like to combine the attributes and treat the multiple roles and assigned attributes as one. So if I got a user with two roles, role1 -> keyattr1:attr1, role2 -> keyattr1:attr2, I would need that to merge into one unit
That's all about defining the schema, I suppose, and properly enforcing it with the authzed service
I wonder if, for every resource group, I should make a different object type in authzed. Then I suppose I could make a relation per objectType for what attributes are allowed on that resource group
The most disturbing case is how to handle that multiple-role assignment, where every role got its own attributes and the overall user, i.e. for list-all endpoints, should receive filtered resources based on every attr
It should not be a problem to make something like /resource/* GET and limit access on the resource when I got attr attrType == 1. So in that case I should only be allowed to enter resources of attrType == 1
v
Generally you want all the state needed to perform authorization decisions stored in SpiceDB, including role information. What you are describing is more akin to a policy, which SpiceDB also supports with a functionality called Caveats. If you still prefer to provide those roles as input, then your application can merge the attributes from the various roles and pass them as "caveat context" in the API call to SpiceDB. And yeah, ideally you want to model every resource type. You can still use the full URL path as the ObjectID. Example: you have mydomain.com/folder//document/ so you would model the folder definition and the document. Depending on your use-case you can establish a relation from folder to document called child, or vice versa, called parent. So the relationships would look like this:
folder:folder/1#child@document:folder/1/document/2
document:folder/1/document/2#parent@folder:folder/1
a
okay I will look into caveats and ask more questions 🙂 I need to make some demo for my project to understand that a bit more
How would you merge every attr and role into one? So having two roles that got different attrs would combine; that's the case of /resource GET list all: having two roles with two different attr values, I would like to have something like an OR operator of that. But I will have to figure it out somehow
v
I'm not sure I understand. My assumption is that role information is metadata that comes as part of the authentication service. In your Go application, before performing the call to SpiceDB, you'd take those roles and come up with a combined list of attributes
If you could perhaps provide a more detailed example with inputs and outputs, I could perhaps get a better picture of what you are trying to do
a
Okay. I will try to figure out my case and if I got more questions I will come back