Modeling Google Cloud IAM in SpiceDB

Modeling Google Cloud IAM in SpiceDB | A...

simonsp

03/27/2024, 7:20 PM

👋 I'm prototyping a multitenant permission system where the tenant is an organization. The permission system should allow custom roles and role bindings. I have a couple of questions: 1. is it correct to set the type of the relations of the role to be

organization#member

? IUUC, the [Google Cloud IAM in SpiceDB blog post](https://authzed.com/blog/google-cloud-iam-modeling) makes those relationships

user:*

because the system is not multitenant, so any role created should be available to be associated to any user in the system. In my case, the roles belong to a specific organization. 2. What's the notation that should be used in the "Test relantionships UI" for the type of

organization#member

? in the Type field I tried

organization

organization#member

account

, and in the ID field I tried

organization:123

organization:123#member

organization:123#member:*

, but none of them worked.

simonsp

03/27/2024, 7:20 PM

Here's part of the schema:

Copy code

definition organization {
  relation member: account
  // Role Bindings granted on org-level
  relation role_binding: role_binding

  // Cluster
  permission cluster_create = role_binding->cluster_create
  permission cluster_read = role_binding->cluster_read
  permission cluster_update = role_binding->cluster_update
  permission cluster_delete = role_binding->cluster_delete
  permission cluster_list = role_binding->cluster_list
}

definition account {
}

definition role {
  relation organization: organization
  // Cluster
  relation cluster_create: organization#member
  relation cluster_read: organization#member
  relation cluster_update: organization#member
  relation cluster_delete: organization#member
  relation cluster_list: organization#member
}

// A role assignment binds one role to one account
definition role_binding {
  relation organization: organization
  // A role binding is bound on one side to one role
  relation role: role
  // A role binding is bound on the other side to one account
  relation account: account

  // Cluster
  permission cluster_create = account & role->cluster_create
  permission cluster_read = account & role->cluster_read
  permission cluster_update = account & role->cluster_update
  permission cluster_delete = account & role->cluster_delete
  permission cluster_list = account & role->cluster_list
}

definition cluster {
  relation organization: organization

  permission create = organization->cluster_create
  permission read = organization->cluster_read
  permission update = organization->cluster_update
  permission delete = organization->cluster_delete
  permission list = organization->cluster_list
}

simonsp

03/27/2024, 7:22 PM

Here's what I have in the testing UI https://cdn.discordapp.com/attachments/1222626333180563507/1222626850011086888/image.png?ex=6616e6fc&is=660471fc&hm=430a43f2e5247e72f06e7a467b32aa8c62179f58b6d9245091c7dfb269462cd8&

Joey

03/27/2024, 7:33 PM

1. yes, that is a good alternative

Joey

03/27/2024, 7:33 PM

2. type: organization, ID: the org ID, member in the third column

simonsp

03/27/2024, 7:55 PM

About (2), I still don't understand how to write the Type and the ID for the role in my example

simonsp

03/27/2024, 7:57 PM

If I write

member

I get an error saying "object member definition not found" https://cdn.discordapp.com/attachments/1222626333180563507/1222635568601763850/image.png?ex=6616ef1b&is=66047a1b&hm=f6ac8bfdb0eb6e97398ac545abc5cf49dcd966182ab47d7c190dadcfc33049cb&

simonsp

03/27/2024, 8:00 PM

If I try type "account" that also throws an error https://cdn.discordapp.com/attachments/1222626333180563507/1222636293876355252/image.png?ex=6616efc7&is=66047ac7&hm=63a68a59a3aba7723ba05df059fb96c482ece4a4a97282a9411a5e15afe84655&

Joey

03/27/2024, 8:08 PM

third column of the subject

Joey

03/27/2024, 8:08 PM

6th column overall

Joey

03/27/2024, 8:09 PM

aka in "Subject Relation"

simonsp

03/27/2024, 8:12 PM

ohh, got it! thanks

Previous Next