https://authzed.com logo
#spicedb
Title
# spicedb
b

Bryan

12/03/2021, 7:18 PM
Hey there, stopping in from GitHub 👋 I'm following up on an effort to model custom roles that @User had started https://discordapp.com/channels/844600078504951838/844600078948630559/912412258678755338 and I'm looking for some advice. Background At GitHub, granting roles on repos is done on a per-repo basis. In other words, a when a role is given to a user for a repo, it applies to only that repository. Using the guidance from ☝️ , we have this schema: https://play.authzed.com/s/WEwcI3gcA-0c/schema. This roughly models the current behavior of roles. A role can have certain permissions "turned on" by creating relationships between the role and its members (for example:
delete_issue
). A user can be a member of that role and a repo can be related to various roles. The Problem This a rough approximation of the intended behavior, but falls apart pretty quickly. Consider the scenario where two users
monalisa
and
geoff
are to be granted the
repo_manager
role on
repo1
and
repo2
, respectively. In real life,
monalisa
gets
repo_manager
on
repo1
, but has no permissions over
repo2
and vice-versa for
geoff
. However, as the assertions show with this model, any member of
repo_manager
gets the
repo_manager
permissions on ALL repos that have a relationship with
repo_manager
. If there were a third user
jeeves
who was given membership of the
repo_manager
role, they would get permissions on
repo1
and
repo2
instantly. I read the blog post on user defined roles (https://authzed.com/blog/user-defined-roles/). It's almost what I need, but is structurally different from how roles at GitHub work. Repos don't "own" the roles. In the blog post, a role is defined on a per-project basis. The
admin
role "belongs" to the
pied_piper
project. It couldn't be re-used in a different project.
2 Views