Joey
03/08/2023, 6:26 PM
blankstare
03/08/2023, 10:15 PM
proj1
and user:project_db_reader
output: role:spanner_database_reader
, role:some_other_role_user_has_access_to
, ...
4. Maybe the role_binding indirection is confusing me, trying to go from
input: user:project_db_reader
, role:spanner_database_reader
, project:proj1
output: yes/no
5. Can I do a direct lookup-resources on role type from user? Or do I have to find a way to walk it using role_bindings?
input: user:project_db_reader
Output: role:spanner_database_reader
on project:proj
Is there a better way than this?
* lookup-resources to go from user -> role_bindings
* for each role binding
* lookup-resources to go from role_binding -> proj1
* lookup-subject to go from role_binding -> role
Essentially, it seems what I need is some way to express and query a dynamically named relation (e.g. the user-defined role).
given:
user1 -> {roleA, roleB} -> proj1
-> {roleA,roleD} -> proj2
Be able to look up:
1. What roles does user1 have access to in proj1
* roleA, RoleB
2. Similar to 1 but just checking for a specific role. Does user1 have roleB on proj1
3. What roles does user1 have in general?
* roleA, RoleB in proj1
* roleA, roleD in proj2
corkrean
03/09/2023, 12:51 AM
blankstare
03/09/2023, 5:20 PM