infratographer · mikemrm · Jun 16, 2023 · Jun 15, 2023 · Jun 15, 2023
@@ -20,7 +20,7 @@ The concepts necessary to accomplish this are described in this section.
 
 ### Resource
 
-A resource is any uniquely identifiable thing in the Infratographer ecosystem. Resources have types and are identified using URNs in permissions-api. For example, the URN `urn:infratographer:loadbalancer:a69e79ce-ac05-4a3e-b9b3-f371255e8e99` corresponds to a resource of type `loadbalancer` and ID `a69e79ce-ac05-4a3e-b9b3-f371255e8e99`.
+A resource is any uniquely identifiable thing in the Infratographer ecosystem. Resources have types and are identified using Prefixed IDs in permissions-api. For example, the Prefixed ID `loadbal-hWV_xTSoYqIkXXWyK6eco` corresponds to a resource of type `loadbalancer`.
 
 ### Subject
 
@@ -68,7 +68,7 @@ $ ./permissions-api server --config permissions-api.example.yaml
 
 ### Generating access tokens
 
-permissions-api requests are authenticated using JWT access tokens. If you are using the provided [dev container](#development), permissions-api is already configured to accept JWTs from the included [mock-oauth2-server][mock-oauth2-server] service. A UI to manually create access tokens is available at http://localhost:8081/default/debugger. Tokens must be configured with a "scope" value in the UI set to `openid permissions-api` (which maps to an audience in the JWT of `permissions-api`) and a subject value of `urn:infratographer:subject:$SOME_UUID`.
+permissions-api requests are authenticated using JWT access tokens. If you are using the provided [dev container](#development), permissions-api is already configured to accept JWTs from the included [mock-oauth2-server][mock-oauth2-server] service. A UI to manually create access tokens is available at http://localhost:8081/default/debugger. Tokens must be configured with a "scope" value in the UI set to `openid permissions-api` (which maps to an audience in the JWT of `permissions-api`) and a Prefixed ID (ex: `idntusr-0xqwVtYKHjjuLfjSItHLU`).
 
 [mock-oauth2-server]: https://github.com/navikt/mock-oauth2-server
 
@@ -78,8 +78,8 @@ Resources are defined in terms of their relationships to other resources using t
 
 ```
 $ curl --oauth2-bearer "$AUTH_TOKEN" \
-    -d '{"relationships": [{"relation": "tenant", "subject_urn": "urn:infratographer:tenant:075b8c8c-1214-49ac-a7ed-ec102f165568"}]}' \
-    http://localhost:7602/api/v1/resources/urn:infratographer:tenant:3fc4e4e0-6030-4e36-83d6-09ae2d58fee8/relationships
+    -d '{"relationships": [{"relation": "tenant", "subject_id": "tnntten-OJrD-JdCFThZiRgqk6vs6"}]}' \
+    http://localhost:7602/api/v1/resources/tnntten-MCR3xIIMWfVpVM22w82NZ/relationships
 ```
 
 ### Creating roles
@@ -89,17 +89,17 @@ Roles are created using the `/roles` API endpoint. For example, the following cu
 ```
 $ curl --oauth2-bearer "$AUTH_TOKEN" \
     -d '{"actions": ["loadbalancer_create"]}' \
-    http://localhost:7602/api/v1/resources/urn:infratographer:tenant:3fc4e4e0-6030-4e36-83d6-09ae2d58fee8/roles
+    http://localhost:7602/api/v1/resources/tnntten-MCR3xIIMWfVpVM22w82NZ/roles
 ```
 
 ### Assigning roles to subjects
 
-Roles are assigned to subjects using the `/assignments` API endpoint. The curl command below will assign the subject with the given URN to the given role:
+Roles are assigned to subjects using the `/assignments` API endpoint. The curl command below will assign the subject with the given ID to the given role:
 
 ```
 $ curl --oauth2-bearer "$AUTH_TOKEN" \
-    -d '{"subject_urn": "urn:infratographer:user:e0a97b60-af68-4376-828c-78c6c2ab04a9"}' \
-    http://localhost:7602/api/v1/roles/7a5ccbfb-6838-478e-9d61-cffd38ceb5a3/assignments
+    -d '{"subject_id": "idntusr-0xqwVtYKHjjuLfjSItHLU"}' \
+    http://localhost:7602/api/v1/roles/permrol-XqGKCT8L5CikBuIpbFQEt/assignments
 ```
 
 ### Checking permissions
@@ -108,7 +108,7 @@ The `/has` API endpoint is used to check whether the authenticated subject in th
 
 ```
 $ curl --oauth2-bearer "$AUTH_TOKEN" \
-    http://localhost:7602/api/v1/has/loadbalancer_create/on/urn:infratographer:tenant:3fc4e4e0-6030-4e36-83d6-09ae2d58fee8
+    http://localhost:7602/api/v1/has/loadbalancer_create/on/tnntten-MCR3xIIMWfVpVM22w82NZ
 ```
 
 ## Development

@@ -16,9 +16,9 @@ permissions-api consumes resource lifecycle events over [NATS][nats]. This secti
 
 permission-api expects lifecycle event messages in the format described in [`go.infratographer.com/x/pubsubx`][pubsubx], and interprets the message fields as follows:
 
-* `subject_urn`: The URN of the resource the event is about
+* `subject_id`: The Prefixed ID of the resource the event is about
 * `event_type`: The type of lifecyle event for the resouce. Must match one of the defined lifecycle events
-* `fields`: Information related to the resource. A field's value will be persisted in permissions-api if the field is of the form `{foo}_urn` and a defined relationship exists on the resource with relation `{foo}`
+* `fields`: Information related to the resource. A field's value will be persisted in permissions-api if the field is of the form `{foo}_id` and a defined relationship exists on the resource with relation `{foo}`
 
 [pubsubx]: https://github.com/infratographer/x/blob/v0.0.7/pubsubx/message.go
 
@@ -48,18 +48,18 @@ As an example, consider the following lifecycle event for a resource of type `lo
 
 ```json
 {
-  "subject_urn": "urn:infratographer:loadbalancer:0e919c70-6d04-4050-a474-073ab8b58ffe",
+  "subject_urn": "loadbal-1vzGV0jqpeKlbMBZzq3uf",
   "event_type": "create",
   "additional_subjects": [
-    "urn:infratographer:tenant:42f0e8f2-4b81-4e5a-86f2-62d78ed35dca",
-    "urn:infratographer:loadbalancerport:db25eabd-30eb-4654-9bb6-a22c140eac97",
-    "urn:infratographer:loadbalancerassignment:44cadf84-c626-4428-8910-3a699a78b898"
+    "tnntten-RNsrsfboJb_r6OyXHxBzN",
+    "loadprt-j3UjvKqoRyMUicC7pWatJ",
+    "loadpvd-tvedEoZ2d_vkoTjjdLK76"
   ],
-  "actor_urn": "urn:infratographer:user:35464f0b-a7b4-47db-b446-01e61987db6c",
+  "actor_urn": "idntusr-xbNJrq0updKVkgiaDOxtY",
   "source": "loadbalancer-api",
   "timestamp": "2023-05-06T17:30:00Z",
   "fields": {
-    "tenant_urn": "urn:infratographer:tenant:42f0e8f2-4b81-4e5a-86f2-62d78ed35dca"
+    "tenant_id": "tnntten-RNsrsfboJb_r6OyXHxBzN"
   },
   "additional_data": {}
 }

@@ -5,15 +5,14 @@ go 1.20
 require (
 	github.com/authzed/authzed-go v0.8.0
 	github.com/authzed/grpcutil v0.0.0-20230524151342-4caf7fd1108a
-	github.com/google/uuid v1.3.0
 	github.com/labstack/echo/v4 v4.10.2
 	github.com/nats-io/nats-server/v2 v2.9.17
 	github.com/nats-io/nats.go v1.24.0
 	github.com/spf13/cobra v1.7.0
 	github.com/spf13/pflag v1.0.5
 	github.com/spf13/viper v1.15.0
 	github.com/stretchr/testify v1.8.3
-	go.infratographer.com/x v0.0.8
+	go.infratographer.com/x v0.0.15
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.40.0
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.40.0
 	go.opentelemetry.io/otel v1.14.0
@@ -23,7 +22,7 @@ require (
 )
 
 require (
-	github.com/MicahParks/keyfunc v1.9.0 // indirect
+	github.com/MicahParks/keyfunc/v2 v2.0.3 // indirect
 	github.com/benbjohnson/clock v1.3.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cenkalti/backoff/v4 v4.2.1 // indirect
@@ -36,21 +35,22 @@ require (
 	github.com/go-logr/logr v1.2.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
-	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
+	github.com/golang-jwt/jwt/v5 v5.0.0 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.14.0 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/jaevor/go-nanoid v1.3.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/jzelinskie/stringz v0.0.0-20210414224931-d6a8ce844a70 // indirect
 	github.com/klauspost/compress v1.16.5 // indirect
 	github.com/labstack/echo-contrib v0.14.1 // indirect
-	github.com/labstack/echo-jwt/v4 v4.1.0 // indirect
+	github.com/labstack/echo-jwt/v4 v4.2.0 // indirect
 	github.com/labstack/gommon v0.4.0 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mattn/go-isatty v0.0.17 // indirect
+	github.com/mattn/go-isatty v0.0.18 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
 	github.com/minio/highwayhash v1.0.2 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
@@ -85,10 +85,11 @@ require (
 	go.opentelemetry.io/proto/otlp v0.19.0 // indirect
 	go.uber.org/atomic v1.10.0 // indirect
 	go.uber.org/multierr v1.9.0 // indirect
-	golang.org/x/crypto v0.8.0 // indirect
-	golang.org/x/net v0.9.0 // indirect
-	golang.org/x/oauth2 v0.7.0 // indirect
-	golang.org/x/sys v0.7.0 // indirect
+	golang.org/x/crypto v0.9.0 // indirect
+	golang.org/x/exp v0.0.0-20230515195305-f3d0a9c9a5cc // indirect
+	golang.org/x/net v0.10.0 // indirect
+	golang.org/x/oauth2 v0.8.0 // indirect
+	golang.org/x/sys v0.8.0 // indirect
 	golang.org/x/text v0.9.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect