Role permissions checks #170

Merged

Commits on Sep 6, 2023

  1. Refactor logic for getting current subject and checking permissions

    Some functions, like currentSubject and checkAction, have logic that
    is either duplicated or could be reused elsewhere for things like
    checking access to actions in permissions-api itself. This commit
    moves some of that logic around so it is easier for other
    handlers (such as the handlers for roles) to use.
    
    Signed-off-by: John Schaeffer <[email protected]>
    jnschaeffer committed Sep 6, 2023
    7bf02ae
  2. Add permissions checks for role creation

    This commit adds permissions checks for role creation, as well as the
    action and bindings to the example policy.
    
    Signed-off-by: John Schaeffer <[email protected]>
    jnschaeffer committed Sep 6, 2023
    6f6bb28
  3. Add create-role command to bootstrap permissions-api

    This commit adds a command to create roles directly in SpiceDB,
    bypassing permissions checks. The intent of this command is to
    bootstrap a new permissions-api deployment with enough access to start
    provisioning roles using some subject.
    
    Signed-off-by: John Schaeffer <[email protected]>
    jnschaeffer committed Sep 6, 2023
    d1352a4
  4. Add permissions checks for other role operations

    This commit adds permissions checks for getting, listing, updating,
    and deleting roles.
    
    Signed-off-by: John Schaeffer <[email protected]>
    jnschaeffer committed Sep 6, 2023
    Configuration menu
    Copy the full SHA
    43a9d0b View commit details
    Browse the repository at this point in the history
  5. Fix linting whitespace issue in checkActionWithResponse

    Signed-off-by: John Schaeffer <[email protected]>
    jnschaeffer committed Sep 6, 2023
    a1071c8
  6. Check role permissions based on the resource, not the role

    One of the quirks of our current role model is that roles don't belong
    to a resource outright - instead, their binding to a resource is
    inferred by the actions that can be performed. This means that we
    can't use the role itself to make authorization decisions. This commit
    updates permissions checks for roles to use the role's resource rather
    than the role itself for checking permissions.
    
    Signed-off-by: John Schaeffer <[email protected]>
    jnschaeffer committed Sep 6, 2023
    5baa948