feat: Make DAC write permission more granular #3218
Conversation
shahzadlone
added
feature
shahzadlone
force-pushed
the
lone/feat/granular-dpi-mutation-perms
branch
from
e66b85c to
4c5abd5
Compare
shahzadlone
force-pushed
the
lone/feat/granular-dpi-mutation-perms
branch
from
4c5abd5 to
19a52d8
Compare
| @@ -443,8 +453,8 @@ Note: | |||
| - The collection with the target document must have a valid policy and resource linked. | |||
| - The target document must be registered with ACP already (private document). | |||
| - The requesting identity MUST either be the owner OR the manager (manages the relation) of the resource. | |||
| - If the specified relation was not granted the miminum DPI permissions (read or write) within the policy, | |||
| and a relationship is formed, the subject/actor will still not be able to access (read or write) the resource. | |||
| - If the specified relation was not granted the miminum DPI permissions (read or update or delete) within the policy, | |||
There was a problem hiding this comment.
question: These should read (read and update and delete) no? Having all 3 is required?
There was a problem hiding this comment.
No. They are required for the owner relation only. This part of documentation is under the topic of sharing the document (adding a relationship). The relation being added might not have any of read or update or delete (in which case the identity might not be able to perform any action) or any other permission combination, which will determine what the identity that is being shared with can do.
There was a problem hiding this comment.
Ah, I asked the right question in the wrong location!
They are required for the owner relation only
Is there nowhere in the documentation that notes this? I see no other lines changed.
thought: I'm happy with the feature, and the 4-5 lines of code that have changed, but will not approve until the PR is out of draft status :)
There was a problem hiding this comment.
Is there nowhere in the documentation that notes this? I see no other lines changed.
From line 100 onwards...
## DAC DPI Rules
To qualify as a DPI-compliant `resource`, the following rules **MUST** be satisfied:
- The resource **must include** the mandatory `registerer` (`owner`) relation within the `relations` attribute.
- The resource **must encompass** all the required permissions under the `permissions` attribute.
- Every required permission must have the required registerer relation (`owner`) in `expr`.
- The required registerer relation **must be positioned** as the leading (first) relation in `expr` (see example below).
- Any relation after the required registerer relation must only be a union set operation (`+`).
For a `Policy` to be `DPI` compliant for DAC, all of its `resources` must be DPI compliant.
To be `Partially-DPI` at least one of its `resource` must be DPI compliant.
### More Into The Weeds:
All mandatory permissions are:
- Specified in the `dpi.go` file within the variable `dpiRequiredPermissions`.
It's worded in a generic manner so in future changing would have to be done in minimal places... so for example it says dpi.go file has the required owner permissions defined (it's actually part of what it means for a policy to be DPI/DRI compliant)
thought: I'm happy with the feature, and the 4-5 lines of code that have changed, but will not approve until the PR is out of draft status :)
Fair enough
There was a problem hiding this comment.
has the required owner permissions defined
Does the doc define what the required owner permissions are? How will users know they need to define update and delete?
There was a problem hiding this comment.
The same way they knew before that read and write are required by looking where the doc tells them to look.
Which is here:
However, I do understand if you are suggested to have it explicitly defined and for us to maintain it every time it is changed. LMK, if so, happy to do that.
There was a problem hiding this comment.
Ah okay - thanks Shahzad :)
I have a preference for them to not have to look at a .go file to get that info, but changing that isn't really in scope here and we probably have better things to spend our time on atm :)
Thanks for your explanations!
| expr: owner + reader + updater + deleter | ||
| update: | ||
| expr: owner + updater | ||
| delete: | ||
| expr: owner + deleter |
There was a problem hiding this comment.
question: I'm curious why we decided not to have write: updater + deleter
| ) | ||
| require.Error(t, errCheckDocAccess) | ||
| require.ErrorIs(t, errCheckDocAccess, ErrFailedToVerifyDocAccessWithACP) | ||
| require.False(t, hasAccess) |
There was a problem hiding this comment.
question: all unit tests (I didn't see any changes in integration tests) assert that there is no access. Is there a place where you assert that there is access?
Relevant issue(s)
Resolves #2905
Description
Split
writeintoupdateanddeletepermission.For reviewers
[ ] Reviewing the draft please let me know if anything in the splitting logic seems odd to others, we will now not have any
writeperm, only separateupdateanddeletepermission.How has this been tested?