-
Notifications
You must be signed in to change notification settings - Fork 53
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Make DAC write permission more granular #3218
base: develop
Are you sure you want to change the base?
feat: Make DAC write permission more granular #3218
Conversation
e66b85c
to
4c5abd5
Compare
4c5abd5
to
19a52d8
Compare
@@ -443,8 +453,8 @@ Note: | |||
- The collection with the target document must have a valid policy and resource linked. | |||
- The target document must be registered with ACP already (private document). | |||
- The requesting identity MUST either be the owner OR the manager (manages the relation) of the resource. | |||
- If the specified relation was not granted the miminum DPI permissions (read or write) within the policy, | |||
and a relationship is formed, the subject/actor will still not be able to access (read or write) the resource. | |||
- If the specified relation was not granted the miminum DPI permissions (read or update or delete) within the policy, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
question: These should read (read and update and delete)
no? Having all 3 is required?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No. They are required for the owner
relation only. This part of documentation is under the topic of sharing the document (adding a relationship). The relation being added might not have any of read
or update
or delete
(in which case the identity might not be able to perform any action) or any other permission combination, which will determine what the identity that is being shared with can do.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, I asked the right question in the wrong location!
They are required for the owner relation only
Is there nowhere in the documentation that notes this? I see no other lines changed.
thought: I'm happy with the feature, and the 4-5 lines of code that have changed, but will not approve until the PR is out of draft status :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there nowhere in the documentation that notes this? I see no other lines changed.
From line 100
onwards...
## DAC DPI Rules
To qualify as a DPI-compliant `resource`, the following rules **MUST** be satisfied:
- The resource **must include** the mandatory `registerer` (`owner`) relation within the `relations` attribute.
- The resource **must encompass** all the required permissions under the `permissions` attribute.
- Every required permission must have the required registerer relation (`owner`) in `expr`.
- The required registerer relation **must be positioned** as the leading (first) relation in `expr` (see example below).
- Any relation after the required registerer relation must only be a union set operation (`+`).
For a `Policy` to be `DPI` compliant for DAC, all of its `resources` must be DPI compliant.
To be `Partially-DPI` at least one of its `resource` must be DPI compliant.
### More Into The Weeds:
All mandatory permissions are:
- Specified in the `dpi.go` file within the variable `dpiRequiredPermissions`.
It's worded in a generic manner so in future changing would have to be done in minimal places... so for example it says dpi.go
file has the required owner permissions defined (it's actually part of what it means for a policy to be DPI/DRI compliant)
thought: I'm happy with the feature, and the 4-5 lines of code that have changed, but will not approve until the PR is out of draft status :)
Fair enough
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
has the required owner permissions defined
Does the doc define what the required owner permissions are? How will users know they need to define update
and delete
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The same way they knew before that read
and write
are required by looking where the doc tells them to look.
Which is here:
However, I do understand if you are suggested to have it explicitly defined and for us to maintain it every time it is changed. LMK, if so, happy to do that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah okay - thanks Shahzad :)
I have a preference for them to not have to look at a .go
file to get that info, but changing that isn't really in scope here and we probably have better things to spend our time on atm :)
Thanks for your explanations!
expr: owner + reader + updater + deleter | ||
update: | ||
expr: owner + updater | ||
delete: | ||
expr: owner + deleter |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
question: I'm curious why we decided not to have write: updater + deleter
) | ||
require.Error(t, errCheckDocAccess) | ||
require.ErrorIs(t, errCheckDocAccess, ErrFailedToVerifyDocAccessWithACP) | ||
require.False(t, hasAccess) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
question: all unit tests (I didn't see any changes in integration tests) assert that there is no access. Is there a place where you assert that there is access?
Relevant issue(s)
Resolves #2905
Description
Split
write
intoupdate
anddelete
permission.For reviewers
[ ] Reviewing the draft please let me know if anything in the splitting logic seems odd to others, we will now not have any
write
perm, only separateupdate
anddelete
permission.How has this been tested?