Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Make DAC write permission more granular #3218

Draft
wants to merge 4 commits into
base: develop
Choose a base branch
from

Conversation

shahzadlone
Copy link
Member

@shahzadlone shahzadlone commented Nov 7, 2024

Relevant issue(s)

Resolves #2905

Description

Split write into update and delete permission.

For reviewers

[ ] Reviewing the draft please let me know if anything in the splitting logic seems odd to others, we will now not have any write perm, only separate update and delete permission.

How has this been tested?

  • todo: Update previous test once migration of policyID is done
  • todo: Split previous write tests

@shahzadlone shahzadlone added feature New feature or request area/acp Related to the acp (access control) system labels Nov 7, 2024
@shahzadlone shahzadlone self-assigned this Nov 7, 2024
@shahzadlone shahzadlone force-pushed the lone/feat/granular-dpi-mutation-perms branch from e66b85c to 4c5abd5 Compare January 2, 2025 20:06
@shahzadlone shahzadlone force-pushed the lone/feat/granular-dpi-mutation-perms branch from 4c5abd5 to 19a52d8 Compare January 2, 2025 20:06
@shahzadlone shahzadlone requested a review from a team January 2, 2025 20:06
@@ -443,8 +453,8 @@ Note:
- The collection with the target document must have a valid policy and resource linked.
- The target document must be registered with ACP already (private document).
- The requesting identity MUST either be the owner OR the manager (manages the relation) of the resource.
- If the specified relation was not granted the miminum DPI permissions (read or write) within the policy,
and a relationship is formed, the subject/actor will still not be able to access (read or write) the resource.
- If the specified relation was not granted the miminum DPI permissions (read or update or delete) within the policy,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

question: These should read (read and update and delete) no? Having all 3 is required?

Copy link
Member Author

@shahzadlone shahzadlone Jan 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No. They are required for the owner relation only. This part of documentation is under the topic of sharing the document (adding a relationship). The relation being added might not have any of read or update or delete (in which case the identity might not be able to perform any action) or any other permission combination, which will determine what the identity that is being shared with can do.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, I asked the right question in the wrong location!

They are required for the owner relation only

Is there nowhere in the documentation that notes this? I see no other lines changed.


thought: I'm happy with the feature, and the 4-5 lines of code that have changed, but will not approve until the PR is out of draft status :)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there nowhere in the documentation that notes this? I see no other lines changed.

From line 100 onwards...

## DAC DPI Rules
To qualify as a DPI-compliant `resource`, the following rules **MUST** be satisfied:
- The resource **must include** the mandatory `registerer` (`owner`) relation within the `relations` attribute.
- The resource **must encompass** all the required permissions under the `permissions` attribute.
- Every required permission must have the required registerer relation (`owner`) in `expr`.
- The required registerer relation **must be positioned** as the leading (first) relation in `expr` (see example below).
- Any relation after the required registerer relation must only be a union set operation (`+`).
For a `Policy` to be `DPI` compliant for DAC, all of its `resources` must be DPI compliant.
To be `Partially-DPI` at least one of its `resource` must be DPI compliant.
### More Into The Weeds:
All mandatory permissions are:
- Specified in the `dpi.go` file within the variable `dpiRequiredPermissions`.

It's worded in a generic manner so in future changing would have to be done in minimal places... so for example it says dpi.go file has the required owner permissions defined (it's actually part of what it means for a policy to be DPI/DRI compliant)

thought: I'm happy with the feature, and the 4-5 lines of code that have changed, but will not approve until the PR is out of draft status :)

Fair enough

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

has the required owner permissions defined

Does the doc define what the required owner permissions are? How will users know they need to define update and delete?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The same way they knew before that read and write are required by looking where the doc tells them to look.

Which is here:

https://github.com/sourcenetwork/defradb/pull/3218/files#diff-ad40faeabd754bac2701e0b75e95ceca2744fb511c6cb44221dfa2d6101ab6d8R35-R40

However, I do understand if you are suggested to have it explicitly defined and for us to maintain it every time it is changed. LMK, if so, happy to do that.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah okay - thanks Shahzad :)

I have a preference for them to not have to look at a .go file to get that info, but changing that isn't really in scope here and we probably have better things to spend our time on atm :)

Thanks for your explanations!

Comment on lines +188 to +192
expr: owner + reader + updater + deleter
update:
expr: owner + updater
delete:
expr: owner + deleter
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

question: I'm curious why we decided not to have write: updater + deleter

)
require.Error(t, errCheckDocAccess)
require.ErrorIs(t, errCheckDocAccess, ErrFailedToVerifyDocAccessWithACP)
require.False(t, hasAccess)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

question: all unit tests (I didn't see any changes in integration tests) assert that there is no access. Is there a place where you assert that there is access?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/acp Related to the acp (access control) system feature New feature or request
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Split ACP write perm into delete and update
3 participants