Caveat for ABAC+RBAC working on playground but not on local dev #2194
Unanswered
jithinprasadr asked this question in Q&A
-
I just ran this locally and it still seems to work as expected:
How are you testing it locally?
-
Are you sure that the consistency syntax is correct in Postman? I've never used Postman for gRPC; does it error when it can't correctly serialize something or silently omit it? I could see this being a silent fallback to I'd also retry with a minimal subset of the relations you're writing, and make sure that the relations match your intent.
-
Hi,
I am trying to implement an RBAC+ABAC requirement.
There are two types of users: admin users and managers. The documents that are readable by admins are readable by their managers as well. Additionally, managers can read all documents that are accessible to any admin. But there is a restriction for managers based on their current role. The manager has the ability to switch to a normal admin. In this case, the manager can only access the documents that are readable under their admin. If they switch to the manager role, then they can read any document.
To address this scenario, I created a group to represent admins and managers, and documents are associated with groups.
In order to supply the current role of the manager, I created a caveat and match the value for access.
I tried the same in the SpiceDB playground and it is working fine:
https://play.authzed.com/s/Di5XFplvHjqy/assertions
But when I tried the same on my local machine, the permission is denied for the first assert.
I need to know what configuration is missing on my local machine.
Result of CheckPermission: