Comments (4)
I'm fairly familiar with gRPC and after doing some brainstorming on Zulip I'm not sure Zanzibar's current annotation based model will work.
With HTTP there is a well defined model of using path and/or query parameters along with headers to defined the "object" that Zanzibar will authorize. With gRPC these are defined per service method as a strongly typed protobuf message. Given the way protobuf messages are encoded (using field ids) there just is no way to extract the "object" without code that knows how to access that rpc message specifically.
Maybe can would provide an injectable interface that service methods can call with the "object" and/or the "relation". Then Zanzibar can access the authorized user for them and do the authorization. With this model we can still use the FGARelation
annotation to provide static relations.
Actually, we could provide the same interface for HTTP for endpoints that need to provide some really dynamic "object" determination; HTTP will just have an extra set of annotations that perform the authorization call for you.
from quarkus-zanzibar.
Here's how that would look...
public class MyGRPCServiceImpl implements MyGRPCService {
@Inject
ZanzibarAuthorizer authorizer;
// Call using a static relation
@FGARelation("owner")
Response accessDocuemnt(DocuementAccessRequest request) {
// authorize... throwing exception with status PERMISSION_DENIED if failed
authorizer.authorize(request.getDocumentId())
// access document
...
}
// Call using a dynamic relation
Response accessDocuemnt(DocuementAccessRequest request) {
// Figure out required relation...
String dynamicRelation;
if (request.getOperation() == "read") {
dynamicRelation = "reader";
}
else {
dynamicRelation = "writer";
}
// authorize... throwing exception with status PERMISSION_DENIED if failed
authorizer.authorize(request.getDocumentId(), dynamicRelation)
// access document
...
}
}
from quarkus-zanzibar.
Notice how that could be used for HTTP or gRPC.
Obviously it would be required for gRPC but HTTP endpoints could use it when they need to dynamically determine the "relation" or "object".
from quarkus-zanzibar.
Also it appears there is no default authentication handling for gRPC. Clement correctly suggested that gRPC prefers mutual TLS so we need to provide a plugin point where users can install a ServerInterceptor
that provides Zanzibar with the authenticated username, at which point they can choose to use mutual TLS or some other method.
from quarkus-zanzibar.
Related Issues (6)
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from quarkus-zanzibar.