currently the permission related annotations acts on https request. It would be nice i

<a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/us

Here's how that would look... <div class="highlight highlight-source-java notransl

[feature request] add support for grpc about quarkus-zanzibar HOT 4 OPEN

quarkiverse commented on July 20, 2024

[feature request] add support for grpc

from quarkus-zanzibar.

Comments (4)

kdubb commented on July 20, 2024

@raffaelespazzoli @iocanel

I'm fairly familiar with gRPC and after doing some brainstorming on Zulip I'm not sure Zanzibar's current annotation based model will work.

With HTTP there is a well defined model of using path and/or query parameters along with headers to defined the "object" that Zanzibar will authorize. With gRPC these are defined per service method as a strongly typed protobuf message. Given the way protobuf messages are encoded (using field ids) there just is no way to extract the "object" without code that knows how to access that rpc message specifically.

Maybe can would provide an injectable interface that service methods can call with the "object" and/or the "relation". Then Zanzibar can access the authorized user for them and do the authorization. With this model we can still use the FGARelation annotation to provide static relations.

Actually, we could provide the same interface for HTTP for endpoints that need to provide some really dynamic "object" determination; HTTP will just have an extra set of annotations that perform the authorization call for you.

from quarkus-zanzibar.

kdubb commented on July 20, 2024

Here's how that would look...

public class MyGRPCServiceImpl implements MyGRPCService {
  
  @Inject
  ZanzibarAuthorizer authorizer;
  
  // Call using a static relation
  @FGARelation("owner")
  Response accessDocuemnt(DocuementAccessRequest request) {
    // authorize... throwing exception with status PERMISSION_DENIED if failed
    authorizer.authorize(request.getDocumentId())

    // access document 
    ...
  }
  
  // Call using a dynamic relation
  Response accessDocuemnt(DocuementAccessRequest request) {

    // Figure out required relation...
    String dynamicRelation;
    if (request.getOperation() == "read") {
      dynamicRelation = "reader";
    }
    else {
      dynamicRelation = "writer";
    }

    // authorize... throwing exception with status PERMISSION_DENIED if failed
    authorizer.authorize(request.getDocumentId(), dynamicRelation)

    // access document 
    ...
  }
}

from quarkus-zanzibar.

kdubb commented on July 20, 2024

Notice how that could be used for HTTP or gRPC.

Obviously it would be required for gRPC but HTTP endpoints could use it when they need to dynamically determine the "relation" or "object".

from quarkus-zanzibar.

kdubb commented on July 20, 2024

Also it appears there is no default authentication handling for gRPC. Clement correctly suggested that gRPC prefers mutual TLS so we need to provide a plugin point where users can install a ServerInterceptor that provides Zanzibar with the authenticated username, at which point they can choose to use mutual TLS or some other method.

from quarkus-zanzibar.

[feature request] add support for grpc about quarkus-zanzibar HOT 4 OPEN

Comments (4)

Related Issues (6)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent