feat: RBAC | ACLs based access management #891
Conversation
| .withRBAC({ | ||
| acls: [{ | ||
| acl: [{ | ||
| actions: ['C', 'R', 'U', 'D'], |
There was a problem hiding this comment.
Why does anonymous get full access to everything here?
There was a problem hiding this comment.
this is not actually anonymous, these are slack end points.
and we have slack command for create org , site entities , so with the intent of not breaking any existing flow giving access.
@solaris007 Can we restrict it without any break in current flow ?
There was a problem hiding this comment.
Ok - I'll take your word for it but it does say user_id: 'anonymous' ...
|
|
||
| context.dataAccess = createDataAccess({ | ||
| tableNameData: DYNAMO_TABLE_NAME_DATA, | ||
| aclCtx: context?.attributes?.authInfo?.rbac || {}, |
There was a problem hiding this comment.
i suggest just feeding in the context itself and let the method handle the resolution. this is public API and users should not have to deal with that line. while we're at it, we can probably reduce the signature to context only, as the table name originates from context.env usually.
There was a problem hiding this comment.
So If I am understanding you correctly here we should only feed the whole context in config i.e.
context.dataAccess = createDataAccess({
context,
}, log);
and in service layer resolve it to aclCtx, i.e.
export const createDataAccess = (config, log = console, client = undefined) => {
registerLogger(log);
// resolve here
config.aclCtx = config?.context?.attributes?.authInfo?.rbac || {};
config.tableNameData: config?.context?.env?.DYNAMO_TABLE_NAME_DATA;
const rawClient = createRawClient(client);
const electroService = createElectroService(rawClient, config, log);
const entityRegistry = new EntityRegistry(electroService, config, log);
return entityRegistry.getCollections();
};
There was a problem hiding this comment.
one more thing to keep it like that way as it is, that the API createDataAccess is used to create dataAccess for RBAC table as well with different ACls ( allow to read role role-member entities) as per need , for example in ACLs fetching while authenticate.
So I think we can keep it like this way to have flexibility
| try { | ||
| const { validatedItems, errorItems } = this.#validateItems(newItems); | ||
|
|
||
| const createdItems = this.#createInstances(validatedItems); |
There was a problem hiding this comment.
why was this moved before the validated items size check?
There was a problem hiding this comment.
AFAIU
after the size check , in the next line validatedItems got saved in DB
const response = await this.entity.put(validatedItems).go();
so using #createInstances after it just for get object in-memory and call onCreateMany which actually do nothing.
so it moving up before saving and check permission make sense to me.
@bosschaert Correct me I am wrong here ?
There was a problem hiding this comment.
it is more that we can save the computational effort (as before) if none of the items are valid.
There was a problem hiding this comment.
yup, so we can move permission check within the valid check block like
const createdItems = [];
if (validatedItems.length > 0) {
createdItems = this.#createInstances(validatedItems);
// Check that the current user has permission to create each entity
createdItems.forEach((item) => item.ensurePermission('C'));
const response = await this.entity.put(validatedItems).go();
if (isNonEmptyArray(response?.unprocessed)) {
this.log.error(`Failed to process all items in batch write for [${this.entityName}]: ${JSON.stringify(response.unprocessed)}`);
}
}
There was a problem hiding this comment.
moved it after validation, permission check happening before creation
| throw new DataAccessError(message); | ||
| } | ||
|
|
||
| // TODO this is quite inefficient, consider a batch lookup |
There was a problem hiding this comment.
please complete this todo - also, projection via electrodb might be considered to reduce payload size. only project props that are needed by ensurePermission.
There was a problem hiding this comment.
will look into it 👍
There was a problem hiding this comment.
considered the projection to reduce entity payload and batched the processing, please check
packages/spacecat-shared-data-access/src/models/base/base.model.js
Outdated
Show resolved
Hide resolved
packages/spacecat-shared-data-access/src/models/role-member/role-member.schema.js
Outdated
Show resolved
Hide resolved
|
This PR will trigger a minor release when merged. |
|
@ravverma in general it looks good to me, but I'll leave the final review to @solaris007 |
Thanks @bosschaert
|
Please go through wiki for more details :
https://wiki.corp.adobe.com/display/AEMSites/Project+Spacecat+%7C+RBAC
Please ensure your pull request adheres to the following guidelines:
Related Issues
Thanks for contributing!