Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unified policy for secure both registry records & Elasticsearch datasets #3256

Closed
t83714 opened this issue Oct 28, 2021 · 1 comment
Closed

Unified policy for secure both registry records & Elasticsearch datasets #3256

t83714 opened this issue Oct 28, 2021 · 1 comment
Assignees
@t83714
Milestone
Next (v2.0.0)

Comments

@t83714
Copy link
Contributor

t83714 commented Oct 28, 2021
edited
Loading

We currently have a dataset policy that secures dataset records only.

The policy was created for early trial of our access control model and only for purpose of securing dataset in elastic-search originally.

However, our main metadata store registry actually support a more generic record type which users can create other record types on top of it. e.g. distributions, organisations etc.

This ticket is about creating one single "unified story" to:

  • secure the generic record model including different record types
  • secure two storage engines: registry & elastic search & different use cases
  • the solution should be expansible so users can add more policy to add custom logic for custom record type

Solution

  • One policy entrypoint object/record/allow.rego to delegate auth decision to policy created specifically for a particular record type.
    • e.g. when a record is a dataset record (test by checking if a record has dcat-dataset-strings aspect), delegate the decision to object/dataset/allow.rego
  • if it's an unknown record type, default access control logic applied.
    • i.e. Only users have matching permission with appropriate constraint can perform the operation.
    • e.g. if a user has object/record/update permission with owner constraint, only the record owner/creator can update the record.
  • Existing policy object/dataset/allow.rego needs to be adjusted to match more generic registry API data structure.
  • Policy enforcement at Search API / Elasticsearch can use extra logic to translate the data field reference that matches registry data structure to data field references matches Elasticsearch data structure.
  • i.e. in policy we should access aspect data field with json patch input.object.dataset.[aspect name].[aspect field name].
  • e.g. reference input.object.dataset.publishingState in previous policy should change to input.object.dataset. publishing.state as publishingState field is defined as state field in publishing aspect
  • e.g. input.object.dataset.accessControl.ownerId reference should be input.object.dataset["access-control"].ownerId --- as ownerId field us defined in access-control aspect.
    • Please note: the new decision API default concise format response will convert the reference to input.object.dataset.access-control.ownerId for ease of processing
@t83714 t83714 self-assigned this Oct 28, 2021
@t83714 t83714 added this to the Next milestone Oct 28, 2021
t83714 added a commit that referenced this issue Oct 28, 2021
@t83714
related to #3256:
a7dd09f 
- create object.record.allow entrypoint
- replace references in object.dataset.allow with registry layout references
@t83714 t83714 mentioned this issue Oct 28, 2021
Merged
2 tasks
This was referenced Jan 27, 2022
Closed
Closed
@t83714
Copy link
Contributor Author

t83714 commented Mar 2, 2022

closed via #3257

@t83714 t83714 closed this as completed Mar 2, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@t83714 t83714

Labels
None yet
Projects
None yet
Milestone
Next (v2.0.0)
Development

No branches or pull requests
1 participant
@t83714