For the slide deck on RBAC and implementation design, please check out - https://docs.google.com/presentation/d/1wNp1re47Isc_BX_wZWPjmJkOgnSqrlfhiNKRqJrirFE/edit#slide=id.p
Design discussion that has been signed off / agreed upon as of date:
Use OPA and Envoy as sidecars in backend microservices for authorization
A program which can convert the json schema definitions to OPA rego code
Sample schema definition (Work in progress, but the design is more or less as it looks below, some parts of the json keys can change to make more meaningful naming convention)
| Code Block | ||
|---|---|---|
| ||
{
"apis": [
{
"name": "createContent",
"uris": "/content/v1/create",
"upstream_url": "http://knowledge-mw:5000/v1/content/create",
"checks": [
{
"checkType": "roleCheck",
"key": "token",
"token": "CONTENT_CREATOR, COURSE_CREATOR"
},
{
"checkType": "orgCheck",
"key": "body",
"body": "request.content.createdFor[*]"
},
{
"checkType": "ownerCheck",
"key": "header || body",
"body": "request.userId",
"header": "X-User-Id"
}
]
}
]
} |
Schema can use
||,&&or single keys. The||and&&signify OR and AND operation. If AND is used, then both keys are checked against the token and both need to match, if OR is used, then one of the key should match in the tokenSample token structure
| Code Block | ||
|---|---|---|
| ||
{
"iss": "mykey",
"aud": "project-sunbird-stage-client",
"userid": "7e726898-0635-44cf-81ff-3b3a889c8dba",
"typ": "Bearer",
"exp": 1622744532,
"iat": 1622658132,
"roles": [
{
"scope": [
{
"orgId": "01269878797503692810"
}
],
"role": "COURSE_CREATOR"
},
{
"scope": [
{
"orgId": "ORG_001"
},
{
"orgId": "ORG_002"
}
],
"role": "BOOK_CREATOR"
}
]
} |
Parser code (work in progress) - https://github.com/keshavprasadms/rego-go-parser
Addminutils will invoke the get user roles API and append the roles and orgs information to JWT token, sign it and then issue it to the user
Design disucssion that is work in progress:
New proposed flow for Portal and Mobile for anonymous and logged in user
