For the slide deck on RBAC and implementation design, please check out - https://docs.google.com/presentation/d/1wNp1re47Isc_BX_wZWPjmJkOgnSqrlfhiNKRqJrirFE/edit#slide=id.p
Design discussion that has been signed off / agreed upon as of date:
Use OPA and Envoy as sidecars in backend microservices for authorization
A program which can convert the json schema definitions to OPA rego code
Sample schema definition (Work in progress, but the design is more or less as it looks below, some parts of the json keys can change to make more meaningful naming convention)
{
"apis": [
{
"name": "createContent",
"uris": "/content/v1/create",
"upstream_url": "http://knowledge-mw:5000/v1/content/create",
"checks": [
{
"checkType": "roleCheck",
"key": "token",
"token": "CONTENT_CREATOR, COURSE_CREATOR"
},
{
"checkType": "orgCheck",
"key": "body",
"body": "request.content.createdFor[*]"
},
{
"checkType": "ownerCheck",
"key": "header || body",
"body": "request.userId",
"header": "X-User-Id"
}
]
}
]
}
Schema can use
||,&&or single keys. The||and&&signify OR and AND operation. If AND is used, then both keys are checked against the token and both need to match, if OR is used, then one of the key should match in the tokenSample token structure
{
"iss": "mykey",
"aud": "project-sunbird-stage-client",
"userid": "7e726898-0635-44cf-81ff-3b3a889c8dba",
"typ": "Bearer",
"exp": 1622744532,
"iat": 1622658132,
"roles": [
{
"scope": [
{
"orgId": "01269878797503692810"
}
],
"role": "COURSE_CREATOR"
},
{
"scope": [
{
"orgId": "ORG_001"
},
{
"orgId": "ORG_002"
}
],
"role": "BOOK_CREATOR"
}
]
}
Parser code (work in progress) - https://github.com/keshavprasadms/rego-go-parser