use inquiries data in policies


Hi,

Is it possible to use inquiry parameters in an element of the policy?

The use case is to limit an API call to only rows that belong to a particular user (stored in the example below in ‘route_instance_id’).

I want to authorise the rule only if the route_instance_id in the inquiry resource matches the user_id in the inquiry subject.

The only way I’ve found for now is to add a dynamic policy at each request, but it’s not very efficient and is hard to maintain.

Example:

import vakt

inquiry = vakt.Inquiry(
    subject={"user_id": 42, "roles": ["user"]},
    action="GET",
    resource={
        "route_endpoint": "test_endpoint",
        "route_instance_id": 42,
        "query_sort": "-id",
        "query_foo": "bar",
    },
    context={"ip": "127.0.0.1"},
)

against this policy:

import uuid

import vakt
from vakt.rules import AnyIn, Eq

policy_user_test = vakt.Policy(
    uuid.uuid4().hex,
    resources=[
        {
            "route_endpoint": Eq("test_endpoint"),
            # Desired rule (not an existing vakt rule at the time of this
            # question): compare this attribute with the inquiry subject's
            # "user_id" attribute at evaluation time.
            "route_instance_id": Inquiry("subject", "user_id"),
        }
    ],  # uri
    actions=[Eq("GET")],
    subjects=[{"roles": AnyIn("user")}],
    effect=vakt.ALLOW_ACCESS,
    description="""
    Allow get for only its own instance
    """,
)

I’ve seen there was initial support before 1.2 for strings with SubjectEqual & co, but it has been dropped and did not support dicts. Is there a reason for dropping this?

I think the use case is quite common (above is an example, but I’ve plenty of use cases like this one for the API).

Or perhaps there is another way to do the same thing that I’ve overlooked?

Thanks, Regards, Thomas.

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 5 (3 by maintainers)

Top GitHub Comments

ThomasChiroux commented, Dec 10, 2019 (1 reaction)

Hi, sorry wasn’t available last week.

1.4.0 works perfectly for my use case.

Thanks a lot!! Thomas.

kolotaev commented, Sep 25, 2019 (1 reaction)

Hi Thomas, Thanks for the question.

SubjectEqual & co are still there, so I can’t say they are dropped, but indeed they still work only if your policies (and inquiries respectively) are String-based, like it was prior to 1.2. I underestimated their usefulness when I implemented Rule-based Policies support (Policies where you can define various attributes with dicts, like in your example). Besides, as far as I remember, there were some implementation issues with composition of Rules (And, Or, … Not, etc.) for such Rules, so they remained overlooked.

Unfortunately the only way to achieve this is to deal with them in the old-fashioned way (like prior to 1.2), but in this case you’re losing the attribute-dict definition facility.

We need to add new Rules, or a new way to define such cases. Something like: SubjectKeyEqual(‘user_id’). I agree that there are plenty of use cases for such functionality. So, hold on, I’ll implement it as the next most important feature after we finish and merge SQLStorage support.

Please, don’t close this issue - it will be the reference.
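The mechanism both the question and the maintainer's proposed SubjectKeyEqual(‘user_id’) describe is a rule that is evaluated against the whole inquiry, not just against one attribute, so that a single stored policy can express "a user may only read rows whose owner is that user". The following is an added, stand-alone sketch of that mechanism written for this page; it is not vakt's code and does not reproduce the rule vakt 1.4.0 shipped. The names Inquiry, Policy, Rule, Eq, AnyIn, SubjectAttrEqual, Guard and the helper check() are hypothetical, and the sample inquiries are constructed to mirror the ones in the thread. It also shows the two checks a practitioner wants from such a rule: a missing attribute fails closed, and the comparison is type-strict so that 42 and "42" do not match.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, List

ALLOW, DENY = "allow", "deny"


@dataclass
class Inquiry:
    """Hypothetical dict-shaped inquiry, mirroring the thread's example."""
    subject: Dict[str, Any]
    action: str
    resource: Dict[str, Any]
    context: Dict[str, Any] = field(default_factory=dict)


class Rule:
    # Every rule receives the full inquiry, which is what lets a rule on the
    # resource side refer to an attribute of the subject side.
    def satisfied(self, what: Any, inquiry: Inquiry) -> bool:
        raise NotImplementedError


class Eq(Rule):
    def __init__(self, value: Any):
        self.value = value

    def satisfied(self, what: Any, inquiry: Inquiry) -> bool:
        return what == self.value


class AnyIn(Rule):
    """Satisfied when any element of a list-valued attribute is in the rule's values."""
    def __init__(self, *values: Any):
        self.values = set(values)

    def satisfied(self, what: Any, inquiry: Inquiry) -> bool:
        return isinstance(what, (list, tuple, set)) and any(v in self.values for v in what)


class SubjectAttrEqual(Rule):
    """Hypothetical inquiry-aware rule: the attribute it guards must equal the
    named attribute of the inquiry's subject. A subject without that attribute
    never satisfies the rule (fail closed), and the comparison is type-strict."""
    _MISSING = object()

    def __init__(self, attribute: str):
        self.attribute = attribute

    def satisfied(self, what: Any, inquiry: Inquiry) -> bool:
        expected = inquiry.subject.get(self.attribute, self._MISSING)
        if expected is self._MISSING:
            return False
        return type(what) is type(expected) and what == expected


def _dict_matches(rules: Dict[str, Rule], attrs: Dict[str, Any], inquiry: Inquiry) -> bool:
    # Every key named in the policy must be present in the inquiry element and
    # satisfy its rule; extra inquiry keys (query_sort, query_foo) are ignored.
    return all(key in attrs and rule.satisfied(attrs[key], inquiry) for key, rule in rules.items())


@dataclass
class Policy:
    uid: str
    subjects: List[Dict[str, Rule]]
    actions: List[Rule]
    resources: List[Dict[str, Rule]]
    effect: str = ALLOW

    def fits(self, inq: Inquiry) -> bool:
        return (any(_dict_matches(s, inq.subject, inq) for s in self.subjects)
                and any(a.satisfied(inq.action, inq) for a in self.actions)
                and any(_dict_matches(r, inq.resource, inq) for r in self.resources))


class Guard:
    def __init__(self, policies: List[Policy]):
        self.policies = policies

    def is_allowed(self, inq: Inquiry) -> bool:
        fitting = [p for p in self.policies if p.fits(inq)]
        if not fitting:
            return False  # default deny: no policy matched
        return all(p.effect == ALLOW for p in fitting)  # any DENY wins


# One static policy covers every user: the owner check binds at evaluation time.
OWN_INSTANCE_POLICY = Policy(
    uid="own-instance-get",
    subjects=[{"roles": AnyIn("user")}],
    actions=[Eq("GET")],
    resources=[{"route_endpoint": Eq("test_endpoint"),
                "route_instance_id": SubjectAttrEqual("user_id")}],
)


def check(user_id: Any, instance_id: Any, roles=("user",), action="GET") -> bool:
    """Build a constructed inquiry like the thread's and evaluate it."""
    inq = Inquiry(subject={"user_id": user_id, "roles": list(roles)},
                  action=action,
                  resource={"route_endpoint": "test_endpoint",
                            "route_instance_id": instance_id,
                            "query_sort": "-id", "query_foo": "bar"},
                  context={"ip": "127.0.0.1"})
    return Guard([OWN_INSTANCE_POLICY]).is_allowed(inq)
```

The subject attribute the rule reads must come from the authenticated session or token, never from client-controlled request data; otherwise a caller can set user_id to the owner of the row they want and the row-level check collapses to nothing.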
