Refactor Shopping Example: simulate ACLs with LB4 authorization #4522
Comments
@deepakrkris, since this is originally a migration guide task, I'd like to understand more on the acceptance criteria change. Here are my thoughts:
@dhmlau the shopping app has only a basic authorizer, not a casbin based RBAC authorizer
@dhmlau this is already done: https://github.com/strongloop/loopback-next/blob/master/examples/access-control-migration/src/services/assign-project-instance-id.voter.ts
@dhmlau, yes the shopping example tasks can be deferred, there were a few follow ups discussed in the migration PR https://github.com/strongloop/loopback-next/pull/4571/files#r381350460 , https://github.com/strongloop/loopback-next/pull/4571/files#r383709072 by @emonddr and @bajtos. Maybe we can prioritize them?
@deepakrkris, thanks for your info.
Seems like we're going around circles about having casbin in the first place, then removing it, and we want to add it back again. :). Not your fault, just pointing out the fact. :)
The links only show the files, do you see particular comment(s) that we need to have follow up discussions on? Could you please coordinate with @emonddr and @bajtos for those follow up questions (possibly opening new GH issues)? Thanks!
From what you described, @deepakrkris, let's continue the discussion here on the next steps, and for now, I'll defer this task from Q1, since it is no longer a migration guide related issue. Thanks!
@emonddr from your comment in https://github.com/strongloop/loopback-next/pull/4571/files#r381350460
@emonddr @jannyHou, do you think we can prioritize this for the migration example app in Q1?
@jannyHou from @bajtos comment https://github.com/strongloop/loopback-next/pull/4571/files#r383709072 👍
I see one limitation, the current way of casbin configuration in this example will explode with a growing number of APIs and more importantly with "data" (when additional projects are added). Usually API access is grouped with scopes and rbac checks are done against the scopes. Data level restrictions are so instead of,
we could have,
and check for project1 specific access from the database with an "owner" column.
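The scope-plus-ownership approach described in the quoted comment, as an added example that is not code from the original issue or from the loopback-next project. The types below mirror the shape of the @loopback/authorization voter contract (a context with principals, scopes and resource; metadata with required scopes; an Allow/Deny/Abstain decision) but are defined locally so the snippet runs stand-alone; the project table with its owner column is an in-memory stand-in holding constructed sample rows, and the voter is synchronous here where the real contract returns a Promise.

```typescript
// Local stand-ins for the @loopback/authorization shapes (assumption: a real
// voter would import Authorizer, AuthorizationContext, AuthorizationDecision).
enum AuthorizationDecision { ALLOW = 'Allow', DENY = 'Deny', ABSTAIN = 'Abstain' }

interface Principal { id: string; }
interface AuthorizationContext {
  principals: Principal[];                 // the authenticated user
  scopes: string[];                        // scopes carried by the user's token
  resource: string;                        // e.g. 'ProjectController.prototype.updateById'
  invocationContext: { args: unknown[] };  // method arguments; args[0] is the project id here
}
interface AuthorizationMetadata { scopes?: string[]; }

// Constructed sample of a project table with an "owner" column.
interface Project { id: number; owner: string; }
const PROJECTS: Project[] = [
  { id: 1, owner: 'alice' },
  { id: 2, owner: 'bob' },
];
// Stand-in for a repository lookup (synchronous so the example is self-contained).
function findProjectById(id: number): Project | undefined {
  return PROJECTS.find(p => p.id === id);
}

// Voter: API-level access is decided against scopes, so the policy does not grow
// with the number of endpoints or projects; instance-level access is decided from
// the owner column at request time instead of one policy line per project.
function scopeAndOwnerVoter(
  ctx: AuthorizationContext,
  metadata: AuthorizationMetadata,
): AuthorizationDecision {
  const required = metadata.scopes ?? [];
  // 1. RBAC against scopes: every scope the endpoint requires must be on the token.
  if (!required.every(s => ctx.scopes.includes(s))) return AuthorizationDecision.DENY;
  // 2. Collection-level endpoints carry no project id: the scope check is sufficient.
  const projectId = ctx.invocationContext.args[0];
  if (typeof projectId !== 'number') return AuthorizationDecision.ALLOW;
  // 3. Instance-level check: the caller must be the owner recorded in the database.
  const project = findProjectById(projectId);
  if (!project) return AuthorizationDecision.DENY;   // unknown id: fail closed
  const user = ctx.principals[0]?.id;
  return project.owner === user ? AuthorizationDecision.ALLOW : AuthorizationDecision.DENY;
}
```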
@dhmlau @deepakrkris I think, since we already have an example app (access-control-migration) that ONLY focuses on and demos the authentication and authorization, I would suggest using it as much as possible in the auth migration docs. For this story, I think something we can do is:
To summarize, we can first explain the concept differences. And since we already have an example defining the ACL based on a user implemented authorization system, let's use it whenever a scenario/code explanation is needed to support the concept. WDYT? And if we agree to not touch the shopping example, maybe bring back the original description and update based on it?
@deepakrkris for #4522 (comment), sorry I haven't got a chance to create a follow-up story for it. If you can add the limitations section in this story that would be great 👍
This issue has been marked stale because it has not seen activity within six months. If you believe this to be in error, please contact one of the code owners, listed in the
This issue has been closed due to continued inactivity. Thank you for your understanding. If you believe this to be in error, please contact one of the code owners, listed in the
Describe how to simulate ACLs in Shopping Example
Acceptance criteria
- @authorize to add role based access control
- Authorizer that implements ACL enforcement similar to https://github.com/strongloop/loopback-next/blob/master/examples/access-control-migration
- Authorizer/Voter that implements custom LB3 role resolver
- Extract the jwt authentication to a local component