Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[feature request] add support for grpc #7

Open
raffaelespazzoli opened this issue Sep 2, 2022 · 4 comments
Open

[feature request] add support for grpc #7

raffaelespazzoli opened this issue Sep 2, 2022 · 4 comments

Comments

@raffaelespazzoli
Copy link

currently the permission related annotations acts on https request. It would be nice if there was a way to have the same or similar annotations working on grpc methods.
@kdubb
Copy link
Contributor

kdubb commented Nov 9, 2022
edited
Loading

@raffaelespazzoli @iocanel

I'm fairly familiar with gRPC and after doing some brainstorming on Zulip I'm not sure Zanzibar's current annotation based model will work.

With HTTP there is a well defined model of using path and/or query parameters along with headers to defined the "object" that Zanzibar will authorize. With gRPC these are defined per service method as a strongly typed protobuf message. Given the way protobuf messages are encoded (using field ids) there just is no way to extract the "object" without code that knows how to access that rpc message specifically.

Maybe can would provide an injectable interface that service methods can call with the "object" and/or the "relation". Then Zanzibar can access the authorized user for them and do the authorization. With this model we can still use the FGARelation annotation to provide static relations.

Actually, we could provide the same interface for HTTP for endpoints that need to provide some really dynamic "object" determination; HTTP will just have an extra set of annotations that perform the authorization call for you.

@kdubb
Copy link
Contributor

kdubb commented Nov 9, 2022

Here's how that would look...

public class MyGRPCServiceImpl implements MyGRPCService {
  
  @Inject
  ZanzibarAuthorizer authorizer;
  
  // Call using a static relation
  @FGARelation("owner")
  Response accessDocuemnt(DocuementAccessRequest request) {
    // authorize... throwing exception with status PERMISSION_DENIED if failed
    authorizer.authorize(request.getDocumentId())

    // access document 
    ...
  }
  
  // Call using a dynamic relation
  Response accessDocuemnt(DocuementAccessRequest request) {

    // Figure out required relation...
    String dynamicRelation;
    if (request.getOperation() == "read") {
      dynamicRelation = "reader";
    }
    else {
      dynamicRelation = "writer";
    }

    // authorize... throwing exception with status PERMISSION_DENIED if failed
    authorizer.authorize(request.getDocumentId(), dynamicRelation)

    // access document 
    ...
  }
}

@kdubb
Copy link
Contributor

kdubb commented Nov 9, 2022

Notice how that could be used for HTTP or gRPC.

Obviously it would be required for gRPC but HTTP endpoints could use it when they need to dynamically determine the "relation" or "object".

@kdubb
Copy link
Contributor

kdubb commented Nov 9, 2022

Also it appears there is no default authentication handling for gRPC. Clement correctly suggested that gRPC prefers mutual TLS so we need to provide a plugin point where users can install a ServerInterceptor that provides Zanzibar with the authenticated username, at which point they can choose to use mutual TLS or some other method.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@kdubb @raffaelespazzoli