Introduce policy decision API #1137
Comments
|
@vhdirk I don't get why you added the Basically what I think you need:
By using the "actions", one would however require to have |
|
I forgot to update the payload after I added the policy id as a pathparam :) As far as the response goes; the idea was that you could test multiple permissions independently. But there's not that many combinations to be made with permissions, so I think the simple boolean response would be fine. |
That won't work as the Ditto "policies" service/persistence does not track "backward relations" and architecturally we don't want it to. Solution could be simple: Always make "policyId" and "thingId" the same, then you won't need to look up the "policyId" before checking the policy permissions. |
thjaeckle
added
enhancement
community-interest
|
Since frontends usually have to check for multiple paths at once to reduce the number of requests per page load the endpoint should accept multiple requests in one. E.g. with a payload like: And a result payload like: Or simplified: Maybe it's also useful if I can call that permission check action on a thing and ditto then forwards this to the policy check action with the corresponding thingId. That way I don't have to find out the policyId of a thing first. When retrieving a thing or feature one could also supply a path parameter to request deviating permissions so if I GET a feature and I'm interested if there are properties on that feature I can't READ or WRITE then I'd like to know that. Similar to the |
|
Thinking about this feature request again ..
Idea (building on input provided by @w4tsn and @vhdirk): Payload: [
{
"resource": "thing:/features/lamp/properties/on",
"entityId": "org.eclipse.ditto:some-thing-1",
"hasPermissions": [ "READ" ]
},
{
"resource": "message:/features/lamp/inbox/toggle",
"entityId": "org.eclipse.ditto:some-thing-1",
"hasPermissions": [ "WRITE" ]
},
{
"resource": "policy:/",
"entityId": "org.eclipse.ditto:some-policy-1",
"hasPermissions": [ "READ", "WRITE" ]
}
]The response payload would either just be: [
true,
true,
false
]Or it would include the whole "input" (maybe optionally with a "verbose" flag). And an alternative to that (as JsonArrays are often problematic to handle, using indices, etc.): {
"lamp_reader": {
"resource": "thing:/features/lamp/properties/on",
"entityId": "org.eclipse.ditto:some-thing-1",
"hasPermissions": [ "READ" ]
},
"lamp_toggler": {
"resource": "message:/features/lamp/inbox/toggle",
"entityId": "org.eclipse.ditto:some-thing-1",
"hasPermissions": [ "WRITE" ]
},
"policy_admin": {
"resource": "policy:/",
"entityId": "org.eclipse.ditto:some-policy-1",
"hasPermissions": [ "READ", "WRITE" ]
}
}Which could (by default) just return a response like: {
"lamp_reader": true,
"lamp_toggler": true,
"policy_admin": false
}Or it would include the whole "input" (maybe optionally with a "verbose" flag). |
|
Ideas:
|
|
@hu-ahmed started to work on this .. |
For our UI, we'd like an endpoint that we can call to check if we should enable/disable certain elements based on policies.
As briefly discussed on gitter with @thjaeckle, that endpoint could look something like:
POST /api/2/policies/{policyId}/actions/checkPermissionswith a payload like{ "resource": "thing:/features/X/properties/Y", "id": "org.eclipse.ditto:mythingId", "permissions": [ "READ" ], }The response could be something like
[ { "permission": "READ", "allowed": true/false } ]That would require you to have the policyId at hand, potentially having to fetch the Thing prior to using this api. It does make it generic to use for any kind of resource (thing, policy, messages)
The text was updated successfully, but these errors were encountered: