refactor[internal/openfga] simplifies some model access checks #1484

Merged
merged 3 commits into from
Dec 12, 2024

alesstimec
Collaborator

Description

  • adds a method to internal/openfga to check if user has specific relation to a model
  • removes the need for allowedModelAccess map, which was horrible
  • makes doModel method slightly faster because now it does a single openfga check instead of 3
  • simplifies userModelAccess in jujuapi

Engineering checklist

Check only items that apply

  • Documentation updated
  • Covered by unit tests
  • Covered by integration tests

Test instructions

Notes for code reviewers

@alesstimec alesstimec requested a review from a team as a code owner December 6, 2024 11:13
Contributor

@SimoneDutto SimoneDutto left a comment

LGTM.

if err != nil {
return errors.E(op, err)
}
if !allowedModelAccess[access][accessLevel] {

if !hasAccess {
Contributor

Basically, before we were handling hierarchy between roles manually? And now we rely on our authorization model, good.

}
if hasReadAccess {
return "read", nil
func userModelAccess(ctx context.Context, user *openfga.User, model names.ModelTag) string {
Contributor

@SimoneDutto SimoneDutto Dec 6, 2024

godoc please

Contributor

@ale8k ale8k left a comment

lgtm ty

func userModelAccess(ctx context.Context, user *openfga.User, model names.ModelTag) string {
userRelation := user.GetModelAccess(ctx, model)
switch userRelation {
case ofganames.AdministratorRelation:
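
Review bot: at `userRelation := user.GetModelAccess(ctx, model)` no error is returned or checked, and `userModelAccess` itself now returns only a string where the removed lines returned `"read", nil`, so a caller cannot tell a failed OpenFGA check apart from a user who has no relation to the model. Please confirm that GetModelAccess fails closed (yields no relation when the check errors) and records the failure, and state that behaviour in the godoc for both functions. It would also help if the switch ended in a default case that returns no access, so any relation not listed here is denied rather than mapped by accident.
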
Contributor

I know we have ofganames now, but I really think permission package with access constants would've been better from juju.

@alesstimec alesstimec merged commit 2219df3 into canonical:v3 Dec 12, 2024
4 checks passed