Not a final version.
An authorization framework written in go based on Zanzibar: Google’s Consistent, Global Authorization System.
It offers an IDE with a graph for visualizing the relations and permissions between entities.
!!! This is not meant for production usage, there are still a lot of things missing and the quality and organization of code is questionable since this is my first Go project and was done in a serious hurry!!!
See below for "planned" things.
In the editor, you can define the relation between entities using yaml, for example, the default configuration is this:
type: user
---
type: group
relations:
member: user
---
type: folder
relations:
reader: user | group#member
---
type: document
relations:
parent_folder: folder
writer: user
reader: user
permissions:
read: reader | writer | parent_folder.reader
read_and_write: reader & writer
read_only: reader & !writerThis is just an example, Kala is able to model and combine every type of authorization (RBAC, ABAC, ACL, Custom Roles etc.), you can find some examples in the dropdown.
In the above example, there are 4 types defined:
- user
- group that has a relation that indicates a
membercan be an user - folder with a
readerrelation that can either be an user or the members of a group - document with some relations and some permissions:
readpermission indicates that someone can read the document if they're areaderORwriterOR they havereaderon theparent_folderread_and_writeindicates that they need to be both areaderAND awriterread_onlyindicates that they need to bereaderBUT NOT awriter
Permissions are only computed from relations.
After each change in the editor you need to press Ctrl+K to load the config.
You can define some tuples for the authorization system, as seen in the tuples tab which indicate the relations between some entities, the id of the entities is up to you to define, they don't have any more meaning than what you give them.
An interesting tuple is the following:
The folder:secret_folder is a parent_folder for document:report.csv.
The members of group:dev are a reader on folder:secret_folder.
user:steve is a member of group:dev.
You can verify permissions between entities, based on the previous example, does user:steve have read permission on document:report.csv?
Based on the defined relations, the answer is true.
Kala uses ent as an ORM for the Go backend, which offers functions to query your database using a graph-like structure.
Internally, permissions are evaluated concurrently and short-circuited, for the example above, we're checking at the same time if steve has any of the following relations on the document: reader | writer | parent_folder.reader.
If any of them returns true, return true and cancel all other goroutines (since we have an OR expression).
This can be seen by clickiing the question mark button to get a little overview on the relation check process:
In ./website, create an .env.local with:
NEXT_PUBLIC_BACKEND_URL="http://127.0.0.1:1323/v0"
You can either build the docker image for the backend or run the backend using task.
task gen
task run-once
cd website
yarn devThe whole website is keyboard driven, press Ctrl+Shift+K for help
- After you finish modifying your config, you need to reload the changes by pressing
Ctrl+K - Add tuples to the database using the "Tuples" tab
- Verify permissions using the "PermissionCheck" tab
- obviously implement a proper CRUD interface, don't @ me
- organize the code !!!
- caching for permission checks, implement something similar to Zookies used in Google's Zanzibar paper
- some proper logging
- healtcheck, metrics endpoints
- support relation checking
- watch permission changes endpoint
- answering the question: "Who has access to this resource?"
- Adding a way to add "public access" easily
- Proper expression support in permissions (doesn't support paranthesis)
- make it distributed
- some CLI functionality
- some simple policy engine similar to OPA on top
- SDKs and client libraries