AuthZ Examples
do
$$
declare
    -- namespace ids the seed is scoped to (constructed example values):
    -- _iam_id owns actions and policies, _res_id owns the resource attributes,
    -- _ex1_id/_ex2_id are the two child namespaces the objects are placed in
    _iam_id uuid := '00000000-0000-1000-a000-000000000000';
    _res_id uuid := '00000000-0000-1000-a000-000000000010';
    _ex1_id uuid := '00000000-0000-1000-a000-000000000001';
    _ex2_id uuid := '00000000-0000-1000-a000-000000000002';
    -- attributes reused by several edges below (declared once to avoid retyping the triples)
    _user_role abac_attribute := ('user', 'role', _ex1_id)::abac_attribute;
    _fruit     abac_attribute := ('fruit', 'type', _res_id)::abac_attribute;
    _pear      abac_attribute := ('pear', 'type', _res_id)::abac_attribute;
    _apple     abac_attribute := ('apple', 'type', _res_id)::abac_attribute;
    _light     abac_attribute := ('light', 'color', _res_id)::abac_attribute;
    _green     abac_attribute := ('green', 'color', _res_id)::abac_attribute;
    _red       abac_attribute := ('red', 'color', _res_id)::abac_attribute;
    _obj1      abac_attribute := ('object/1', 'uri', _res_id)::abac_attribute;
    _obj2      abac_attribute := ('object/2', 'uri', _res_id)::abac_attribute;
    _obj3      abac_attribute := ('object/3', 'uri', _res_id)::abac_attribute;
    _obj4      abac_attribute := ('object/4', 'uri', _res_id)::abac_attribute;
    _obj5      abac_attribute := ('object/5', 'uri', _res_id)::abac_attribute;
    _ns_type   abac_attribute := ('namespace', 'type', _iam_id)::abac_attribute;
    _ns_iam    abac_attribute := ('namespace/' || _iam_id, 'uri', _iam_id)::abac_attribute;
    _ns_res    abac_attribute := ('namespace/' || _res_id, 'uri', _iam_id)::abac_attribute;
    _ns_ex1    abac_attribute := ('namespace/' || _ex1_id, 'uri', _iam_id)::abac_attribute;
    _ns_ex2    abac_attribute := ('namespace/' || _ex2_id, 'uri', _iam_id)::abac_attribute;
    _any_op    abac_attribute := ('any', 'operation', _iam_id)::abac_attribute;
    _read_op   abac_attribute := ('read', 'operation', _iam_id)::abac_attribute;
    _update_op abac_attribute := ('update', 'operation', _iam_id)::abac_attribute;
begin
    -- unfiltered deletes on purpose: this block rebuilds every ABAC table from scratch,
    -- so it must only ever be run against a scratch database
    delete from abac_object;
    delete from abac_subject;
    delete from abac_action;
    delete from abac_policy;

    -- subject graph: account/1 carries the 'user' role of namespace _ex1_id
    insert into abac_subject (inbound, outbound) values
        (('account/1', 'uri', _iam_id)::abac_attribute, _user_role);

    -- object graph, part 1: type/colour hierarchy plus the attributes of object/1..5
    insert into abac_object (inbound, outbound) values
        (_pear,  _fruit),
        (_apple, _fruit),
        (_green, _light),
        (_red,   _light),
        (_obj1,  _pear),
        (_obj2,  _pear),
        (_obj3,  _apple),
        (_obj4,  _apple),
        (_obj5,  _apple),
        (_obj1,  _green),
        (_obj2,  _green),
        (_obj3,  _green),
        (_obj4,  _red),
        (_obj5,  _red);

    -- object graph, part 2: namespace hierarchy (_res_id/_ex1_id/_ex2_id hang under _iam_id)
    -- and the namespace each attribute / object is assigned to
    insert into abac_object (inbound, outbound) values
        (_ns_iam, _ns_type),
        (_ns_res, _ns_type),
        (_ns_res, _ns_iam),
        (_ns_ex1, _ns_type),
        (_ns_ex1, _ns_iam),
        (_ns_ex2, _ns_type),
        (_ns_ex2, _ns_iam),
        (_fruit,  _ns_res),
        (_light,  _ns_res),
        (_obj1,   _ns_ex1),
        (_obj2,   _ns_ex1),
        (_obj3,   _ns_ex1),
        (_obj4,   _ns_ex2),
        (_obj5,   _ns_ex2);

    -- action graph: concrete operations roll up to 'any'
    insert into abac_action (inbound, outbound) values
        (_read_op,   _any_op),
        (_update_op, _any_op);

    -- policies, both recorded under namespace _iam_id:
    --   1. 'user' role, objects carrying the 'fruit' type, action 'read'
    --   2. 'user' role, objects carrying 'apple' type and 'green' color, action 'any'
    -- (how multiple object attributes are matched is decided by abac_authorize, not here)
    insert into abac_policy (subject, object, action, namespace_id) values
        (array[_user_role], array[_fruit],         array[_read_op], _iam_id),
        (array[_user_role], array[_apple, _green], array[_any_op],  _iam_id);
end
$$ language plpgsql;
-- authorize w/ namespace list: the caller supplies the namespace ids as the last argument
-- (presumably the namespaces whose policies are consulted; abac_authorize is not shown here)
select abac_authorize(
    array[('user', 'role', '00000000-0000-1000-a000-000000000001')::abac_attribute],
    array[
        ('apple', 'type', '00000000-0000-1000-a000-000000000010')::abac_attribute,
        ('green', 'color', '00000000-0000-1000-a000-000000000010')::abac_attribute
    ],
    array[('update', 'operation', '00000000-0000-1000-a000-000000000000')::abac_attribute],
    array['00000000-0000-1000-a000-000000000000'::uuid]
);

-- authorize with parent namespaces: same request, but the namespace list is derived
-- from the object attributes by abac_object_target_namespace_array instead of being typed in
with
subject_attrs as (
    select array[
        ('user', 'role', '00000000-0000-1000-a000-000000000001')::abac_attribute
    ] as attrs
),
object_attrs as (
    select array[
        ('apple', 'type', '00000000-0000-1000-a000-000000000010')::abac_attribute,
        ('green', 'color', '00000000-0000-1000-a000-000000000010')::abac_attribute
    ] as attrs
),
action_attrs as (
    select array[
        ('update', 'operation', '00000000-0000-1000-a000-000000000000')::abac_attribute
    ] as attrs
)
select abac_authorize(
    (select attrs from subject_attrs),
    (select attrs from object_attrs),
    (select attrs from action_attrs),
    abac_object_target_namespace_array(
        'namespace/',
        'uri',
        '00000000-0000-1000-a000-000000000000'::uuid,
        (select attrs from object_attrs)
    )
);

-- alternative lookups kept by the author for reference (not executed):
-- select abac_object_target(array[('object/1', 'uri', '00000000-0000-1000-a000-000000000010')::abac_attribute]);
-- select abac_object_list_1(('apple', 'type', '00000000-0000-1000-a000-000000000010')::abac_attribute, 0, 100);
-- select abac_object_list_2(('apple', 'type', '00000000-0000-1000-a000-000000000010')::abac_attribute, ('green', 'color', '00000000-0000-1000-a000-000000000010')::abac_attribute, 0, 100);

-- list objects matching both attributes; trailing 0, 100 look like offset/limit (not shown here)
select abac_object_list(
    array[
        ('apple', 'type', '00000000-0000-1000-a000-000000000010')::abac_attribute,
        ('green', 'color', '00000000-0000-1000-a000-000000000010')::abac_attribute
    ],
    0,
    100
);
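do
$$
declare
    -- namespaces (constructed example values). The original declared a *_label text
    -- variable per namespace that nothing referenced; the labels are kept as comments.
    _n_iam_id uuid := '00000000-0000-1000-a000-000000000000';   -- iam.netology-group.services
    _n_ex1_id uuid := '00000000-0000-1000-a000-000000000010';   -- example-1.org
    _n_ex2_id uuid := '00000000-0000-1000-a000-000000000020';   -- example-2.org
    -- accounts: a1 gets the admin role, c1/c2 the client role, u1 the user role (see subjects)
    _a_a1_id uuid := '10000000-0000-1000-a000-000000000001';
    _a_c1_id uuid := '10000000-0000-1000-a000-000000000010';
    _a_c2_id uuid := '10000000-0000-1000-a000-000000000020';
    _a_u1_id uuid := '10000000-0000-1000-a000-000000000100';
    -- identity labels, one per (account, namespace) pair.
    -- NOTE(review): the literal shared by all four lines looks like it was rewritten by the
    -- hosting page's e-mail obfuscation, which makes the four identities collide; restore
    -- the per-identity labels from the original source before running this seed.
    _i_c1iam_1_id text := '[email protected].' || _n_iam_id;
    _i_c2iam_1_id text := '[email protected].' || _n_iam_id;
    _i_u1ex1_1_id text := '[email protected].' || _n_iam_id;
    _i_u1ex2_1_id text := '[email protected].' || _n_iam_id;
    -- uri attributes; every attribute in this seed is owned by the iam namespace
    _ns_iam   abac_attribute := ('namespace/' || _n_iam_id, 'uri', _n_iam_id)::abac_attribute;
    _ns_ex1   abac_attribute := ('namespace/' || _n_ex1_id, 'uri', _n_iam_id)::abac_attribute;
    _ns_ex2   abac_attribute := ('namespace/' || _n_ex2_id, 'uri', _n_iam_id)::abac_attribute;
    _acct_a1  abac_attribute := ('account/' || _a_a1_id, 'uri', _n_iam_id)::abac_attribute;
    _acct_c1  abac_attribute := ('account/' || _a_c1_id, 'uri', _n_iam_id)::abac_attribute;
    _acct_c2  abac_attribute := ('account/' || _a_c2_id, 'uri', _n_iam_id)::abac_attribute;
    _acct_u1  abac_attribute := ('account/' || _a_u1_id, 'uri', _n_iam_id)::abac_attribute;
    _id_c1iam abac_attribute := ('identity/' || _i_c1iam_1_id, 'uri', _n_iam_id)::abac_attribute;
    _id_c2iam abac_attribute := ('identity/' || _i_c2iam_1_id, 'uri', _n_iam_id)::abac_attribute;
    _id_u1ex1 abac_attribute := ('identity/' || _i_u1ex1_1_id, 'uri', _n_iam_id)::abac_attribute;
    _id_u1ex2 abac_attribute := ('identity/' || _i_u1ex2_1_id, 'uri', _n_iam_id)::abac_attribute;
    -- type attributes and the catch-all operation
    _ns_type   abac_attribute := ('namespace', 'type', _n_iam_id)::abac_attribute;
    _acct_type abac_attribute := ('account', 'type', _n_iam_id)::abac_attribute;
    _id_type   abac_attribute := ('identity', 'type', _n_iam_id)::abac_attribute;
    _any_op    abac_attribute := ('any', 'operation', _n_iam_id)::abac_attribute;
begin
    -- unfiltered deletes on purpose: this block rebuilds every ABAC table from scratch,
    -- so it must only ever be run against a scratch database
    delete from abac_object;
    delete from abac_subject;
    delete from abac_action;
    delete from abac_policy;

    -- subjects: each account carries exactly one role in the iam namespace
    insert into abac_subject (inbound, outbound) values
        (_acct_a1, ('admin', 'role', _n_iam_id)::abac_attribute),
        (_acct_c1, ('client', 'role', _n_iam_id)::abac_attribute),
        (_acct_c2, ('client', 'role', _n_iam_id)::abac_attribute),
        (_acct_u1, ('user', 'role', _n_iam_id)::abac_attribute);

    -- object graph, (inbound, outbound) edges:
    --   iam namespace -> admin account; the other accounts and the client identities -> iam namespace;
    --   each client identity -> its account; example-1/-2 namespaces -> their client account;
    --   each user identity -> its example namespace and -> the user account
    -- (which direction grants access is decided by abac_authorize, which is not shown here)
    insert into abac_object (inbound, outbound) values
        (_ns_iam,   _acct_a1),
        (_acct_c1,  _ns_iam),
        (_acct_c2,  _ns_iam),
        (_acct_u1,  _ns_iam),
        (_id_c1iam, _ns_iam),
        (_id_c2iam, _ns_iam),
        (_id_c1iam, _acct_c1),
        (_id_c2iam, _acct_c2),
        (_ns_ex1,   _acct_c1),
        (_ns_ex2,   _acct_c2),
        (_id_u1ex1, _ns_ex1),
        (_id_u1ex2, _ns_ex2),
        (_id_u1ex1, _acct_u1),
        (_id_u1ex2, _acct_u1);

    -- a type attribute for every uri
    insert into abac_object (inbound, outbound) values
        (_ns_iam,   _ns_type),
        (_ns_ex1,   _ns_type),
        (_ns_ex2,   _ns_type),
        (_acct_a1,  _acct_type),
        (_acct_c1,  _acct_type),
        (_acct_c2,  _acct_type),
        (_acct_u1,  _acct_type),
        (_id_c1iam, _id_type),
        (_id_c2iam, _id_type),
        (_id_u1ex1, _id_type),
        (_id_u1ex2, _id_type);

    -- every CRUD/list operation rolls up to 'any'
    insert into abac_action (inbound, outbound) values
        (('create', 'operation', _n_iam_id)::abac_attribute, _any_op),
        (('read', 'operation', _n_iam_id)::abac_attribute,   _any_op),
        (('update', 'operation', _n_iam_id)::abac_attribute, _any_op),
        (('delete', 'operation', _n_iam_id)::abac_attribute, _any_op),
        (('list', 'operation', _n_iam_id)::abac_attribute,   _any_op);

    -- policies: each account is granted 'any' on its own uri only; any wider access
    -- (e.g. the admin reading a user's identity) presumably comes from the object graph above
    insert into abac_policy (subject, object, action, namespace_id) values
        (array[_acct_a1], array[_acct_a1], array[_any_op], _n_iam_id),
        (array[_acct_c1], array[_acct_c1], array[_any_op], _n_iam_id),
        (array[_acct_c2], array[_acct_c2], array[_any_op], _n_iam_id),
        (array[_acct_u1], array[_acct_u1], array[_any_op], _n_iam_id);
end
$$ language plpgsql;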
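--- AuthZ
-- The last argument of abac_authorize is the list of namespace ids the check is scoped to
-- (presumably the policy namespaces consulted; the function body is not shown here).
-- NOTE(review): the 'identity/[email protected]' literals below look rewritten by the hosting
-- page's e-mail obfuscation; substitute the identity label the seed actually inserted.

-- admin can access anything (user's identity)
select abac_authorize(
    array[('account/10000000-0000-1000-a000-000000000001', 'uri', '00000000-0000-1000-a000-000000000000')::abac_attribute],
    array[('identity/[email protected]', 'uri', '00000000-0000-1000-a000-000000000000')::abac_attribute],
    array[('read', 'operation', '00000000-0000-1000-a000-000000000000')::abac_attribute],
    array['00000000-0000-1000-a000-000000000000'::uuid]
);

-- client can access namespace's identities w/ filter by account id
select abac_authorize(
    array[('account/10000000-0000-1000-a000-000000000010', 'uri', '00000000-0000-1000-a000-000000000000')::abac_attribute],
    array[
        ('namespace/00000000-0000-1000-a000-000000000010', 'uri', '00000000-0000-1000-a000-000000000000')::abac_attribute,
        ('account/10000000-0000-1000-a000-000000000100', 'uri', '00000000-0000-1000-a000-000000000000')::abac_attribute,
        ('identity', 'type', '00000000-0000-1000-a000-000000000000')::abac_attribute
    ],
    array[('read', 'operation', '00000000-0000-1000-a000-000000000000')::abac_attribute],
    array['00000000-0000-1000-a000-000000000000'::uuid]
);  -- the closing ');' was missing, leaving this call unterminated and breaking every statement after it

--- Listing
-- The trailing "0, 100" arguments look like an offset/limit pair (function bodies not shown).

-- client's objects
select abac_object_list_1(
    ('account/10000000-0000-1000-a000-000000000010', 'uri', '00000000-0000-1000-a000-000000000000')::abac_attribute,
    0, 100);

-- client's identities
select abac_object_list_2(
    ('account/10000000-0000-1000-a000-000000000010', 'uri', '00000000-0000-1000-a000-000000000000')::abac_attribute,
    ('identity', 'type', '00000000-0000-1000-a000-000000000000')::abac_attribute,
    0, 100);

-- namespace's objects
select abac_object_list_1(
    ('namespace/00000000-0000-1000-a000-000000000010', 'uri', '00000000-0000-1000-a000-000000000000')::abac_attribute,
    0, 100);

-- namespace's identities
select abac_object_list_2(
    ('namespace/00000000-0000-1000-a000-000000000010', 'uri', '00000000-0000-1000-a000-000000000000')::abac_attribute,
    ('identity', 'type', '00000000-0000-1000-a000-000000000000')::abac_attribute,
    0, 100);

-- namespace's identities w/ filter by account id
select abac_object_list_3(
    ('namespace/00000000-0000-1000-a000-000000000010', 'uri', '00000000-0000-1000-a000-000000000000')::abac_attribute,
    ('account/10000000-0000-1000-a000-000000000100', 'uri', '00000000-0000-1000-a000-000000000000')::abac_attribute,
    ('identity', 'type', '00000000-0000-1000-a000-000000000000')::abac_attribute,
    0, 100);

-- targets for user's identity
select abac_object_target(array[
    ('identity/[email protected]', 'uri', '00000000-0000-1000-a000-000000000000')::abac_attribute
]);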