Integration with Authzed #375

Merged
guicassolato merged 3 commits into main from authzed on Feb 16, 2023

Conversation

@guicassolato (Collaborator) commented Feb 6, 2023

Adds built-in integration with Authzed.

Authorino will send check permission requests to Authzed/SpiceDB via gRPC.
Subject, resource and permission parameters can be set to static values or read from the Authorization JSON.

Closes #372.

Verification steps

Setup locally:

make local-setup
kubectl port-forward service/envoy 8000:8000 2>&1 >/dev/null &

Deploy a SpiceDB instance:

kubectl apply -f -<<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: spicedb
  labels:
    app: spicedb
spec:
  selector:
    matchLabels:
      app: spicedb
  template:
    metadata:
      labels:
        app: spicedb
    spec:
      containers:
      - name: spicedb
        image: authzed/spicedb
        args:
        - serve
        - "--grpc-preshared-key"
        - secret
        - "--http-enabled"
        ports:
        - containerPort: 50051
        - containerPort: 8443
  replicas: 1
---
apiVersion: v1
kind: Service
metadata:
  name: spicedb
spec:
  selector:
    app: spicedb
  ports:
    - name: grpc
      port: 50051
      protocol: TCP
    - name: http
      port: 8443
      protocol: TCP
EOF
kubectl port-forward service/spicedb 8443:8443 2>&1 >/dev/null &

Create the permission schema:

curl -X POST http://localhost:8443/v1/schema/write \
  -H 'Authorization: Bearer secret' \
  -H 'Content-Type: application/json' \
  -d @- << EOF
{
  "schema": "definition blog/user {}\ndefinition blog/post {\n\trelation reader: blog/user\n\trelation writer: blog/user\n\n\tpermission read = reader + writer\n\tpermission write = writer\n}"
}
EOF

Store relationships:

curl -X POST http://localhost:8443/v1/relationships/write \
  -H 'Authorization: Bearer secret' \
  -H 'Content-Type: application/json' \
  -d @- << EOF
{
  "updates": [
    {
      "operation": "OPERATION_CREATE",
      "relationship": {
        "resource": {
          "objectType": "blog/post",
          "objectId": "1"
        },
        "relation": "writer",
        "subject": {
          "object": {
            "objectType": "blog/user",
            "objectId": "emilia"
          }
        }
      }
    },
    {
      "operation": "OPERATION_CREATE",
      "relationship": {
        "resource": {
          "objectType": "blog/post",
          "objectId": "1"
        },
        "relation": "reader",
        "subject": {
          "object": {
            "objectType": "blog/user",
            "objectId": "beatrice"
          }
        }
      }
    }
  ]
}
EOF

Create the AuthConfig and Secrets:

kubectl apply -f -<<EOF
apiVersion: authorino.kuadrant.io/v1beta1
kind: AuthConfig
metadata:
  name: talker-api-protection
spec:
  hosts:
  - talker-api-authorino.127.0.0.1.nip.io
  identity:
  - name: friends
    apiKey:
      selector:
        matchLabels:
          app: talker-api
    credentials:
      in: authorization_header
      keySelector: APIKEY
  authorization:
  - name: authzed
    authzed:
      endpoint: spicedb:50051
      insecure: true
      sharedSecretRef:
        name: spicedb
        key: grpc-preshared-key
      subject:
        kind:
          value: blog/user
        name:
          valueFrom:
            authJSON: auth.identity.metadata.annotations.username
      resource:
        kind:
          value: blog/post
        name:
          valueFrom:
            authJSON: context.request.http.path.@extract:{"sep":"/","pos":2}
      permission:
        valueFrom:
          authJSON: context.request.http.method.@replace:{"old":"GET","new":"read"}.@replace:{"old":"POST","new":"write"}
---
apiVersion: v1
kind: Secret
metadata:
  name: spicedb
  labels:
    app: spicedb
stringData:
  grpc-preshared-key: secret
---
apiVersion: v1
kind: Secret
metadata:
  name: api-key-writer
  labels:
    authorino.kuadrant.io/managed-by: authorino
    app: talker-api
  annotations:
    username: emilia
stringData:
  api_key: IAMEMILIA
---
apiVersion: v1
kind: Secret
metadata:
  name: api-key-reader
  labels:
    authorino.kuadrant.io/managed-by: authorino
    app: talker-api
  annotations:
    username: beatrice
stringData:
  api_key: IAMBEATRICE
EOF

Send requests:

curl -H 'Authorization: APIKEY IAMEMILIA' -X GET  http://talker-api-authorino.127.0.0.1.nip.io:8000/posts/1 -i
# HTTP/1.1 200 OK
curl -H 'Authorization: APIKEY IAMEMILIA' -X POST http://talker-api-authorino.127.0.0.1.nip.io:8000/posts/1 -i
# HTTP/1.1 200 OK
curl -H 'Authorization: APIKEY IAMBEATRICE' -X GET  http://talker-api-authorino.127.0.0.1.nip.io:8000/posts/1 -i
# HTTP/1.1 200 OK
curl -H 'Authorization: APIKEY IAMBEATRICE' -X POST http://talker-api-authorino.127.0.0.1.nip.io:8000/posts/1 -i
# HTTP/1.1 403 Forbidden
# x-ext-auth-reason: PERMISSIONSHIP_NO_PERMISSION | token: GhUKEzE2NzU3MDE3MjAwMDAwMDAwMDA=
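
The decision the four curl calls above exercise, as an added Go example that is not part of this PR and not Authorino's or SpiceDB's own code: a toy, in-memory resolver for the blog/post schema and the two stored relationships, plus a reimplementation of the @extract/@replace mapping from the AuthConfig. It assumes that Authorino allows only on PERMISSIONSHIP_HAS_PERMISSION and denies on any error from the check (fail closed); the tuples and request samples are constructed from the page. It also shows what the mapping does with inputs the verification steps do not send: a DELETE passes through as the literal permission "DELETE", which the schema does not define, and a path like /posts has no third segment to extract.

```go
package main

import (
	"fmt"
	"strings"
)

// Relationship is one SpiceDB tuple, resource#relation@subject, as written by
// the /v1/relationships/write call above.
type Relationship struct {
	ResourceType, ResourceID, Relation, SubjectType, SubjectID string
}

// Constructed sample data: the two tuples stored in the verification steps.
var tuples = []Relationship{
	{"blog/post", "1", "writer", "blog/user", "emilia"},
	{"blog/post", "1", "reader", "blog/user", "beatrice"},
}

// The blog/post permissions from the schema, as unions of relations:
//   permission read  = reader + writer
//   permission write = writer
var postPermissions = map[string][]string{
	"read":  {"reader", "writer"},
	"write": {"writer"},
}

// Permissionship strings as SpiceDB reports them (the second one is what
// shows up in x-ext-auth-reason on the 403 above).
const (
	HasPermission = "PERMISSIONSHIP_HAS_PERMISSION"
	NoPermission  = "PERMISSIONSHIP_NO_PERMISSION"
)

// Check resolves permission on blog/post:<resourceID> for blog/user:<subjectID>
// by walking the union. A permission the schema does not define is an error,
// not a grant: SpiceDB rejects such checks, and the gate below treats an error
// as a denial (assumed Authorino behaviour, fail closed).
func Check(resourceID, permission, subjectID string) (string, error) {
	relations, ok := postPermissions[permission]
	if !ok {
		return "", fmt.Errorf("permission %q is not defined on blog/post", permission)
	}
	for _, rel := range relations {
		for _, t := range tuples {
			if t.ResourceType == "blog/post" && t.ResourceID == resourceID &&
				t.Relation == rel && t.SubjectType == "blog/user" && t.SubjectID == subjectID {
				return HasPermission, nil
			}
		}
	}
	return NoPermission, nil
}

// MapRequest reproduces the two Authorization JSON modifiers in the AuthConfig:
//   resource.name = context.request.http.path.@extract:{"sep":"/","pos":2}
//   permission    = context.request.http.method.@replace GET->read, then POST->write
// Methods other than GET and POST pass through unchanged (e.g. "DELETE"), and
// a path with fewer than three "/"-separated fields yields an empty resource name.
func MapRequest(method, path string) (resourceID, permission string) {
	fields := strings.Split(path, "/") // "/posts/1" -> ["", "posts", "1"]
	if len(fields) > 2 {
		resourceID = fields[2]
	}
	permission = strings.ReplaceAll(method, "GET", "read")
	permission = strings.ReplaceAll(permission, "POST", "write")
	return resourceID, permission
}

// Authorize is the decision Envoy would receive from the ext-authz call:
// 200 only on HAS_PERMISSION, 403 with a reason otherwise.
func Authorize(username, method, path string) (status int, reason string) {
	resourceID, permission := MapRequest(method, path)
	ship, err := Check(resourceID, permission, username)
	if err != nil {
		return 403, err.Error()
	}
	if ship != HasPermission {
		return 403, ship
	}
	return 200, ship
}

func main() {
	for _, r := range [][3]string{
		{"emilia", "GET", "/posts/1"}, {"emilia", "POST", "/posts/1"},
		{"beatrice", "GET", "/posts/1"}, {"beatrice", "POST", "/posts/1"},
		{"beatrice", "DELETE", "/posts/1"},
	} {
		status, reason := Authorize(r[0], r[1], r[2])
		fmt.Printf("%-8s %-6s %s -> %d %s\n", r[0], r[1], r[2], status, reason)
	}
}
```

`go run` prints the four decisions from the page plus the DELETE case. Note that the deny for an unmapped method depends on SpiceDB rejecting a permission name the schema does not define; if the mapping were extended, keep the @replace chain exhaustive for every method the route accepts rather than relying on that rejection.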

@guicassolato guicassolato self-assigned this Feb 6, 2023
@guicassolato guicassolato marked this pull request as ready for review February 7, 2023 12:38
@guicassolato guicassolato requested a review from a team February 7, 2023 13:48
@guicassolato guicassolato force-pushed the authzed branch 3 times, most recently from cc9290e to 87efa4b, February 9, 2023 16:48
@eguzki (Collaborator) commented Feb 15, 2023

verification steps working 👍

eguzki previously approved these changes Feb 15, 2023
@guicassolato guicassolato merged commit 4ab127f into main Feb 16, 2023
@guicassolato guicassolato deleted the authzed branch February 16, 2023 10:16
alechenninger added a commit to alechenninger/awesome-spicedb that referenced this pull request May 5, 2023
@guicassolato added this integration a few months back in Kuadrant/authorino#375