Refactor API for consistency #59
Labels
Milestone
Comments
|
Would the format of a single check still be the same? |
|
No, it would be replaced by the batch request where the batch size is 1. |
|
Fixed by #60 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We have
/api/checkfor checking a single principal and a single resource against a single action. It returns a response like the following.{ "requestId": "460d1429-9798-4a6f-8505-170193909003", "statusCode": 200, "statusMessage": "Allow", "effect": "EFFECT_ALLOW", "meta": { "matchedPolicy": "leave_request:20210210", "effectiveDerivedRoles": [ "any_employee", "direct_manager" ], "evaluationDuration": "0.000628452s" } }Then we have the
/api/check_resource_batchendpoint which checks a single principal against multiple actions and multiple resources.{ "requestId": "test", "resourceInstances": { "XX125": { "actions": { "approve": "EFFECT_DENY", "create": "EFFECT_DENY", "view:public": "EFFECT_ALLOW" } }, "XX150": { "actions": { "approve": "EFFECT_DENY", "create": "EFFECT_DENY", "view:public": "EFFECT_ALLOW" } }, "XX250": { "actions": { "approve": "EFFECT_DENY", "create": "EFFECT_DENY", "view:public": "EFFECT_ALLOW" } }, "YY100": { "actions": { "approve": "EFFECT_ALLOW", "create": "EFFECT_ALLOW", "view:public": "EFFECT_ALLOW" } }, "YY200": { "actions": { "approve": "EFFECT_ALLOW", "create": "EFFECT_ALLOW", "view:public": "EFFECT_ALLOW" } } } }This is not ideal because we have two wildly different responses for very similar requests. The
/api/checkendpoint is strictly not necessary because it can be subsumed by the/api/check_resource_batchendpoint.Proposal
/api/checkendpoint./api/check_resource_batchto/api/checkand make it the default endpoint.debugparameter to the request so that we can add debug metadata (matched policy, active derived roles) to the response.The text was updated successfully, but these errors were encountered: