Policy queries #790
Merged
# Conflicts: # src/clj/fluree/db/query/fql.cljc
# Conflicts: # src/clj/fluree/db/db/json_ld.cljc
…y.query # Conflicts: # src/clj/fluree/db/api/query.cljc # src/clj/fluree/db/json_ld/policy.cljc # src/clj/fluree/db/query/json_ld/response.cljc
# Conflicts: # src/clj/fluree/db/db/json_ld.cljc
zonotope reviewed Jun 3, 2024
zonotope approved these changes Jun 7, 2024
🍁
New policy-query engine replaces old policy features.

Tests with examples in test/fluree.db.policy.*

Currently, this deprecates the latest `f:equals` policy, but that could get added back as an interim feature if needed (at the expense of extra query/parsing when policy-wrapping a db).

Key features:

- `fluree/wrap-identity-policy` instead of the main `fluree/wrap-policy` API.
- `values`/variables can be supplied when calling `fluree/wrap-policy`. These can be any variables used in your policy queries, and allow variables coming from an external system (e.g. identity provider, app) to be used as part of policy criteria
- `fluree/wrap-policy` set of APIs (listed below) allow a flag, `default-allow?` which if true, will allow any data not covered by policy to be allowed. Prior Fluree versions always had all data not covered by policy to be denied - now there is an option.

Policy APIs

- `fluree/wrap-policy` - the main API, where you supply the db, policies in JSON-LD, `default-allow?` flag, and values/variable map. How you assemble your policies is altogether up to you/your app. Policy queries use the special `?$this` variable to evaluate if the user can see the flake/value. If the policy query returns any results, they can see it; if it returns no results, they cannot see it.
- `fluree/wrap-identity-policy` - most similar to prior Fluree versions, where instead of supplying policies, you supply an identity. We query the DB for the provided identity, and look for the `f:policyClass` property, which should contain a list of classes. We then query the DB for all policies matching those class(es) to find the full set of policies - and with those in hand, call the standard `fluree/wrap-policy` but also inject the special `values` variable `?$identity` which is available to your policy queries in addition to the standard `?$this` variable.
- `fluree/credential-query` - Use instead of `fluree/query` if your query is wrapped in a verifiable credential. If so, we'll verify the credential, extract the identity and call `fluree/wrap-identity-policy` to policy-enforce the db. NOTE: `fluree/query` no longer accepts verifiable credential queries, use this API instead.
- `fluree/credential-history` - Like `fluree/credential-query`, use this for history queries that are wrapped in a verifiable credential. NOTE: `fluree/history` no longer accepts verifiable credential queries, use this API instead.
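
A simplified Python model of the decision rules in the description above, added here as an example; it is not Fluree code and does not use the project's API. The triple-list db, the `on_property` coverage rule, binding `?$this` to the flake's subject, and all `ex:` names are assumptions made for illustration.

```python
# Simplified model of the access decision described above; not Fluree code.
# Assumptions: a db is a list of (subject, property, value) triples, a policy
# "covers" a flake by property name, and ?$this is bound to the flake's subject.

def wrap_policy(db, policies, default_allow, values=None):
    """Return only the flakes the supplied policies let the caller see."""
    values = dict(values or {})
    visible = []
    for flake in db:
        subject, prop, _ = flake
        covering = [p for p in policies if prop in p["on_property"]]
        if not covering:
            # Data not covered by any policy: the default-allow? flag decides.
            if default_allow:
                visible.append(flake)
            continue
        bindings = {**values, "?$this": subject}
        # A policy query that returns any result grants visibility.
        if any(p["query"](db, bindings) for p in covering):
            visible.append(flake)
    return visible

def wrap_identity_policy(db, stored_policies, identity, default_allow):
    """Resolve policies through the identity's f:policyClass, then wrap."""
    classes = {o for s, p, o in db if s == identity and p == "f:policyClass"}
    policies = [p for p in stored_policies if p["class"] in classes]
    return wrap_policy(db, policies, default_allow, {"?$identity": identity})

def own_record_only(db, b):
    # Constructed policy query: results exist only when ?$this is the user
    # linked from ?$identity through the (hypothetical) ex:user property.
    return [s for s, p, o in db
            if s == b["?$identity"] and p == "ex:user" and o == b["?$this"]]

# Constructed sample data.
DB = [
    ("did:ex:alice", "f:policyClass", "ex:EmployeePolicy"),
    ("did:ex:alice", "ex:user", "ex:alice"),
    ("ex:alice", "ex:ssn", "111-11-1111"),
    ("ex:bob", "ex:ssn", "222-22-2222"),
    ("ex:bob", "ex:salary", 90000),  # no policy covers ex:salary
]
STORED_POLICIES = [
    {"class": "ex:EmployeePolicy", "on_property": {"ex:ssn"}, "query": own_record_only},
]

def visible_props(default_allow):
    flakes = wrap_identity_policy(DB, STORED_POLICIES, "did:ex:alice", default_allow)
    return sorted((s, p) for s, p, _ in flakes)
```

In this model, an identity with no `f:policyClass` resolves to an empty policy set, so `default_allow` alone decides every flake.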