
Attribute Based Control #104

Closed
jon-whit opened this issue Feb 2, 2018 · 8 comments

@jon-whit
Contributor

jon-whit commented Feb 2, 2018

I'm really interested in adopting ladon as the authorization framework for an API that I am developing in Golang. I'd like to be able to make access control decisions based not only on which users and groups are permitted to do something, but also on whether a user has a specific attribute. For example, consider the following policy:

{
  "description": "Allow all District Managers to create, update, and delete articles under any conditions.",
  "subjects": ["users: <(user.position == 'District Manager')>"],
  "actions" : ["<create|update|delete>"],
  "effect": "allow",
  "resources": [
    "resources:articles:<.*>"
  ]
}

The subjects in this case can map to all of the users who have an attribute (e.g. position) that is equal to "District Manager".

Is there an easy way to achieve this style of policy definition in ladon already? If not, would you consider adding something like this?

@aeneasr
Member

aeneasr commented Feb 4, 2018

Yes, that's what conditions are for. For example this one.

Keep in mind that ladon does not have a concept of attributes and does not store those either. You have to transmit these attributes to ladon on every authorization request.

@jon-whit
Contributor Author

jon-whit commented Feb 4, 2018

@arekkas thanks for the response!

The semantics of the policy definition are a little confusing. Maybe you can enlighten me.

If I wanted to create a policy rule to match the policy I mentioned above, what would that look like? My confusion is that I want the "subjects" to match all of the subjects under a given condition. So would that look like this:

{
  "description": "Allow all District Managers to create, update, and delete articles.",
  "subjects": ["users:<.*>"],
  "actions" : ["<create|update|delete>"],
  "effect": "allow",
  "resources": [
    "resources:articles:<.*>"
  ],
  "conditions": {
    "user.position": "District Manager"
  }
}

Do I understand that correctly?

@aeneasr
Member

aeneasr commented Feb 4, 2018

The concept section should cover that :)

https://github.com/ory/ladon#concepts

@jon-whit
Contributor Author

jon-whit commented Feb 4, 2018

@arekkas but it doesn't. Hence the reason why I am asking. The documentation is vague to that degree.

@aeneasr
Member

aeneasr commented Feb 4, 2018

Sorry, I meant this one: https://github.com/ory/ladon#conditions

Your request would look like

{
  "subject": "users:peter",
  "action" : "delete",
  "resource": "resources:articles:ladon-introduction",
  "context": {
    "user.position": "District Manager"
  }
}

{
  "description": "Allow all District Managers to create, update, and delete articles.",
  "subjects": ["users:<.*>"],
  "actions" : ["<create|update|delete>"],
  "effect": "allow",
  "resources": [
    "resources:articles:<.*>"
  ],
  "conditions": {
    "user.position": {
      "type": "StringEqualCondition",
      "options": { "equals": "District Manager" }
    }
  }
}

This is all the help I can give, as GitHub issues are reserved for reporting issues or feature requests. There are forums at community.ory.am and a chat channel on Gitter. If you need help with something of larger scope, you can drop us a mail at hi@ory.am
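To make the two replies above concrete (ladon stores no attributes, so the caller transmits them in the request context on every call; a policy matches on subject, action and resource templates and then evaluates each condition against the context value stored under its key), here is a small self-contained evaluator in Go. It is an added illustration written for this page, not ladon's own code and not a drop-in for its API: the type and function names (Policy, Request, Condition, StringEqualCondition, compileTemplate, matchesAny, IsAllowed, DistrictManagerPolicy) and the template rule it assumes (text between `<` and `>` is a regular expression, everything else is literal, and the pattern is anchored to the whole value) were chosen to mirror the policy and request shown in the thread. It runs the same request three times and shows it allowed only when `user.position` arrives as "District Manager", and denied when the attribute has another value or is not transmitted at all.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Condition is checked against the request-context value stored under its key;
// a key the caller never transmitted yields nil, which no condition accepts.
type Condition interface{ Fulfills(value interface{}) bool }

// StringEqualCondition is satisfied only by a string exactly equal to Equals.
type StringEqualCondition struct{ Equals string }

func (c StringEqualCondition) Fulfills(value interface{}) bool {
	s, ok := value.(string)
	return ok && s == c.Equals
}

// Policy mirrors the JSON policy in the thread (assumed shape, not ladon's type):
// in a template, text between < and > is a regular expression, the rest is literal.
type Policy struct {
	Description                  string
	Subjects, Actions, Resources []string
	Effect                       string // "allow" or "deny"
	Conditions                   map[string]Condition
}

// Request is one authorization call; Context carries only what the calling API
// asserts for this call, since the evaluator stores no attributes itself.
type Request struct {
	Subject, Action, Resource string
	Context                   map[string]interface{}
}

// compileTemplate turns "users:<.*>" into ^users:(.*)$: literal parts are quoted,
// <...> parts are copied verbatim, and the pattern is anchored to the whole value.
func compileTemplate(t string) (*regexp.Regexp, error) {
	pattern := "^"
	for rest := t; ; {
		open := strings.Index(rest, "<")
		if open < 0 {
			pattern += regexp.QuoteMeta(rest)
			break
		}
		end := strings.Index(rest[open:], ">")
		if end < 0 {
			return nil, fmt.Errorf("unterminated '<' in template %q", t)
		}
		pattern += regexp.QuoteMeta(rest[:open]) + "(" + rest[open+1:open+end] + ")"
		rest = rest[open+end+1:]
	}
	return regexp.Compile(pattern + "$")
}

// matchesAny fails closed: a template that does not compile never matches.
func matchesAny(templates []string, value string) bool {
	for _, t := range templates {
		if re, err := compileTemplate(t); err == nil && re.MatchString(value) {
			return true
		}
	}
	return false
}

// Matches requires subject, action and resource to match and every condition to hold.
func (p Policy) Matches(r Request) bool {
	if !matchesAny(p.Subjects, r.Subject) || !matchesAny(p.Actions, r.Action) || !matchesAny(p.Resources, r.Resource) {
		return false
	}
	for key, cond := range p.Conditions {
		if !cond.Fulfills(r.Context[key]) { // nil for a missing key, so never fulfilled
			return false
		}
	}
	return true
}

// IsAllowed is default-deny: some "allow" policy must match and no "deny" policy may.
func IsAllowed(policies []Policy, r Request) bool {
	allowed := false
	for _, p := range policies {
		if p.Matches(r) {
			if p.Effect == "deny" {
				return false
			}
			allowed = true
		}
	}
	return allowed
}

// DistrictManagerPolicy is the policy from the thread expressed as Go values.
func DistrictManagerPolicy() Policy {
	return Policy{
		Description: "Allow all District Managers to create, update, and delete articles.",
		Subjects:    []string{"users:<.*>"},
		Actions:     []string{"<create|update|delete>"},
		Resources:   []string{"resources:articles:<.*>"},
		Effect:      "allow",
		Conditions:  map[string]Condition{"user.position": StringEqualCondition{Equals: "District Manager"}},
	}
}

func main() {
	req := Request{Subject: "users:peter", Action: "delete", Resource: "resources:articles:ladon-introduction"}
	// Same subject, action and resource each time; only the transmitted attribute differs.
	for _, ctx := range []map[string]interface{}{{"user.position": "District Manager"}, {"user.position": "Engineer"}, nil} {
		req.Context = ctx
		fmt.Printf("context=%v allowed=%v\n", ctx, IsAllowed([]Policy{DistrictManagerPolicy()}, req))
	}
}
```

Because the evaluator keeps no attributes, the calling API alone decides what goes into Context. Those values must come from the API's own authenticated view of the user (claims in a token it has validated, or a lookup in its user store), never from a field the client can set, or a client could grant itself the District Manager position simply by sending it. A template that does not compile is treated as not matching, so a malformed policy fails closed rather than open; validating templates when a policy is created makes such mistakes surface early instead of silently denying access.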

aeneasr closed this as completed Feb 4, 2018
@jon-whit
Contributor Author

jon-whit commented Feb 4, 2018

@arekkas Maybe you could mention that on your main page for this repository? That would be helpful. There wasn't any documentation that mentioned general support should be directed at community.ory.am.

Also, general feedback, the perception I received from our interaction was very negative. In the future, maybe you could more politely direct my questions toward the forums, rather than rejecting them. If you're trying to establish a community of users who adopt your software, leaving negative perceptions isn't the way to achieve that ;).

@aeneasr
Member

aeneasr commented Feb 4, 2018

> Maybe you could mention that on your main page for this repository? That would be helpful. There wasn't any documentation that mentioned general support should be directed at community.ory.am.

Absolutely, looks like I forgot to add the issue template here which is now the case.

> Also, general feedback, the perception I received from our interaction was very negative. In the future, maybe you could more politely direct my questions toward the forums, rather than rejecting them. If you're trying to establish a community of users who adopt your software, leaving negative perceptions isn't the way to achieve that ;).

Sorry if it came across that way; the tone was not intended to be negative. Helping users use the software is very important. However, as an OSS maintainer (of multiple projects) it's also important to sometimes cut questions short and show ways they can be resolved otherwise. If you feel that the documentation does not answer your questions properly or you find sections which are hard to understand, please point them out or help improve them. This is the best way to bring the project forward. It is also important to understand that there is no entitlement in open source; while I try to answer all questions (which I think I did in your case), there is a limit to how far that goes. Most OSS projects don't even bother answering these things. In any case, I hope you find this library useful and that you now have a good idea of where you can find help with regards to implementing Access Control Policies for your specific use case.

@aeneasr
Member

aeneasr commented Feb 4, 2018

I forgot one thing: more examples are covered in the Hydra docs. I also created an issue (#105) which tracks adding examples/how-tos to the ladon docs and also copying over the ones from Hydra. Any help is gladly accepted!
