diff options
| author | mo khan <mo@mokhan.ca> | 2025-07-15 16:37:08 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-07-17 16:30:22 -0600 |
| commit | 45df4d0d9b577fecee798d672695fe24ff57fb1b (patch) | |
| tree | 1b99bf645035b58e0d6db08c7a83521f41f7a75b /etc/authzd/policy1.cedar | |
| parent | f94f79608393d4ab127db63cc41668445ef6b243 (diff) | |
feat: migrate from Cedar to SpiceDB authorization system
This is a major architectural change that replaces the Cedar policy-based
authorization system with SpiceDB's relation-based authorization.
Key changes:
- Migrate from Rust to Go implementation
- Replace Cedar policies with SpiceDB schema and relationships
- Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks
- Update build system and dependencies for Go ecosystem
- Maintain Envoy integration for external authorization
This change enables more flexible permission modeling through SpiceDB's
Google Zanzibar inspired relation-based system, supporting complex
hierarchical permissions that were difficult to express in Cedar.
Breaking change: Existing Cedar policies and Rust-based configuration
will no longer work and need to be migrated to SpiceDB schema.
Diffstat (limited to 'etc/authzd/policy1.cedar')
| -rw-r--r-- | etc/authzd/policy1.cedar | 37 |
1 files changed, 0 insertions, 37 deletions
diff --git a/etc/authzd/policy1.cedar b/etc/authzd/policy1.cedar deleted file mode 100644 index 966bbcfb..00000000 --- a/etc/authzd/policy1.cedar +++ /dev/null @@ -1,37 +0,0 @@ -permit (principal, action, resource) -when -{ - context has host && - context has method && - context has path && - ((context.host == "sparkle.runway.gitlab.net" || - context.host == "sparkle.staging.runway.gitlab.net" || - context.host like "localhost:*") && - ((context.method == "GET" && - (context.path == "/" || - context.path == "/callback" || - context.path == "/dashboard/nav" || - context.path == "/health" || - context.path == "/signout" || - context.path == "/sparkles")) || - (context.method == "POST" && (context.path == "/sparkles/restore")))) -}; - -permit ( - principal is User, - action == Action::"POST", - resource == Resource::"/sparkles" -) -when -{ - context has host && - context.host == "sparkle.staging.runway.gitlab.net" && - principal has username -}; - -permit ( - principal == User::"1", - action == Action::"GET", - resource == Resource::"/dashboard" -) -when { context has host && context.host == "localhost:10000" }; |