path: root/share/man/spicedb/README.md
blob: f5e2e968e2a363ef77db5b6682120d9f9a652b21 (plain)
# SpiceDB Integration Guide

SpiceDB provides relationship-based authorization modelled on Google Zanzibar.
The service evaluates permission hierarchies by walking a graph of stored relationships, so a permission is granted only when a path through that graph connects the subject to the resource.

## Architecture

```
+---------------------------------------------------------------------+
|                      Client Request                                 |
+---------------------------------------------------------------------+
                          |
                          V
+---------------------------------------------------------------------+
|                     Envoy Proxy (:20000)                            |
|                                                                     |
|  Routes /authzed.api.v1.* directly to SpiceDB                       |
+---------------------------------------------------------------------+
                          | SpiceDB APIs
                          V
              +---------------------+
              |  SpiceDB (:50051)   |
              |                     |
              | +-----------------+ |
              | |   Relations     | |
              | | * user:mokhax   | |
              | | * project:1     | |
              | | * maintainer    | |
              | | * developer     | |
              | +-----------------+ |
              +---------------------+
```

## Authorization Flow

```
     Client                    Envoy                   SpiceDB
        |                       |                        |
        | gRPC PermissionCheck  |                        |
        |---------------------->|                        |
        |                       | Route by gRPC service  |
        |                       |----------------------->|
        |                       |                        |
        |                       |                        | Query
        |                       |                        | relations
        |                       |                        | graph
        |                       |   Permission result    |
        |                       |<-----------------------|
        |                       |                        |
        | Permission response   |                        |
        |<----------------------|                        |
```

## Quick Start

### 1. Start All Services

```bash
# Start authzd, envoy, and spicedb
make run
```

### 2. Setup SpiceDB Schema & Data

```bash
# Initialize schema and test data
make run-spicedb-setup

# Test permissions
make run-spicedb-permission-check
```

### 3. Test SpiceDB Permissions

```bash
# Check permissions via zed CLI
zed --endpoint "localhost:20000" --token "secret" --insecure permission check project:1 read user:mokhax
```

## SpiceDB Configuration

### Schema Development

1. Update schema in `etc/authzd/spice.schema`
2. Apply with `zed schema write`
3. Add relationships with `zed relationship create`

### Schema Example

```zed
definition user {}
definition project {
  relation developer: user
  relation maintainer: user
  permission read = developer + maintainer
  permission write = maintainer
}
```

### Creating Relationships

```bash
# Add user to project as maintainer
zed relationship create project:1 maintainer user:mokhax

# Add user to project as developer
zed relationship create project:1 developer user:tanuki
```

## zed CLI Commands

### Schema Management

```bash
# Write schema to SpiceDB
zed --endpoint "localhost:20000" --token "secret" --insecure schema write etc/authzd/spice.schema

# Read current schema
zed --endpoint "localhost:20000" --token "secret" --insecure schema read
```

### Relationship Management

```bash
# Create relationships
zed --endpoint "localhost:20000" --token "secret" --insecure relationship create project:1 maintainer user:mokhax

# Delete relationships
zed --endpoint "localhost:20000" --token "secret" --insecure relationship delete project:1 developer user:tanuki
```

### Permission Checks

```bash
# Check specific permissions
zed --endpoint "localhost:20000" --token "secret" --insecure permission check project:1 write user:mokhax

# Check a second subject (the developer) against the same resource
zed --endpoint "localhost:20000" --token "secret" --insecure permission check project:1 read user:tanuki
```
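To make the expected outcome of the checks above concrete, here is a small union-only evaluator for the schema and relationships shown in this guide. It is an added example, not SpiceDB's own evaluation engine: it reads the page's `spice.schema` snippet, stores the two `zed relationship create` tuples, and answers `permission check` questions the way the schema defines them (`read = developer + maintainer`, `write = maintainer`). Arrow (`->`) expressions and caveats are outside its scope.

```python
import re

# Constructed copy of the schema from this README (union expressions only).
SCHEMA = """
definition user {}
definition project {
  relation developer: user
  relation maintainer: user
  permission read = developer + maintainer
  permission write = maintainer
}
"""

# The two relationships created with `zed relationship create` in this guide.
RELATIONSHIPS = {
    ("project:1", "maintainer", "user:mokhax"),
    ("project:1", "developer", "user:tanuki"),
}


def parse_schema(text):
    """Return {definition: {"relations": {name: type}, "permissions": {name: [terms]}}}."""
    defs, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"definition (\w+)", line):
            current = defs.setdefault(m.group(1), {"relations": {}, "permissions": {}})
        elif m := re.match(r"relation (\w+): (\w+)", line):
            current["relations"][m.group(1)] = m.group(2)
        elif m := re.match(r"permission (\w+) = (.+)", line):
            # `a + b` is a union: the permission holds if any term holds
            current["permissions"][m.group(1)] = [t.strip() for t in m.group(2).split("+")]
    return defs


def check(defs, rels, resource, permission, subject):
    """Mirror `zed permission check <resource> <permission> <subject>` for this schema."""
    definition = defs[resource.split(":", 1)[0]]
    if permission in definition["relations"]:
        # A direct relation is granted only by a stored relationship tuple.
        return (resource, permission, subject) in rels
    if permission in definition["permissions"]:
        return any(check(defs, rels, resource, term, subject)
                   for term in definition["permissions"][permission])
    raise ValueError(f"unknown relation or permission: {permission}")


DEFS = parse_schema(SCHEMA)
```

With these inputs `user:mokhax` (maintainer) passes both `read` and `write`, while `user:tanuki` (developer) passes `read` only.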

## Make Targets

- `make run-spicedb-setup` - Initialize schema and test data
- `make run-spicedb-permission-check` - Test permission queries

## References

- [SpiceDB Documentation](https://authzed.com/docs)
- [Google Zanzibar Paper](https://authzed.com/blog/what-is-google-zanzibar)
- [Cedar Policy Language](https://docs.cedarpolicy.com/)
- [Envoy External Authorization](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/ext_authz_filter)