Voedger Internals
AuthNZ

Last updated 1 month ago

Authorization and authentication.

Concepts

Naming based on .

  • Subject: An entity that can make a request: User/Device/Service

  • Login: Represents a subject which can log in (synonym: sign in): user/device

  • Profile: Linked to a login; holds personal data and other application-specific information

  • Principal: A unique key which can be used in an ACL (access control list)

    • Login | Group | Role

  • Role: A schema-level principal (predefined group)

    • Allows predefined ACLs to be created

    • Examples

      • unTill: Waiter, Waiter+, Manager

      • PK: Executor, Executor+, Manager

  • Global Role: See the Global Roles page

  • Group: A workspace-level principal

  • PrincipalToken: A token which authenticates principals; it carries

    • Login + Role memberships

  • ACL: Access Control List

    • Currently we use predefined ACLs only

      • ACL management is too complicated

    • Users can only manage group and role membership

    • Permissions for Hosts can be managed by

      • GRANT ROLE ChargeBee TO ADDRESS

ACL Rules

  • “Principal P from Workspace W is [Allowed/Denied] Operation O on Resources matching ResourcePattern RP”.

    • Principal

    • Policy (Allow/Deny)

    • Operation

    • ResourcePattern

    • MembershipInheritance (00, 10, 11, 01)

Query AuthNZ process

Step                                  | Actor          | Served by
Send a request to the QueryProcessor  | Subject        | -
Authenticate Principal                | QueryProcessor | IAuthenticator.Authenticate()
Authorize EXECUTE operation           | QueryProcessor | IAuthorizer.Authorize()
Optional: Authorize READ operation    | QueryProcessor | IAuthorizer.Authorize()

Command AuthNZ process

Step                                   | Actor            | Served by
Send a request to the CommandProcessor | Subject          | -
Authenticate Principal                 | CommandProcessor | IAuthenticator.Authenticate()
Authorize EXECUTE operation            | CommandProcessor | IAuthorizer.Authorize()
Authorize fields CREATE/UPDATE         | CommandProcessor | IAuthorizer.Authorize()
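The two tables above, together with the ACL Rules sentence they enforce, as one added Go example. It is written for this page and is not the project's own iauthnz code: the Rule/Token types, the "login:<name>"/"role:<name>" principal spelling, path.Match resource patterns, the workspace, resource names and bearer strings are all assumptions, and the MembershipInheritance flags are simplified to "a login inherits every rule written for its roles". The point it adds to the tables is the decision rule: default deny, a matching Deny beats a matching Allow, and a READ or CREATE/UPDATE check is only reached after EXECUTE has been granted.

```go
package main

import (
	"errors"
	"fmt"
	"path"
)

// Operation is what a principal wants to do with a resource.
type Operation string

const OpExecute, OpRead, OpCreate, OpUpdate Operation = "EXECUTE", "READ", "CREATE", "UPDATE"

// Rule models "Principal P from Workspace W is [Allowed/Denied] Operation O on Resources
// matching ResourcePattern RP". Principal spelling and path.Match patterns are assumptions.
type Rule struct {
	Principal, Workspace, Pattern string
	Op                            Operation
	Allow                         bool
}

// Token is what a verified PrincipalToken carries: the login plus its role memberships.
type Token struct {
	Login, Workspace string
	Roles            []string
}
type ACL []Rule

// Authorize is default-deny: a matching Allow rule is required, and any matching Deny rule
// wins, so a Deny written for one of the subject's roles cannot be bypassed by also holding
// a role that is allowed.
func (acl ACL) Authorize(t Token, op Operation, resource string) bool {
	members := map[string]bool{"login:" + t.Login: true} // rules written for the login itself
	for _, role := range t.Roles {
		members["role:"+role] = true // ...plus rules inherited from each role membership
	}
	allowed := false
	for _, r := range acl {
		if ok, _ := path.Match(r.Pattern, resource); !ok || r.Workspace != t.Workspace || r.Op != op || !members[r.Principal] {
			continue
		}
		if !r.Allow {
			return false
		}
		allowed = true
	}
	return allowed
}

var ErrUnauthenticated, ErrForbidden = errors.New("unauthenticated"), errors.New("forbidden")

// Authenticator stands in for IAuthenticator.Authenticate(); a real one verifies a signed token.
type Authenticator map[string]Token

func (a Authenticator) Authenticate(bearer string) (Token, error) {
	if t, ok := a[bearer]; ok {
		return t, nil
	}
	return Token{}, ErrUnauthenticated
}

// Process runs the pipeline both tables describe: authenticate the principal, authorize
// EXECUTE on the query or command, then the processor-specific follow-up checks, i.e.
// READ on each resource a query touches, or CREATE/UPDATE on each field a command writes.
func Process(a Authenticator, acl ACL, bearer, target string, checks map[string]Operation) error {
	t, err := a.Authenticate(bearer)
	if err != nil {
		return err
	}
	if !acl.Authorize(t, OpExecute, target) {
		return fmt.Errorf("%w: EXECUTE %s", ErrForbidden, target)
	}
	for res, op := range checks {
		if !acl.Authorize(t, op, res) {
			return fmt.Errorf("%w: %s %s", ErrForbidden, op, res)
		}
	}
	return nil
}

// Constructed sample data using the unTill roles named on the page; workspace, resource names and bearers are made up.
var SampleRules = ACL{
	{"role:Waiter", "restaurant", "untill.q.Orders", OpExecute, true},
	{"role:Waiter", "restaurant", "untill.Order.*", OpRead, true},
	{"role:Waiter", "restaurant", "untill.Order.Cost", OpRead, false}, // waiters never see cost
	{"role:Manager", "restaurant", "untill.c.*", OpExecute, true},
	{"role:Manager", "restaurant", "untill.Order.*", OpUpdate, true},
}

var SampleTokens = Authenticator{
	"tok-alice": {Login: "alice", Workspace: "restaurant", Roles: []string{"Waiter"}},
	"tok-bob":   {Login: "bob", Workspace: "restaurant", Roles: []string{"Waiter", "Manager"}},
}

func main() {
	fmt.Println(Process(SampleTokens, SampleRules, "tok-alice", "untill.q.Orders", map[string]Operation{"untill.Order.Total": OpRead}))
	fmt.Println(Process(SampleTokens, SampleRules, "tok-bob", "untill.q.Orders", map[string]Operation{"untill.Order.Cost": OpRead}))
}
```

Note that bob, who holds both Waiter and Manager, is still refused READ on untill.Order.Cost: the Deny attached to Waiter applies to every subject that inherits that role, which is the behaviour you want from predefined ACLs whose membership users can edit but whose rules they cannot.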

Roles (by Copilot)

Here are some vsql files where ROLE is used in the voedger/voedger repository:

  1. sys.vsql

    • Everyone, Anonymous, AuthenticatedUser, System, ProfileOwner, WorkspaceDevice, RoleWorkspaceOwner, WorkspaceOwner, ClusterAdmin, WorkspaceAdmin

  2. appws.vsql

    • ClusterAdmin

Study existing AuthNZ concepts: here

  • sys.vsql

  • appws.vsql