AuthNZ

Authorization and authentication.

Concepts

Naming based on Stidy existing AuthNZ concepts.

• Subject: An entity that can make a request - User/Device/Service

• Login: Represents a subject which can log in (synonym: sign in), user/device

• Profile: Linked to login, personal data and other application specific information

• Principal: An unique key which can be used in ACL (список управления доступом)

  • Login | Group | Role

• Role: A schema-level principal (predefined group)

  • Allows to create predefined ACLs

  • Examples

    • unTill: Waiter, Waiter+, Manager

    • PK: Executor, Executor+, Manager

• Global Role: See here

• Group: A workspace-level principal

• PrincipalToken: A token which authenticates principals.

  • Login + Role memberships

• ACL: Acces Control List (список управления доступом)

  • Currently we use predefined ACLs only (предопределенные списки управления доступом)

    • ACL managements too complicated

  • Users can only manage groups and roles membership

  • Permissions for Hosts can be manages by

    • GRANT ROLE ChargeBee TO ADDRESS

ACL Rules

• “Principal P from Workspace W is [Allowed/Denied] Operation O on Resources matching ResourcePattern RP”.

  • Principal

  • Policy (Allow/Deny)

  • Operation

  • ResourcePattern

  • MembershipInheritance (00, 10, 11, 01)

Query AuthNZ process

Command AuthNZ process

Roles (by Copilot)

Here are some vsql files where ROLE is used in the voedger/voedger repository:

1. sys.vsql

   • sys.vsql

   • Everyone, Anonymous, AuthenticatedUser, System, ProfileOwner, WorkspaceDevice, RoleWorkspaceOwner, WorkspaceOwner, ClusterAdmin, WorkspaceAdmin

2. appws.vsql

   • appws.vsql

   • ClusterAdmin