This repository contains three possible trade-offs when considering fine-grained authorization that contains both conditions and relationships.
The three possible trade-offs that are demonstrated are:
- Coupling policy and enforcement
- Complex Access Control Rules
- Data manipulation
For more information on each and to learn more, refer to the following blog post
The data that we are using to demonstrate the trade-offs are a set of visits with relationships with diagnoses and practitioners. An allowed visit is a visit that is not concealed, its related diagnoses are not concealed, and its practitioner is advertised.
All the mock data is stored in the data/data.json
file.
// Visit
{
"appointment_id": "123",
"practitioner_id": "123456",
"diagnosis": ["y4500"],
"concealed": false
}
// Diagnosis
{
"id": "y4500",
"concealment": false
}
// Practitioner
{
"practitioner_id": "123456",
"is_advertised": true
}
The project's main test file is the index.js
file, which contains four types of policy checks that require both conditions and relationships to be checked.
All the tests filter the visits array and should return the following result:
[true, false, false, false, true, true]
The tests are:
- Simple policy configuration with the trade-off of using complex enforcement code
- Graph-based policy configuration with the trade-off of data manipulation and extra conditional edges and special nodes
- Policy configuration with the trade-off of complex access control rules in the Rego language
Demonstration of a simple solution by Permit.io that solves the problem with a simple policy configuration and enforcement code
Each test starts by cleaning the data and some policies from the Permit.io environment. Then, it applies the relevant policy data and runs the test.
Besides the tests and the data, the project contains a main.tf
file that applies the policy configuration to the Permit.io environment.
The policy
folder contains policy configuration in the Rego language used in the third test.
The lib
folder contains all the code used to sync data to Permit.io and perform the policy checks.
The code is written in JavaScript and uses Permit.io to base the authorization service. Running the project requires you to follow the following steps:
Preqrequisites: Node.js, npm, terraform, and docker installed
-
Clone the repository
-
Run
npm install
to install the dependencies -
Get your Permit.io API key from here. (open a free account if you don't have one)
-
Copy the
.env.template
file to an.env
file and add your Permit.io API key in thePERMIT_API_KEY
andTF_VAR_PERMIT_API_KEY
. -
Apply the policy configuration to a clean environment in your Permit.io account by running:
terraform init ✔ 9s 12:57:07 terraform plan terraform apply
After this step, your Permit policy editor should look like the following:
-
Run the Permit.io PDP docker container by running (ensure that you load the Permit.io API key in the environment):
docker run -p 7766:7000 -p 8181:8181 --rm --env PDP_API_KEY=$PERMIT_API_KEY --env PDP_DEBUG=true permitio/pdp-v2:latest
-
Run the tests with the
node index
command.
The desired output should be:
Flat filter result: [true,false,false,false,true,true]
Graph filter result: [true,false,false,false,true,true]
Custom rego check result: [true,false,false,false,true,true]
Single check result: [true,false,false,false,true,true]