Policy: resource mappings GET/LIST should provide attribute value FQNs in response

Question

Policy: resource mappings GET/LIST should provide attribute value FQNs in response

Closed this issue 3 months ago · 4 comments

Background

LIST of resource mappings is a known service to service API for PDPs and should therefore provide the FQN in response of mapped attribute values to avoid PEPs/PDPs receiving the value id and having to do a roundtrip.

Acceptance Criteria

resource mappings return fqns of attribute values they map to in response
integration tests

Answer 1 · 2024-10-09T14:16:51.000Z

@jakedoublev does this include the ListResourceMappingsByFullyQualifiedGroup query as well or just the base GET/LIST queries?

https://github.com/opentdf/platform/blob/main/service/policy/db/query.sql#L530-L545

Answer 2 · 2024-10-09T14:33:13.000Z

@ryanulit I think we probably want the FQN of the Resource Mapping in each read RPC because the mappings are used by services downstream (not admins alone) and therefore should not rely on UUIDs.

Answer 3 · 2024-10-09T14:58:59.000Z

You meant FQN of the Attribute Value right? This also just made me think that we might want to return the FQN of the Resource Mapping Group (i.e. https://<namespace>/resm/<group_name>) in its Get/List queries as well, but I can make a separate ticket for that if you agree.

Answer 4 · 2024-10-09T15:04:54.000Z

Sorry for the confusion. I agree we need the below for read actions (get/list):

attribute value FQN when returning resource mappings
resource mapping group FQN when returning resource mapping groups
after requirement change that resource mappings must be in a group is implemented, a get/list of a resource mapping should also include the relevant RM group FQN