ory/ladon

How does ladon verify the scope/hierarchy or tenancy of the resource in an incoming request ?

sirajmansour opened this issue · 1 comment

Take a multi-tenanted scenario, with multiple spaces (or projects) per tenant.
If I have the following policy defined

{
  "description": "Sample policy.",
  "subjects": ["users:<peter|ken>", "users:maria", "groups:admins"],
  "actions" : ["delete", "<create|update>"],
  "effect": "allow",
  "resources": [
    "resources:myorg.com:organizations:dummyorg:spaces:testspace:<.+>"
  ]
}

and the following request comes in

{
  "subject": "users:peter",
  "action" : "delete",
  "resource": "resources:myorg.com:organizations:dummyorg:spaces:testspace:resource123"
}

Is ladon able to verify that resource123 actually sits under organizations:dummyorg and spaces:testspace ?

Of course, why shouldn't it? There are some best practices here.

In the future, please use issues for reporting bugs or feature requests. For example, if you tested the above in some code and it should have passed but didn't, that would be a good issue. For everything else use the forums or the chat.
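To make concrete what the policy and request above do and do not check, here is an added Go example written for this page. It is not ladon's own code and was not posted by either participant: it re-implements ladon-style `<regex>` template matching in simplified form (text inside `<...>` is a regular expression, everything else is literal, the whole template is anchored) and applies default-deny with deny-overrides. The `store` map, the `Record` type and the `CanonicalResource` helper are constructed for illustration and stand in for the application's own resource database. The point it shows: matching is purely lexical, so a request whose resource string merely claims a hierarchy matches as long as the string fits the template; the application has to build that string from authoritative data.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Policy mirrors the shape of the JSON policy in the issue.
type Policy struct {
	Subjects, Actions, Resources []string
	Effect                       string // "allow" or "deny"
}

type Request struct{ Subject, Action, Resource string }

// compileTemplate builds an anchored regexp from a template: segments outside
// <...> are quoted literally, segments inside are inserted as regexps.
// Simplified re-implementation for illustration; ladon's own compiler is not used.
func compileTemplate(tpl string) (*regexp.Regexp, error) {
	var b strings.Builder
	b.WriteString("^")
	rest := tpl
	for {
		start := strings.Index(rest, "<")
		if start < 0 {
			b.WriteString(regexp.QuoteMeta(rest))
			break
		}
		end := strings.Index(rest[start:], ">")
		if end < 0 {
			return nil, fmt.Errorf("unterminated '<' in template %q", tpl)
		}
		end += start
		b.WriteString(regexp.QuoteMeta(rest[:start]))
		b.WriteString("(?:" + rest[start+1:end] + ")")
		rest = rest[end+1:]
	}
	b.WriteString("$")
	return regexp.Compile(b.String())
}

func matchesAny(templates []string, value string) bool {
	for _, t := range templates {
		if re, err := compileTemplate(t); err == nil && re.MatchString(value) {
			return true
		}
	}
	return false
}

// IsAllowed is default-deny: at least one allow policy must match and no
// deny policy may match (deny wins).
func IsAllowed(policies []Policy, r Request) bool {
	allowed := false
	for _, p := range policies {
		if !matchesAny(p.Subjects, r.Subject) || !matchesAny(p.Actions, r.Action) ||
			!matchesAny(p.Resources, r.Resource) {
			continue
		}
		if p.Effect == "deny" {
			return false
		}
		allowed = true
	}
	return allowed
}

// Record and store are a constructed stand-in for the application's database.
type Record struct{ Org, Space string }

var store = map[string]Record{
	"resource123": {Org: "dummyorg", Space: "testspace"},
	"resource999": {Org: "otherorg", Space: "prod"},
}

// CanonicalResource builds the resource string from the stored record rather
// than from whatever hierarchy the caller claims; ok is false for unknown ids.
func CanonicalResource(id string) (string, bool) {
	rec, ok := store[id]
	if !ok {
		return "", false
	}
	return fmt.Sprintf("resources:myorg.com:organizations:%s:spaces:%s:%s", rec.Org, rec.Space, id), true
}

// samplePolicy is the policy from the issue.
var samplePolicy = Policy{
	Subjects:  []string{"users:<peter|ken>", "users:maria", "groups:admins"},
	Actions:   []string{"delete", "<create|update>"},
	Effect:    "allow",
	Resources: []string{"resources:myorg.com:organizations:dummyorg:spaces:testspace:<.+>"},
}

func main() {
	policies := []Policy{samplePolicy}
	const prefix = "resources:myorg.com:organizations:dummyorg:spaces:testspace:"
	// The request from the issue: allowed, by string match alone.
	fmt.Println(IsAllowed(policies, Request{"users:peter", "delete", prefix + "resource123"}))
	// A caller-supplied string that merely claims resource999 lives in testspace
	// also matches: nothing here consults the store.
	fmt.Println(IsAllowed(policies, Request{"users:peter", "delete", prefix + "resource999"}))
	// Building the string from the record closes that gap.
	res, _ := CanonicalResource("resource999")
	fmt.Println(IsAllowed(policies, Request{"users:peter", "delete", res}))
}
```

The practical consequence for the multi-tenant setup in the question: never take the full resource string from the client. Accept only the id, load the record, derive the organization and space from it, and only then build the string that is checked against the policies.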