Questions related to design
Closed this issue · 2 comments
kushsharma commented
I am going through the shield to understand the current design, and I have a couple of questions related to it:
- APIs for creating a `user` accept a User model that has `slug` defined, but the User model for shield doesn't have it, nor does it persist in the database. Do you know if this is a bug?
- The validation rules defined in protobuf are not really used to validate anywhere in the shield; is this by design?
- If I go with the validation rules defined for the `name` of the `User`, it doesn't accept spaces. My understanding of the name was to use something like `Kush Sharma`; is this incorrect?
- For `users` I see we are using a dedicated table to manage `metadata` and have dropped the `metadata` column from the `users` table, but this is not the same for the rest of the models like `org` or `group`. Is this because we wanted to query metadata via key in `users`?
- In a recent commit on protos a lot of useful APIs were removed which were used for shield management; are we replacing them with something else? For example, how am I supposed to add `admins` to the `group` now?
- I don't see a direct 1-to-1 mapping of a `user` to an `organization`; a `user` gets added to a `group` and the `group` is attached to an `org`. Does that mean before creating `users`, it is mandatory to create a `group`?
- I see a `relations` table being introduced in recent commits; is this the way moving forward to manage 1-to-1 or 1-to-many relationships? Even for a `group` to org? It's managed via a column in the `group` table currently.
- I went through the documentation and I got the gist of how the `proxy` is working, but the `authz` part was lacking some critical explanations, like how the `resources_config` shown in the Tour is really built. How am I supposed to know how to model a `system` type or a `resource_group`? How do they really fit? Can we explain it via a small use case in the docs? I tried using the config directly as it is and it throws a bunch of errors; is the config outdated?
- Currently, to make changes in `protobuf` files and use the latest commit, due to the last commit for API cleanup, we can't really contribute to `Shield` (compilation errors). Is this parity difference between shield source and proton planned to be picked up on priority?
I wanted to understand the onboarding flow of it to start using it efficiently. I am trying to list the set of steps as I understand them; help me correct it if there are better alternatives to the following flow.
- I create an empty `resources_config` file, create a basic `ruleset` file and create a shield config file.
- I start `spicedb` via docker image and then start shield on my local machine.
- The first thing I should do is create a `User` object and then create an `organization`. To attach a user to an `org`, should I create a `group` first? If I want to add a user to multiple organizations, should I create multiple groups attached to organizations and then attach this `User` to each one of the `group`s?
- If the answer to the above is yes, what if we automatically create a `default` group as soon as an organization is created to ease this process?
- I want to list all the `orgs` a `user` belongs to; should I first list all the groups it belongs to and then query `org` one by one? Is this the right approach?
- If I want to attach `metadata` to a `user`, say `lastname`, then I have to first create a `key` in metadata as `lastname` and then actually pass it with `User` while creating/updating it. Why not create these keys automatically when the request arrives? How is this flow of manual creation helping?
- What should be the correct implementation of querying a `user` by its username/slug? Or is this not supported yet due to the bug discussed above?
ravisuhag commented
@kushsharma Do we have answers to all the questions now?
kushsharma commented
@ravisuhag yes we can close this