github.com/voedger/voedger@v0.0.0-20240520144910-273e84102129/design/authnz/README.md

### Abstract

Authorization and authentication design

- [Concepts](#concepts)
- [ACL Rules](#acl-rules)
- [Query AuthNZ process](#query-authnz-process)
- [Command AuthNZ process](#command-authnz-process)
- [Detailed design](#detailed-design)

### Concepts
Naming based on [AuthNZ: Existing concepts](https://dev.heeus.io/launchpad/#!19546)

- Subject. An entity that can make a request: a user, a device or a service
- Login. Represents a subject that can log in (synonym: sign in): a user or a device
- Profile. Linked to a login; holds personal data and other application-specific information
- Principal. A unique key that can be used in an ACL
  - Login | Group | Role
- Role. Schema-level principal (a predefined group)
  - Allows predefined ACLs to be created
  - Examples
    - unTill: Waiter, Waiter+, Manager
    - PK: Executor, Executor+, Manager
- Group. Workspace-level principal
- PrincipalToken. A token that authenticates a principal
  - Carries the Login plus its Role/Group memberships
- ACL. Access Control List
  - Currently only predefined ACLs are used
    - Full ACL management is too complicated
  - Users can only manage group and role membership
  - Permissions for hosts can be managed with
    - GRANT ROLE ChargeBee TO ADDRESS <ip>

### ACL Rules
- “Principal P from Workspace W is [Allowed/Denied] Operation O on Resources matching ResourcePattern RP”.
  - Principal
  - Policy (Allow/Deny)
  - Operation
  - ResourcePattern
  - MembershipInheritance (00, 10, 11, 01)
  - Ref. comments [here](https://dev.heeus.io/launchpad/#!19546)

### Query AuthNZ process

|Step|Actor|Served by|
|-|-|-|
|Send a request to the QueryProcessor|Subject| |
|Authenticate Principal|QueryProcessor|IAuthenticator.Authenticate()|
|Authorize EXECUTE operation|QueryProcessor|IAuthorizer.Authorize()|
|Opt: Authorize READ operation|QueryProcessor|IAuthorizer.Authorize()|

### Command AuthNZ process
|Step|Actor|Served by|
|-|-|-|
|Send a request to the CommandProcessor|Subject| |
|Authenticate Principal|CommandProcessor|IAuthenticator.Authenticate()|
|Authorize EXECUTE operation|CommandProcessor|IAuthorizer.Authorize()|
|Authorize fields CREATE/UPDATE|CommandProcessor|IAuthorizer.Authorize()|

### Detailed design

- [Reset password](reset-password.md)

### Components

- [iauthnz](https://github.com/heeus/core/tree/main/iauthnz)

### See also

- [Originated from A&D: AuthNZ](https://dev.heeus.io/launchpad/#!17808)
- [Slack design: WDocs](https://dev.heeus.io/launchpad/#!19080)
- [AuthNZ: Existing concepts](https://dev.heeus.io/launchpad/#!19546) (including comments!)