
Relationship-Based Access Control (ReBAC) with OPA

In the ReBAC model, relationships between the core entities (subject, action, and resource) play a central role:

Ownership

A subject, or a group of subjects, may own a resource, or a set of resources.

Grouping

A set of subjects may be assigned permissions together.

Parent-Child relations

A resource may contain other resources, like a nested folder structure.

As such, it extends the RBAC model by introducing more structure across the available entities: rather than granting permissions through a flat role assignment, a decision follows the relationships that connect the subject to the resource, for example membership in a group that may view the folder containing the document. It aims to build a better foundation for modelling real-world scenarios.
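The following Rego policy is an added example for this page, not OPA's own code or data. It models the three relationship kinds above as Zanzibar-style tuples (constructed sample data), resolves nested group membership and folder containment with the graph.reachable built-in, and maps relations to actions through an assumed relation_actions table; all entity names and the mapping are assumptions for illustration.

```rego
package rebac.example

import rego.v1

# Constructed sample data for this added example (not OPA's own data).
# Each tuple reads "object has <relation> on entity", Zanzibar-style:
#   user:alice owns folder:eng, group:eng may view it, and doc:readme
#   sits in folder:eng/design, which sits in folder:eng.
relations := [
	{"entity": "folder:eng", "relation": "owner", "object": "user:alice"},
	{"entity": "folder:eng", "relation": "viewer", "object": "group:eng"},
	{"entity": "group:eng", "relation": "member", "object": "group:eng-frontend"},
	{"entity": "group:eng-frontend", "relation": "member", "object": "user:bob"},
	{"entity": "folder:eng/design", "relation": "parent", "object": "folder:eng"},
	{"entity": "doc:readme", "relation": "parent", "object": "folder:eng/design"},
	{"entity": "doc:secret", "relation": "owner", "object": "user:carol"},
]

# Which actions each resource relation grants (this mapping is an assumption).
relation_actions := {
	"owner": {"read", "write", "share"},
	"viewer": {"read"},
}

# Parent-child: child -> set of parents. Rego forbids recursive rules, so the
# transitive closure is computed with the graph.reachable built-in instead.
parent_graph[child] := parents if {
	some child in {r.entity | some r in relations; r.relation == "parent"}
	parents := {r.object | some r in relations; r.entity == child; r.relation == "parent"}
}

# A resource together with every folder above it.
ancestors(resource) := graph.reachable(parent_graph, {resource})

# Grouping: member -> set of groups it belongs to (groups may nest).
membership_graph[member] := groups if {
	some member in {r.object | some r in relations; r.relation == "member"}
	groups := {r.entity | some r in relations; r.object == member; r.relation == "member"}
}

# A subject together with every group it belongs to, directly or nested.
principals(subject) := graph.reachable(membership_graph, {subject})

default allow := false

# Allow when some principal standing in for the subject holds a relation on
# the resource, or on one of its ancestors, that grants the requested action.
allow if {
	some resource in ancestors(input.resource)
	some principal in principals(input.subject)
	some r in relations
	r.entity == resource
	r.object == principal
	input.action in relation_actions[r.relation]
}

# Unit tests; run with `opa test .`
test_nested_group_member_reads_nested_doc if {
	allow with input as {"subject": "user:bob", "action": "read", "resource": "doc:readme"}
}

test_viewer_cannot_write if {
	not allow with input as {"subject": "user:bob", "action": "write", "resource": "doc:readme"}
}

test_owner_of_top_folder_writes_nested_doc if {
	allow with input as {"subject": "user:alice", "action": "write", "resource": "doc:readme"}
}

test_unrelated_doc_is_denied if {
	not allow with input as {"subject": "user:bob", "action": "read", "resource": "doc:secret"}
}
```

Evaluate a single decision with `opa eval -d rebac.rego -i input.json 'data.rebac.example.allow'`, where input.json carries subject, action and resource. In a deployment the relations array would come from data loaded into OPA (bundle or push) rather than being inlined in the policy; the rules stay the same.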

Requirements

The core challenges to implementing ReBAC with OPA are the same as with the other policy models:

  • Providing the data required to make a policy decision.
  • Creating the Rego policies required to base a decision on the available relationship data.

Finding the right structure

The model is always an abstraction of the target domain, and choosing that abstraction concretely is not an easy task. Questions to settle for your modelling exercise include:

Group structure

Is a "group" a first-class entity in your model, one that can be named directly as the subject of a relation, as in

{
  "viewers": [
    {
      "entity": "doc:readme",
      "object": "group:eng"
    }
  ]
}

or is membership itself a relation, so that the members of a group (rather than the group entity) are what defines a viewer:

{
  "viewers": [
    {
      "entity": "doc:readme",
      "object": "group:eng",
      "relation": "MEMBER"
    }
  ]
}

In the end, these modelling decisions depend on a clear overview of exactly which kinds of relationship are relevant for the application at hand, and on what the policy may assume by convention (for example, that a group object always stands for its members) versus what the data has to state explicitly.
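To make the difference between the two shapes concrete, here is an added Rego example (not code from the page or from OPA) that resolves viewers under both of them against the same constructed membership data. Under the first shape, expanding "group:eng" to its members is a convention hard-coded in the policy; under the second, the MEMBER relation in the tuple says so, and the group entity itself is no longer a viewer. The data and names are assumptions for illustration.

```rego
package rebac.groups

import rego.v1

# Constructed sample data for this added example (not OPA's own data).
members := {"group:eng": {"user:alice", "user:bob"}}

# Shape 1: no relation field. Whether "group:eng" stands for the group entity
# or for its members is a convention the policy has to hard-code.
viewers_shape1 := [
	{"entity": "doc:readme", "object": "group:eng"},
	{"entity": "doc:readme", "object": "user:dave"},
]

# Shape 2: membership is a relation on the tuple, so the data itself says
# that the MEMBERs of group:eng are viewers, not the group entity.
viewers_shape2 := [
	{"entity": "doc:readme", "object": "group:eng", "relation": "MEMBER"},
	{"entity": "doc:readme", "object": "user:dave"},
]

# Shape 1: the object is the viewer as written ...
viewer_shape1(subject, doc) if {
	some v in viewers_shape1
	v.entity == doc
	v.object == subject
}

# ... and, by policy convention, a "group:" object also expands to its members.
viewer_shape1(subject, doc) if {
	some v in viewers_shape1
	v.entity == doc
	startswith(v.object, "group:")
	subject in members[v.object]
}

# Shape 2: a tuple without a relation names a single subject; no expansion.
viewer_shape2(subject, doc) if {
	some v in viewers_shape2
	v.entity == doc
	object.get(v, "relation", "") == ""
	v.object == subject
}

# Shape 2: a MEMBER tuple expands to the group's members only.
viewer_shape2(subject, doc) if {
	some v in viewers_shape2
	v.entity == doc
	v.relation == "MEMBER"
	subject in members[v.object]
}

# A function that finds no match is undefined, not false, so wrap it in a
# rule with a default before exposing it as a decision.
default allow := false

allow if viewer_shape2(input.subject, input.resource)

# Unit tests; run with `opa test .`
test_member_is_viewer_in_both_shapes if {
	viewer_shape1("user:alice", "doc:readme")
	viewer_shape2("user:alice", "doc:readme")
}

# The group entity itself counts as a viewer only under shape 1.
test_group_entity_as_subject if {
	viewer_shape1("group:eng", "doc:readme")
	not viewer_shape2("group:eng", "doc:readme")
}
```

The second shape costs one more field per tuple but removes a naming convention from the policy: a tuple can then name a group as a subject in its own right (for a group-owned resource, say) without accidentally granting access to all of its members.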

Actions and relations to resources

In the How-to, we've singled out viewers and owners, and defined their rules based on the relations that we modelled. Is that sufficient, or should these terms themselves also be modelled as relations, so that they become data rather than fixed policy?

This and related questions need to be answered with the design of the system as a whole in mind: what is a fixed constraint of your application, and what is user-editable? In OPA terms, fixed constraints belong in the policy, while anything users can change (who owns what, who belongs to which group) belongs in the data the policy evaluates.

Relationship queries

When resolving the relations between our resources, the relationship data does not have to be pushed into OPA in full: the policy can also query other services for it. Graph databases could be a good match, since ReBAC decisions are reachability questions over a graph; SQL queries against a relational database may also do the trick, executed by the service that loads data into OPA or by a small endpoint that the policy reaches with the http.send built-in. Such calls are made per decision, so keep them bounded by a timeout and cache where latency matters.
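As an added example (not from the page or OPA), this Rego delegates a relationship check to an external service using OPA's http.send built-in. The service, its URL, its query parameters and its response body are assumptions for illustration; a graph database or a SQL query can sit behind it.

```rego
package rebac.remote

import rego.v1

# Hypothetical relationship service (an assumption of this added example, not
# an OPA component). It is assumed to answer
#   GET /check?entity=...&relation=...&object=...
# with a JSON body {"allowed": true|false}; a graph database or a SQL query
# against a relational database can sit behind it.
relationship_service := "http://relationships.internal/check"

# Ask the service whether `object` holds `relation` on `entity`.
has_relation(entity, relation, object) if {
	resp := http.send({
		"method": "GET",
		"url": sprintf("%s?entity=%s&relation=%s&object=%s", [
			relationship_service,
			urlquery.encode(entity),
			urlquery.encode(relation),
			urlquery.encode(object),
		]),
		"timeout": "500ms",
		# Honour the service's HTTP cache headers so repeated decisions for the
		# same tuple don't hit the relationship store every time.
		"cache": true,
		# On a transport error return a response with status_code 0 instead of
		# aborting the whole query, so the rule below fails closed.
		"raise_error": false,
	})
	resp.status_code == 200
	resp.body.allowed == true
}

default allow := false

# Let the store do the graph walk (ancestors, nested groups) and answer the
# effective "viewer" question: one round trip per decision, not one per edge.
allow if has_relation(input.resource, "viewer", input.subject)
```

Because the transitive parts of ReBAC (folder ancestry, nested groups) would otherwise cost one round trip per edge, the check is phrased as a single effective-permission question to the store; the policy only adds the fail-closed handling around it.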

Further Reading