Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/kevinmichaelchen/rebac-policy-hasura-transpiler
WIP — WORK IN PROGRESS — :fire: Transpile ReBAC policies into Hasura Permissions JSON
https://github.com/kevinmichaelchen/rebac-policy-hasura-transpiler
Last synced: about 1 month ago
JSON representation
WIP — WORK IN PROGRESS — :fire: Transpile ReBAC policies into Hasura Permissions JSON
- Host: GitHub
- URL: https://github.com/kevinmichaelchen/rebac-policy-hasura-transpiler
- Owner: kevinmichaelchen
- Created: 2023-08-24T16:12:03.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2023-08-25T15:59:53.000Z (over 1 year ago)
- Last Synced: 2024-06-21T18:52:37.374Z (6 months ago)
- Language: Go
- Homepage: https://kevinmichaelchen.github.io/rebac-policy-hasura-transpiler/
- Size: 36.1 KB
- Stars: 1
- Watchers: 1
- Forks: 0
- Open Issues: 3
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# rebac-policy-hasura-transpiler
This project is an exploration into whether it's possible to transpile OPA policies (written in Rego) to the JSON that Hasura expects for its Permission Rules.
I'm not even sure this is [possible](https://stackoverflow.com/questions/69413970/converting-rego-policy-to-json)...
The end goal might be a CLI to transpile [ReBAC][rebac] policies to JSON for Hasura Permissions Rules.
The policies themselves are inspired by [permit.io][permit-io]'s API.
## Motivation
This project may interest you if:
- you're using Hasura;
- you've got lots of interconnected tables;
- your authorization logic is complex; and
- you want a way to derive your Hasura [Permissions Rules JSON][hasura-perms]
from a dedicated entitlements system## Considerations
### Arbitrary Nesting
In Permit's [API][permit-api], you can seemingly self-referential _role
derivations_ that span an indefinite number of edges in the graph.#### Imaginary Domain
Imagine you're building an LDAP system for school districts, and you've got a
few kinds of models: Users, Organizational Units (which can be nested) and
Classrooms.With the Permit API, you can give the following grant to any users with the
`editor` role on an Org Unit, thereby causing editor privileges to trickle down
the Org Unit tree, all the way to the leaves.```json
{
"granted_to": {
"users_with_role": [
{
"linked_by_relation": "parent",
"on_resource": "org_unit",
"role": "editor"
}
]
}
}
```#### The Problem
The problem is that the JSON in Hasura's Permissions Rules has no way to express
this kind of indefinite, arbitrarily long path length.While not a perfect solution, this CLI lets you specify the number of levels
that the Hasura rules should traverse.## Tasks
### docs
Run / watch docs.
```
mdbook watch --open docs
```### parse_rego
Parse Rego policies to JSON.
```
./opa parse --format json opa-data/classroom_write_access.rego
```### test
Run Go tests
```
go test ./...
```### prettify_json
Prettify test JSON
```shell
jq 'del(..|nulls)' test.json > test.pretty.json
```### introspect
Introspect Hasura's schema and update the local `hasura.sdl.graphqls` file.
```
npx --yes \
graphqurl -- \
http://localhost:8080/v1/graphql \
-H 'x-hasura-admin-secret: myadminsecretkey' \
--introspect > hasura.sdl.graphqls
```### synth_import
Create JSON schema files for Synth data generation.
```
synth import \
--from postgres://postgres:postgrespassword@localhost:15432/postgres \
synth_workspace
```### synth_gen
Generate fake data with Synth.
```shell
synth generate synth_workspace \
--scenario everything \
--size 1 | jq
```[hasura-perms]: https://hasura.io/docs/latest/auth/authorization/permissions/
[permit-io]: https://permit.io
[permit-api]:
https://docs.permit.io/modeling/google-drive#foldereditor---fileeditor-via-parent
[rebac]: https://en.wikipedia.org/wiki/Relationship-based_access_control