Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Role-Based Access Control (RBAC) to auth? #27

Closed
SimonLab opened this issue Jan 21, 2019 · 11 comments
Closed

Add Role-Based Access Control (RBAC) to auth? #27

SimonLab opened this issue Jan 21, 2019 · 11 comments
Assignees
Labels
question A question needs to be answered before progress can be made on this issue

Comments

@SimonLab
Copy link
Member

We discuss this morning having a role-based access control system (https://en.wikipedia.org/wiki/Role-based_access_control)

Do we want to have the RBAC implemented inside the auth package or should we create another repository/package for it?

@SimonLab SimonLab added the question A question needs to be answered before progress can be made on this issue label Jan 21, 2019
@nelsonic
Copy link
Member

@SimonLab good question. Thank you for opening this issue for us to capture the discussion/research.

Short/Quick Answer

Yes, we are going to have RBAC system built-in to Auth as "auth" stands for both "authentication" and "authorisation" which is synonymous for permission.

We don't need to over-think it, we just need the concept of Roles, Content Types and levels of Permissions.

Longer Answer

The best way of thinking about Auth is in the context of an Example Application: "Blog".

Let's consider a typical publishing platform like Medium. https://en.wikipedia.org/wiki/Medium_(website)
It has four Content Types:

  1. Post which typically include:
  2. Comment - Anyone who is authenticated (and not blocked) can comment on Posts where commenting is enabled. (Medium calls comments Response ...)
  3. Reaction - In the case of Medium there is now only a "clap" which can be clicked multiple times.
    (a variety of Reaction Emojis and one "unit" of each reaction per person would be my pref.)
  4. Highlight - A highlight is where a person drags their cursor over a section of text and saves it as a highlight. See: https://help.medium.com/hc/en-us/articles/214406358-Highlights

Don't worry, we aren't going to build a blogging platform, the space is way too crowded.
However, we are going to build a basic CMS so that we can publish our own content for our Learning Platform which will use the Auth (Login, Roles, Permissions and Notifications Systems).

By default we should have at least 7 Roles in the Roles table/schema:

role_id role_name description created_at created_by
0 Unauthenticated Anyone who is not logged in. Can view public content but cannot perform any action on content until they authenticate. 1541609554 -
1 Super Admin Can CREATE new roles. Can CREATE, UPDATE and DELETE Any content. Can PURGE deleted items. Can "ban" any user including people with "Admin" Role. 1541609554 -
2 Admin Can create roles. Can CREATE, UPDATE and DELETE Any content. Can "ban" any user except people with "Admin" Role. Can see deleted content and un-delete it. Cannot purge deleted. This guarantees audit-trail. 1541609554 -
3 Editor Can CREATE and UPDATE Any content. Can "DELETE" content. Cannot see deleted content. 1541609554 -
4 Content Creator Can CREATE content. Can UPDATE their own content. Can DELETE their own content. 1541609554 -
5 Commenter Can COMMENT on content that has commenting enabled. 1541609554 -
6 Banned Can login and see their past content. Cannot create any new content. Can see the reason for their banning (which the Admin has to write when performing the "ban user" action. usually linked to a specific action the person performed like a particularly unacceptable comment.) 1541609554 -

image

@nelsonic
Copy link
Member

nelsonic commented Jul 14, 2020

Given that we need the concept of roles, privileges and grants in order to regulate access to doors @home dwyl/smart-home-auth-server#1 I'm going to focus on this today.
I have closed all other browser tabs and applications and will be focussing on RBAC exclusively until it's finished.
I will still check my notifications 3 times per day, so if anyone needs me for something else I will still respond.
But until further notice this is my highest priority: #31

@nelsonic
Copy link
Member

If you google for "rbac database schema": https://www.google.com/search?q=rbac+database+schema&tbm=isch
There are several hundred examples you can get inspiration from:

image

Some are more complex than others.
This is what I've distilled from my reading:

Let's create the Database Schemas (Tables) to store our RBAC data,
starting with Roles:

mix phx.gen.html Ctx Role roles name:string desc:string person_id:references:people

Next

mix phx.gen.html Ctx Permission permissions name:string desc:string person_id:references:people

Next create the many-to-many relationship between roles and permissions.

mix ecto.gen.migration create_role_permissions

Now create the many-to-many relationship between people and roles:

mix ecto.gen.migration create_people_roles

@nelsonic
Copy link
Member

By putting the roles and permissions resources in an auth pipeline, none of the tests pass.
Just need to write a helper function that sets up the JWT/session. BRB.

@nelsonic
Copy link
Member

Taking a little detour to refresh my knowledge of testing as I want to add the helper function to the ConnCase file.
See: https://github.com/phoenixframework/phoenix/blob/master/guides/testing/testing.md

@nelsonic
Copy link
Member

Didn't learn anything new from reading the official docs. Going to keep searching. 🔍

@nelsonic
Copy link
Member

Before:

Finished in 74.9 seconds
1 property, 79 tests, 17 failures

After:

Finished in 8.9 seconds
1 property, 79 tests, 0 failures

With 100% coverage.

Next: create associations between the Roles and Permissions Schemas.

@nelsonic
Copy link
Member

Default roles summarised in: #82 (comment) included in next PR. 🔜 #85 🚧

@nelsonic
Copy link
Member

@SimonLab given that you opened this issue, if you want to take a look at #85 your feedback is very welcome. 👍

th0mas added a commit that referenced this issue Sep 17, 2020
PR: RBAC Role Based Access Control #27 #31 #82
@nelsonic
Copy link
Member

Roles deployed to https://dwylauth.herokuapp.com/roles
RBAC for controlling access in apps: https://github.com/dwyl/rbac

The original question of this issue is answered:
https://github.com/dwyl/auth/blob/master/role-based-access-control.md

Closing. ✅

Any further questions: please open new issues. (thanks!)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
question A question needs to be answered before progress can be made on this issue
Projects
None yet
Development

No branches or pull requests

2 participants