Multi-scopes auth & Attach fix #1076
Conversation
MarinPostma
force-pushed
the
multi-ns-auth
branch
5 times, most recently
from
5928ef6 to
5da8564
Compare
|
Why can't we just allow attach on all namespaces? To attach a namespace JWT needs an appropriate claim isn't that enough? |
|
From the dicussion we had, we all had, I understood that we wanted a killswitch for that feature. Furthermore, until we solve the issue I raised on Slack, I'd rather leave the ability to disable attach altogether. |
That's fine. Let's leave it as is for now but eventually we might want to be able to set default for it per group so that each new namespace is allowed/not allowed automatically depending on what the owner of the group finds more useful. |
| )), | ||
| Authenticated::Authorized(a) => { | ||
| if !a.has_right(Scope::Namespace(namespace.clone()), perm) { | ||
| return Err(crate::Error::NotAuthorized(format!( |
There was a problem hiding this comment.
ultra nit: No need for return here.
libsql-server/src/auth/authorized.rs
Outdated
| pub fn merge_legacy(&mut self, namespace: NamespaceName, perm: Permission) { | ||
| let scope = match perm { | ||
| Permission::Read => self.read_only.get_or_insert_with(Default::default), | ||
| Permission::Write => self.read_only.get_or_insert_with(Default::default), |
There was a problem hiding this comment.
Shouldn't this be self.read_write?
MarinPostma
force-pushed
the
multi-ns-auth
branch
from
0b8ca95 to
96da442
Compare
This PR adds support for multi-scope authentication, and fixes attach, and other quirks:
allow_attachis now a property of the namespace. Ifallow_attachis set to true, then other database can attach to it, given that they also have the rightallow_attachcan be passed at namespace creation