-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathresource.proto
More file actions
76 lines (69 loc) · 2.75 KB
/
resource.proto
File metadata and controls
76 lines (69 loc) · 2.75 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
syntax = "proto3";
package resource;
option go_package = "./resource";
import "openfga/openfga.proto";
import "patch/go.proto";
option (go.lint).all = true;
import "example/pb/types.proto";
service ResourceService {
option (openfga.defaults) = { type: "system", id: "default" };
option (openfga.module) = {
name: "resource",
extends: [ {
type: "system",
relations: [
{ define: "resource_admin", as: "[user, user with non_expired_grant] or admin" },
{ define: "resource_writer", as: "[user] or resource_admin" },
{ define: "resource_reader", as: "[user] or resource_admin or reader" },
{ define: "resource_watcher", as: "[user] or resource_admin or watcher" }
]
} ],
definitions: [ {
type: "resource",
relations: [
{ define: "system", as: "[system]" },
{ define: "admin", as: "[user] or resource_admin from system" },
{ define: "reader", as: "[user] or resource_reader from system" }
]
}, {
type: "sub",
relations: [
{ define: "resource", as: "[resource]" },
{ define: "admin", as: "[user] or admin from resource" },
{ define: "reader", as: "[user] or reader from resource" }
]
} ],
conditions: [ "non_expired_grant(current_time: timestamp, grant_time: timestamp, grant_duration: duration) { current_time < grant_time + grant_duration }" ]
};
rpc Create (CreateRequest) returns (CreateResponse) {
option (openfga.access) = { check: [ { as: "resource_writer" } ] };
};
rpc Read (ReadRequest) returns (ReadResponse) {
option (openfga.access) = { check: [ { as: "resource_reader" }, { type: "resource", id: "{id}" as: "reader" } ] };
}
rpc Update (UpdateRequest) returns (UpdateResponse) {
option (openfga.access) = { check: [ { as: "resource_writer" }, { type: "resource", id: "{resource.id}" as: "admin" } ] };
}
rpc AddSub (AddSubRequest) returns (AddSubResponse) {
option (openfga.access) = { check: [
// { as: "resource_writer" },
{ type: "resource", id: "{id}" as: "admin" }
] };
}
rpc ReadSub (ReadSubRequest) returns (ReadSubResponse) {
option (openfga.access) = { check: [
// { as: "resource_reader" },
{ type: "resource", id: "{resource_id}" as: "reader", ignore_not_found: true },
{ type: "sub", id: "{id}" as: "reader" }
] };
}
rpc Delete(DeleteRequest) returns (DeleteResponse) {
option (openfga.access) = { check: [ { as: "resource_writer" }, { type: "resource", id: "{id}" as: "admin" } ] };
}
rpc List(ListRequest) returns (ListResponse) {
option (openfga.access) = { check: [ { as: "resource_reader" } ] };
}
rpc Watch(WatchRequest) returns (stream Event) {
option (openfga.access) = { check: [ { as: "resource_watcher" } ] };
}
}