From 8f53dfd4e54348b90b4aad5c60d1b8f03fd31499 Mon Sep 17 00:00:00 2001
From: Marvin Gajek
Date: Sun, 17 Nov 2024 17:27:56 +0100
Subject: [PATCH] fix OpenFGA model and add sample tuples

---
 docs/diagrams/openfga-tuples.yml | 85 ++++++++++++++++++++++++++++++++
 docs/diagrams/openfga.dsl | 25 +++++-----
 2 files changed, 99 insertions(+), 11 deletions(-)
 create mode 100644 docs/diagrams/openfga-tuples.yml

diff --git a/docs/diagrams/openfga-tuples.yml b/docs/diagrams/openfga-tuples.yml
new file mode 100644
index 0000000..f464d95
--- /dev/null
+++ b/docs/diagrams/openfga-tuples.yml
@@ -0,0 +1,85 @@
+tuples:
+ # Admin granting full control over all blobs
+ - user: "user:AdminUser"
+ relation: "admin"
+ object: "blob:Blob1"
+
+ # Owner managing their own blob
+ - user: "user:OwnerUser"
+ relation: "owner"
+ object: "blob:Blob1"
+
+ # Owner granting permission to a grantee to download a blob
+ - user: "user:OwnerUser"
+ relation: "owner"
+ object: "blob:Blob1"
+
+ # Owner granting permission to a grantee to view a blob
+ - user: "user:OwnerUser"
+ relation: "owner"
+ object: "blob:Blob1"
+
+ # Grantee granted permission to download the blob
+ - user: "user:GranteeUser"
+ relation: "grantee"
+ object: "blob:Blob1"
+
+ # Grantee granted permission to view the blob
+ - user: "user:GranteeUser"
+ relation: "grantee"
+ object: "blob:Blob1"
+
+ # Owner performing cryptographic action (create own keys)
+ - user: "user:OwnerUser"
+ relation: "owner"
+ object: "blob:Blob1"
+
+ # Owner encrypting a file (blob)
+ - user: "user:OwnerUser"
+ relation: "owner"
+ object: "blob:Blob1"
+
+ # Owner generating signature for their own file (blob)
+ - user: "user:OwnerUser"
+ relation: "owner"
+ object: "blob:Blob1"
+
+ # Grantee verifying the signature of the file (blob)
+ - user: "user:GranteeUser"
+ relation: "grantee"
+ object: "blob:Blob1"
+
+ # Admin granting full permissions for cryptographic actions
+ - user: "user:AdminUser"
+ relation: "admin"
+ object: "blob:Blob1"
+
+ # Admin granting full permissions to view and manage all blobs
+ - user: "user:AdminUser"
+ relation: "admin"
+ object: "blob:Blob2"
+
+ # Owner granting access to download a specific file to a grantee
+ - user: "user:OwnerUser"
+ relation: "owner"
+ object: "blob:Blob2"
+
+ # Owner granting access to view a specific file to a grantee
+ - user: "user:OwnerUser"
+ relation: "owner"
+ object: "blob:Blob2"
+
+ # Grantee being allowed to download a blob with permissions granted
+ - user: "user:GranteeUser"
+ relation: "grantee"
+ object: "blob:Blob2"
+
+ # Grantee being allowed to view a blob with permissions granted
+ - user: "user:GranteeUser"
+ relation: "grantee"
+ object: "blob:Blob2"
+
+ # Example of an Admin performing an action that is beyond a normal user
+ - user: "user:AdminUser"
+ relation: "admin"
+ object: "blob:Blob3"
diff --git a/docs/diagrams/openfga.dsl b/docs/diagrams/openfga.dsl
index 9aaaaf0..549db05 100644
--- a/docs/diagrams/openfga.dsl
+++ b/docs/diagrams/openfga.dsl
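Review bot: Only 7 of the 17 tuples in this new file are distinct: `user:OwnerUser` / `owner` / `blob:Blob1` is listed six times and `user:GranteeUser` / `grantee` / `blob:Blob1` three times, each under a comment describing an action ("Owner granting permission to a grantee to download a blob", "Owner encrypting a file") that a tuple cannot express — a tuple only asserts a relation, and the permissions follow from the model's `define` lines. As far as I recall the OpenFGA Write API rejects a tuple that already exists, so the sample would fail to load as written; one tuple per role holder and blob (three for Blob1, three for Blob2, one for Blob3) is all the model needs, with the comments moved to the role they assign. The `user_group#owner` / `user_group#grantee` / `user_group#admin` usersets the accompanying model change introduces are not exercised at all; a pair such as `- user: "user:AdminUser"` / `relation: "admin"` / `object: "user_group:Ops"` and `- user: "user_group:Ops#admin"` / `relation: "admin"` / `object: "blob:Blob3"` (group name constructed) would document the group path and show that group membership is itself a grant to review. Note also that the comment "full permissions to view and manage all blobs" is misleading: `admin` is declared on `type blob`, so each of these tuples grants admin on exactly one blob.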
@@ -3,33 +3,36 @@ model
 type user
+type user_group
+ relations
+ define owner: [user]
+ define grantee: [user] # A user who has been granted permissions for an owner's blob
+ define admin: [user] # Admin can manage all blobs, including cryptographic actions
+
 type blob
 relations
- # Permissions related to blob management
+ # Permissions related to file management
 define can_manage_all_blobs: admin
 define can_manage_own_blobs: owner
 define can_download_blobs_with_given_permission: grantee
 define can_view_blobs_with_given_permission: grantee
 # Cryptographic actions
- define can_manage_all_keys: admin
 define create_own_cryptographic_keys: owner
- define encrypt_decrypt_own_blobs: owner
- define generate_signature_for_own_blobs: owner
- define verify_blob_signature: owner or grantee # Public key verification is possible for grantee
+ define encrypt_decrypt_own_files: owner
+ define generate_signature_for_own_files: owner
+ define verify_file_signature: owner or grantee # Public key verification is possible for grantee
 # Access control for owners and grantees
 define can_grant_access_to_download_owned_blobs: owner
 define can_grant_access_to_view_owned_blobs: owner
 # Ownership and user roles
- define owner: [user]
- define grantee: [user] # A user who has been granted permissions for an owner's blob
- define admin: [user] # Admin can manage all blobs, including cryptographic actions
+ define owner: [user, user_group#owner]
+ define grantee: [user, user_group#grantee] # A user who has been granted permissions for an owner's blob
+ define admin: [user, user_group#admin] # Admin can manage all blobs, including cryptographic actions
 # Additional clarifications
 # - Admin has full control over all blobs
 # - Owner controls access to their own blob, including granting permissions
- # - Grantee has permission to download or view blobs if granted by the owner
-
- # In order to visualize the relationship based model visit https://play.fga.dev/sandbox/?store=github and paste in this content
+ # - Grantee has permission to download or view blobs if granted by the owner
\ No newline at end of file
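Review bot: The comment carried over onto `define admin: [user, user_group#admin]` and repeated on `user_group`, "Admin can manage all blobs, including cryptographic actions", no longer describes the model: this hunk deletes `define can_manage_all_keys: admin`, so none of the remaining cryptographic relations (`create_own_cryptographic_keys`, `encrypt_decrypt_own_files`, `generate_signature_for_own_files`, `verify_file_signature`) resolves through admin, and because `admin` is a relation on `type blob` rather than on a store-wide object it only holds for blobs that carry an explicit admin tuple, which also limits `user_group#admin` to the blobs that reference the group. If that narrower scope is intended — defensible from a least-privilege angle, since an admin then cannot decrypt or sign on a user's behalf — say so where the relation is defined, e.g. `# Admin can manage the blobs it is explicitly assigned to; cryptographic actions stay with owner (and grantee for verification)`, and replace "Admin has full control over all blobs" in the clarifications accordingly; if a global admin is intended, the model needs a top-level type the blob relations derive from. Renaming `encrypt_decrypt_own_blobs`, `generate_signature_for_own_blobs` and `verify_blob_signature` to the `_files` variants changes identifiers that tuples and Check calls reference by name, so any existing store data or client code using the old names would stop resolving; no callers are visible here, so that is an inference worth confirming before the rename is kept.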