I am learning Ash for a new project. I am defining the multitenancy configuration, and I have a question about authorization.
From the docs:
If you want to enable running queries without a tenant as well as queries with a tenant, the global? option supports this. You will likely need to incorporate this ability into any authorization rules though, to ensure that users from one tenant can’t access other tenant’s data.
Can an authorization rule be created so only actors with the attribute is_superuser=true can get all the data? I miss an example of this.
What do you think is the best option?
Having one action with the proper authorization rules to be able to query with and without tenant
Create two read actions, one for retrieving all data (global? true) and another to use only with the tenant?
Yep! You would do this with a custom simple check.
defmodule MissingTenant do
use Ash.Policy.SimpleCheck
def match?(_, %{subject: subject}, _) do
{:ok, is_nil(subject.tenant)}
end
end
Then you can use this in your policies. With the introduction of policy groups, I’d suggest doing something along these lines:
policy_group action(:read) do
policy MissingTenant do
authorize_if actor_attribute_equals(:role, :admin)
end
policy always() do
general rules ....
end
end
It’s important to fully read the policies guides to understand how they work. All policies that apply to a request must pass, and policies fail if no check sets their status to authorized.
There is unfortunately no right or wrong answer here. They are both viable options. more and more specific actions can often simplify your application and authorization code. For reading, however, I often have fewer more flexible actions.
For your case, I’d suggest starting with the one read action that can have a tenant set or not, with policies ensuring only admins do that, and going from there
I am struggling with the docs. I didn’t know SimpleCheck could be used as a condition, and I couldn’t find anything like that in the docs.
After navigating some time over all the documentation, I saw that the arguments of match? are: actor, context and opts. But I didn’t know that subject is in the context, and I didn’t find it on the docs either. I don’t even know what subject is.
I understand your example, but I couldn’t have figured it out myself.
That is the main problem I have using Ash with as a beginner.