Hello!
I’m trying to figure out how to implement a complicated authorization scheme and allow to change the rules at run-time (without altering code base). Currently I evaluating this for a DDD (CQRS\ES) application I’am planning but it is more general question I think.
So let’s imagine we have the next set of authorization rules in the specs:
It is possible to hard-code this rules but obviously I think it’s a dirty practice to put authorization code into the core domain for the one hand, and it will be non-trivial to support and extend this rules, especially when new domains, entities and\or attributes come to the scene.
So I think about ABAC with some kind of XACML implementation. In this case it would be possible to make policies like:
Policy name: List awaiting documents orders
Effect: Allow
Union: All
Rule 1: CommandOrQuery == ListOrders
Rule 2: Subject.Role == “Branch operator”
Rule 3: Object.Creator.Branch == Subject.Branch
Rule 4: Object.Status == “Documents required”
In case of commands Object-related rules become conditions, I believe.
Then it will be necessary to send the whole object and subject (user in our case) to the Application level authorization service like:
defmodule MyApp.Orders.Queries.ListOrders do
alias MyApp.Orders.Projections.{User, Order}
def execute(params, %User{} = user) do
case MyApp.SecurityDomain.can?(__MODULE__, Order, user) do
:not_authorized -> {:error, :not_authorized}
conditions -> params
|> Map.merge(conditions)
|> buildQuery()
|> runQuery()
end
end
end
defmodule MyApp.SecurityDomain do
def can?(MyApp.Orders.Queries.ListOrders, object, subject) do
...
end
end
Sure, there will be a lot of difficulties beginning from query builder, especially with rules\conditions like in my example (Order aggregation and projection must have a Creator
structure (even sub-aggregate probably) with Branch field) and so on, Order domain must follow User events and update appropriate local user aggregates etc etc.
But this will be let the security officers to create very flexible rules right at the run-time without developers intervention and downtime.
Of course I may over-complicate things and the same can be done much more easily. If so please let me know where can I read best practice and realization (especially in Elixir). Haven’t seen any examples of the more or less complete authorization system, all applications\articles I found have very simple auth part.
What do you think?