Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

feat: Convert rego queries into SQL clauses#4225

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Merged
Emyrk merged 20 commits intomainfromstevenmasley/rego_to_sql
Oct 4, 2022

Conversation

Emyrk
Copy link
Member

@EmyrkEmyrk commentedSep 27, 2022
edited
Loading

What this does

CurrentlyFilter works by querying all resources of a given type, then callingAuthorize() on each element in the list. This would not work with pagination.

This feature takes the queries resulting from partial execution, and returns a SQL clause that can be added into aWHERE statement of a SQL query. The results are equivalent to all authorized objects in the originalFilter call.

This PR only implements this for listing workspaces. This technique can be copied easily to other listing (templates, users, etc). I just started with the one with the largest lists and the one we will likely paginate first.

Example

Partial execution returns these queries. If either is true, the user in question can read the object.

+---------+--------------------------------------------------------------------+| Query 1 | input.object.org_owner != ""                                       ||         | input.object.org_owner in {"19a3d781-9e53-4608-948e-ac084470cd99"} ||         | input.object.owner != ""                                           ||         | "me" = input.object.owner                                          |+---------+--------------------------------------------------------------------+| Query 2 | input.object.org_owner = ""                                        ||         | input.object.owner != ""                                           ||         | "me" = input.object.owner                                          |+---------+--------------------------------------------------------------------+

This code converts these rego queries into the following SQL:

SELECT*FROM workspacesWHERE-- SQL generated below this line(    (input.object.org_owner!=''ANDinput.object.org_owner= ANY(ARRAY ['a207e4ff-2cf4-44be-aadd-8f866452e3b1'])ANDinput.object.owner!=''AND'me'=input.object.owner    )OR    (input.object.org_owner=''ANDinput.object.owner!=''AND'me'=input.object.owner    ))

Long Rego Query Example

+---------+--------------------------------------------------------------------+| Query 1 | input.object.org_owner != ""                                       ||         | input.object.org_owner in {"19a3d781-9e53-4608-948e-ac084470cd99"} ||         | input.object.owner != ""                                           ||         | "me" = input.object.owner                                          |+---------+--------------------------------------------------------------------+| Query 2 | input.object.org_owner = ""                                        ||         | input.object.owner != ""                                           ||         | "me" = input.object.owner                                          |+---------+--------------------------------------------------------------------+| Query 3 | input.object.org_owner != ""                                       ||         | input.object.org_owner in {"19a3d781-9e53-4608-948e-ac084470cd99"} ||         | input.object.org_owner != ""                                       ||         | "read" in input.object.acl_group_list.allUsers                     |+---------+--------------------------------------------------------------------+| Query 4 | input.object.org_owner != ""                                       ||         | input.object.org_owner in {"19a3d781-9e53-4608-948e-ac084470cd99"} ||         | input.object.org_owner != ""                                       ||         | "*" in input.object.acl_group_list.allUsers                        |+---------+--------------------------------------------------------------------+| Query 5 | input.object.org_owner = ""                                        ||         | input.object.org_owner != ""                                       ||         | "read" in input.object.acl_group_list.allUsers                     |+---------+--------------------------------------------------------------------+| Query 6 | input.object.org_owner = ""                                        ||         | input.object.org_owner != ""                                       ||         | "*" in input.object.acl_group_list.allUsers                        |+---------+--------------------------------------------------------------------+| Query 7 | "read" in input.object.acl_user_list.me                            |+---------+--------------------------------------------------------------------+| Query 8 | "*" in input.object.acl_user_list.me                               |**+---------+--------------------------------------------------------------------+**

Future Work

Implement this technique for other list calls.

)

// AuthorizedGetWorkspaces returns all workspaces that the user is authorized to access.
func (q *sqlQuerier) AuthorizedGetWorkspaces(ctx context.Context, arg GetWorkspacesParams, authorizedFilter rbac.AuthorizeFilter) ([]Workspace, error) {
Copy link
MemberAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I wish we could add hooks into SQLc to do this. Kinda sucks to have to copy the original function and call it like this.

@EmyrkEmyrk marked this pull request as ready for reviewSeptember 29, 2022 00:37
Copy link
Member

@johnstcnjohnstcn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

This looks good to me, but I'll defer to other folks who are working on v2.

This solves it without proper types in our AST.Might bite the bullet and implement some better types
Copy link
Member

@kylecarbskylecarbs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

These tests are surprisingly simple to follow, or at least much simpler than I would have expected interfacing with Rego to be.

My primary concern is the query separation between generated and non-generated. I'd love if we could have a single query (maybe even for just getting a single?) that used the same authorization flow, but maybe that's just unreasonable.

eg.

  • GetWorkspaceByID
  • GetWorkspaces
  • GetWorkspaceByOwnerAndName

Could all be replaced by this?

// AuthorizedGetWorkspaces returns all workspaces that the user is authorized to access.
// This code is copied from `GetWorkspaces` and adds the authorized filter WHERE
// clause.
func (q *sqlQuerier) AuthorizedGetWorkspaces(ctx context.Context, arg GetWorkspacesParams, authorizedFilter rbac.AuthorizeFilter) ([]Workspace, error) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I might change the wording of this. Prefixing withAuthorized makes me think that I'm authorized to get workspaces, not that the workspaces returned I'm authorized to access.

Thoughts onGetAuthorizedWorkspaces instead?

Emyrk reacted with thumbs up emoji
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Is it possible for us to get rid ofGetWorkspaces in its entirety? There doesn't seem much of a point in getting workspaces that the user doesn't have access to.

Copy link
MemberAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

@kylecarbs that is a good question. For system level things there might be a need? But we can always add back "GetWorkspaces" later.

I was using SQLc's generated code to make this function. To get rid ofGetWorkspaces would be to remove all those SQLc calls. I guess that is ok? It is nice to use it to generate most of this code, it just can't support the dynamic parts of the query.

@Emyrk
Copy link
MemberAuthor

AuthorizedGetWorkspaces

This change is only made for "listing" objects, for singular objects running the rego on the returned object is easier. So if we implemented this for the singular too, I would not convert to SQL, I would just call the sqlc code and runAuthorize() on that returned object.

I wish there was a way to integrate this into SQLc, as it is a great tool, it just doesn't support this use case.

My goal for this PR was to implement this functionality to make this possible. We next implement it for the 2/3 list queries that are "slow" with theFilter. It is really only needed in 2/3 places to support that dashboard "List all that I can view" view.

@EmyrkEmyrk merged commitcd4ab97 intomainOct 4, 2022
@EmyrkEmyrk deleted the stevenmasley/rego_to_sql branchOctober 4, 2022 15:35
Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment
Reviewers

@johnstcnjohnstcnjohnstcn left review comments

@coadlercoadlercoadler left review comments

@kylecarbskylecarbskylecarbs approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

4 participants
@Emyrk@johnstcn@coadler@kylecarbs
[8]ページ先頭
©2009-2025 Movatter.jp