If I'm merging a silo, org, and project policy on the client in order to give a complete picture of the IAM situation for a project, I need to be able to fetch the current silo policy. Right now we have /policy for fleet policy and /silos/{silo_name}/policy for silo policy. But on the client I don't have the current silo name, or even the silo ID, so I have no way of fetching the silo policy. Here are some ways we might make that possible.
Decent options
- Move existing Fleet
/policy to /global/policy, have /policy return the policy for the current silo
- This is the best option for the client and seems most correct in general, but it may be blocked on the PR that does the
/global thing for all the relevant endpoints (early draft here), and it turns out that is a ton of work
- Add
/session/silo/policy or /session/policy or /silo/policy or something that returns the policy for the current silo
- Same as above from client POV
- Faster because not blocked on
/global work
- Trivial to switch server and client to use
/policy once /global work is done
Bad options
- Add silo ID to
/session/me and add /by-id/silos/{silo_id} endpoint
- Client gets silo ID from
/session/me, uses it to fetch silo, uses silo name to fetch policy
- Add silo ID to
/session/me and /by-id/silos/{silo_id}/policy
- Client gets silo ID from
/session/me, uses it to fetch policy directly. also 🤮 but it's one fewer request
- Add silo name to
/session/me, use existing /silos/{silo_name}/policy
- Not great because while
SiloUser has silo_id on it (see below), it does not have silo_name, and this is a pretty silly reason for a join
|
pub struct SiloUser { |
|
#[diesel(embed)] |
|
identity: SiloUserIdentity, |
|
|
|
pub silo_id: Uuid, |
If I'm merging a silo, org, and project policy on the client in order to give a complete picture of the IAM situation for a project, I need to be able to fetch the current silo policy. Right now we have
/policyfor fleet policy and/silos/{silo_name}/policyfor silo policy. But on the client I don't have the current silo name, or even the silo ID, so I have no way of fetching the silo policy. Here are some ways we might make that possible.Decent options
/policyto/global/policy, have/policyreturn the policy for the current silo/globalthing for all the relevant endpoints (early draft here), and it turns out that is a ton of work/session/silo/policyor/session/policyor/silo/policyor something that returns the policy for the current silo/globalwork/policyonce/globalwork is doneBad options
/session/meand add/by-id/silos/{silo_id}endpoint/session/me, uses it to fetch silo, uses silo name to fetch policy/session/meand/by-id/silos/{silo_id}/policy/session/me, uses it to fetch policy directly. also 🤮 but it's one fewer request/session/me, use existing/silos/{silo_name}/policySiloUserhassilo_idon it (see below), it does not havesilo_name, and this is a pretty silly reason for a joinomicron/nexus/db-model/src/silo_user.rs
Lines 14 to 18 in aff0d7a