Authorization design

[infogulch]

Hi! I'd like to discuss potential authorization designs.

I think cozodb should consider Authentication (i.e. proof of a user's status) as out-of-scope, or rather, an application-level design decision. However, given a user name or id was already verified it could be used as a parameter to queries that apply access control internally.

In the HN discussion of the recent blog post / release someone asked about data security, and one of the replies mentioned the palantir access control design (slides). While this looks neat unfortunately this design does not seem to be well specified so I'm unsure how one would go about implementing it.

Another option could be to model authorization after Google's Zanzibar paper ¹ or authzed's spicedb which is an open-source implementation of it ². In particular, the Developing a Schema guide may help model a useful authorization schema. The biggest challenge for this design may be orienting the general schema around 'subject'/'object' resources, and relating those resources to cozo relations.

Excerpt from authzed's Developing a Schema:

The final step in translating is to link the object references by the relation we've created:

document:specificdocument#reader@user:specificuser
|_______________________| |____| |_______________|
        resource         relation     subject

To connect our two object references via our relation reader, we use the syntax # and @ to create the final relationship string.

We now have a valid [relationship] representing that specificuser can view specificdocument, which we can place into the "Test Data" tab of the Playground:

Honestly this seems eminently implementable in cozoscript today, so maybe all we would need is some examples of how to implement authorization with your own schema, and no changes to cozodb itself would be necessary.

Footnotes

1. https://zanzibar.tech/ ↩

2. https://github.com/authzed/spicedb ↩

[gisborne]

It would be amazing to support having many (100s of thousands) of accounts that are surfaced in Datalog.

This would make eg multi-tenant applications much easier.

[infogulch]

I suspect the question of the cozodb's ability to scale the number of users just comes down to its ability to scale querying across relations in general.

[aramallo]

I am new to Cozo and Rust, so no chance I can contribute yet, but I think implementing AuthZ using anything but ReBAC would be a shame given that we have Datalog :-)