Conversation

@kim kim commented Oct 29, 2025

Permissions for evaluating SQL/DML are not generally "actions", but more a set of permissions that are checked during evaluation.

To make this work with the teams feature, this patch extends AuthCtx to allow checking a set of permissions as mandated by the spec. This set is a bit more fine-grained than "is owner", so as to avoid baking in the concept of teams/collaborators, or assumptions about what a role might entail. Both are likely to evolve in the future, so evaluation of permissions / capabilities should be confined to the impl of the Authorization trait.

Unlike "actions", the AuthCtx must be able to evaluate permission checks quickly and without side-effects, nor can it enter an async context. In that sense, it is precomputed (if you will), and stored as a closure in the AuthCtx for external authorization.

A challenge posed is how to thread through the constructed AuthCtx for subscriptions.

A tempting approach would have been to equip the HostController with the ability to summon an AuthCtx. That, however, would have created a gnarly circular dependency, because the HostController also controls the controldb, which itself demands an AuthCtx.

Instead, the AuthCtx is obtained in the endpoint handler and passed to each method call that requires one. That's less pretty, but more effective.
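The description above sketches the design: a per-request set of permissions computed once by the `Authorization` impl (where teams, roles and async lookups live), frozen into a cheap, side-effect-free closure on the `AuthCtx`, and threaded explicitly from the endpoint handler into SQL evaluation. The following is an added illustration of that shape, not SpacetimeDB's code: `Identity`, `Permission`, `Authorization`, `TeamAuthz`, `Stmt` and `authorize_sql` are hypothetical names, and the team policy in `TeamAuthz` is invented for the example.

```rust
// Added illustration of the AuthCtx design described in the PR text above.
// Not SpacetimeDB's code: every type and function name here is hypothetical.
use std::collections::HashSet;
use std::sync::Arc;

#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub struct Identity(pub u64);

#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub enum Permission {
    ReadTables,
    WriteTables,
    ManageSubscriptions,
}

/// The only place that interprets teams/collaborators/roles. It may hit a
/// database or go async: it runs once per request, not once per check.
pub trait Authorization {
    fn permissions_for(&self, caller: Identity, owner: Identity) -> HashSet<Permission>;
}

/// Precomputed permission check: a synchronous, side-effect-free closure that
/// SQL/DML evaluation can call as often as it likes.
#[derive(Clone)]
pub struct AuthCtx {
    caller: Identity,
    owner: Identity,
    check: Arc<dyn Fn(Permission) -> bool + Send + Sync>,
}

impl AuthCtx {
    /// Built in the endpoint handler and passed explicitly to every call that
    /// needs it, so nothing downstream has to "summon" an AuthCtx.
    pub fn new<A: Authorization>(authz: &A, caller: Identity, owner: Identity) -> Self {
        let granted = authz.permissions_for(caller, owner);
        AuthCtx { caller, owner, check: Arc::new(move |p| granted.contains(&p)) }
    }
    pub fn caller(&self) -> Identity { self.caller }
    pub fn owner(&self) -> Identity { self.owner }
    pub fn has(&self, p: Permission) -> bool { (self.check)(p) }
    pub fn has_write_access(&self) -> bool { self.has(Permission::WriteTables) }
}

/// Hypothetical team policy: the owner gets everything, collaborators get
/// read+write, everyone else is read-only. Ownership is decided here only.
pub struct TeamAuthz { pub collaborators: HashSet<Identity> }

impl Authorization for TeamAuthz {
    fn permissions_for(&self, caller: Identity, owner: Identity) -> HashSet<Permission> {
        let mut perms = HashSet::from([Permission::ReadTables]);
        if caller == owner || self.collaborators.contains(&caller) {
            perms.insert(Permission::WriteTables);
        }
        if caller == owner {
            perms.insert(Permission::ManageSubscriptions);
        }
        perms
    }
}

#[derive(Debug, PartialEq)]
pub enum Stmt { Select, Insert }

/// The DML gate: reads are open to anyone who reached this point,
/// writes require the WriteTables permission from the precomputed set.
pub fn authorize_sql(auth: &AuthCtx, stmt: &Stmt) -> Result<(), String> {
    if *stmt == Stmt::Select {
        return Ok(());
    }
    if auth.has_write_access() {
        Ok(())
    } else {
        Err(format!("Caller {:?} is not authorized to run SQL DML statements", auth.caller()))
    }
}

fn main() {
    // Constructed sample: owner 1, collaborator 2, stranger 3.
    let authz = TeamAuthz { collaborators: HashSet::from([Identity(2)]) };
    let owner = Identity(1);
    for caller in [Identity(1), Identity(2), Identity(3)] {
        let auth = AuthCtx::new(&authz, caller, owner);
        println!("{:?} INSERT -> {:?}", caller, authorize_sql(&auth, &Stmt::Insert));
    }
}
```

Note that `authorize_sql` never compares `caller` to `owner` itself; whether the owner has write access is a decision of the `Authorization` impl, which keeps the "what does a role entail" question in one place as the description intends.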

@kim kim changed the title Teams-based authorization for SQL / subscriptions [teams 4/5] SQL authorization Oct 29, 2025
@kim kim marked this pull request as ready for review October 29, 2025 14:21
// An extra layer of auth is required for DML
if auth.caller != auth.owner {
if !auth.has_write_access() {
return Err(anyhow!("Only owners are authorized to run SQL DML statements").into());
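Review bot: the outer `if auth.caller != auth.owner` makes ownership a second source of truth outside the Authorization trait, which the description says should be the only place that decides what a role entails; if the trait impl grants the owner write access, the comparison is redundant and `if !auth.has_write_access()` alone suffices, and if it does not, the owner silently bypasses the permission set. Either drop the outer check or document why the owner must short-circuit it. The message "Only owners are authorized" is also wrong for this branch, since a non-owner with write access passes it.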
Suggested change
return Err(anyhow!("Only owners are authorized to run SQL DML statements").into());
return Err(anyhow!("Caller {} is not authorized to run SQL DML statements", auth.caller()).into());

@kim kim force-pushed the kim/teams-api-auth-cli branch from e1cab37 to 8a3885a Compare November 5, 2025 09:31
@kim kim force-pushed the kim/teams-sql-auth branch from ba3b3f9 to a5ec537 Compare November 5, 2025 09:31
@kim kim force-pushed the kim/teams-api-auth-cli branch from 8a3885a to fdba810 Compare November 5, 2025 12:05
@kim kim force-pushed the kim/teams-sql-auth branch from a5ec537 to fad1a63 Compare November 5, 2025 12:05