diff --git a/doc/user-guides/authzed.md b/doc/user-guides/authzed.md new file mode 100644 index 000000000..ee93ed54c --- /dev/null +++ b/doc/user-guides/authzed.md 
@@ -0,0 +1,371 @@ +# AuthPolicy Integration with Authzed/SpiceDB + +This guide explains how to configure permission requests for a Google Zanzibar-based [Authzed/SpiceDB](https://authzed.com) instance using gRPC. + +## Requisites + +- [Docker](https://docker.io) + +## Run the guide ① → ⑥ + +### ① Setup + +Clone the repo: + +```sh +git clone git@github.com:Kuadrant/kuadrant-operator.git && cd kuadrant-operator +``` + +Run the following command to create a local Kubernetes cluster with [Kind](https://kind.sigs.k8s.io/), install & deploy Kuadrant: + +```sh +make local-setup +``` + +Request an instance of Kuadrant in the `kuadrant-system` namespace: + +```sh +kubectl -n kuadrant-system apply -f - <&1 >/dev/null & +``` + +Create the permission schema: + +```sh +curl -X POST http://localhost:8443/v1/schema/write \ + -H 'Authorization: Bearer secret' \ + -H 'Content-Type: application/json' \ + -d @- << EOF +{ + "schema": "definition blog/user {}\ndefinition blog/post {\n\trelation reader: blog/user\n\trelation writer: blog/user\n\n\tpermission read = reader + writer\n\tpermission write = writer\n}" +} +EOF +``` + +Create the relationships: + +- `blog/user:emilia` → `writer` of `blog/post:1` +- `blog/user:beatrice` → `reader` of `blog/post:1` + +```sh +curl -X POST http://localhost:8443/v1/relationships/write \ + -H 'Authorization: Bearer secret' \ + -H 'Content-Type: application/json' \ + -d @- << EOF +{ + "updates": [ + { + "operation": "OPERATION_CREATE", + "relationship": { + "resource": { + "objectType": "blog/post", + "objectId": "1" + }, + "relation": "writer", + "subject": { + "object": { + "objectType": "blog/user", + "objectId": "emilia" + } + } + } + }, + { + "operation": "OPERATION_CREATE", + "relationship": { + "resource": { + "objectType": "blog/post", + "objectId": "1" + }, + "relation": "reader", + "subject": { + "object": { + "objectType": "blog/user", + "objectId": "beatrice" + } + } + } + } + ] +} +EOF +``` + +### ④ Create an `AuthPolicy` + +Store the 
shared token for Authorino authentication with the SpiceDB instance (must be created in the same namespace as the Kuadrant CR): + +```sh +kubectl -n kuadrant-system apply -f -<
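Review bot: the value `secret` that appears in both `-H 'Authorization: Bearer secret'` headers in step ③ is the SpiceDB pre-shared key, and step ④ then stores "the shared token for Authorino authentication with the SpiceDB instance" in a Kubernetes Secret, but the guide never says that these two are the same value, that they must match what the SpiceDB container was started with, or that `secret` is a demo placeholder to be replaced outside a local Kind cluster. Suggest one sentence before the schema-write `curl`, e.g. "`secret` is the pre-shared key the local SpiceDB instance was started with; use a strong, generated value for anything but this local setup, and reuse the same value in the Secret created in step ④." Two smaller points on the same hunk: the backgrounded SpiceDB command ends in `&1 >/dev/null &`, which reads as `2>&1 >/dev/null`; in that order stderr still reaches the terminal and only stdout is discarded, so either change it to `>/dev/null 2>&1` if the intent is to silence the container, or say that errors are deliberately kept visible. And the `## Requisites` heading should read `## Prerequisites`, which is what the other user guides in `doc/user-guides/` use.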