
Baton IDs

Geoff Greer edited this page May 30, 2024 · 5 revisions

Description

Currently, each connector specifies its own ID format for resources, entitlements, and grants. This causes some problems.

Problems with the Status Quo

  • Because each connector generates and parses its own IDs, a connector occasionally has bugs in parsing or generating them.
  • Some connectors need to know the parent resources when granting/revoking. For example, adding or removing someone from a GitHub Team requires knowing the GitHub Org that the team belongs to. We can read this from the c1z, but if the connector is being used as a library, we might not have the parent resource info available.
  • While the IDs are pretty similar across most connectors, the occasional differences can confuse people.

Requirements

  • Versioned
  • Short
  • Human readable
  • Given just an ID, can determine whether it's a resource, an entitlement, or a grant.
  • Contains all the info needed to read or modify the relevant resource/entitlement/grant.
  • Can contain parent resource info (so grant/revoke always works)

Format

Resource: bid:r:<parent_resource_type>/<parent_resource_id>/<resource_type>/<resource_id>

Entitlement: bid:e:<parent_resource_type>/<parent_resource_id>/<resource_type>/<resource_id>:<entitlement_slug>

Grant: bid:g:<entitlement_parent_resource_type>/<entitlement_parent_resource_id>/<entitlement_resource_type>/<entitlement_resource_id>:<entitlement_slug>:<principal_parent_resource_type>/<principal_parent_resource_id>/<principal_resource_type>/<principal_resource_id>

Trailing colons and slashes are omitted. Empty values in the middle must still have colons. Colons and slashes in values are escaped with backslash. Backslash is escaped with backslash.

Examples

Resource

type user, id 1234. parent resource type group, id 5678

bid:r:group/5678/user/1234

type user, id 1234. no parent resource

bid:r:user/1234

Entitlement

type team, id 5678, slug member. parent resource type org, id 9012

bid:e:org/9012/team/5678:member

type team, id 5678, slug member. no parent resource

bid:e:team/5678:member

Grant

entitlement type team, id 5678, slug member. parent resource type org, id 9012. principal type user, id 1234, parent resource type team, id 5678

bid:g:org/9012/team/5678:member:team/5678/user/1234

entitlement type team, id 5678, slug member. no parent resource. principal type user, id 1234, no parent resource

bid:g:team/5678:member:user/1234
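
A parser for the format and escaping rules above, as an added example rather than code from the Baton project. The names `ParseBID` and `escaper` are hypothetical, and the check that a path has 2 segments (or 4 with a parent) is an assumption drawn from the examples on this page.

```go
package main

import (
	"fmt"
	"strings"
)

// escaper applies the wiki's rule: backslash-escape '\', ':' and '/' inside a value.
var escaper = strings.NewReplacer(`\`, `\\`, `:`, `\:`, `/`, `\/`)

// ParseBID returns the kind ("r", "e" or "g") and the unescaped fields that follow it.
func ParseBID(id string) (string, [][]string, error) {
	fields := [][]string{nil}
	var cur strings.Builder
	flush := func() { // close the current segment of the current field
		fields[len(fields)-1] = append(fields[len(fields)-1], cur.String())
		cur.Reset()
	}
	for i := 0; i < len(id); i++ {
		switch c := id[i]; c {
		case '\\': // next byte is data; only '\', ':' and '/' may be escaped
			if i++; i == len(id) || !strings.Contains(`\:/`, id[i:i+1]) {
				return "", nil, fmt.Errorf("bad escape in %q", id)
			}
			cur.WriteByte(id[i])
		case '/':
			flush()
		case ':':
			flush()
			fields = append(fields, nil)
		default:
			cur.WriteByte(c)
		}
	}
	flush()
	limit := map[string]int{"r": 3, "e": 4, "g": 5} // max colon-separated fields per kind
	if !strings.HasPrefix(id, "bid:") || len(fields) < 3 || len(fields[1]) != 1 || len(fields) > limit[fields[1][0]] {
		return "", nil, fmt.Errorf("malformed baton id %q", id)
	}
	for i, f := range fields[2:] { // assumed from the wiki's examples: paths have 2 or 4 segments
		if n := len(f); (i == 1 && n != 1) || (i != 1 && n != 2 && n != 4) {
			return "", nil, fmt.Errorf("field %d of %q has %d segments", i, id, n)
		}
	}
	return fields[1][0], fields[2:], nil
}

func main() {
	fmt.Println(ParseBID("bid:g:org/9012/team/5678:member:team/5678/user/1234"))
}
```

Because delimiters are recognized before unescaping, a value such as `1234:admin` that was not escaped when the ID was generated is rejected instead of being read as an extra field.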
