Well-known Attributes #17
Conversation
guicassolato
added
RFC
guicassolato
force-pushed
the
rfc/well-known-attributes
branch
16 times, most recently
from
97de81f to
7642902
Compare
guicassolato
force-pushed
the
rfc/well-known-attributes
branch
6 times, most recently
from
36069ec to
2941f42
Compare
guicassolato
force-pushed
the
rfc/well-known-attributes
branch
from
2941f42 to
bb7f261
Compare
|
Overall, looking super good. Kuadrant's well known attributes are another value added by Kuadrant to be leveraged by users. |
Just to make it clear to all, these aren't spec'ed anywhere afaik, so that every other host might have a different set of those available... |
|
The wasm ones? Should we consider removing those or not adding the to the public facing docs? @guicassolato what if the public facing docs communicated only things like the request , auth and rate limit attributes? |
|
Some notes here from me, feel free to ignore for now, but I think we'll have to account for these:
|
|
@alexsnaps I am a fan on not making those wasm ones available. Or at least not documenting publicly for now. I can imagine you can get a long way with more complex use cases with the request , auth and rl properties @guicassolato WDYT |
I'm okay with omitting the Wasm attributes. What about the Proxy configuration ones? Do we need them? |
guicassolato
force-pushed
the
rfc/well-known-attributes
branch
from
8da8c0b to
b746211
Compare
I see you applied the same logic there, right? i.e. remove them until we actually have a use case that requires them? |
| @@ -547,11 +547,13 @@ Another experience learned from Authorino's Authorization JSON selectors is that | |||
| # Unresolved questions | |||
| [unresolved-questions]: #unresolved-questions | |||
|
|
|||
| 1. Can we make more attributes that are currently available to only one of the components common to both? | |||
| 1. How to deal with the differences regarding the availability and data types of the attributes across clients/hosts? | |||
There was a problem hiding this comment.
Thinking... should we only support (nested) Maps and "flatten" object structures down to these? So we'd have Strings, Numbers (i64?), arrays and nested maps... Would that be good enough... for now?
There was a problem hiding this comment.
Maps would only ever be Stringly key'able probably...
There was a problem hiding this comment.
should we only support (nested) Maps and "flatten" object structures down to these? So we'd have Strings, Numbers (i64?), arrays and nested maps... Would that be good enough... for now?
I think so.
I think we only (mainly?) have this problem in the Rust-based apps, and to retrieve the Metadata attributes, which, by transition, extends the problem to the Auth attributes as well, correct?
Specifically the metadata attribute, in the Envoy environment, is a Map of String → Struct, where Struct is itself another Map of String → Value and Value can be pretty much anything.
The main use case we have for metadata in the Rust-based chain of apps (i.e. wasm shim, Limitador) is essentially of the auth service passing data to the RL service. Then, there are the edge (?) cases of users who want to inject sources of metadata in the filter chain themselves (e.g. from a Lua filter, etc).
The kind of thing that one may want to export from the auth service to RL is hard to predict, but I would guess most of them is related to attributes of the identity/principal –– or what we will later abstract as auth.identity.* in the RLP (thus achieving consistency with the AuthPolicy).
I have no recollection of identity objects ever defined as Map structs other than by only having stringy keys, i.e. auth.identity: Map<String → Any> in virtually 100% of the cases. And the values themselves are rarely of complex types – some Arrays and nested Maps no more than a 2-level deep.
E.g.,
auth.identity.username: Stringauth.identity.verified_email: Booleanauth.identity.scopes: Array<String>auth.identity.access: Map<String → Map<String → Array<String>>>
Then we have other auth attributes (auth.(metadata|authorization|response.callbacks)) that are guaranteed to be Map<String → Any>. These are really open and the Any type becomes a problem.
Amongst all these known attributes, some could be used in conditions to be evaluated by the wasm shim, but, given the currently supported operators, not all of them.
As @alexsnaps pointed out, what is passed to Limitador in the RateLimitRequest is always String → String, although Integer literals can be already distinguished and (I'm guessing) Booleans should be easy to add support to if we want. Limitador also has its own set of operators, even though Kuadrant only needs == now. Still, this imposes a second level of constraints on the data types.
All this so far to explain (and agree) that the problem lies in the more complex data structures indeed.
Given, however:
- the use cases we know to exist,
- the operators we currently support,
- the protocol limitations we have, and
- the possibility the user almost always has to re-state the problem/implement the solution in a slight different way (e.g., in a AuthPolicy, in a Lua filter), to reduce it to an instance where only simple data types are employed,
...I think we do not need to support complex data structures. We can try to detect Numbers, maybe Booleans, but the rest can be always String.
A null value can be an empty string. Some meaning is lost in the process, but it's not the end of the world IMO (for this particular case). An Array is a String whose first character is a [ and the last is a ]; similarly, a Map starts with { and ends with }.
The user should have this in mind when defining conditions, qualifiers, or pretty much anything else that derives from Well-known attributes.
No description provided.