feat(control): scope usage/logs/catalogview reads to caller-owned rows #361
Merged
Usage and log events carry the sha256 hash of the inbound bearer, so a
scoping Authorizer narrows every usage/logs read to events attributed
to relay-keys the caller owns: filters are forced (or intersected) to
the owned hash set, an empty owned set short-circuits to an empty
result, and /logs/{request_id} returns 404 for foreign or unattributed
records. Admins and the single-user default authorizer read the whole
stream unchanged.
catalogview.Service gains an optional Visible predicate, wired from
the request's Authorizer: policy-rooted projections resolve invisible
policies as not-found, and /hosts/{ref}/keys and /models/{ref}/policies
drop rows the caller may not see.
usage/logs move into the authorizer's scoped-read set now that their
handlers enforce row scoping (previously admin-only under the scoped
authorizer). No behavior change for the single-user default.
Follow-up to #360, completing read-side scoping for the opt-in owner-scoped authorizer.
- `/logs/{request_id}` returns 404 for foreign or unattributed records (gating the payload-body join too).
- `catalogview.Service` gains an optional `Visible` predicate, wired per-request from the Authorizer: policy-rooted projections resolve invisible policies as not-found; `/hosts/{ref}/keys` and `/models/{ref}/policies` drop rows the caller may not see.
- No behavior change with the default authorizer — covered by regression tests (unfiltered queries, `Visible=nil` path).

Tested: unit coverage for the scope helpers and catalogview visibility, httptest coverage for the handlers (scoped-out short-circuit never touches the store; admin/single-user read unfiltered), full suite + lint-rules.
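The scoping rules the description lays out (filter forced or intersected to the owned hash set, empty owned set short-circuits, `/logs/{request_id}` 404 for foreign or unattributed rows, optional `Visible` predicate), as an added Go example written for this page. It is not code from the PR or the project: `Event`, `Scope`, `EffectiveFilter`, `LookupLog` and `FilterVisible` are assumed names standing in for the project's event type, authorizer scope, scope helpers and catalogview predicate, and the bearers, request IDs and bodies are constructed sample data.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
)

// Event is a constructed stand-in for a usage/log event. KeyHash is
// hex(sha256(inbound bearer)), or "" for a record never attributed to a
// relay key. The project's real event type is not on the page.
type Event struct {
	RequestID string
	KeyHash   string
	Body      string // filled by the payload-body join, which must not run for foreign rows
}

// Scope is an assumed shape for what the Authorizer hands each handler.
// Unscoped covers both admins and the single-user default authorizer.
type Scope struct {
	Unscoped bool
	Owned    map[string]struct{} // hashes of the relay keys the caller owns
}

// HashBearer mirrors how events are attributed: sha256 over the bearer token.
func HashBearer(bearer string) string {
	sum := sha256.Sum256([]byte(bearer))
	return hex.EncodeToString(sum[:])
}

var ErrNotFound = errors.New("not found")

// EffectiveFilter narrows a requested key-hash filter to the caller's owned
// set. A nil requested filter means "everything". ok=false means the result
// is provably empty, so the handler answers [] without touching the store.
func EffectiveFilter(s Scope, requested []string) (filter []string, ok bool) {
	if s.Unscoped {
		return requested, true // admin / single-user default: pass through unchanged
	}
	if len(s.Owned) == 0 {
		return nil, false
	}
	if requested == nil {
		for h := range s.Owned { // force the filter to the owned set
			filter = append(filter, h)
		}
	} else {
		for _, h := range requested { // intersect with the owned set
			if _, own := s.Owned[h]; own {
				filter = append(filter, h)
			}
		}
	}
	if len(filter) == 0 {
		return nil, false
	}
	sort.Strings(filter)
	return filter, true
}

// LookupLog models /logs/{request_id}: the ownership check comes before the
// body join, and missing, unattributed and foreign records all map to
// ErrNotFound so the endpoint does not confirm that a request ID exists.
func LookupLog(s Scope, store map[string]Event, bodies map[string]string, id string) (Event, error) {
	ev, found := store[id]
	if !found {
		return Event{}, ErrNotFound
	}
	if !s.Unscoped {
		if ev.KeyHash == "" {
			return Event{}, ErrNotFound
		}
		if _, own := s.Owned[ev.KeyHash]; !own {
			return Event{}, ErrNotFound
		}
	}
	ev.Body = bodies[id] // join runs only for rows the caller may see
	return ev, nil
}

// FilterVisible models catalogview's optional Visible predicate: nil keeps
// every row (the default-authorizer path); otherwise failing rows are dropped.
func FilterVisible(rows []string, visible func(string) bool) []string {
	if visible == nil {
		return rows
	}
	out := rows[:0:0]
	for _, r := range rows {
		if visible(r) {
			out = append(out, r)
		}
	}
	return out
}

func main() {
	mine, theirs := HashBearer("rk_alice"), HashBearer("rk_bob") // constructed bearers
	alice := Scope{Owned: map[string]struct{}{mine: {}}}
	store := map[string]Event{
		"req-1": {RequestID: "req-1", KeyHash: mine},
		"req-2": {RequestID: "req-2", KeyHash: theirs},
		"req-3": {RequestID: "req-3"}, // unattributed
	}
	bodies := map[string]string{"req-1": "body-1", "req-2": "body-2"}
	f, ok := EffectiveFilter(alice, []string{mine, theirs})
	fmt.Println("filter:", f, "query store:", ok)
	for _, id := range []string{"req-1", "req-2", "req-3", "missing"} {
		_, err := LookupLog(alice, store, bodies, id)
		fmt.Println(id, "->", err)
	}
}
```

Two points worth keeping when porting this shape into a real handler: the `ok=false` short-circuit is what lets the httptest cases assert that a scoped-out caller never reaches the store, and collapsing "missing", "unattributed" and "foreign" into the same 404 (rather than a 403 for the latter two) keeps request IDs from being enumerated through the error code.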