# CropLogic Authorization Service

This service runs OPA as a standalone authorization engine for `backend/access_control`.

## Run standalone

```bash
docker compose -f accsess/docker-compose.yaml up -d
```

## Decision endpoints

- Single feature: `POST /v1/data/croplogic/authz/decision`
- Batch features: `POST /v1/data/croplogic/authz/batch_decision`

The backend uses the batch endpoint and sends the farm context only. Users are treated as `farmer` by default inside the service, and features are allowed unless there is a feature-specific rule in `policies/authz.rego`.

## Example request

```bash
curl -s http://127.0.0.1:8181/v1/data/croplogic/authz/batch_decision \
  -H 'Content-Type: application/json' \
  -d @- <<'EOF'
{
  "input": {
    "resource": {
      "farm_id": "farm-1001",
      "subscription_plan_codes": ["gold"],
      "farm_types": ["greenhouse"],
      "crop_types": ["tomato"],
      "cultivation_types": ["soil"],
      "sensor_codes": ["sensor-7-in-1"],
      "power_sensor": ["main-power"],
      "customization": ["default-layout"]
    },
    "features": ["sensor-7-in-1"],
    "action": "view"
  }
}
EOF
```

## Add new rules in code

Define feature-specific checks directly in `policies/authz.rego`.

- If a feature has no rule, every action is allowed.
- If a feature rule exists, its conditions are evaluated and any failing condition denies access.
- `sensor-7-in-1` currently requires `resource.sensor_codes` to include `sensor-7-in-1`.
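As an added illustration of the rule model described above (example policy written for this README, not the project's own `policies/authz.rego`), the following Rego implements the default-allow behaviour, the `sensor-7-in-1` condition and verdicts for both endpoints; `input.user.role` and `input.feature` are assumed names that do not appear in this README.

```rego
package croplogic.authz

import rego.v1

# Feature-specific rules: feature name -> resource field -> value that
# field must contain. A feature with no entry here has no rule and is
# allowed for every action, which is the default this README describes.
feature_rules := {
	"sensor-7-in-1": {"sensor_codes": "sensor-7-in-1"},
}

# Assumption (not from the README): the caller's role arrives as
# input.user.role; requests that omit it are treated as farmer.
default role := "farmer"

role := input.user.role

# A feature is denied only when a rule exists for it and at least one
# condition fails. A resource field that is absent fails the condition.
feature_denied(feature) if {
	rule := feature_rules[feature]
	some field, required in rule
	resource := object.get(input, "resource", {})
	not has_value(object.get(resource, field, []), required)
}

has_value(values, wanted) if wanted in values

# Per-feature verdict: true unless a rule denies the feature.
allowed(feature) := false if feature_denied(feature)

allowed(feature) := true if not feature_denied(feature)

# Batch endpoint (POST /v1/data/croplogic/authz/batch_decision):
# one verdict per requested feature, keyed by feature name.
batch_decision := {feature: verdict |
	some feature in input.features
	verdict := allowed(feature)
}

# Single-feature endpoint. Assumption: the feature is sent as input.feature.
decision := verdict if {
	verdict := allowed(input.feature)
}
```

Save the policy as `authz_example.rego` and the example request's `input` object as `input.json`, then `opa eval -d authz_example.rego -i input.json 'data.croplogic.authz.batch_decision'` evaluates it locally; removing `sensor-7-in-1` from `sensor_codes` flips that feature's verdict to false. Because a feature without an entry falls through to allow, a misspelled feature name in a request is granted rather than rejected, so each new rule deserves a deny test alongside its allow test.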