UPDATE
This commit is contained in:
@@ -0,0 +1,49 @@
|
||||
# CropLogic Authorization Service
|
||||
|
||||
This service runs OPA as a standalone authorization engine for `backend/access_control`.
|
||||
|
||||
## Run standalone
|
||||
|
||||
```bash
|
||||
docker compose -f accsess/docker-compose.yaml up -d
|
||||
```
|
||||
|
||||
## Decision endpoints
|
||||
|
||||
- Single feature: `POST /v1/data/croplogic/authz/decision`
|
||||
- Batch features: `POST /v1/data/croplogic/authz/batch_decision`
|
||||
|
||||
The backend uses the batch endpoint and sends the farm context only. Users are treated as `farmer` by default inside the service, and features are allowed unless there is a feature-specific rule in `policies/authz.rego`.
|
||||
|
||||
## Example request
|
||||
|
||||
```bash
|
||||
curl -s http://127.0.0.1:8181/v1/data/croplogic/authz/batch_decision \
|
||||
-H 'Content-Type: application/json' \
|
||||
-d @- <<'EOF'
|
||||
{
|
||||
"input": {
|
||||
"resource": {
|
||||
"farm_id": "farm-1001",
|
||||
"subscription_plan_codes": ["gold"],
|
||||
"farm_types": ["greenhouse"],
|
||||
"crop_types": ["tomato"],
|
||||
"cultivation_types": ["soil"],
|
||||
"sensor_codes": ["sensor-7-in-1"],
|
||||
"power_sensor": ["main-power"],
|
||||
"customization": ["default-layout"]
|
||||
},
|
||||
"features": ["sensor-7-in-1"],
|
||||
"action": "view"
|
||||
}
|
||||
}
|
||||
EOF
|
||||
```
|
||||
|
||||
## Add new rules in code
|
||||
|
||||
Define feature-specific checks directly in `policies/authz.rego`.
|
||||
|
||||
- If a feature has no rule, every action is allowed.
|
||||
- If a feature rule exists, its conditions are evaluated and any failing condition denies access.
|
||||
- `sensor-7-in-1` currently requires `resource.sensor_codes` to include `sensor-7-in-1`.
|
||||
Reference in New Issue
Block a user