Skip to content

[teams 4/5] SQL authorization #3525

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
kim merged 2 commits into from
Nov 11, 2025
Merged

[teams 4/5] SQL authorization #3525

kim merged 2 commits into from
Nov 11, 2025

Conversation

@kim
Copy link
Contributor

@kim kim commented Oct 29, 2025
edited
Loading

Permissions for evaluating SQL/DML are not generally "actions", but more a set of permissions that are checked during evaluation.

To make this work with the teams feature, this patch extends AuthCtx to allow checking a set of permissions as mandated by the spec. This set is a bit more fine-grained than "is owner", so as to avoid baking in the concept of teams/collaborators, or assumptions about what a role might entail. Both are likely to evolve in the future, so evaluation of permissions / capabilities should be confined to the impl of the Authorization trait.

Unlike "actions", the AuthCtx must be able to evaluate permission checks quickly and without side-effects, nor can it enter an async context. In that sense, it is precomputed (if you will), and stored as a closure in the AuthCtx for external authorization.

A challenge posed is how to thread through the constructed AuthCtx for subscriptions.

A tempting approach would have been to equip the HostController with the ability to summon an AuthCtx. That, however, would have created a gnarly circular dependency, because the HostController also controls the controldb, which itself demands an AuthCtx.

Instead, the AuthCtx is obtained in the endpoint handler and passed to each method call that requires one. That's less pretty, but more effective.

@kim kim changed the title Teams-based authorization for SQL / subscriptions [teams 4/5] SQL authorization Oct 29, 2025
@kim kim marked this pull request as ready for review October 29, 2025 14:21
@kim kim mentioned this pull request Oct 29, 2025
Merged
gefjon
gefjon approved these changes Oct 29, 2025
View reviewed changes
@kim kim force-pushed the kim/teams-api-auth-cli branch from e1cab37 to 8a3885a Compare November 5, 2025 09:31
@kim kim force-pushed the kim/teams-sql-auth branch from ba3b3f9 to a5ec537 Compare November 5, 2025 09:31
@kim kim force-pushed the kim/teams-api-auth-cli branch from 8a3885a to fdba810 Compare November 5, 2025 12:05
@kim kim force-pushed the kim/teams-sql-auth branch from a5ec537 to fad1a63 Compare November 5, 2025 12:05
@kim kim force-pushed the kim/teams-api-auth-cli branch from fdba810 to 2ef3f78 Compare November 10, 2025 10:46
@kim kim force-pushed the kim/teams-sql-auth branch from 73b1012 to b07c9b2 Compare November 10, 2025 10:46
@kim kim force-pushed the kim/teams-api-auth-cli branch from 2ef3f78 to 693699c Compare November 10, 2025 11:35
@kim kim force-pushed the kim/teams-sql-auth branch from b07c9b2 to 0ec430c Compare November 10, 2025 11:35
@bfops bfops added the release-any To be landed in any release window label Nov 10, 2025
@kim kim force-pushed the kim/teams-api-auth-cli branch from 693699c to 1d72771 Compare November 11, 2025 12:55
Base automatically changed from kim/teams-api-auth-cli to master November 11, 2025 15:09
@kim @gefjon
Teams-based authorization for SQL / subscriptions
afcbaab 
Update crates/core/src/sql/execute.rs

Co-authored-by: Phoebe Goldman <phoebe@clockworklabs.io>
Signed-off-by: Kim Altintop <kim@eagain.io>
@kim kim force-pushed the kim/teams-sql-auth branch from 0ec430c to afcbaab Compare November 11, 2025 18:25
@kim kim enabled auto-merge November 11, 2025 18:26
@kim kim added this pull request to the merge queue Nov 11, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Nov 11, 2025
@kim kim added this pull request to the merge queue Nov 11, 2025
Merged via the queue into master with commit 310d8eb Nov 11, 2025
24 of 25 checks passed
@kim kim deleted the kim/teams-sql-auth branch November 11, 2025 21:09
@kim kim mentioned this pull request Nov 12, 2025
Closed
drogus pushed a commit that referenced this pull request Nov 12, 2025
@kim
[teams 5/5] Identity routes (#3526)
3ea5fde 
Introduces a "routes struct" for the `/identity` endpoints, much like
the `DatabaseRoutes`.
This is useful for overriding individual handlers.

See companion for motivation.

Depends-on: #3525
@egormanga egormanga mentioned this pull request Nov 12, 2025
Open
4 tasks
egormanga added a commit to egormanga/SpacetimeDB that referenced this pull request Nov 22, 2025
@egormanga
Adjusted for Teams support. See clockworklabs#3525
d1ea89b
egormanga added a commit to egormanga/SpacetimeDB that referenced this pull request Nov 22, 2025
@egormanga
Adjusted for Teams support. See clockworklabs#3525
1d96cdd
egormanga added a commit to egormanga/SpacetimeDB that referenced this pull request Nov 22, 2025
@egormanga
Adjusted for Teams support. See clockworklabs#3525
38f9471
egormanga added a commit to egormanga/SpacetimeDB that referenced this pull request Dec 11, 2025
@egormanga
Adjusted for Teams support. See clockworklabs#3525
caee409
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gefjon gefjon gefjon approved these changes

@joshua-spacetime joshua-spacetime joshua-spacetime approved these changes

@bfops bfops Awaiting requested review from bfops

@cloutiertyler cloutiertyler Awaiting requested review from cloutiertyler

@jdetter jdetter Awaiting requested review from jdetter

Assignees

No one assigned

Labels

release-any To be landed in any release window

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@kim @gefjon @joshua-spacetime @bfops