This experiment adds support for querying relations from Authzed / SpiceDB via GRPC to check resource level permissions as custom builtin commands for Open Policy Agent.
Currently only one command is supported:
authzed.check_permission("SUBJECT", "PERMISSION", "RESOURCE_ID") -> bool
Note this example uses Go 1.19
go get
go build
Start authzed demo environment
docker compose -f demo/docker-compose.yml up -d
Run custom Open Policy Agent with authzed plugin enabled
./custom-opa-spicedb run \
--set plugins.authzed.endpoint=localhost:50051 \
--set plugins.authzed.token=foobar \
--set plugins.authzed.insecure=true
Query relations against authzed See the example RBAC schema for reference.
> authzed.check_permission("user:tom", "view", "document:firstdoc")
true
> authzed.check_permission("user:tom", "edit", "document:firstdoc")
true
> authzed.check_permission("user:fred", "edit", "document:firstdoc")
false
> exit
Stop demo environment
docker compose -f demo/docker-compose.yml down