feature: Delegated Claimed Permissions

Open stevekuznetsov opened this issue 3 years ago • 2 comments

Feature Description

As a service provider that owns multiple APIExports, if a user accepts a PermissionClaim on one of my exports, I should be able to delegate this permission to other exports I own.

Proposed Solution

Lots to design here. Specifically:

  • We need some mechanism to determine shared ownership of multiple APIExports with potentially different identities (keep in mind that we might get per-resource identities as well in #2011).
  • We need a mechanism for the service provider to show their intent to delegate these claimed permissions
  • Once we have that, we can determine in the APIBinding reconciler that a new claim should be accepted on some delegate APIExport

Alternative Solutions

No response

Want to contribute?

  • [ ] I would like to work on this issue.

Additional Context

No response

stevekuznetsov, Sep 16 '22 15:09

This would be extremely helpful for some of our use cases. I'd be happy to work on this -- I'm wondering if we would consider introducing something like an APIExportGroup?

hasheddan, Oct 04 '22 15:10

Would the group be solving the first bullet point in my list above? I think we were hoping for a cryptography-based approach given that we expect APIExports to have globally-unique identifiers via secret data.

stevekuznetsov, Oct 04 '22 16:10