Kessel Relations API is a Zanzibar-inspired frontend for relationship-based access control (ReBAC).
To get necessary build and generation dependencies:
make init
make build
(Configs must be specified to run binary, e.g. ./bin/kessel-relations -conf configs, or run make target, below.)
make run
# Create a template project
kratos new server
cd server
# Add a proto template
kratos proto add api/server/server.proto
# Generate the proto code
kratos proto client api/server/server.proto
# Generate the source code of service by proto file
kratos proto server api/server/server.proto -t internal/service
go generate ./...
go build -o ./bin/ ./...
./bin/server -conf ./configs
# Generate API files (include: pb.go, http, grpc, validate, swagger) by proto file
make api
# Generate config code
make config
# Generate all files
make all
# install wire
go get github.com/google/wire/cmd/wire
# generate wire
cd cmd/server
wire
make spicedb-up
This is a good option for keeping spicedb running in the background while the relations-api service is run via
make run, the binary or via the IDE (run/debug) during local development.
make relations-api-up
This runs everything and is a good option for testing a built relations-api container image with the running binary.
make spicedb-down
make relations-api-down
make kind/relations-api
# build
docker build -t <your-docker-image-name> .
# run
docker run --rm -p 8000:8000 -p 9000:9000 -v </path/to/your/configs>:/data/conf <your-docker-image-name>NOTE: The minimum required version of bonfire is specified in the MIN_BONFIRE_VERSION variable in the deploy.sh script Bonfire could be upgraded by command:
pip install --upgrade crc-bonfireLatest version of bonfire could be found here.
You should have logged into a valid openshift cluster using the oc login command
oc login --token=<token> --server=<openshift server>
-
Create a config map inside a local temp directory. You can leverage the template here. The template can be used to inject any schema definition file you like by providing the contents of a schema definition file as the parameter.
# Example, create a configmap using the current default schema TEMP_DIR=$(mktemp -d) # SCHEMA_FILE can be a path to any desired schema definition file in yaml format SCHEMA_FILE=./deploy/schema.yaml oc process --local \ -f deploy/schema-configmaps/schema-configmap-template.yaml \ -p SCHEMA="$(cat ${SCHEMA_FILE})" \ -o yaml > $TEMP_DIR/schema-configmap.yaml
-
Run the following command:
bonfire deploy relations --import-configmaps --configmaps-dir $TEMP_DIR
Note: the deploy script assumes you have a valid oc login and the necessary tools are in place.
The deploy script under the deploy folder, will deploy all the needed components.
./deploy.sh
- Creates a postgres pod and service (Note: No PVC)
- Creates a spiceDB secret - that contains: a preshared key and Postgres connection URI
- Creates a Configmap object - that serves as a bootstrap schema for spiceDB (by default it uses the schema.yaml file under deploy)
- Creates the spiceDB service
- Creates the relations service
You should be able to use the public route (relations-*) created by the clowder in your namespace, to use the service.
This is demonstrating calling relationship api from rbac service in ephemeral environment.
./deploy.sh rbac <path_to_local_copy_of_relations-api>
path_to_local_copy_of_insights_rbac is this repository
Example:
./deploy.sh rbac /Projects/insights-rbac
- Updates config bonfire file and add rbac component
- Deploys rbac together with relationships application
- Hardcoded image is used with grpc client for calling relationships