JAAS: Authorisation Data¶
JAAS uses a Relationship-Based Access Control (ReBAC) scheme for authorisation. This document describes the structure of the authorisation data that JAAS stores.
Hint
For an explanation on Relationship-Based Access Control (ReBAC) check out this explanation topic.
Hint
As a reference on JAAS authorisation model, check out this reference topic.
Tuples¶
Put simply, JAAS authorisation data is the set of relationships established between entities. In ReBAC, a tuple is the plain data structure that represents one relationship between two entities, so a tuple has three components:
Entity A (or Object): the entity that holds (uses) the relation; in the example below, the user.
Relation: the type of relationship.
Entity B (or Target): the entity that provides the relation, i.e. the entity the relation is held on; in the example below, the group.
Note
JAAS terminology is slightly different from OpenFGA. In OpenFGA, Entity A and Entity B are called User and Object, but in JAAS, they are called Object and Target (object).
For example, if a user named alice@canonical.com has the member relationship with a group named foo, then the tuple that represents this relation looks like this:
object: user:alice@canonical.com
relation: member
target: group:foo
This reads as: “an entity of type user, named alice@canonical.com, has the member relationship to an entity of type group, named foo.”
Manipulating tuples¶
Hint
For a tutorial on managing users/groups permissions, check out this topic.
To manipulate tuples (i.e. add or remove relations between resources), use the jimmctl auth commands. Note that on the command line an entity is written as type-name (for example group-foo) rather than the type:name form used in the tuple itself. The command below adds the tuple discussed in the example above:
jimmctl auth relation add user-alice@canonical.com member group-foo
To check whether a specific tuple exists, use the relation check command:
jimmctl auth relation check user-alice@canonical.com member group-foo
You can also remove a tuple with the same syntax:
jimmctl auth relation remove user-alice@canonical.com member group-foo
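The following Go program is an added example, not code from JAAS or JIMM. It models the tuple described above (object, relation, target, with the OpenFGA user/relation/object naming alongside), validates the type:name entity form, and exercises the add/check/remove lifecycle against a small in-memory tuple set that stands in for the real backend. The conversion from the jimmctl argument form (type-name, as in group-foo) to the tuple form (type:name) is an assumption drawn from the examples on this page, not JIMM's own parser; the sample input is constructed to mirror the alice@canonical.com example.

```go
package main

import (
	"fmt"
	"strings"
)

// Tuple is a relationship in JAAS terms: Object holds Relation to Target.
// In OpenFGA terms the same three fields are user, relation and object.
type Tuple struct {
	Object   string // "type:name", e.g. "user:alice@canonical.com"
	Relation string // e.g. "member"
	Target   string // "type:name", e.g. "group:foo"
}

// ParseEntity splits a "type:name" entity reference and rejects empty parts.
func ParseEntity(s string) (typ, name string, err error) {
	typ, name, ok := strings.Cut(s, ":")
	if !ok || typ == "" || name == "" {
		return "", "", fmt.Errorf("invalid entity %q: expected type:name", s)
	}
	return typ, name, nil
}

// FromCLIArg converts a jimmctl-style argument such as "group-foo" into the
// tuple form "group:foo". Assumption (not JIMM's parser): the entity type is
// the text before the first hyphen, so "user-alice@canonical.com" becomes
// "user:alice@canonical.com" and hyphens inside the name are preserved.
func FromCLIArg(arg string) (string, error) {
	typ, name, ok := strings.Cut(arg, "-")
	if !ok || typ == "" || name == "" {
		return "", fmt.Errorf("invalid argument %q: expected type-name", arg)
	}
	return typ + ":" + name, nil
}

// NewTupleFromCLI builds a Tuple from the three positional arguments that
// the jimmctl auth relation add/check/remove commands take.
func NewTupleFromCLI(object, relation, target string) (Tuple, error) {
	obj, err := FromCLIArg(object)
	if err != nil {
		return Tuple{}, err
	}
	tgt, err := FromCLIArg(target)
	if err != nil {
		return Tuple{}, err
	}
	if relation == "" {
		return Tuple{}, fmt.Errorf("relation must not be empty")
	}
	return Tuple{Object: obj, Relation: relation, Target: tgt}, nil
}

// ToOpenFGA renames the fields to OpenFGA's user/relation/object terminology.
func (t Tuple) ToOpenFGA() (user, relation, object string) {
	return t.Object, t.Relation, t.Target
}

// Store is a minimal in-memory tuple set standing in for the real backend so
// that add/check/remove can be exercised offline.
type Store struct {
	tuples map[Tuple]struct{}
}

func NewStore() *Store {
	return &Store{tuples: map[Tuple]struct{}{}}
}

// Add validates both entities and records the tuple; re-adding is a no-op.
func (s *Store) Add(t Tuple) error {
	for _, e := range []string{t.Object, t.Target} {
		if _, _, err := ParseEntity(e); err != nil {
			return err
		}
	}
	if t.Relation == "" {
		return fmt.Errorf("relation must not be empty")
	}
	s.tuples[t] = struct{}{}
	return nil
}

// Check reports whether exactly this tuple is stored. It is a direct lookup
// only; unlike a real ReBAC check it does not evaluate relations that the
// authorisation model derives from other tuples.
func (s *Store) Check(t Tuple) bool {
	_, ok := s.tuples[t]
	return ok
}

// Remove deletes the tuple and reports whether it was present.
func (s *Store) Remove(t Tuple) bool {
	_, ok := s.tuples[t]
	delete(s.tuples, t)
	return ok
}

func main() {
	s := NewStore()
	// Constructed input mirroring the page's example.
	tup, err := NewTupleFromCLI("user-alice@canonical.com", "member", "group-foo")
	if err != nil {
		panic(err)
	}
	fmt.Printf("object=%s relation=%s target=%s\n", tup.Object, tup.Relation, tup.Target)
	_ = s.Add(tup)
	fmt.Println("check after add:", s.Check(tup))
	s.Remove(tup)
	fmt.Println("check after remove:", s.Check(tup))
}
```

The Check method is deliberately a plain set lookup: the point of the example is the shape of a tuple and the add/check/remove round trip, not the model evaluation that the real relation check performs server-side.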