Google Zanzibar: Implementing the Check API and Expand API using .NET

Submitted by Style Pass, 2024-09-22 12:00:05

In the previous articles we have seen how to implement a very simplified Relationship-based Access Control using a Google Zanzibar-like data model and some SQL queries. It worked well, and I quite like what we ended up with. But it doesn't let us define an effective ACL, because at the moment we need to materialize every relation as a row in the database.

But what about unions or intersections of permissions? What about expressing statements like: "If you are an editor of a Document, then you are also a viewer of that Document"? What about inheritance of permissions like: "If you are a viewer of a Folder, then you are also a viewer of the Folder's Documents"?

So in this article we will take a look at Google Zanzibar's Namespace Configuration Language, and implement a simplified version of the Google Zanzibar Check API and Expand API.

We have previously written a T-SQL function [Identity].[udf_RelationTuples_Check] that checks whether a User has a Relation to a given Object, and thus has the permission. It can be expressed in a few lines of SQL using a recursive Common Table Expression (CTE).
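The following is an added example of such a CTE-based check, written for this page and not taken from the article's code. It assumes a table [Identity].[RelationTuple] with one row per tuple (object#relation@subject) and an existing [Identity] schema; the column names, the sample tuples and the users philipp and alice are constructed for the example. A subject is either a direct user (SubjectRelation is NULL) or a userset such as folder:1#viewer, and the recursive step follows those usersets so that folder membership reaches the documents that point at it.

```sql
-- Assumed schema (not the article's own): one row per relation tuple.
CREATE TABLE [Identity].[RelationTuple] (
    ObjectNamespace  NVARCHAR(50) NOT NULL,   -- e.g. 'document'
    ObjectKey        NVARCHAR(50) NOT NULL,   -- e.g. '323'
    ObjectRelation   NVARCHAR(50) NOT NULL,   -- e.g. 'viewer'
    SubjectNamespace NVARCHAR(50) NOT NULL,   -- 'user' or an object namespace
    SubjectKey       NVARCHAR(50) NOT NULL,
    SubjectRelation  NVARCHAR(50) NULL        -- NULL = direct user, else a userset
);
GO

-- Constructed sample data: philipp is a viewer of folder 1, and every
-- viewer of folder 1 is a viewer of document 323 (a userset tuple).
INSERT INTO [Identity].[RelationTuple] VALUES
    ('folder',   '1',   'viewer', 'user',   'philipp', NULL),
    ('document', '323', 'viewer', 'folder', '1',       'viewer'),
    ('document', '323', 'editor', 'user',   'alice',   NULL);
GO

CREATE OR ALTER FUNCTION [Identity].[udf_RelationTuples_Check]
(
    @ObjectNamespace  NVARCHAR(50),
    @ObjectKey        NVARCHAR(50),
    @ObjectRelation   NVARCHAR(50),
    @SubjectNamespace NVARCHAR(50),
    @SubjectKey       NVARCHAR(50)
)
RETURNS BIT
AS
BEGIN
    DECLARE @Result BIT = 0;

    WITH Reachable AS (
        -- Anchor: every subject that is granted @ObjectRelation on the object.
        SELECT SubjectNamespace, SubjectKey, SubjectRelation, 0 AS Depth
        FROM [Identity].[RelationTuple]
        WHERE ObjectNamespace = @ObjectNamespace
          AND ObjectKey       = @ObjectKey
          AND ObjectRelation  = @ObjectRelation

        UNION ALL

        -- Recursive step: a userset subject (folder:1#viewer) is expanded into
        -- the subjects that hold that relation on that object. The depth guard
        -- terminates the walk if userset tuples ever form a cycle.
        SELECT t.SubjectNamespace, t.SubjectKey, t.SubjectRelation, r.Depth + 1
        FROM [Identity].[RelationTuple] AS t
        INNER JOIN Reachable AS r
            ON  r.SubjectRelation IS NOT NULL
            AND t.ObjectNamespace = r.SubjectNamespace
            AND t.ObjectKey       = r.SubjectKey
            AND t.ObjectRelation  = r.SubjectRelation
        WHERE r.Depth < 16
    )
    SELECT @Result = 1
    FROM Reachable
    WHERE SubjectNamespace = @SubjectNamespace
      AND SubjectKey       = @SubjectKey
      AND SubjectRelation  IS NULL;   -- only a direct user ends the walk

    RETURN @Result;
END
GO

-- philipp reaches document:323#viewer through folder:1#viewer
SELECT [Identity].[udf_RelationTuples_Check]('document', '323', 'viewer', 'user', 'philipp') AS PhilippCanView;
-- alice is an editor, but nothing in the data says an editor is also a viewer
SELECT [Identity].[udf_RelationTuples_Check]('document', '323', 'viewer', 'user', 'alice') AS AliceCanView;
```

With these tuples the first check returns 1 and the second returns 0. That second result is exactly the limitation discussed above: alice is an editor, but the "editor implies viewer" rule does not exist as data, so the function can only find what has been materialized as tuples. Userset tuples give you folder-to-document inheritance; the computed rewrites of the namespace configuration (union, computed userset, tuple-to-userset) are what the Check and Expand implementations in this article add on top. Two practical notes: keep the depth guard (or an equivalent) so that a malicious or accidental cycle in userset tuples cannot make the check run forever, and always pass the object and subject identifiers as parameters from .NET rather than concatenating them into the query.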
