Extensibility: Authorization

Meshery features an extensible authorization system that offers the ability to deliver fine-grained access control across it’s web-based user interface, Meshery UI.

Authorization Keys

The extensible authorization system consistes of a large set of keys. Each key uniquely represents a specific capability, for example, the ability to view a Connection, edit or delete a Connection. With the help of these keys, the system evaluates the permissions during runtime and renders UI both helping offer a secure management system and a customizable user experience.

Note

The extensible authorization system is available to both Local and Remote Providers. Depending upon your chosen Remote Provider, keys, clustering of them, assigning them to user groups, not just individual users or to user roles may be offered.

Authorization Framework

Meshery utilizes CASL (JS-based permission framework) to evaluate any given user’s set of session keys against the built-in keyhooks populated through each invidual Meshery UI page. This allows for granular control over the UI, empowering you to tailor your Meshery experience to your organization’s needs by limiting access to specific features and functionalities based on the user’s assigned keys.

Introduction to CASL.js

CASL.js is an isomorphic authorization JavaScript library which restricts what resources a given client is allowed to access. It’s designed to be incrementally adoptable and can easily scale between a simple claim based and fully featured subject and attribute based authorization. It makes it easy to manage and share permissions/keys across UI components, API services, and database queries.

An example of how CASL evaluate permission in UI.


<React.Fragment>
	{!CAN(keys.DELETE_CONNECTION.action, keys.DELETE_CONNECTION.subject) && (
		<Button id="delete-connection">Delete<Button/>
	)}
</React.Fragment>

Once a user has logged in, the backend will send a response with the permissions that the user has. Those permissions will be used to create abilities on the frontend, CASL gets updated with those abilities. The UI maintains a constant file containing all allowed permissions, referred to as keys. With the help of these keys, CAN function evaluates the permissions during runtime and renders UI.

Authorization using Local Provider

Meshery’s built-in identity provider, “Local” Provider, operates with a large set of predefined keys interspersed throughout Meshery UI and persisted in Meshery Database. These keys are used to evaluate the permissions of a given user and render the UI accordingly. The keys are grouped into three categories: action, subject, and object.

Discussion Forum

Don't find an answer to your question here? Ask on the Discussion Forum.

Suggested Reading

  • Extensibility: Meshery Adapters - Meshery architecture is extensible. Meshery provides several extension points for working with different cloud native infrastructure via adapters, load generators and providers.
  • Extensibility: APIs - Meshery architecture is extensible, offering an array of extension points and REST and GraphQL APIs.
  • Extensibility: Meshery Integrations - Meshery architecture is extensible. Meshery provides several extension points for working with different cloud native projects via adapters, load generators and providers.
  • Extensibility: Load Generators - Meshery offers support for more types of Kubernetes and cloud native infrastructure than any other project or product in the world. Meshery uses adapters for more deeply managing specific types of infrastructure.
  • Extensibility: Providers - Meshery uses adapters to enrich the level of depth by which it manages cloud native infrastructure.
  • Extensibility: UI - Meshery offers support for more adapters than any other project or product in the world. Meshery UI has a number of extension points that allow for users to customize their experience with third-party plugins.