ACL application micro-lc

[giovanni-motterle-mia-care]

What product are you having troubles with?

Microfrontend Composer

What Console version are you using?

v13.0.5

Description

Hi, I was reading about ACL expessions in micro-lc , specifically the ones based on permissions.
Permissions ACLs are based on a request header that contains the permissions list. Isn't it a limitation using headers in this use case? I know headers size is limited (I think it's 8kb default on node and customizable).
Since I would prefer not using headers, i thought that custom caller property extraction would come handy.
I don't understand how to create a "user-defined custom function" though. Moreover, is it possible to make HTTP calls inside of it?

Thanks

Actual Outcome

No response

Expected Outcome

No response

[epessina]

Hi @giovanni-motterle-mia-care , thanks for reaching out!

To provide a custom extractor you need to mount a JS module that exports your function in the directory specified by the ACL_CONTEXT_BUILDER_PATH env variable (it defaults to /usr/src/app/config/acl-context-builder.js).

In Console, you need to create a new config map for your middleware instance with the JS file inside at the path specified in the variable above (if you use the default path remember to check the "Preserve files" box!).

The function exported by the file cannot make HTTP calls (its execution is sandboxed for safety reasons), so your permissions must be contained either in the headers or the query parameters. If you are hitting a size limit we can think of a solution

[giovanni-motterle-mia-care]

Hi, any updates on this? We are starting working with permissions in backoffice and for our use case we are already counting roles with a set of permissions with over 10k characters total

[epessina]

Hi @giovanni-motterle-mia-care, sorry for the late reply

Unfortunately, we won't be able to address this issue for another two or three weeks. If you need it sooner, feel free to open a PR to middleware. In particular, you need to work on the extact-acl.ts file to add the body of the request to the ACL context.

[giovanni-motterle-mia-care]

Hi, we are actually implementing a work-around to reduce the number of permissions of a user.
We are forwarding to middleware the intersections of permissions used by the particular configuration page the user is requesting and the user permissions.
In this way we are not reaching headers size limit.
Despite that, I think it's still a useful feature to add when you can.

[epessina]

Hi @giovanni-motterle-mia-care . For your information, version 3.3.1 of middleware is out with support to request.body as ACL context builder input.

[giovanni-motterle-mia-care]

Hi @epessina, thank you !