Current Behavior
When a client issues a list query (e.g. for accounts) and the user does not have the privileges to list accounts, the gateway responds with Forbidden.
Improved Behavior
There are several use cases where UIs need to display "a list of items the user has access to" without being granted permission to list all of them.
The gateway should behave in the following manner:
- subject access review: check whether the user has permission to list the objects
  - if yes, continue as today
  - if no, fall back to filtering. We should support an RBAC and an FGA mode with individual feature toggles:
    - for the FGA mode:
      - list all resources of that kind using the technical user
      - issue a SubjectAccessReview request for each resource, checking whether the user is allowed to GET that particular resource (create these requests in parallel, not in sequence)
    - for the RBAC mode:
      - issue a SelfSubjectRulesReview and capture the resourceNames of the response (example of a UI doing this: example)
      - get all resources the user has access to
    - return the list of resulting items.
This is an experimental / research feature and it would be good to hide it behind a feature flag for now.
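The two filtering modes above, as an added example that is not part of this issue or of the gateway's code: a minimal stand-in for the SelfSubjectRulesReview rule shape (assumed, not the client-go type), the RBAC-mode GET check with the review's `incomplete` flag treated as fail-closed, and the concurrent per-object filter the FGA mode would drive with one SubjectAccessReview per item (the review call itself is injected as the `allowed` function, so the block runs offline).

```go
package main

import "sync"

// Assumed minimal mirror of a status.resourceRules entry of an
// authorization.k8s.io/v1 SelfSubjectRulesReview (not the client-go type).
type ResourceRule struct{ Verbs, APIGroups, Resources, ResourceNames []string }

func matches(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// CanGet is the RBAC-mode check: do the review's rules allow GET on one named object?
// Empty ResourceNames covers every name; an incomplete review fails closed, not open.
func CanGet(rules []ResourceRule, incomplete bool, group, resource, name string) bool {
	if incomplete {
		return false
	}
	for _, r := range rules {
		if matches(r.Verbs, "get") && matches(r.APIGroups, group) && matches(r.Resources, resource) &&
			(len(r.ResourceNames) == 0 || matches(r.ResourceNames, name)) {
			return true
		}
	}
	return false
}

// Filter keeps listing items that pass a per-object check, run concurrently (FGA mode:
// one SubjectAccessReview per item, injected as allowed), in input order; a failed check drops its item.
func Filter(items []string, allowed func(name string) (bool, error)) []string {
	ok := make([]bool, len(items))
	var wg sync.WaitGroup
	wg.Add(len(items))
	for i := range items {
		go func(i int) { defer wg.Done(); a, err := allowed(items[i]); ok[i] = err == nil && a }(i)
	}
	wg.Wait()
	out := []string{}
	for i, n := range items {
		if ok[i] {
			out = append(out, n)
		}
	}
	return out
}
```

The RBAC mode is `Filter` with `CanGet` as the check; the FGA mode passes a function that performs the real SubjectAccessReview call.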