generated from coulomb/repo-seed
tegwick
82177d88a9
Closes FLEX-WP-0005 T04. Validates ADR-003's commitment to shape the
standalone core for cheap Topaz adapter work.
Spike output:
- docs/topaz-mapping-spike.md — vocabulary map (subject, group, tenant,
knowledge_base, document, plus parent / owner_team / reader / steward /
member relations), Rego module shape, decision envelope, wire-protocol
ranking (gRPC primary, REST fallback, embedding rejected), schema
restatement recommendation, implications for FLEX-WP-0002 / 0004.
- examples/topaz/ — runnable docker-compose deploying Topaz with the
flex-auth-shaped manifest. seed and probe one-shots cover three
scenarios: alice (steward) allow, bob (group→reader) allow, eve
(outsider) deny. End-to-end green on 2026-05-16:
probe: steward-allow OK (check=true)
probe: reader-allow OK (check=true)
probe: outsider-deny OK (check=false)
probe: all checks passed
Key findings recorded as Implementation Notes in the spike doc:
- Rego input contract bridging (Topaz raw shape ↔ flex-auth canonical
shape) is adapter scope, not core scope.
- Topaz identity objects are a Topaz convention; the adapter
materializes them at directory import time.
- Directory-only permission resolution is sufficient for the common
case; Rego is reserved for context-dependent decisions.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
69 lines
2.1 KiB
YAML
69 lines
2.1 KiB
YAML
# Runnable Topaz example for the flex-auth alignment spike.
|
|
#
|
|
# Boot order:
|
|
# 1. topaz — runs topazd with the spike config; serves authorizer
|
|
# on :8282 (gRPC) and :8383 (REST), directory on :9292
|
|
# (gRPC) and :9393 (REST), health on :9494.
|
|
# 2. seed — one-shot container that pushes the manifest and seeds
|
|
# directory objects/relations via REST. Exits on success.
|
|
# 3. probe — one-shot container that runs three authorizer checks
|
|
# (steward allow, reader allow, outsider deny) and exits
|
|
# non-zero if any decision is unexpected.
|
|
#
|
|
# Usage:
|
|
# docker compose up --abort-on-container-exit --exit-code-from probe
|
|
#
|
|
# See docs/topaz-mapping-spike.md and README.md.
|
|
|
|
services:
|
|
topaz:
|
|
image: ghcr.io/aserto-dev/topaz:latest
|
|
command: ["run", "--config-file", "/cfg/config.yaml", "--bundle", "/bundle"]
|
|
ports:
|
|
- "127.0.0.1:8282:8282" # authorizer gRPC
|
|
- "127.0.0.1:8383:8383" # authorizer REST
|
|
- "127.0.0.1:9292:9292" # directory gRPC
|
|
- "127.0.0.1:9393:9393" # directory REST
|
|
- "127.0.0.1:9494:9494" # health
|
|
volumes:
|
|
- ./cfg:/cfg:ro
|
|
- ./bundle:/bundle:ro
|
|
- topaz-db:/db
|
|
- topaz-certs:/certs
|
|
healthcheck:
|
|
# Topaz's image has no curl/wget; nc is in busybox. Probe TCP on
|
|
# the authorizer REST port — the gateway only listens once the
|
|
# backing gRPC service is ready.
|
|
test: ["CMD-SHELL", "nc -z 127.0.0.1 8383 || exit 1"]
|
|
interval: 2s
|
|
timeout: 2s
|
|
retries: 30
|
|
|
|
seed:
|
|
image: alpine:3.20
|
|
depends_on:
|
|
topaz:
|
|
condition: service_healthy
|
|
volumes:
|
|
- ./data:/data:ro
|
|
- ./scripts:/scripts:ro
|
|
- ./manifest.yaml:/manifest.yaml:ro
|
|
entrypoint: ["/bin/sh", "/scripts/seed.sh"]
|
|
environment:
|
|
DIRECTORY_REST: "http://topaz:9393"
|
|
|
|
probe:
|
|
image: alpine:3.20
|
|
depends_on:
|
|
seed:
|
|
condition: service_completed_successfully
|
|
volumes:
|
|
- ./scripts:/scripts:ro
|
|
entrypoint: ["/bin/sh", "/scripts/probe.sh"]
|
|
environment:
|
|
AUTHORIZER_REST: "http://topaz:8383"
|
|
|
|
volumes:
|
|
topaz-db:
|
|
topaz-certs:
|