# Grants Language Specification

This file contains the reference and examples for the grants domain-specific language (DSL).

# Overview

The grants DSL is used to describe the access context under which a Parcel app or identity may access a document. It is designed with the attribute-based access control (opens new window) (ABAC) paradigm in mind.

A condition in Parcel is a JSON object written using the grants DSL specification. Whenever a data access attempt occurs, Parcel checks if the access context satisfies the condition before releasing keys to the requester.

# Specification

When writing a condition, the grants DSL supports two types of keys: selectors and logical operators. We define a clause as a JSON object with either a selector or logical operator as its single key, along with the associated value.

The associated value must be either a relational operation or an array operation. Relational operations are used to constrain single-valued access context attributes, while array operations are used to constrain array-valued access context attributes.

Both relational operations and array operations are specified as JSON objects with a single key representing the operator and the corresponding value representing the operand. The operand for relational operations will be a standard primitive data type or array. For array operations, the operand will be a relational operation.

For example, in the following clause:

{ 'document.id': { $eq: 'DSgUhs1oiQ8vr5pQH8pgfgs' } }

'document.id' is a selector and { $eq: 'DSgUhs1oiQ8vr5pQH8pgfgs' } is a relational operation with $eq as the operator and 'DSgUhs1oiQ8vr5pQH8pgfgs' as the operand.

Clauses can be nested, and every condition must itself be a clause.

# Relational Operators

The grants DSL supports the following relational operators:

  • $eq - Checks if the specified operand is equal to the corresponding access context attribute. The operand must be a primitive type.
  • $ne - Checks if the specified operand is not equal to the corresponding access context attribute. The operand must be a primitive type.
  • $gte - Checks if the specified operand is greater than or equal to the corresponding access context attribute. The operand must be a primitive type.
  • $gt - Checks if the specified operand is strictly greater than the corresponding access context attribute. The operand must be a primitive type.
  • $lte - Checks if the specified operand is less than or equal to the corresponding access context attribute. The operand must be a primitive type.
  • $lt - Checks if the specified operand is strictly less than the corresponding access context attribute. The operand must be a primitive type.
  • $in - Checks if the corresponding access context attribute is a member of the provided operand. The operand must be an array type.
  • $nin - Checks if the corresponding access context attribute is not a member of the provided operand. The operand must be an array type.

These can be used to construct relational operations such as { $eq: 'bash' } as we saw in the Constraining Data Access Tutorial.

# Array Operators

The grants DSL supports the following array operators:

  • $any - Checks if the specified operand is satisfied by any of the values in the corresponding access context attribute. The operand must be a relational operator.
  • $all - Checks if the specified operand is satisfied by all of the values in the corresponding access context attribute. The operand must be a relational operator.
  • $size - Checks if the specified operand is satisfied by the length of the values in the corresponding access context attribute. The operand must be a relational operator.

These can be used to construct array operations such as { '$any': { '$eq': 'for-sharing' } }.

# Selectors

By now, you should have a good handle on how to specify the value for a clause with relational and array operations. These are sufficient for specifying how to operate on access context attributes when evaluating a condition.

Now let's talk about the key for a clause, which is used for specifying what access context attributes to operate on. Selectors are the basic unit of determining this contextual what.

The grants DSL supports the following selectors, which have been categorized below as per standard ABAC attribute categorization:

# Subject Selectors

  • identity.id - Selects the Parcel ID of the identity requesting access.

# Action Selectors

  • job.spec.image - Selects the job image (and image digest) that a Parcel worker will execute when using the requested input documents.
  • job.spec.inputs - Selects the input document filepaths for the requested job.
  • job.spec.outputs - Selects the output document filepaths for the requested job.
  • accessTime - Selects the ISO 8601 time of document access.

# Object Selectors

  • document.id - Selects the Parcel ID of the requested document.
  • document.creator - Selects the Parcel ID of the identity which created the requested document.
  • document.title - Selects the (creator-specified) title of the requested document.
  • document.tags - Selects the (creator-specified) array of metadata tags for the requested document.

# Environment Selectors

The grants DSL does not yet support any environmental selectors. In the future, support for constraining attributes of Parcel workers permissioned to execute compute jobs will be added here.

# Logical Operators

Logical operators are the second type of key that can be specified when writing a clause, and operate on child clauses.

The grants DSL supports the following logical operators:

  • $and, which takes a JSON array of clauses as its value. All clauses in this array must be satisfied for the $and clause as a whole to be satisfied.
  • $or, which takes a JSON array of clauses as its value. Any clause in this array must be satisfied for the $or clause as a whole to be satisfied.
  • $nor, which takes a JSON array of clauses as its value. All clauses in this array must not be satisfied for the $nor clause as a whole to be satisfied.
  • $not which should take a single clause as its value. This single clause should not be satisfied for the $not clause as a whole to be satisfied.

These of course correspond to their natural boolean expression equivalents.

# Examples

Listed below are some common grant conditions written with the grants DSL.

  • Constrain access to a specific job, for a specific input document.
{
  $and: [
    {
      'document.id': {
        $eq: 'DSgUhs1oiQ8vr5pQH8pgfgs',
      },
    },
    {
      'job.spec.image': {
        $eq: 'bash@sha256:137d3e8797d78ab61c3bc4d599ff34dc7fcfbfca4a031c49ca83efed6792ab15',
      },
    },
  ],
}

where the operand is specified by including both the image name (bash) and the image digest sha256:137d3e8797d78ab61c3bc4d599ff34dc7fcfbfca4a031c49ca83efed6792ab15.

  • Constrain access to one of a few specific titled documents.
{
  'document.title': {
    $in: [ 'document-1', 'document-2', 'document-3' ],
  },
}
  • Constrain access to documents that have been tagged with a specific identifier.
{
  'document.tags': {
    $any: { $eq: 'for-sharing' },
  },
}
  • Constrain access to documents within a specific time window.
{
  $and: [
    { 'accessTime': { $gte: '2021-01-01' } },
    { 'accessTime': { $lt: '2021-01-05' } },
  ],
}