ReBAC: Updating user's entitlements fails silently

[huwshimi]

When updating a user's entitlements: PATCH /identities/{id}/entitlements there is no response body and no errors are returned.

For example the following gets a 200 OK response but does not create the relation:

{
  "patches": [
    {
      "entitlement": {
        "entity_type": "cloud",
        "entitlement": "administrator",
        "entity_id": "localhost"
      },
      "op": "add"
    }
  ]
}

But this succeeds:

{
  "patches": [
    {
      "entitlement": {
        "entity_type": "controller",
        "entitlement": "administrator",
        "entity_id": "d61369f7-7953-4a99-870a-4d046038fddc"
      },
      "op": "add"
    }
  ]
}

[kian99]

I've made a test for this but I can't seem to replicate it.
The test is an integration test but calls the handler directly in code (I haven't tried an actual HTTP call).
But it seems to work, I grant a user access to a "test-cloud" and then verify they have the expected access.

Why do you suggest the first block doesn't actually create the relation? Is it not showing up in one of the other calls?

[huwshimi]

Ah interesting, if I try and create that same relation again it says it already exists, so that call is succeeding.

However, the created relation is not included in the entitlements call e.g. /identities/{id}/entitlements.

{
    "_links": {
        "next": {
            "href": "/rebac/v1/identities/[email protected]/entitlements?nextToken=eyJraW5kIjoiY2xvdWQiLCJ0b2tlbiI6IiJ9"
        }
    },
    "_meta": {
        "pageToken": "",
        "size": 1
    },
    "data": [
        {
            "entitlement": "administrator",
            "entity_id": "3217dbc9-8ea9-4381-9e97-01eab0b3f6bb",
            "entity_type": "controller"
        }
    ],
    "message": "",
    "status": 200
}

[kian99]

Digging into this further, I can see why this is happening. In our implementation for pagination of OpenFGA results, we realised it is not trivial to fetch all the relations of a user. What OpenFGA offers is the ability to fetch the relations for a specific user + specific object. So "user" + "cloud" or "user" + "controller".

You'll notice the response from /identities/{id}/entitlements includes a next page with a "nextToken", in our implementation, we page over the combinations of "user" + and so a page can be empty but the next page might not be.

I think our expectation was to document this and have the client page over the results until they've either received as many results as they want to show in a page or until the nextPage token is empty.

Fortunately, if this behaviour is not aligned with other backend implementations of the rebac-admin-ui we can fairly easily do this pagination on the backend and return the expected result. Let me know what you think @huwshimi.

[huwshimi]

Thanks for figuring that out @kian99. It would be great if this could be handled by the backend if that's OK.

The future plan will be to update these endpoints with filtering, page-size etc. so it would be great for the backend to handle as much of that as possible.