Allow CRD authors to declare which FGA relations the security-operator should generate for their type, replacing or extending the hardcoded default set (get, update, delete, patch). Today the operator generates the same four relations for every CRD it discovers via discoverAndRender() in authorization_model.go. There is no way to express domain-specific relations on the CRD itself — those require a separate AuthorizationModel CR.
Introduce an annotation that CRD authors can set to declare their desired FGA relations. E.g.:
metadata:
  annotations:
    platform-mesh.io/fga-relations: |
      define codeviewer: [user] or member
      define admin: [user] or owner
      define scan: [user] or member
If the annotation is absent the operator falls back to the current default four-relation set.
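One way the operator could read this annotation before rendering, shown as an added example and not code from the security-operator: each line is checked against a strict grammar so that free-form annotation text cannot end up in the generated authorization model. The names `parseFGARelations` and `Relation`, the line grammar, and treating a blank annotation like an absent one are assumptions; the proposal does not specify them.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

const fgaRelationsAnnotation = "platform-mesh.io/fga-relations" // key from the proposal

// Assumed grammar (not specified in the proposal): "define <name>: <term> (or <term>)*",
// where a term is a direct type restriction such as [user] or a bare relation name.
const term = `(?:\[[a-z][a-z0-9_]*\]|[a-z][a-z0-9_]*)`

var relationLine = regexp.MustCompile(`^define ([a-z][a-z0-9_]*): (` + term + `(?: or ` + term + `)*)$`)

type Relation struct{ Name, Expr string }

// parseFGARelations returns the relations declared in the annotation. usedDefault is
// true when the annotation is absent or blank (blank-as-absent is an assumption), so the
// caller renders the default get/update/delete/patch set. One malformed or duplicate
// line rejects the whole annotation, so free-form text never reaches the rendered model.
func parseFGARelations(annotations map[string]string) (rels []Relation, usedDefault bool, err error) {
	raw, ok := annotations[fgaRelationsAnnotation]
	if !ok || strings.TrimSpace(raw) == "" {
		return nil, true, nil
	}
	seen := map[string]bool{}
	for i, line := range strings.Split(raw, "\n") {
		line = strings.TrimSpace(line)
		m := relationLine.FindStringSubmatch(line)
		switch {
		case line == "":
			continue
		case m == nil:
			return nil, false, fmt.Errorf("line %d: not a valid relation definition", i+1)
		case seen[m[1]]:
			return nil, false, fmt.Errorf("line %d: duplicate relation %q", i+1, m[1])
		}
		seen[m[1]] = true
		rels = append(rels, Relation{m[1], m[2]})
	}
	return rels, false, nil
}

func main() {
	// Constructed sample input, using relations from the proposal's example.
	rels, usedDefault, err := parseFGARelations(map[string]string{
		fgaRelationsAnnotation: "define codeviewer: [user] or member\ndefine admin: [user] or owner\n"})
	fmt.Println(rels, usedDefault, err)
}
```

Rejecting the whole annotation on the first bad line keeps a CRD from ending up with a partially applied relation set.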