0
votes

I am trying to understand how, using DocumentDB, I can grant permission to multiple resources. It's unclear to me how I would go about this or if it's currently possible.

https://docs.microsoft.com/en-us/azure/cosmos-db/mobile-apps-with-xamarin

In their docs here they state

If you want two users to have access to the same to-do list, you can add additional permissions to the access token in Resource Token Broker.

The Resource Token Broker is linked below:

https://github.com/Azure/azure-documentdb-dotnet/blob/master/samples/xamarin/UserItems/ResourceTokenBroker/ResourceTokenBroker/Controllers/ResourceTokenController.cs#L153-L159

And I assume they specifically mean this:

using Microsoft.Azure.Documents;

Permission p = new Permission
{
    PermissionMode = PermissionMode.All,
    ResourceLink = collection.SelfLink,
    ResourcePartitionKey = new PartitionKey(userId),
    Id = permissionId // needs to be unique for a given user
};

However, this snippet only supports one partition key, whereas what I want to do is grant permissions for multiple partition keys in a collection.

This is the call where I assume the token is created:

permission = await Client.CreatePermissionAsync(UriFactory.CreateUserUri(databaseId, userId), p);

But again, it looks like a singular permission, which would mean you'd have to create N permissions, and each time you went to access one of those resources you'd need to request the token from the Resource Broker? In other words, if I grant permission to 5 resources, when my client goes to the Resource Broker, I need to return 5 tokens?

Is there no way to say: This Resource Token grants PermissionMode.All permissions to all of these resources?


1 Answer

0
votes

if I grant permission to 5 resources, when my client goes to the Resource Broker, I need to return 5 tokens?

The DocumentClient class has four constructors, and two of them support the provision of several resource keys, allowing the resulting DocumentClient object to be used to authenticate operations against multiple resources. You could grant permissions on multiple resources for a user in your Resource Token Broker API and return a list of permission objects (instead of a single resource token) to the client app.

FeedResponse<Permission> permFeed = await client.ReadPermissionFeedAsync(UriFactory.CreateUserUri("dbid", "userId"));

List<Permission> permList = permFeed.ToList();

The client app could initialize an instance of the DocumentClient class and pass permList after the client app gets it.

var client = new DocumentClient(new Uri(EndpointUri), permList);
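Putting the answer's two halves together, here is an added C# example (not code from the question, the answer, or the Azure sample project) of a broker method that creates one permission per partition key for a user and returns the user's whole permission feed, plus the client-side factory that turns that list into a single DocumentClient. The class names, the `{userId}-{pk}-{mode}` permission id scheme and the injected master-key client are assumptions; it also assumes the partition key values are safe to embed in a permission id and that the caller has already authenticated the user and decided which partition keys that user is entitled to. The expiry and the choice of PermissionMode.Read over PermissionMode.All are where least privilege is enforced.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Threading.Tasks;
using Microsoft.Azure.Documents;
using Microsoft.Azure.Documents.Client;

// Broker side: runs with the master key; only resource tokens ever reach the client app.
public class MultiResourcePermissionBroker
{
    private readonly DocumentClient _client;   // master-key client, assumed to be injected
    private readonly string _databaseId;
    private readonly string _collectionId;

    public MultiResourcePermissionBroker(DocumentClient masterKeyClient, string databaseId, string collectionId)
    {
        _client = masterKeyClient;
        _databaseId = databaseId;
        _collectionId = collectionId;
    }

    // Creates (or refreshes) one permission per partition key the user may access, then returns
    // every permission the user holds so the client can build a single multi-resource DocumentClient.
    public async Task<List<Permission>> GrantAsync(string userId, IEnumerable<string> partitionKeys,
                                                   PermissionMode mode, int tokenExpirySeconds)
    {
        await EnsureUserAsync(userId);

        Uri collectionUri = UriFactory.CreateDocumentCollectionUri(_databaseId, _collectionId);
        DocumentCollection collection = await _client.ReadDocumentCollectionAsync(collectionUri);
        Uri userUri = UriFactory.CreateUserUri(_databaseId, userId);
        var options = new RequestOptions { ResourceTokenExpirySeconds = tokenExpirySeconds };

        foreach (string pk in partitionKeys)
        {
            var permission = new Permission
            {
                Id = $"{userId}-{pk}-{mode}",          // unique per user: one per partition key and mode (assumed scheme)
                PermissionMode = mode,                 // prefer PermissionMode.Read unless writes are really needed
                ResourceLink = collection.SelfLink,
                ResourcePartitionKey = new PartitionKey(pk) // scopes the token to this partition key only
            };
            // Upsert so re-issuing for the same user/key refreshes the token instead of failing with 409 Conflict.
            await _client.UpsertPermissionAsync(userUri, permission, options);
        }

        // Read the full feed back, following continuation tokens, so earlier grants are included too.
        var all = new List<Permission>();
        string continuation = null;
        do
        {
            FeedResponse<Permission> page = await _client.ReadPermissionFeedAsync(
                userUri, new FeedOptions { RequestContinuation = continuation });
            all.AddRange(page);
            continuation = page.ResponseContinuation;
        } while (!string.IsNullOrEmpty(continuation));

        return all;
    }

    // Users are created on first use; a 404 from ReadUserAsync is the normal "not yet created" signal.
    private async Task EnsureUserAsync(string userId)
    {
        try
        {
            await _client.ReadUserAsync(UriFactory.CreateUserUri(_databaseId, userId));
        }
        catch (DocumentClientException e) when (e.StatusCode == HttpStatusCode.NotFound)
        {
            await _client.CreateUserAsync(UriFactory.CreateDatabaseUri(_databaseId), new User { Id = userId });
        }
    }
}

// Client side: one DocumentClient built from the permission list the broker returned. Each
// Permission carries its own resource token, so the client can reach every covered partition
// key without ever holding the master key.
public static class ResourceTokenClientFactory
{
    public static DocumentClient FromPermissions(Uri endpoint, IList<Permission> permissions)
    {
        if (permissions == null || permissions.Count == 0)
            throw new ArgumentException("At least one permission is required", nameof(permissions));
        return new DocumentClient(endpoint, permissions);
    }
}
```

Because the returned list is the complete feed for the user, revoking access to one partition key is a matter of deleting that single permission on the broker side and having the client refresh its list before the remaining tokens expire; the client never needs N separate round trips per resource.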