Description
For eventing RBAC support, the user who creates/deploys a function will own the function, and all the DCP and metadata ops will be done using the user's permissions. So if the user loses their permission or gets deleted, eventing needs to undeploy the functions.
Since cbauth doesn't give a notification when a user loses their permission, eventing will poll for the user's permission.
cbauth currently exposes IsAllowed(permission) to check whether the user still has the permission.
https://github.com/couchbase/cbauth/blob/7b0c203a21afbd59127e8722950a7145ef18fd2a/cbauth.go#L104
Steps to check permission for a particular user:
1. Create an http.Request with "@eventing" credentials (can be done only once).
2. Add "cb-on-behalf-of" header with user and domain
3. Call AuthWebCreds(req)
4. creds.IsAllowed(permission)
Requesting an "IsAllowedUser(user, domain, permission) (bool, error)" API to check the permission for a user, which can eliminate steps 2 and 3 (maybe only exposed to known users).
With polling, there will be a delta between 2 checks. This can lead to a user getting removed and a new user then getting created with the same name and domain between 2 checks. Currently there is no way for eventing to detect whether that's the same user or not.
Requesting "UserId(username, domain) string", which gives the user ID for a particular user and can be used to verify whether it's the same user or not.
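One poll cycle using both requested calls, as an added Go example that is not part of this ticket or of cbauth. The `UserDirectory` interface, `CheckOwner`, `fakeDir` and the sample permission string are assumptions standing in for the proposed API.

```go
package main

import "fmt"

// UserDirectory models the two calls the ticket requests. Hypothetical:
// neither IsAllowedUser nor UserId is an existing cbauth API.
type UserDirectory interface {
	IsAllowedUser(user, domain, permission string) (bool, error)
	UserId(user, domain string) string
}

// Owner is recorded when the function is deployed, including the user id.
type Owner struct{ User, Domain, ID string }

// CheckOwner is one poll cycle. A non-empty reason means "undeploy".
func CheckOwner(d UserDirectory, o Owner, perm string) (string, error) {
	// Same name and domain but a different id: deleted and recreated.
	if d.UserId(o.User, o.Domain) != o.ID {
		return "owner identity changed", nil
	}
	ok, err := d.IsAllowedUser(o.User, o.Domain, perm)
	if err != nil {
		return "", err // caller decides whether to retry or fail closed
	}
	if !ok {
		return "owner lost permission", nil
	}
	return "", nil
}

type record struct {
	id    string
	perms map[string]bool
}

// fakeDir is a constructed in-memory directory keyed by "domain/user".
type fakeDir map[string]record

func (f fakeDir) UserId(user, domain string) string { return f[domain+"/"+user].id }
func (f fakeDir) IsAllowedUser(user, domain, perm string) (bool, error) {
	return f[domain+"/"+user].perms[perm], nil
}

func main() {
	perm := "cluster.bucket[src].data.docs!read" // constructed sample permission
	dir := fakeDir{"local/alice": {id: "u-1", perms: map[string]bool{perm: true}}}
	owner := Owner{User: "alice", Domain: "local", ID: "u-1"}
	// alice is removed and recreated with the same grants between two polls.
	dir["local/alice"] = record{id: "u-2", perms: map[string]bool{perm: true}}
	fmt.Println(CheckOwner(dir, owner, perm))
}
```

A permission-only poll would pass in the recreated-user case because the new account holds the same grant; comparing the id captured at deploy time is what catches it.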