# help
j
is it possible to call cerbos with a list of actions and get back all resources with corresponding EFFECT_ALLOW for each action in the list?
a
The closest thing is the PlanResources API, which will give you back a query plan to match all the resources for which a particular action would be allowed. However, it only takes a single action at a time, not a list of actions, and you have to evaluate the resulting AST. If you have a relatively small set of resources and they are known ahead of time, then you can pass multiple resources and actions to a single CheckResources API call and get back all the corresponding decisions.
j
so in the example shown in the docs, when i call `PlanResources`, i still need to supply a `"resource": { }` JSON. how does that give back a query plan to match all the resources?
can i not leave `"resource": {}` as a blank key in the json?
a
Nope, you need to at least specify the `kind` of resource, so that Cerbos knows which policies to use
j
hmmmmmm................
a
You can also specify some resource attributes, which is useful if you already know some criteria that you are filtering on.
j
```yaml
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  resource: asset_profile_assets
  version: development
  importDerivedRoles:
```
so in this case my kind would be asset_profile_assets then
that's bad for me because i've designed my policies such that each `resource: <name>` is a YAML file
and i have a lot of them!
i mean the way i've designed it is each YAML represents an API that users can call via a web app
oh wait.................i'm thinking about this wrongly i think. i just need a separate set of cerbos policies that are at a higher level then.
so my use case is this: web app team wants to know when user-john logs in, he should only see the component-x, y and z in the web app. components a, b, c should be hidden.
i would like to control that using cerbos. but web app team also wants to do global caching for user-john such that they want to call cerbos once when user logs on and get all the list of components that user-john is allowed to see.
that saves them from having to make a call to cerbos once for each component being rendered in the UI
component-x can be supported by API-1, API-2, API3
why would i need the `PlanResources` api when i can simply call `CheckResources` and get the same result?
a
Got it, yep sounds like you want `CheckResources`.
j
because of `KIND_*` returned by `PlanResources`? i.e. the AST
i mean i'm trying to figure out the use case for `PlanResources`
a
`CheckResources` is for answering the question "can this principal do these actions to these resources?", which is the most common use case for authz.
`PlanResources` is to help answer the question "which resources can the principal do this action to?", which is useful for authorizing e.g. listing pages. You can turn the AST that it returns into a query for your database. If you were to use `CheckResources` for this use case, you might have to load every row from your database, and feed them into Cerbos to filter them down into the list that the user is actually allowed to see.
j
aaaaha ok. that makes sense
although the point about "which resources can the principal do this action to" seems a bit odd when the word *resources* is in the plural but the json payload only accepts a single kind?
a
Fair - perhaps it's more accurate to say that `PlanResources` answers the question "under what conditions can this principal do this action to resources of this kind?", and it gives you one of three answers: "always" (`KIND_ALWAYS_ALLOWED`), "never" (`KIND_ALWAYS_DENIED`), or "it depends" (`KIND_CONDITIONAL`, with an AST of the conditions).
j
ok that was confusing for me at first but your 2nd explanation makes it crystal clear. thank you Andrew!
a
No problem, happy to help 🙂