Jesum Yip
04/14/2023, 9:25 AM

Andrew Haines (Cerbos)
04/14/2023, 9:36 AM

Jesum Yip
04/14/2023, 9:38 AM
PlanResources, I still need to supply a "resource": { } JSON. How does that give back a query plan to match all the resources?

Andrew Haines (Cerbos)
04/14/2023, 9:39 AM
kind of resource, so that Cerbos knows which policies to use

Jesum Yip
04/14/2023, 9:40 AM

Andrew Haines (Cerbos)
04/14/2023, 9:40 AM

Jesum Yip
04/14/2023, 9:41 AM
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  resource: asset_profile_assets
  version: development
  importDerivedRoles:
so in this case my kind would be asset_profile_assets then
PlanResources API when I can simply call CheckResources and get the same result?

Andrew Haines (Cerbos)
04/14/2023, 9:48 AM
CheckResources.

Jesum Yip
04/14/2023, 9:48 AM
KIND_* returned by PlanResources? i.e. the AST
PlanResources

Andrew Haines (Cerbos)
04/14/2023, 9:54 AM
CheckResources is for answering the question "can this principal do these actions to these resources?", which is the most common use case for authz.
PlanResources is to help answer the question "which resources can the principal do this action to?", which is useful for authorizing e.g. listing pages. You can turn the AST that it returns into a query for your database. If you were to use CheckResources for this use case, you might have to load every row from your database, and feed them into Cerbos to filter them down into the list that the user is actually allowed to see.

Jesum Yip
04/14/2023, 9:57 AM
resources is in the plural but the JSON payload only accepts a single kind?

Andrew Haines (Cerbos)
04/14/2023, 10:00 AM
PlanResources answers the question "under what conditions can this principal do this action to resources of this kind?", and it gives you one of three answers: "always" (KIND_ALWAYS_ALLOWED), "never" (KIND_ALWAYS_DENIED), or "it depends" (KIND_CONDITIONAL, with an AST of the conditions).

Jesum Yip
04/14/2023, 10:02 AM

Andrew Haines (Cerbos)
04/14/2023, 10:02 AM