akkaratanapatT
05/17/2023, 7:53 AM
---
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  importDerivedRoles:
    - common_roles
  resource: "album:object"
  rules:
    - actions: ['*']
      effect: EFFECT_ALLOW
      derivedRoles:
        - owner
    - actions: ['read:public']
      effect: EFFECT_ALLOW
      roles:
        - user
        - user2
      condition:
        match:
          expr: request.resource.attr.public == true
    - actions: ['read:private']
      effect: EFFECT_ALLOW
      derivedRoles:
        - anyone
      condition:
        match:
          expr: (request.resource.attr.share_list.exists(share, share.id == request.principal.id && share.read == true)) || (request.resource.attr.share_read_list.exists(share, share.id == request.principal.id))
    - actions: ['write:private']
      effect: EFFECT_ALLOW
      derivedRoles:
        - anyone
      condition:
        match:
          expr: request.resource.attr.share_list.exists(share, share.id == request.principal.id && share.write == true) || (request.resource.attr.share_write_list.exists(share, share.id == request.principal.id))
request
const kind = "album:object";
const actions = ["read:public", "read:private", "write:private"];
{
  principal: {
    id: "alex",
    roles: ["user", "user2"],
    attributes: {
      beta_tester: true,
      team: "UTM",
    },
  },
  resources: [
    {
      resource: {
        kind: kind,
        id: "video_file_port.mp4",
        attributes: {
          owner: "warradon",
          public: false,
          team: "UTM",
          share_list: [
            {
              "id": "alex",
              "read": true,
              "write": true
            },
            {
              "id": "bob",
              "read": true,
              "write": false
            },
          ],
        },
      },
      actions: actions,
    },
    {
      resource: {
        kind: kind,
        id: "file2",
        attributes: {
          owner: "george",
          public: true,
          team: "UTM",
          share_read_list: [
            {
              "id": "alex",
            },
            {
              "id": "bob",
            }
          ],
          share_write_list: [
            {
              "id": "alex",
            },
          ]
        },
      },
      actions: actions,
    },
  ],
}
share_list: [
  {
    "id": "alex",
    "read": true,
    "write": true
  },
  {
    "id": "bob",
    "read": true,
    "write": false
  },
]
Charith (Cerbos)
05/17/2023, 8:25 AM
read just means read and has no other conditions, then you probably don't even need Cerbos policies. However, if you have other requirements like "user could only read a file if they are logged in from this IP range" or "files with top secret classification require a 2FA token" etc., then you could delegate those checks to Cerbos. Basically, you can send a principal attribute like permissions: ["read", "write", "delete"] based on the ACL check and then have derived roles such as reader, writer, admin that get activated from those values.
akkaratanapatT
05/17/2023, 9:49 AM
Charith (Cerbos)
05/17/2023, 10:01 AM
alex|bob|charlie.
I don't think you can avoid a database lookup for this use case either. Cerbos is stateless so you have to provide the data to it somehow. That has to come from some kind of a data store.
akkaratanapatT
05/17/2023, 10:09 AM
Charith (Cerbos)
05/17/2023, 10:18 AM
matches operator. For example: P.id.matches("alex|bob"). https://docs.cerbos.dev/cerbos/latest/policies/conditions.html#_strings
akkaratanapatT
05/17/2023, 10:35 AM
Charith (Cerbos)
05/17/2023, 10:50 AM
akkaratanapatT
05/17/2023, 11:03 AM