# community

Vishal Augustine

08/11/2023, 1:20 PM
Hi, are there any examples of ABAC implementation using Cerbos? Any example in git?

Alex Olivier (Cerbos)

08/11/2023, 1:23 PM
Plenty! Here is a reference getting-started repo that implements a CRUD API: https://github.com/cerbos/example-cerbos-policy-repository/tree/main
What is your use case?

Jesum Yip

08/11/2023, 1:24 PM
That's a broad question. What exactly do you mean?

Vishal Augustine

08/11/2023, 1:27 PM
We have authentication and RBAC done using Keycloak. We want to try out ABAC with Cerbos, or move the whole authorization to Cerbos. Before we take the jump, we want to see how it works with Cerbos.

Jesum Yip

08/11/2023, 1:28 PM
In a nutshell: you write YAML files, Cerbos reads them, and these YAML files contain all the "if-then-else" rules. Your application then calls the Cerbos REST API to evaluate the rules and gets a response back saying access allowed or access denied.

Vishal Augustine

08/11/2023, 1:30 PM
Thanks for sharing the link. Will check the details to understand more.
Any AWS-type ABAC examples with Cerbos?

Alex Olivier (Cerbos)

08/11/2023, 2:51 PM
Sorry, what do you mean by AWS examples?

Vishal Augustine

08/17/2023, 6:58 AM
In AWS, they use key-value pairs for tags to decide the access control in ABAC. A good example is below. The value of the "access-project" key is checked to take a decision.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TutorialAssumeRole",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::account-ID-without-hyphens:role/access-*",
      "Condition": {
        "StringEquals": {
          "iam:ResourceTag/access-project": "${aws:PrincipalTag/access-project}",
          "iam:ResourceTag/access-team": "${aws:PrincipalTag/access-team}",
          "iam:ResourceTag/cost-center": "${aws:PrincipalTag/cost-center}"
        }
      }
    }
  ]
}
```
The doubt is: in Cerbos, does it use key-value pairs of tags? Or are there any example projects like the above which I can take a look at?
PS: https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html