is it possible to have a resource rule where we can compare Cerbos Community #help

is it possible to have a resource rule where we ca...

Karl Azzam

01/11/2024, 12:34 AM

is it possible to have a resource rule where we can compare the path parameter to one of the jwt claim values. i.e. the path parameter for this request = foo, the claim user = foo would be valid.

Dennis (Cerbos)

01/11/2024, 12:45 AM

1. You can pass the path parameter as a resource/principal attribute. 2. The rule can compare the attribute value with the claim value.

Karl Azzam

01/11/2024, 1:09 AM

hmm can you give an example for part 1 please

Karl Azzam

01/11/2024, 1:11 AM

lets say the resource path is /api/v1/get/{pathParam}

Dennis (Cerbos)

01/11/2024, 1:30 AM

Which programming language are you using?

Dennis (Cerbos)

01/11/2024, 1:30 AM

for your service

Karl Azzam

01/11/2024, 1:40 AM

kotlin

Dennis (Cerbos)

01/11/2024, 1:49 AM

Sorry, I’m not a Java/Kotlin dev, but here’s an example from the Cerbos Java SDK readme:

Copy code

CheckResult result=client.check(
    Principal.newInstance("john","employee")
        .withPolicyVersion("20210210")
        .withAttribute("department",stringValue("marketing"))
        .withAttribute("geography",stringValue("GB")),
    Resource.newInstance("leave_request","xx125")
        .withPolicyVersion("20210210")
        .withAttribute("department",stringValue("marketing"))
        .withAttribute("geography",stringValue("GB"))
        .withAttribute("owner",stringValue("john")),
    "view:public","approve");

if(result.isAllowed("approve")){ // returns true if `approve` action is allowed
    ...
}

You need to use the

withAttribute

method to add a resource attribute with the path parameter value. How you read it depends on your web framework.

Karl Azzam

01/11/2024, 1:52 AM

currently all we do is call cerbos via grpc to get a decision, if decision is not equal to EFFECT_ALLOW, return a 401

Karl Azzam

01/11/2024, 1:52 AM

running it as a sidecar container for each kotlin backend service

Karl Azzam

01/11/2024, 1:53 AM

we do all the condition logic in the resource policy yaml via the rules, i was looking more so on how to add a rule that checks the ~~query~~ path param and compares to the claim value. What im really stuck on is getting the ~~query~~ path param value

Karl Azzam

01/11/2024, 1:55 AM

i said query param, meant path path sorry

Dennis (Cerbos)

01/11/2024, 2:00 AM

So a Kotlin backend service receives a request (R), and then it sends an authorisation request (A) to Cerbos PDP. Are you asking how to read the path parameter of the request R?

Karl Azzam

01/11/2024, 2:01 AM

correct

Karl Azzam

01/11/2024, 2:01 AM

inside a resource policy yaml

Dennis (Cerbos)

01/11/2024, 2:01 AM

I see. No, sorry, it’s not possible.

Karl Azzam

01/11/2024, 2:01 AM

gotcha, thanks!

Open in Slack

Previous Next