# community
s
👋! After reading the (very clear) docs I have a question: Could Cerbos answer the question: 'to which tenants does this user have access?'. Our use case is a GQL frontend gateway that talks to unopinionated grpc backend microservices. We are exploring the pattern of having the external client send an unfiltered request (/devices, without specifying tenantIDs) to the gateway. This GW should then enforce RBAC and make a filtered request to the /devices backend, containing only the tenants this user has access to.
c
👋 If I understand your question correctly, I think you're asking whether it's possible to look up a list of things that a particular user has access to. You certainly can. Cerbos is stateless and doesn't have access to your data. But, what you can do is to ask Cerbos to produce a query plan for you based on the access policies that are in effect. You can then use that query plan to construct a query for your data store and fetch the data you need. You can read more about that in the following links: https://docs.cerbos.dev/cerbos/latest/api/index.html#resources-query-plan https://cerbos.dev/blog/filtering-data-using-authorization-logic
s
Very nice, thanks for clarifying! Is it a huge performance penalty, compared to asking a specific authZ question?
Cerbos must get the data it evaluates in the policy engine from the requesting client, or have it stored in the storage backend. I have some food for thought now, thanks
c
Producing the query plan does not have a performance penalty. It's not massively different from a standard access decision. We are just returning the unknown variables and the conditions they must satisfy back to you.
πŸ‘ 1
To be clear, the Cerbos storage backend only stores policies. It never stores or has access to your own data.
πŸ‘ 1