After reading the (very clear) docs I have a question:
Could Cerbos answer the question: ‘to which tenants does this user have access?’ Our use case is a GQL frontend gateway that talks to unopinionated gRPC backend microservices. We are exploring the pattern of having the external client send an unfiltered request (/devices, without specifying tenantIDs) to the gateway. This GW should then enforce RBAC and make a filtered request to the /devices backend, containing only the tenants this user has access to.
Very nice, thanks for clarifying! Is it a huge performance penalty, compared to asking a specific authZ question?
Cerbos must get the data it evaluates in the policy engine from the requesting client, or have it stored in the storage backend. I have some food for thought now, thanks
08/11/2022, 7:24 AM
Producing the query plan does not have a performance penalty. It's not massively different from a standard access decision. We are just returning the unknown variables and the conditions they must satisfy back to you.
To be clear, the Cerbos storage backend only stores policies. It never stores or has access to your own data.