s
sdktr
1 month ago
π!
After reading the (very clear) docs I have a question:
Could Cerbos answer the question: βto which tenants does this user have access?β. Our use case is a GQL frontend gateway that talks to unopiniated grpc backend microservices. We are exploring the pattern of having the external client sending an unfiltered request (/devices, without specifying tenantIDs) to the gateway. This GW should then enforce RBAC and make a filtered request to the /devices backend, containing only the tenants this user has access to.
Charith (Cerbos)
1 month ago
π If I understand your question correctly, I think you're asking whether it's possible to lookup a list of things that a particular user has access to. You certainly can. Cerbos is stateless and doesn't have access to your data. But, what you can do is to ask Cerbos to produce a query plan for you based on the access policies that are in effect. You can then use that query plan to construct a query for your data store and fetch the data you need. You can read more about that in the following links:
https://docs.cerbos.dev/cerbos/latest/api/index.html#resources-query-plan
https://cerbos.dev/blog/filtering-data-using-authorization-logic
s
sdktr
1 month ago
Very nice, thanks for clarifying! Is it a huge performance penalty, compared to asking a specific authZ question?
Cerbos must get the data it evaluates in the policy engine from the requesting client, or have it stored in the storage backend. I have some food for thought now, thanks
Charith (Cerbos)
1 month ago
Producing the query plan does not have a performance penalty. It's not massively different from a standard access decision. We are just returning the unknown variables and the conditions they must satisfy back to you.
To be clear, Cerbos storage backend only stores policies. It never stores or has access to your own data.
View count: 1
Join thread in Slack