Any thoughts on this approach? Or an alternative?
# communityj
Jack Archer
11/02/2021, 8:12 PMAny thoughts on this approach? Or an alternative?
e
Emre (Cerbos)
11/02/2021, 8:15 PM
With this approach or via the admin API, we highly recommend that you to also use the testing feature before deploying policies
j
Jack Archer
11/02/2021, 8:16 PMMakes sense - is there an alternative to securing the admin API besides basic auth?
e
Emre (Cerbos)
11/02/2021, 8:17 PM
Currently no. However, what would be your preferred method?
j
Jack Archer
11/02/2021, 8:17 PMHonestly not sure... maybe providing access to a JWT signing secret and allowing valid tokens as an alternative to basic auth
e
Emre (Cerbos)
11/02/2021, 8:18 PM
ok. We can definitely look into this. If you can think of any better approaches, please let us know.
👍 1
a
Alex Olivier (Cerbos)
11/02/2021, 9:11 PM
I take it you are using database storage for the policy store? If so, I advise against updating the policy store directly as Cerbos also stores metadata in there (versioning etc) along with the actual policies which will get out of sync.
What is your reason for considering this route, besides the basic auth point? It's not a model we've considered just yet but open to ideas
j
Jack Archer
11/03/2021, 1:26 AMMainly that basic auth doesnt' feel production appropriate even for intra-cluster communication
Jack Archer
11/03/2021, 1:26 AMso figured if we're using cerbos for read-only functionality, then we don't need the basic auth...
Jack Archer
11/03/2021, 1:27 AMcould handle writes using JWT-authenticated internal service
Jack Archer
11/03/2021, 1:31 AMI think basic JWT token authentication / validation would be better than basic auth... basically I think anything is better than basic auth
Jack Archer
11/03/2021, 1:32 AMI think in general the docs are good, but it would be helpful to have a separate
samples4 Views