# community
f
I've looked at your API documentation here: https://docs.cerbos.dev/cerbos/0.6.0/api/index.html I couldn't see any way to get the CEL expressions for a given action, is there any endpoint for this? There is a check endpoint but I think accessing the CEL expression may allow me to automatically fetch necessary data for the permission check request.
a
Have you looked at the Admin API? https://docs.cerbos.dev/cerbos/0.6.0/api/admin_api.html We have purposefully separated out the authz checking vs the management API. Fetching the CEL to dynamically build the query is an interesting use case we have been thinking about a bit
f
I read the Admin API endpoints but I saw only add and update endpoints for the policies. It'd be great to be able to get the CEL that's about to be evaluated. I think it'd allow developers to automate many more parts of the API that they are developing.
a
That is the current status - listing is coming soon. We are developing in the open and all the current work streams are on our Git repo https://github.com/cerbos/cerbos/issues Feel free to add in any comments you have on there and I will ensure we get onto priority items ASAP
f
Thank you for the information. Are you open to PRs about the endpoint for fetching CEL dynamically?
a
Absolutely open to PRs and collaboration on issues - you can also contact our engineers here including our CTO @Charith (Cerbos)
c
Definitely open to PRs but please raise an issue first and describe the problem so that we can all agree on the best way to tackle it before you do a lot of work.
I am a bit confused by what you mean by "fetching CEL dynamically" though. Do you mean, grabbing the whole policy from the endpoint and parsing it to find all conditions?
f
Nope, I mean fetching the final CEL that will be evaluated by Cerbos to determine if the given principal is authorized to perform the specified action.
c
Oh I see. That would require us to do a partial evaluation of policies.
The tricky thing here is that how the policy evaluates is not deterministic. It depends on which derived roles get activated -- which can contain conditions as well.
f
I see. So there are multiple CELs involved in a single check, and some CELs depend on the results of the previous CELs, right?
c
Yes, that's right
f
What would the list endpoint do? I think fetching necessary data for all of the possible CELs could be the best choice at the moment. Because data fetches are much less likely to be a bottleneck when compared to implementing partial fetches for every auth check step.
c
So, the list endpoint is currently under development. When it's done, it'll allow listing and filtering policies that are on the repository.
I think your idea is clever. But, I think you'll end up having to replicate a lot of the work that's done by the Cerbos engine. You'll have to parse policies, understand evaluation order (priority, version handling), handle imports and more.