Jesum Yip
12/13/2021, 4:25 AM
Jesum Yip
12/13/2021, 4:27 AM
Jesum Yip
12/13/2021, 4:28 AM
Jesum Yip
12/13/2021, 4:29 AM
Dennis (Cerbos)
Dennis (Cerbos)
Dennis (Cerbos)
Dennis (Cerbos)
# Resource policy rule: allow "view" for principals holding the "user" role
# only when the JWT passed as auxiliary data carries is_internal_user == "TRUE"
- actions: ["view"]
  effect: EFFECT_ALLOW
  roles: ["user"]
  condition:
    match:
      expr: request.aux_data.jwt.is_internal_user == "TRUE"
Dennis (Cerbos)
# Derived role: a principal that already has the "user" role becomes
# "internal_user" when the same JWT claim check passes
- name: internal_user
  parentRoles: ["user"]
  condition:
    match:
      expr: request.aux_data.jwt.is_internal_user == "TRUE"
Dennis (Cerbos)
internal_user
instead of checking this claim again.
Charith (Cerbos)
"assume further I don't need to verify the jwt against the well-known jwks endpoint of the token issuer"
That depends on your risk profile. If you're absolutely sure that internal traffic can be trusted and there's no risk of replay attacks, you can disable JWT verification on the Cerbos end.
Jesum Yip
12/13/2021, 12:37 PM
Jesum Yip
12/13/2021, 12:38 PM
Jesum Yip
12/13/2021, 12:38 PM
Charith (Cerbos)
user, and then he created a derived role to codify the fact that internal_user must also have a JWT field set to a particular value.
Jesum Yip
12/13/2021, 1:51 PM
Charith (Cerbos)
Jesum Yip
12/14/2021, 2:02 PM
Jesum Yip
12/14/2021, 2:03 PM
Charith (Cerbos)
"So in that URL, the principal "Alicia" is trying to "view" the resource type called "album:object" of which there is one instance called "XX125". Is this correct?"
Correct
"Why is it a good idea to define a derived role?"
So that you can define it once and reuse it in your policy rules. Then, if you ever want to change it, you only have to change it in one place and not in every policy file.
Jesum Yip
12/14/2021, 2:25 PM
Jesum Yip
12/14/2021, 2:34 PM
Jesum Yip
12/14/2021, 2:35 PM
Jesum Yip
12/14/2021, 2:35 PM
Jesum Yip
12/14/2021, 2:36 PM
Jesum Yip
12/14/2021, 2:37 PM
Charith (Cerbos)
roles in the request (referenced in the derived role as parentRoles), and if that matches, it will evaluate the condition; if that returns a truth value as well, the derived role becomes "active".
Charith (Cerbos)
user as one of the roles in the principal.roles field and a JWT with internal_user=TRUE to activate the derived role definition above.
Jesum Yip
12/14/2021, 3:05 PM