  • Rasmus Dencker
    1 month ago
    Should I just pop all the 'scopes' into
    attr
    and do configure with expr instead?
  • Alex Olivier (Cerbos)
    1 month ago
    Hey! Yes, that is how we would recommend doing it, using an expression to check if the action is in the list that the user has. This means you can change a user's access without having to change/update principal policies.
    You can see an example of this in this demo https://play.cerbos.dev/p/IJxlK6131f642ND65F1EhPmiT18Ap1A5
  • Rasmus Dencker
    1 month ago
    The reason I went the roles way was to utilize derived roles to make a sort of hierarchical permission system, which is very nice:
    apiVersion: api.cerbos.dev/v1
    derivedRoles:
      # "name" is required for a derived roles policy; placeholder value, omitted in the original snippet
      name: report_derived_roles
      definitions:
        # report.read is granted to anyone holding any of the report.* roles
        - name: report.read
          parentRoles:
            - report.read
            - report.delete
            - report.update
            - report.create
        - name: report.create
          parentRoles:
            - report.create

    I could do that with expr but it wouldn't be as clean
    Thanks for the link! I'll take a look 😎
    Oh I think I get the gist. So roles should be used for higher level stuff; right now I'd only have "USER" for instance.
  • Alex Olivier (Cerbos)
    1 month ago
    Simplest expression could be
    "report.read" in P.attr.permissions
    where your principal looks like
    {
      "id": "123",
      "roles": [
        "USER"
      ],
      "attr": {
        "permissions": [
          "report.read",
          "report.write"
        ]
      }
    }
  • Rasmus Dencker
    1 month ago
    We're using short lived JWT tokens inside our services, so the other handy thing about using expr is that I could:
    1. Avoid extracting scopes from the JWT in the service
    2. Bonus: Avoid doing JWK on the service-side and just check Cerbos for a bogus policy everyone has access to, effectively making Cerbos do both authz and authn
    pretty interesting
    So I could basically just call Cerbos with the bearer token to see if it's valid
    (given I don't have to check any authz stuff in that request, for instance just rendering a SPA)
  • Alex Olivier (Cerbos)
    1 month ago
    You can definitely do that and a clever use of the JWT feature!
  • Rasmus Dencker
    1 month ago
    Amazing how such a simple to understand product can solve so much 😄
    thanks for your thoughts @User!
  • Alex Olivier (Cerbos)
    1 month ago
    Glad to hear it! Let us know if we can help with anything else at all.
  • Rasmus Dencker
    1 month ago
    Will do 💯
    One thing: I like the cool 'WithPlaygroundInstance' option; but can I somehow use the playground with auxData?
    or is that just a limitation of the playground
  • Alex Olivier (Cerbos)
    1 month ago
    (might need to scroll down)
  • Rasmus Dencker
    1 month ago
    doh, I just realized I sent an access token and not a JWT, that's probably why it complained about 'failed to extract auxData' 😂
  • Alex Olivier (Cerbos)
    1 month ago
    Ah yes that would do it!
  • Rasmus Dencker
    1 month ago
    cerbos, err := client.New("localhost:3593", client.WithPlaintext(), client.WithPlaygroundInstance("[redacted]"))

    Seems it's still hitting my local Cerbos. What's the trick to make it use the playground? 😄
    got it, thanks!
    Just discovered your embedded testing framework. This is probably the best balance between hyperfocused functionality and embedded tooling I've ever seen in an open source project. Damn, good work!
  • Alex Olivier (Cerbos)
    1 month ago
    Thank you! We've been building this project with a hyper focus on the developer experience as we have all had to build authorization systems many times in our past and wanted to make sure there is an off the shelf solution that does it all.
  • Emre (Cerbos)
    1 month ago
    Hi @Rasmus Dencker can we quote you on that one?
  • Rasmus Dencker
    1 month ago
    Sure @Emre (Cerbos) 😄