#help
Title
r
Rasmus Dencker
05/25/2022, 1:23 PMShould I just pop all the 'scopes' into
attra
Alex Olivier (Cerbos)
05/25/2022, 1:26 PM
Hey!
Yes that is how we would recommending that and using an expression to check if the action is in the list that the user has.
This means you can change a users access without having to change/update principal polciies
You can see an example of this in this demo https://play.cerbos.dev/p/IJxlK6131f642ND65F1EhPmiT18Ap1A5
r
Rasmus Dencker
05/25/2022, 1:26 PMThe reason I went the roles way was to utilize derived roles to make a sort of hierarchical permission system, which is very nice:
Copy code
apiVersion: api.cerbos.dev/v1
derivedRoles:
definitions:
- name: report.read
parentRoles:
- report.read
- report.delete
- report.update
- report.create
- name: report.create
parentRoles:
- report.createI could do that with expr but it wouldnt be as clean
Thanks for the link! I'll take a look 😎
Oh I think I get the gist. So roles should be used for higher level stuff; right now I'd only have "USER" for instance.
👍 1
a
Alex Olivier (Cerbos)
05/25/2022, 1:29 PM
Simpliest expression could be
"report.read" in P.attr.permissions Copy code
{
"id": "123",
"roles": [
"USER"
],
"attr": {
"permissions": [
"reports.read",
"reports.write"
]
}
}r
Rasmus Dencker
05/25/2022, 1:31 PMWe're using short lived JWT tokens inside our services, so the other handy thing about using expr is that I could
1. Avoid extracting scopes from the jwt in the service
2. Bonus: Avoid doing jwk on the service-side and just check Cerbos for a bogus policy everyone has access to, effectively making Cerbos do both authz and authn
pretty interesting
So I could basically just call cerbos with the bearer token to see if its valid
(given I don't have to check any authz stuff in that request, for instance just rendering a SPA)
a
Alex Olivier (Cerbos)
05/25/2022, 1:37 PM
You can definitely do that and a clever use of the JWT feature!
r
Rasmus Dencker
05/25/2022, 1:38 PMAmazing how such a simple to understand product can solve so much 😄
😍 1
thanks for your thoughts @Alex Olivier (Cerbos)!
a
Alex Olivier (Cerbos)
05/25/2022, 1:41 PM
Glad to hear it! Let us know if we can help with anything else at all.
r
Rasmus Dencker
05/25/2022, 1:47 PMWill do 💯
One thing: I like the cool 'WithPlaygroundInstance' option; but can I somehow use the playground with auxData?
or is that just a limitation of the playground
a
Alex Olivier (Cerbos)
05/25/2022, 1:55 PM
There is an aux data section in the right sidebar
(might need to scroll down)
r
Rasmus Dencker
05/25/2022, 1:56 PMdoh, I just realized I sent an access token and not a jwt, thats probably why it complained about 'failed to extract auxData' 😂
a
Alex Olivier (Cerbos)
05/25/2022, 1:56 PM
Ah yes that would do it!
r
Rasmus Dencker
05/25/2022, 2:11 PM Copy code
cerbos, err := client.New("localhost:3593", client.WithPlaintext(), client.WithPlaygroundInstance("[redacted]"))Seems it's still hitting my local cerbos. Whats the trick to make it use the playground? 😄
a
Alex Olivier (Cerbos)
05/25/2022, 2:13 PM
if you press “try the API” and goto the Go tab it will show you then client config
r
Rasmus Dencker
05/25/2022, 2:14 PMgot it, thanks!
Just discovered your embedded testing framework. This is probably the best balance between hyperfocused functionality and embedded tooling I've ever seen in an open source project. Damn, good work!
❤️ 2
a
Alex Olivier (Cerbos)
05/25/2022, 2:44 PM
Thank you! We've been building this project with a hyper focus on the developer experience as we have all had to build authorization systems many times in our past and wanted to make sure there is an off the shelf solution that does it all.
e
Emre (Cerbos)
05/25/2022, 2:45 PM
Hi @Rasmus Dencker can we quote you on that one?
r
Rasmus Dencker
05/25/2022, 3:50 PMSure @Emre (Cerbos) 😄
11 Views