https://cerbos.dev logo
Join Slack
Powered by
Should I just pop all the 'scopes' into `attr` and...
# help
r
Should I just pop all the 'scopes' into 
attr
and do configure with expr instead?
a
Hey! Yes that is how we would recommending that and using an expression to check if the action is in the list that the user has. This means you can change a users access without having to change/update principal polciies
You can see an example of this in this demo https://play.cerbos.dev/p/IJxlK6131f642ND65F1EhPmiT18Ap1A5
r
The reason I went the roles way was to utilize derived roles to make a sort of hierarchical permission system, which is very nice:
Copy code
apiVersion: api.cerbos.dev/v1
derivedRoles:
  definitions:
    - name: report.read
      parentRoles:
        - report.read
        - report.delete
        - report.update
        - report.create
    - name: report.create
      parentRoles:
        - report.create
I could do that with expr but it wouldnt be as clean
Thanks for the link! I'll take a look 😎
Oh I think I get the gist. So roles should be used for higher level stuff; right now I'd only have "USER" for instance.
👍 1
a
Simpliest expression could be 
"report.read" in P.attr.permissions
where you principal looks like
Copy code
{
  "id": "123",
  "roles": [
    "USER"
  ],
  "attr": {
    "permissions": [
      "reports.read",
      "reports.write"
    ]
  }
}
r
We're using short lived JWT tokens inside our services, so the other handy thing about using expr is that I could 1. Avoid extracting scopes from the jwt in the service 2. Bonus: Avoid doing jwk on the service-side and just check Cerbos for a bogus policy everyone has access to, effectively making Cerbos do both authz and authn
pretty interesting
So I could basically just call cerbos with the bearer token to see if its valid
(given I don't have to check any authz stuff in that request, for instance just rendering a SPA)
a
You can definitely do that and a clever use of the JWT feature!
r
Amazing how such a simple to understand product can solve so much 😄
😍 1
thanks for your thoughts @Alex Olivier (Cerbos)!
a
Glad to hear it! Let us know if we can help with anything else at all.
r
Will do 💯
One thing: I like the cool 'WithPlaygroundInstance' option; but can I somehow use the playground with auxData?
or is that just a limitation of the playground
a
There is an aux data section in the right sidebar
(might need to scroll down)
r
doh, I just realized I sent an access token and not a jwt, thats probably why it complained about 'failed to extract auxData' 😂
a
Ah yes that would do it!
r
Copy code
cerbos, err := client.New("localhost:3593", client.WithPlaintext(), client.WithPlaygroundInstance("[redacted]"))
Seems it's still hitting my local cerbos. Whats the trick to make it use the playground? 😄
a
if you press “try the API” and goto the Go tab it will show you then client config
r
got it, thanks!
Just discovered your embedded testing framework. This is probably the best balance between hyperfocused functionality and embedded tooling I've ever seen in an open source project. Damn, good work!
❤️ 2
a
Thank you! We've been building this project with a hyper focus on the developer experience as we have all had to build authorization systems many times in our past and wanted to make sure there is an off the shelf solution that does it all.
e
Hi @Rasmus Dencker can we quote you on that one?
r
Sure @Emre (Cerbos) 😄
11 Views
Open in Slack
PreviousNext
Powered by