Title
#help
Rasmus Dencker

Rasmus Dencker

05/25/2022, 1:23 PM
Should I just pop all the 'scopes' into
attr
and do configure with expr instead?
Alex Olivier (Cerbos)

Alex Olivier (Cerbos)

05/25/2022, 1:26 PM
Hey! Yes that is how we would recommending that and using an expression to check if the action is in the list that the user has. This means you can change a users access without having to change/update principal polciies
1:26 PM
You can see an example of this in this demo https://play.cerbos.dev/p/IJxlK6131f642ND65F1EhPmiT18Ap1A5
Rasmus Dencker

Rasmus Dencker

05/25/2022, 1:26 PM
The reason I went the roles way was to utilize derived roles to make a sort of hierarchical permission system, which is very nice:
1:26 PM
apiVersion: api.cerbos.dev/v1
derivedRoles:
  definitions:
    - name: report.read
      parentRoles:
        - report.read
        - report.delete
        - report.update
        - report.create
    - name: report.create
      parentRoles:
        - report.create
1:26 PM
I could do that with expr but it wouldnt be as clean
1:26 PM
Thanks for the link! I'll take a look 😎
1:28 PM
Oh I think I get the gist. So roles should be used for higher level stuff; right now I'd only have "USER" for instance.
Alex Olivier (Cerbos)

Alex Olivier (Cerbos)

05/25/2022, 1:29 PM
Simpliest expression could be
"report.read" in P.attr.permissions
where you principal looks like
{
  "id": "123",
  "roles": [
    "USER"
  ],
  "attr": {
    "permissions": [
      "reports.read",
      "reports.write"
    ]
  }
}
Rasmus Dencker

Rasmus Dencker

05/25/2022, 1:31 PM
We're using short lived JWT tokens inside our services, so the other handy thing about using expr is that I could1. Avoid extracting scopes from the jwt in the service 2. Bonus: Avoid doing jwk on the service-side and just check Cerbos for a bogus policy everyone has access to, effectively making Cerbos do both authz and authn
1:31 PM
pretty interesting
1:31 PM
So I could basically just call cerbos with the bearer token to see if its valid
1:32 PM
(given I don't have to check any authz stuff in that request, for instance just rendering a SPA)
Alex Olivier (Cerbos)

Alex Olivier (Cerbos)

05/25/2022, 1:37 PM
You can definitely do that and a clever use of the JWT feature!
Rasmus Dencker

Rasmus Dencker

05/25/2022, 1:38 PM
Amazing how such a simple to understand product can solve so much 😄
1:39 PM
thanks for your thoughts @Alex Olivier (Cerbos)!
Alex Olivier (Cerbos)

Alex Olivier (Cerbos)

05/25/2022, 1:41 PM
Glad to hear it! Let us know if we can help with anything else at all.
Rasmus Dencker

Rasmus Dencker

05/25/2022, 1:47 PM
Will do 💯
1:54 PM
One thing: I like the cool 'WithPlaygroundInstance' option; but can I somehow use the playground with auxData?
1:54 PM
or is that just a limitation of the playground
Alex Olivier (Cerbos)

Alex Olivier (Cerbos)

05/25/2022, 1:55 PM
There is an aux data section in the right sidebar
1:55 PM
(might need to scroll down)
Rasmus Dencker

Rasmus Dencker

05/25/2022, 1:56 PM
doh, I just realized I sent an access token and not a jwt, thats probably why it complained about 'failed to extract auxData' 😂
Alex Olivier (Cerbos)

Alex Olivier (Cerbos)

05/25/2022, 1:56 PM
Ah yes that would do it!
Rasmus Dencker

Rasmus Dencker

05/25/2022, 2:11 PM
cerbos, err := client.New("localhost:3593", client.WithPlaintext(), client.WithPlaygroundInstance("[redacted]"))
2:11 PM
Seems it's still hitting my local cerbos. Whats the trick to make it use the playground? 😄
Alex Olivier (Cerbos)

Alex Olivier (Cerbos)

05/25/2022, 2:13 PM
if you press “try the API” and goto the Go tab it will show you then client config
Rasmus Dencker

Rasmus Dencker

05/25/2022, 2:14 PM
got it, thanks!
2:40 PM
Just discovered your embedded testing framework. This is probably the best balance between hyperfocused functionality and embedded tooling I've ever seen in an open source project. Damn, good work!
Alex Olivier (Cerbos)

Alex Olivier (Cerbos)

05/25/2022, 2:44 PM
Thank you! We've been building this project with a hyper focus on the developer experience as we have all had to build authorization systems many times in our past and wanted to make sure there is an off the shelf solution that does it all.
Emre (Cerbos)

Emre (Cerbos)

05/25/2022, 2:45 PM
Hi @Rasmus Dencker can we quote you on that one?
Rasmus Dencker

Rasmus Dencker

05/25/2022, 3:50 PM
Sure @Emre (Cerbos) 😄