Title
m
Mark Piper
11/14/2022, 7:22 PMIs there any notion of returning an indeterminate response instead of
EFFECT_ALLOWDENYs
Steve High (NTWRK)
11/14/2022, 7:37 PMPolicies are compiled in such a way that there cant be an indeterminate answer to any request. Cerbos will always return EFFECT_DENY if it cant compute your intent from the claims provided to it.
I thnk what you might be looking for is some way for cerbos to say "According to what I have here, I don't know" and pass that along to the caller.
The issue with that approach is that unless you explicitly deny things via EFFECT_DENY, cerbos will always return EFFECT_DENY precisely because it couldnt produce EFFECT_ALLOW...so you'll get a lot of noise.
I am currently transitioning my systems to use cerbos for authz, and I've found that you need to perform the bespoke checks first before checking with cerbos...with the intent of removing those bespoke checks altogether
Working with multiple authz implementations can be pretty painful...but until you are ready to convert, you should use your existing auth as the source of truth until your policies are battle-tested...just my 2¢
a
Andrew Haines (Cerbos)
11/15/2022, 11:20 AMHi Mark, Steve's right, you can only get allow/deny out of a check request.
I can see a few possible ways around it for your use case:
• You could pass the result of the existing logic to Cerbos as a resource attribute, and include that in the conditions in your policy.
• You could add an additional action that indicates an indeterminate result, e.g. you could have
viewview_with_fallback_logicincludeMeta: truematchedPolicyKIND_ALWAYS_ALLOWEDKIND_ALWAYS_DENIEDKIND_CONDITIONAL