#community

seala va

06/21/2022, 4:02 PM
ask for cerbos help of an article collaboration management system: https://github.com/issuebox/cerbos-discuss/blob/main/ask-for-cerbos-help.md

Charith (Cerbos)

06/21/2022, 5:27 PM
Hi. Thanks for the detailed spec. Off the top of my head, I think you might be able to use scoped policies to model this. Please have a look at that. I am away from my computer right now. I'll take a better look when I am back and try to give you a few more tips if possible.

seala va

06/22/2022, 1:30 AM
Thanks @Charith (Cerbos). Let me implement some simple code first.
This is my implementation of the article collaboration management system's authorization. If possible, can you help me see what needs to be improved? https://github.com/issuebox/cerbos-article-cooperation

Charith (Cerbos)

06/22/2022, 12:11 PM
Hi. I see you have made some good progress 👍 I read your problem statement and if I understood it correctly, you have a finite set of organizations and channels that a user can belong to. In that case, when a user first logs in, you can issue them a JWT that contains that small set of organizations and channels that person has access to and then reference those in the policy rules. For example, say your JWT contains the following claims:
orgs: ["org_a", "org_b"]
channels: ["chan_x", "chan_y", "chan_z"]
and, in your request, you include the organization, channel and author of the resource:
{
  "resource": {
    "id": "XX125",
    "kind": "article",
    "attr": {
      "organization": "org_a",
      "channel": "chan_x",
      "author": "user_p"
    }
  }
}
You can define a derived role for channel_editor as follows:
# Derived role: a principal holding the "chan_editor" role becomes
# "channel_editor" only for resources in an org and channel listed in their JWT
- name: channel_editor
  parentRoles: ["chan_editor"]
  condition:
    match:
      all:
        of:
          - expr: request.resource.attr.organization in request.aux_data.jwt.orgs
          - expr: request.resource.attr.channel in request.aux_data.jwt.channels
Then you can define a policy rule for article edit as follows:
# Resource policy rule: channel editors may edit, but only their own articles
- actions: ['edit']
  effect: EFFECT_ALLOW
  derivedRoles:
    - channel_editor
  condition:
    match:
      expr: request.resource.attr.author == request.principal.id
Hope this gives you some idea about how to approach the issue.

seala va

06/22/2022, 1:02 PM
Thanks @Charith (Cerbos). This is a good idea, but I have a little doubt: Suppose there is a userB who, when he logs in, is not in channelA. After ten minutes (for instance), channelA's owner joins him into channelA and sets him to an admin role. How to update userB's JWT data in this case?

Charith (Cerbos)

06/22/2022, 1:47 PM
Ah, if the memberships change during a session, then instead of the JWT you might have to use the principal attributes section to send the organization and channel memberships. That way they are always up-to-date.