Horia Constantin02/06/2023, 7:09 PM
which has attributes
and on). If that's not the case and you need extra data from other sources to make the decision, you'd need some kind of a wrapper service that can gather that data from relevant places and communicate with Cerbos to get back the authorization decision.
Cerbos is designed to be stateless because if it tries to hook into your data sources directly, it becomes incredibly complicated to manage. As you can imagine, there are so many variables to contend with such as different API types, query languages, access credentials and caching requirements. Only you're in a position to navigate those requirements in your environment securely and in a performant way. Cerbos is there to give you visibility and easy management of the business logic of authorization within that context.
Jesum Yip02/06/2023, 10:41 PM
Policy Information Point
in an ABAC solution. You can google it. You either add the data itself into the call to Cerbos (via some kind of wrapper that you'd have to write) like what Charith said or you include the data as
payload (in a JWT). I won't recommend the latter unless you are comfortable with possibly exposing some internal information (JWTs are not designed to be private).
In my company, the layer that acts as the
is our FastAPI layer.
Horia Constantin02/07/2023, 12:05 PM
Jesum Yip02/07/2023, 12:30 PM
Horia Constantin02/07/2023, 1:30 PM
Jesum Yip02/07/2023, 1:33 PM
Horia Constantin02/07/2023, 3:10 PM
Jesum Yip02/07/2023, 9:54 PM
Horia Constantin02/08/2023, 10:27 AM
Jesum Yip02/08/2023, 11:10 AM
Sunil02/16/2023, 3:03 PM