Horia Constantin
02/06/2023, 7:09 PM
Charith (Cerbos)
02/06/2023, 7:51 PM
X which has attributes A, B, C and on). If that's not the case and you need extra data from other sources to make the decision, you'd need some kind of a wrapper service that can gather that data from relevant places and communicate with Cerbos to get back the authorization decision.
Cerbos is designed to be stateless because if it tries to hook into your data sources directly, it becomes incredibly complicated to manage. As you can imagine, there are so many variables to contend with such as different API types, query languages, access credentials and caching requirements. Only you're in a position to navigate those requirements in your environment securely and in a performant way. Cerbos is there to give you visibility and easy management of the business logic of authorization within that context.
Jesum Yip
02/06/2023, 10:41 PM
Policy Information Point or PIP in an ABAC solution. You can google it. You either add the data itself into the call to Cerbos (via some kind of wrapper that you'd have to write) like what Charith said or you include the data as AuxData payload (in a JWT). I won't recommend the latter unless you are comfortable with possibly exposing some internal information (JWTs are not designed to be private).
In my company, the layer that acts as the PIP is our FastAPI layer.
Horia Constantin
02/07/2023, 12:05 PM
Jesum Yip
02/07/2023, 12:30 PM
Charith (Cerbos)
02/07/2023, 1:19 PM
Horia Constantin
02/07/2023, 1:30 PM
Jesum Yip
02/07/2023, 1:33 PM
Horia Constantin
02/07/2023, 3:10 PM
Jesum Yip
02/07/2023, 9:54 PM
Horia Constantin
02/08/2023, 10:27 AM
Charith (Cerbos)
02/08/2023, 10:45 AM
Jesum Yip
02/08/2023, 11:10 AM
Sunil
02/16/2023, 3:03 PM