Comments (5)
charithe
commented on May 28, 2024
This has been asked for a couple of times. We don't support regexes for several reasons. Resource names are part of the policy identity and, from a usability perspective, regexes make it difficult for people to reason about policies because there's no longer a 1:1 mapping between resources. One of our goals is to make authorization logic human readable. Incomprehensible regexes defeat that purpose.
From a technical point of view, supporting this consistently and efficiently in the various storage backends we have is not easy. On some of them policy lookup could go from O(1) to O(n) + whatever the complexity of the regex is. We won't be able to use a compact index anymore so the memory and CPU use would go up quite a bit as well.
If you want to use the same policy for multiple resources, you could use scopes with lenient scope search to do that.
from cerbos.
veeral-patel
commented on May 28, 2024
No worries. This is a critical requirement for our use case to avoid duplicating policies many times, so I wanted to implement this myself in a fork.
What's the best way to do so? I've read through a lot of the Cerbos code so feel free to go into low level details.
My understanding is Cerbos has a internal hashmap: resource name -> policy. We'd no longer be able to look up the policy using this hash map. Instead, we'd need to:
- take the resource name regex
- find all keys in the hashmap matching that regex
- evaluate all those policies.
Is this what you would suggest?
from cerbos.
veeral-patel
commented on May 28, 2024
Or, if I wanted to do it using scopes and lenient scope search, how would I do that? Sorry, not getting the suggested idea, any additional details would be good :)
from cerbos.
charithe
commented on May 28, 2024
If you want to reuse a single policy for a bunch of resources, you can use scopes for that.
- Define your policy. Let's call it
shared. - When you make an API call to Cerbos, use the resource kind
sharedand set the scope to your actual resource kind. - When lenient scope search is enabled, if there's no policy matching the requested scope, Cerbos will fall back to the parent policy (
shared) - If you want to override the policy rules for a particular resource, all you need to do is add a policy definition with its
scopeset to that resource kind.
from cerbos.
veeral-patel
commented on May 28, 2024
Ok, that makes sense -- thank you!
from cerbos.
Related Issues (20)
- Adding a YAML based policy via API? HOT 2
- Typo in docs
- Wrong HTTP API endpoint in docs HOT 3
- Are policies updated in-memory after being added or updated to the database? HOT 2
- Hibernate/JPA Query Plan Adapter HOT 2
- Clarify principal.id is matched for principal policies in the docs
- Variables referencing variables produce nondeterministic output HOT 2
- Support SIGHUP logrotation for audit (and other logs) HOT 5
- Audit events via gRPC endpoint HOT 4
- Collect E2E coverage profiles
- Handle leading `./` on Git store `subDir` config consistently
- Update cel-go to v0.18.0 HOT 1
- Change deprecated OTel jaeger exporter HOT 7
- Migrate to protovalidate
- auxData.jwt.disableVerification not operating as expected HOT 3
- Breaking change b/w cerbos v0.29.0 and dev HOT 2
- Update recommended nvim package manager in docs HOT 2
- Upgrade CEL to 0.18 HOT 2
- Improve error messages when gRPC endpoint doesn't exist
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from cerbos.