Cerbos 是一款云原生應(yīng)用的訪問控制工具，通過為應(yīng)用程序資源編寫上下文感知訪問控制策略來增強(qiáng)授權(quán)控制。

• 使用直觀的 YAML 配置語言編寫訪問規(guī)則
• 使用 Git-ops 基礎(chǔ)架構(gòu)來測(cè)試和部署
• 向 Cerbos PDP 發(fā)出簡(jiǎn)單的 API 請(qǐng)求，以評(píng)估策略并做出動(dòng)態(tài)訪問決策

用例：

派生角色：根據(jù)上下文數(shù)據(jù)為用戶動(dòng)態(tài)分配新角色。

---
apiVersion: "api.cerbos.dev/v1"
derivedRoles:
  name: common_roles
  definitions:
    - name: owner
      parentRoles: ["user"]
      condition:
        match:
          expr: request.resource.attr.owner == request.principal.id

    - name: abuse_moderator
      parentRoles: ["moderator"]
      condition:
        match:
          expr: request.resource.attr.flagged == true

 資源策略：為資源編寫訪問規(guī)則。

---
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  importDerivedRoles:
    - common_roles
  resource: "album:object"
  version: "default"
  rules:
    - actions: ['*']
      effect: EFFECT_ALLOW
      derivedRoles:
        - owner

    - actions: ['view', 'flag']
      effect: EFFECT_ALLOW
      roles:
        - user
      condition:
        match:
          expr: request.resource.attr.public == true

    - actions: ['view', 'delete']
      effect: EFFECT_ALLOW
      derivedRoles:
        - abuse_moderator

API 請(qǐng)求

cat <<EOF | curl --silent "http://localhost:3592/api/check?pretty" -d @-
{
  "requestId":  "test01",
  "actions":  ["view"],
  "resource":  {
    "kind":  "album:object",
    "instances": {
      "XX125": {
        "attr":  {
          "owner":  "alicia",
          "id":  "XX125",
          "public": false,
          "flagged": false
        }
      }
    }
  },
  "principal":  {
    "id":  "alicia",
    "roles":  ["user"]
  }
}
EOF

API 響應(yīng)

{
  "requestId": "test01",
  "resourceInstances": {
    "XX125": {
      "actions": {
        "view": "EFFECT_ALLOW"
      }
    }
  }
}