Admin UI authorization using Cedar Policy
Arnab Dutta edited this page Oct 9, 2024
# Evaluate a single authorization request with the Cedar CLI:
#   --policies      the policy templates (policies.cedar)
#   -k linked       the template-link file (JSON array of template_id / link_id / args)
#   --schema        the schema used to validate entities and the request
#   --entities      the entity store (users and features, entities.json)
#   --request-json  the principal / action / resource / context to decide (test.json)
cedar authorize --policies policies.cedar -k linked --schema policies.cedarschema --schema-format cedar --entities entities.json --request-json test.json
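// Template: grant read access to one Feature for one principal.
// The ?principal and ?resource slots are filled per link in the
// template-link file. The action is pinned to Read so that a "view"
// link cannot be exercised for Write or Delete on the same Feature.
@id("ViewFeature")
permit(
    principal == ?principal,
    action == Action::"Read",
    resource == ?resource
)
when {
    // Every permission string the Feature requires must be granted by the
    // principal's roles. containsAll of an empty set is true, so a Feature
    // with no required permissions is open to any linked principal.
    principal.rolePermissionsMap.permission.containsAll(resource.permission)
};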
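// Template: grant write access to one Feature for one principal.
// The ?principal and ?resource slots are filled per link in the
// template-link file. The action is pinned to Write so that an "edit"
// link does not also cover Read or Delete on the same Feature.
@id("EditFeature")
permit(
    principal == ?principal,
    action == Action::"Write",
    resource == ?resource
)
when {
    // Every permission string the Feature requires must be granted by the
    // principal's roles. containsAll of an empty set is true, so a Feature
    // with no required permissions is open to any linked principal.
    principal.rolePermissionsMap.permission.containsAll(resource.permission)
};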
[
{
"template_id": "ViewFeature",
"link_id": "ViewOIDCClientJohn",
"args": {
"?principal": "User::\"John\"",
"?resource": "Feature::\"oidc_client_view\""
}
},
{
"template_id": "EditFeature",
"link_id": "EditOIDCClientJohn",
"args": {
"?principal": "User::\"Ahmad\"",
"?resource": "Feature::\"oidc_client_view\""
}
}
]
[
{
"uid": { "type": "User", "id": "John" },
"attrs": {
"rolePermissionsMap": {
"role": ["api-viewer"],
"permission": ["https://jans.io/oauth/config/openid/clients.readonly", "https://jans.io/oauth/config/scopes.readonly"]
},
"username": "John",
"sub": "dsghsaAJ232345943572348643hadhasdklsa"
},
"parents": []
},
{
"uid": { "type": "User", "id": "Ahmad"},
"attrs" : {
"rolePermissionsMap": {
"role": ["api-admin"],
"permission": ["https://jans.io/oauth/config/openid/clients.readonly",
"https://jans.io/oauth/config/openid/clients.write",
"https://jans.io/oauth/config/openid/clients.delete",
"https://jans.io/oauth/config/scopes.readonly",
"https://jans.io/oauth/config/scopes.write",
"https://jans.io/oauth/config/scopes.delete"]
},
"username": "ahmad",
"sub": "dsghsaAJ232345943572348643hadhasdklsad"
},
"parents": []
},
{
"uid": { "type": "Feature", "id": "oidc_client_view"},
"attrs" : {
"permission": [
"https://jans.io/oauth/config/openid/clients.readonly"
]
},
"parents": []
},
{
"uid": { "type": "Feature", "id": "oidc_client_edit"},
"attrs" : {
"permission": [
"https://jans.io/oauth/config/openid/clients.write"
]
},
"parents": []
},
{
"uid": { "type": "Feature", "id": "oidc_client_delete"},
"attrs" : {
"permission": [
"https://jans.io/oauth/config/openid/clients.delete"
]
},
"parents": []
},
{
"uid": { "type": "Feature", "id": "scope_view"},
"attrs" : {
"permission": [
"https://jans.io/oauth/config/scopes.readonly"
]
},
"parents": []
},
{
"uid": { "type": "Feature", "id": "scope_edit"},
"attrs" : {
"permission": [
"https://jans.io/oauth/config/scopes.write"
]
},
"parents": []
},
{
"uid": { "type": "Feature", "id": "scope_delete"},
"attrs" : {
"permission": [
"https://jans.io/oauth/config/scopes.delete"
]
},
"parents": []
}
]
// Cedar schema for the admin UI authorization model.

// Roles held by a principal and the flat set of permission strings those
// roles grant; the policies compare `permission` against a Feature's
// required permissions.
type RolePermissionsMap = {
role: Set<String>,
permission: Set<String>
};
// Role carries no attributes; it exists so a User may be placed under a Role
// via `in [Role]`. The sample entities.json sets "parents": [] for every user,
// so no hierarchy is exercised there.
entity Role;
entity User in [Role] {
sub: String,
username: String,
rolePermissionsMap: RolePermissionsMap,
};
// A Feature is a unit of the admin UI; `permission` lists every permission
// string a principal must hold to use it.
entity Feature= {
permission: Set<String>,
};
// Declared but not referenced by any action's appliesTo below, so requests
// are not validated against it; the sample requests send an empty context.
type Context = {
network: ipaddr,
network_type: String,
user_agent: String,
operating_system: String,
device_health: Set<String>,
current_time: Long,
geolocation: Set<String>,
fraud_indicators: Set<String>,
};
//actions
// Each action may be requested by a User or a Role against a Feature.
action Read appliesTo {
principal: [User, Role],
resource: Feature
};
action Write appliesTo {
principal: [User, Role],
resource: Feature
};
action Delete appliesTo {
principal: [User, Role],
resource: Feature
};
// ALLOW: John is linked to oidc_client_view through ViewFeature and holds clients.readonly, the permission that feature requires
{
"principal":"User::\"John\"",
"action":"Action::\"Read\"",
"resource":"Feature::\"oidc_client_view\"",
"context":{ }
}
// DENY: no template is linked for John on oidc_client_edit, and John does not hold clients.write, which that feature requires
{
"principal":"User::\"John\"",
"action":"Action::\"Write\"",
"resource":"Feature::\"oidc_client_edit\"",
"context":{ }
}