# Cedarling Nativity Plan
- Needs to call the WASM component using a few JavaScript lines of code (ideally 1-2)
- Input from the JS component is an object:

```javascript
input = {
  "tokens": {
    "access_token": "...",
    "id_token": "...",
    "userinfo_token": "...",
    "tx_token": "..."
  },
  "resource": {"id": "12345", "type": "Ticket", "creator": "[email protected]", "organization": "gluu"},
  "action": "View",
  "context": {
    "ip_address": "54.9.21.201",
    "network_type": "VPN",
    "user_agent": "Chrome 125.0.6422.77 (Official Build) (arm64)",
    "time": "1719266610.98636"
  }
}
decision_result = authz(input)
```
- `tokens`: Object with token_type as key. At least one token is required; it could be any of `access_token`, `id_token`, or `userinfo_token`.
- `resource`: Object
- `action`: Cedar syntax action
- `context`: Object
Bootstrap properties:

- `CEDARLING_APPLICATION_NAME`: Human friendly identifier for this application
- `CEDARLING_LOCAL_POLICY_STORE`: JSON object with policy store
- `CEDARLING_POLICY_STORE_LOCAL_FN`: Local file with JSON object with policy store
- `CEDARLING_POLICY_STORE_URI`: Location of policy store JSON, used if the policy store is not local, or retrieved from Lock Master.
- `CEDARLING_POLICY_STORE_ID`: The identifier of the policy store in case there is more than one policy_store_id in the policy store.
- `CEDARLING_USER_AUTHZ`: When `enabled`, Cedar engine authorization is queried for a User principal.
- `CEDARLING_WORKLOAD_AUTHZ`: When `enabled`, Cedar engine authorization is queried for a Workload principal.
- `CEDARLING_USER_WORKLOAD_BOOLEAN_OPERATION`: `AND`, `OR`
- `CEDARLING_USER_IDENTIFIER`: default `sub` -- uses the specified claim of the id_token or userinfo_token as the Cedar User entity identifier. If none present, ignores token.
- `CEDARLING_WORKLOAD_IDENTIFIER`: default `client_id` -- uses the specified claim of the access_token as the Cedar Workload entity identifier. If none present, ignores token.
- `CEDARLING_MAPPING_USER`: Name of Cedar User schema entity
- `CEDARLING_MAPPING_WORKLOAD`: Name of Cedar Workload schema entity
- `CEDARLING_MAPPING_ID_TOKEN`: Name of Cedar id_token schema entity
- `CEDARLING_MAPPING_ACCESS_TOKEN`: Name of Cedar access_token schema entity
- `CEDARLING_MAPPING_USERINFO_TOKEN`: Name of Cedar userinfo schema entity
The following bootstrap properties are needed to configure log behavior:
- `CEDARLING_LOG_STORAGE`: `off`, `memory`, `std_out`
- `CEDARLING_LOG_LEVEL`: System log level, see below. Defaults to `WARN`.
- `CEDARLING_LOG_STDOUT_TYPE`: Either `System`, `Metric`, or `Decision`. Defaults to `System`.
- `CEDARLING_DECISION_LOG_USER_CLAIMS`: List of claims to map from the user entity, such as `["sub", "email", "username", ...]`
- `CEDARLING_DECISION_LOG_WORKLOAD_CLAIMS`: List of claims to map from the workload entity, such as `["client_id", "rp_id", ...]`
- `CEDARLING_DECISION_LOG_DEFAULT_JWT_ID`: Default is `jti`, but perhaps some other claim is needed.
- `CEDARLING_LOG_TTL`: In case of the `memory` store, TTL (time to live) of log entries in seconds.
- `CEDARLING_LOG_SEND_TELEMETRY_TO_IMPROVE_PROJECT`: Default is `enabled`. Whether to send back non-PII usage information to the Janssen Project, used by the developers to improve the Cedarling.
The following bootstrap properties are needed to configure JWT and cryptographic behavior:
- `CEDARLING_LOCAL_JWKS`: JWKS file with public keys
- `CEDARLING_JWT_SIG_VALIDATION`: `Enabled` | `Disabled` -- Whether to check the signature of all JWT tokens. This requires an `iss` to be present.
- `CEDARLING_JWT_STATUS_VALIDATION`: `Enabled` | `Disabled` -- Whether to check the status of the JWT. On startup, the Cedarling should fetch and retrieve the latest Status List JWT from the `.well-known/openid-configuration` via the `status_list_endpoint` claim and cache it. See the IETF Draft for more info.
- `CEDARLING_JWT_SIGNATURE_ALGORITHMS_SUPPORTED`: Only tokens signed with these algorithms are acceptable to the Cedarling.
- `CEDARLING_AT_ISS_VALIDATION`: When enabled, the `iss` claim must be present in the access token and the scheme must be `https`.
- `CEDARLING_AT_JTI_VALIDATION`: When enabled, the `jti` claim must be present in the access token.
- `CEDARLING_AT_NBF_VALIDATION`: When enabled, the `nbf` claim must be present in the access token and the Cedarling should verify that the current date is after the `nbf`.
- `CEDARLING_AT_EXP_VALIDATION`: When enabled, the `exp` claim must be present and not past the date specified.
- `CEDARLING_IDT_ISS_VALIDATION`: When enabled, the `iss` claim must be present in the id_token and the scheme must be `https`.
- `CEDARLING_IDT_SUB_VALIDATION`: When enabled, the `sub` claim must be present in the id_token.
- `CEDARLING_IDT_EXP_VALIDATION`: When enabled, the `exp` claim must be present and not past the date specified.
- `CEDARLING_IDT_IAT_VALIDATION`: When enabled, the `iat` claim must be present in the id_token.
- `CEDARLING_IDT_AUD_VALIDATION`: When enabled, the `aud` claim must be present in the id_token.
- `CEDARLING_USERINFO_ISS_VALIDATION`: When enabled, the `iss` claim must be present and the scheme must be `https`.
- `CEDARLING_USERINFO_SUB_VALIDATION`: When enabled, the `sub` claim must be present in the Userinfo JWT.
- `CEDARLING_USERINFO_AUD_VALIDATION`: When enabled, the `aud` claim must be present in the Userinfo JWT.
- `CEDARLING_USERINFO_EXP_VALIDATION`: When enabled, the `exp` claim must be present and not past the date specified.
- `CEDARLING_ID_TOKEN_TRUST_MODE`: `Strict` | `None`. Varying levels of validation based on the preference of the developer. `Strict` mode requires (1) the id_token `aud` matches the access_token `client_id`; (2) if a Userinfo token is present, its `sub` matches the id_token and its `aud` matches the access token `client_id`.
- `CEDARLING_TOKEN_ENTITY_MAPPER`: A JSON `Object` which allows users to configure if token entities are added into principal entities. See below for more information.
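As an added example (not Cedarling's code), the per-token claim checks and the `Strict` trust-mode cross-checks listed above applied to already-decoded claims. It assumes the access token carries a `client_id` claim and that the constructed claim sets were already signature-verified; the function and constant names are this example's own.

```python
"""Added example (not Cedarling's code): the per-token claim checks and the Strict
id_token trust-mode cross-checks described above, run on already-decoded claims.
Signature and status-list verification are separate steps not shown here."""
import time

# (bootstrap property, token, claim, kind) - kind selects the check applied to the claim.
CLAIM_RULES = [
    ("CEDARLING_AT_ISS_VALIDATION", "access_token", "iss", "https_iss"),
    ("CEDARLING_AT_JTI_VALIDATION", "access_token", "jti", "present"),
    ("CEDARLING_AT_NBF_VALIDATION", "access_token", "nbf", "nbf"),
    ("CEDARLING_AT_EXP_VALIDATION", "access_token", "exp", "exp"),
    ("CEDARLING_IDT_ISS_VALIDATION", "id_token", "iss", "https_iss"),
    ("CEDARLING_IDT_SUB_VALIDATION", "id_token", "sub", "present"),
    ("CEDARLING_IDT_EXP_VALIDATION", "id_token", "exp", "exp"),
    ("CEDARLING_IDT_IAT_VALIDATION", "id_token", "iat", "present"),
    ("CEDARLING_IDT_AUD_VALIDATION", "id_token", "aud", "present"),
    ("CEDARLING_USERINFO_ISS_VALIDATION", "userinfo_token", "iss", "https_iss"),
    ("CEDARLING_USERINFO_SUB_VALIDATION", "userinfo_token", "sub", "present"),
    ("CEDARLING_USERINFO_AUD_VALIDATION", "userinfo_token", "aud", "present"),
    ("CEDARLING_USERINFO_EXP_VALIDATION", "userinfo_token", "exp", "exp"),
]

def validate_tokens(tokens, disabled=frozenset(), trust_mode="Strict", now=None):
    """Return the list of violations (empty means every enabled check passed).
    `disabled` holds the CEDARLING_* property names set to Disabled; all others are on.
    Tokens that were not supplied are skipped, since only one token is required."""
    now = int(time.time()) if now is None else now
    errors = []
    for prop, token, claim, kind in CLAIM_RULES:
        if prop in disabled or token not in tokens:
            continue
        value = tokens[token].get(claim)
        if value is None:
            errors.append(f"{token}: missing required claim {claim}")
        elif kind == "https_iss" and not str(value).startswith("https://"):
            errors.append(f"{token}: iss must use the https scheme")
        elif kind == "nbf" and now < value:          # valid only once now is past nbf
            errors.append(f"{token}: not yet valid (nbf={value})")
        elif kind == "exp" and now >= value:         # exp must still lie in the future
            errors.append(f"{token}: expired (exp={value})")
    if trust_mode == "Strict":
        errors += strict_cross_checks(tokens)
    return errors

def strict_cross_checks(tokens):
    """Strict mode: (1) id_token aud == access_token client_id; (2) when a userinfo token
    is present, its sub == id_token sub and its aud == access_token client_id.
    Treating a missing id_token or access_token as a violation is this example's choice."""
    idt, at, ui = tokens.get("id_token"), tokens.get("access_token"), tokens.get("userinfo_token")
    if idt is None or at is None:
        return ["Strict mode requires both an id_token and an access_token"]
    client_id = at.get("client_id")
    errors = []
    if idt.get("aud") != client_id:
        errors.append("id_token aud does not match access_token client_id")
    if ui is not None:
        if ui.get("sub") != idt.get("sub"):
            errors.append("userinfo_token sub does not match id_token sub")
        if ui.get("aud") != client_id:
            errors.append("userinfo_token aud does not match access_token client_id")
    return errors

# Constructed decoded claim sets; NOW matches context.time in the input example above and
# CLIENT_ID / SUB echo identifiers from the page's decision log sample.
NOW = 1719266610
CLIENT_ID = "d7f71bea-c38d-4caf-a1ba-e43c74a11a62"
SUB = "qzxn1Scrb9lWtGxVedMCky-Ql_ILspZaQA6fyuYktw0"
ISS = "https://account.gluu.org"
GOOD_TOKENS = {
    "access_token": {"iss": ISS, "jti": "PiLYppReSD2Ldkuyd72KPI", "client_id": CLIENT_ID,
                     "nbf": NOW - 60, "exp": NOW + 3600},
    "id_token": {"iss": ISS, "sub": SUB, "aud": CLIENT_ID, "iat": NOW - 60, "exp": NOW + 3600},
    "userinfo_token": {"iss": ISS, "sub": SUB, "aud": CLIENT_ID, "exp": NOW + 3600},
}
# Same tokens, but the userinfo token belongs to another subject and the id_token iss is http.
MIXED_TOKENS = {
    **GOOD_TOKENS,
    "id_token": {**GOOD_TOKENS["id_token"], "iss": "http://account.gluu.org"},
    "userinfo_token": {**GOOD_TOKENS["userinfo_token"], "sub": "someone-else"},
}
```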
The following bootstrap properties are only needed for enterprise deployments.
- `CEDARLING_LOCK`: `Enabled` | `Disabled`. If Enabled, the Cedarling will connect to the Lock Master for policies, and subscribe for SSE events.
- `CEDARLING_LOCK_MASTER_CONFIGURATION_URI`: Required if `LOCK` == `Enabled`. URI where Cedarling can get the JSON file with all required metadata about Lock Master, i.e. `.well-known/lock-master-configuration`.
- `CEDARLING_LOCK_DYNAMIC_CONFIGURATION`: `Enabled` | `Disabled`, controls whether Cedarling should listen for SSE config updates.
- `CEDARLING_LOCK_SSA_JWT`: SSA for DCR in a Lock Master deployment. The Cedarling will validate this SSA JWT prior to DCR.
- `CEDARLING_LOCK_LOG_INTERVAL`: How often to send log messages to Lock Master (0 to turn off transmission).
- `CEDARLING_LOCK_HEALTH_INTERVAL`: How often to send health messages to Lock Master (0 to turn off transmission).
- `CEDARLING_LOCK_TELEMETRY_INTERVAL`: How often to send telemetry messages to Lock Master (0 to turn off transmission).
- `CEDARLING_LOCK_LISTEN_SSE`: `Enabled` | `Disabled`: controls whether Cedarling should listen for updates from the Lock Server.
The Cedarling Policy Store is a JSON file that contains all the data the Cedarling needs to verify JWT tokens and evaluate policies:
- Cedar Schema - JSON format Schema file
- Cedar Policies - JSON format Policy Set file (beware CLI bug cedar-950)
- Trusted Issuers - JSON file with below syntax
Schema of `cedarling_store.json`:

```json
{
  "cedar_version": "v4.0.0",
  "policy_store_version": "1.2.4",
  "policy_stores": {
    "some_random_id": {
      "name": "",
      "description": "",
      "policies": {...},
      "trusted_issuers": {...},
      "schema": ""
    }
  }
}
```

Currently the Cedarling supports only one `policy_store` in the `policy_stores` map. The map exists so that more than one store can be added later without an incompatible change.
This record contains the information needed to validate tokens from this issuer:
```
{
  "name": "Google",
  "description": "Consumer IDP",
  "openid_configuration_endpoint": "https://accounts.google.com/.well-known/openid-configuration",
  "access_tokens": {
    "trusted": true,                 <---- Allows to toggle configuration without deleting it
    "principal_identifier": "jti",   <---- Maps to Cedar entity identifier
    ...                              <---- `Token Entity Metadata Schema` values
  },
  "id_tokens": {
    "principal_identifier": "jti",
    ...
  },
  "userinfo_tokens": {
    "principal_identifier": "sub",
    ...
  },
  "tx_tokens": {
    "principal_identifier": "jti",
    ...
  }
}
```
Token Entity Metadata Schema:

```
{
  "user_id": "...",             <-- OPTIONAL e.g. email, sub, uid
  "role_mapping": "...",        <-- OPTIONAL e.g. role, memberOf
  "claim_mapping": {            <-- OPTIONAL
    "email_address": {
      "parser": "regex",
      "type": "Jans::email_address",
      "regex_expression": "^(?P<UID>[^@]+)@(?P<DOMAIN>.+)$",
      "UID": {"attr": "uid", "type": "String"},
      "DOMAIN": {"attr": "domain", "type": "String"}
    },
    "picture_url": {
      "parser": "regex",
      "type": "Jans::Url",
      "regex_expression": "(?x) ^(?P<SCHEME>[a-zA-Z][a-zA-Z0-9+.-]*):\\/\\/(?P<HOST>[^\\/:\\#?]+)(?::(?<PORT>\\d+))?(?P<PATH>\\/[^?\\#]*)?(?:\\?(?P<QUERY>[^\\#]*))?(?:(?P<FRAGMENT>.*))?",
      "SCHEME": {"attr": "scheme", "type": "String"},
      "HOST": {"attr": "host", "type": "String"},
      "PORT": {"attr": "port", "type": "String"},
      "PATH": {"attr": "path", "type": "String"},
      "QUERY": {"attr": "query", "type": "String"},
      "FRAGMENT": {"attr": "fragment", "type": "String"}
    }
  }
}
```
- `user_id` - the field in the JWT payload that should be used to retrieve the id of the `User` entity.
- `role_mapping` - this field in the JWT payload specifies which field(s) should be used to retrieve the id of the `Role` entity. It can be either a string or an array. If an array is provided, multiple `Role` entities will be created, and authorization will be attempted for each one until a permit status is achieved.
- `claim_mapping` - used for mapping JWT payload values to types defined in the cedar-policy schema. The mapping fields (`"attr"`) should match the attributes of the type in the cedar-policy schema. It is very important to use the correct `namespace` and `typename` for proper mapping.
In a regex attribute mapping such as `"UID": {"attr": "uid", "type":"String"}`, the `type` field can take these values:

- `String` - the string is used without transformation
- `Number` - the string is parsed to a float64 (JSON number); on error the default value is returned
- `Boolean` - if the string is NOT empty it maps to true, else false

Note the use of regex named capture groups, which are more readable because parts of a regex match are referred to by descriptive names rather than numbers. For example, `(?P<name>...)` defines a named capture group where `name` is the identifier and `...` is the regex pattern for what you want to capture.

When you use the `(?x)` modifier in a regexp, ensure that you escape the `#` character as `\#`.
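As an added example (not Cedarling's code), a small evaluator for `claim_mapping` entries of the form shown above, including the `String`/`Number`/`Boolean` conversion rules and the `(?x)`/`\#` point. The config is constructed here: the `Url` pattern uses `(?P<...>)` for every group (Python's `re` syntax), `PORT` is typed `Number` to exercise that path, and the `Number` default value of `0.0` is this example's choice since the page does not specify it.

```python
"""Added example (not Cedarling's code): applies claim_mapping entries of the form shown
above to JWT claim values, yielding the attributes of the target Cedar record type."""
import re

# Constructed config mirroring the page's email_address and Url mappings. Differences:
# the Url pattern is written with (?P<...>) for every group (Python's re syntax) and
# PORT is typed Number so that conversion path is exercised.
CLAIM_MAPPING = {
    "email_address": {
        "parser": "regex",
        "type": "Jans::email_address",
        "regex_expression": r"^(?P<UID>[^@]+)@(?P<DOMAIN>.+)$",
        "UID": {"attr": "uid", "type": "String"},
        "DOMAIN": {"attr": "domain", "type": "String"},
    },
    "picture_url": {
        "parser": "regex",
        "type": "Jans::Url",
        # (?x) verbose mode, so the literal '#' must be escaped as \# (see the note above)
        "regex_expression": r"(?x) ^(?P<SCHEME>[a-zA-Z][a-zA-Z0-9+.-]*):\/\/(?P<HOST>[^\/:\#?]+)"
                            r"(?::(?P<PORT>\d+))?(?P<PATH>\/[^?\#]*)?(?:\?(?P<QUERY>[^\#]*))?"
                            r"(?:(?P<FRAGMENT>.*))?",
        "SCHEME": {"attr": "scheme", "type": "String"},
        "HOST": {"attr": "host", "type": "String"},
        "PORT": {"attr": "port", "type": "Number"},
        "PATH": {"attr": "path", "type": "String"},
        "QUERY": {"attr": "query", "type": "String"},
        "FRAGMENT": {"attr": "fragment", "type": "String"},
    },
}
RESERVED_KEYS = {"parser", "type", "regex_expression"}


def convert(text, type_name, default=0.0):
    """Type rules from the page: String unchanged, Number -> float64 or `default` on a
    parse error (the default value itself is this example's choice), Boolean -> True
    exactly when the captured string is non-empty."""
    if type_name == "Number":
        try:
            return float(text)
        except ValueError:
            return default
    if type_name == "Boolean":
        return text != ""
    if type_name == "String":
        return text
    raise ValueError(f"unknown attribute type {type_name!r}")


def apply_claim_mapping(mapping, claim_value):
    """Return (cedar_type, attrs) for one claim_mapping entry, or None when the regex does
    not match, so the caller can leave the optional attribute unset."""
    if mapping.get("parser") != "regex":
        raise ValueError(f"unsupported parser {mapping.get('parser')!r}")
    match = re.match(mapping["regex_expression"], claim_value)
    if match is None:
        return None
    attrs = {}
    for group, spec in mapping.items():
        if group in RESERVED_KEYS:
            continue
        # A group that did not participate in the match is treated as the empty string.
        attrs[spec["attr"]] = convert(match.group(group) or "", spec["type"])
    return mapping["type"], attrs


# Constructed claim values (the domain/uid echo the User entity in the decision log below).
SAMPLE_EMAIL = "admin@jans.test"
SAMPLE_PICTURE = "https://jans.test:8443/img/avatar.png?size=large#top"
```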
Currently the Cedarling only supports one Namespace. All types and entities must be in the same Namespace.
```cedar
namespace Jans {
  // ****** TYPES ******
  type Url = {
    host: String,
    path: String,
    protocol: String
  };
  type email_address = {
    domain: String,
    uid: String
  };
  type Context = {
    network?: String,
    network_type?: String,
    user_agent?: String,
    operating_system?: String,
    device_health?: Set<String>,
    current_time?: Long,
    geolocation?: Set<String>,
    fraud_indicators?: Set<String>,
  };
  // ****** Entities ******
  entity Role;
  entity User in [Role] = {
    email?: email_address,
    phone_number?: String,
    role: Set<String>,
    sub: String,
    "username"?: String,
    id_token?: id_token,
    userinfo_token?: Userinfo_token,
  };
  entity Workload = {
    client_id: String,
    iss: TrustedIssuer,
    name?: String,
    rp_id?: String,
    spiffe_id?: String,
    access_token?: Access_token,
  };
  entity Access_token = {
    aud: String,
    exp: Long,
    iat: Long,
    iss: TrustedIssuer,
    jti?: String,
    nbf?: Long,
    scope?: Set<String>
  };
  entity id_token = {
    acr?: String,
    amr?: Set<String>,
    aud: String,
    azp?: String,
    birthdate?: String,
    email?: email_address,
    exp: Long,
    iat: Long,
    iss: TrustedIssuer,
    jti?: String,
    name?: String,
    phone_number?: String,
    role?: Set<String>,
    sub: String
  };
  entity Userinfo_token = {
    aud: String,
    birthdate?: String,
    email?: email_address,
    exp?: Long,
    iat?: Long,
    iss: TrustedIssuer,
    jti?: String,
    name?: String,
    phone_number?: String,
    role?: Set<String>,
    sub: String
  };
  entity HTTP_Request = {
    "header": {
      "Accept"?: String
    },
    "url": Url
  };
  entity TrustedIssuer = {
    issuer_entity_id: Url
  };
  entity Application = {
    app_id: String,
    name: String,
    url: Url
  };
  // ****** Actions ******
  action Compare appliesTo {
    principal: [User, Workload],
    resource: [Application],
    context: Context
  };
  action Execute appliesTo {
    principal: [User, Workload],
    resource: [Application],
    context: Context
  };
  action Monitor appliesTo {
    principal: [User, Workload],
    resource: [Application],
    context: Context
  };
  action Read appliesTo {
    principal: [User, Workload],
    resource: [Application],
    context: Context
  };
  action Search appliesTo {
    principal: [User, Workload],
    resource: [Application],
    context: Context
  };
  action Share appliesTo {
    principal: [User, Workload],
    resource: [Application],
    context: Context
  };
  action Tag appliesTo {
    principal: [User, Workload],
    resource: [Application],
    context: Context
  };
  action Write appliesTo {
    principal: [User, Workload],
    resource: [Application],
    context: Context
  };
  action GET appliesTo {
    principal: [Workload],
    resource: [HTTP_Request],
    context: Context
  };
  action PUT appliesTo {
    principal: [Workload],
    resource: [HTTP_Request],
    context: Context
  };
  action DELETE appliesTo {
    principal: [Workload],
    resource: [HTTP_Request],
    context: Context
  };
  action HEAD appliesTo {
    principal: [Workload],
    resource: [HTTP_Request],
    context: Context
  };
  action PATCH appliesTo {
    principal: [Workload],
    resource: [HTTP_Request],
    context: Context
  };
}
```
Entities are created as follows:

- TrustedIssuer: Created on startup from Policy Store
- Workload: Created from access token `client_id`
- Application: Created if input supplies an Application name
- Role: Created for each `role` claim value in the joined id_token and userinfo token
- User: Created based on the joined id_token and userinfo token. `sub` is the entity identifier
- Access_token: 1:1 mapping from claims in token
- id_token: 1:1 mapping from claims in token
- Userinfo_token: 1:1 mapping from claims in token
The bootstrap property `CEDARLING_TOKEN_ENTITY_MAPPER` allows the user to define which principal a token entity will be included in. Token entities that do not have a mapping will not be automatically included in the principal entities.

Consider the following configuration that maps various tokens to specific principal entities:

- access_token → Jans::Workload
- userinfo_token → Jans::User
- id_token → Jans::User
- customer1_token → Customer::Widget

This configuration can be set in `CEDARLING_TOKEN_ENTITY_MAPPER` as follows:

```json
{
  "id_token": "Jans::User",
  "userinfo_token": "Jans::User",
  "access_token": "Jans::Workload",
  "customer1_token": "Customer::Widget"
}
```
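As an added example (not Cedarling's code) covering both the entity creation rules and the token entity mapper above, the following builds Cedar entities in the JSON entity format used by the decision log further down from decoded token claims. It assumes `iss` is present on every token, that userinfo claims take precedence over id_token claims in the join, and that `jti` identifies each token entity; the claim values are constructed, echoing identifiers from the page's log sample.

```python
"""Added example (not Cedarling's code): builds Cedar entities in the JSON entity format
used by the decision log below from decoded token claims, following the creation rules
listed above and a CEDARLING_TOKEN_ENTITY_MAPPER configuration."""

NAMESPACE = "Jans"
# Same mapping as the CEDARLING_TOKEN_ENTITY_MAPPER example above, minus the Customer token.
TOKEN_ENTITY_MAPPER = {
    "id_token": "Jans::User",
    "userinfo_token": "Jans::User",
    "access_token": "Jans::Workload",
}
# Entity type and identifying claim per token (the issuer record's principal_identifier).
TOKEN_ENTITY_TYPES = {
    "access_token": ("Jans::Access_token", "jti"),
    "id_token": ("Jans::id_token", "jti"),
    "userinfo_token": ("Jans::Userinfo_token", "jti"),
}

def entity(etype, eid, attrs=None, parents=None):
    return {"uid": {"type": etype, "id": eid}, "attrs": attrs or {}, "parents": parents or []}

def ref(etype, eid):
    """Entity reference attribute value, as used for `iss` in the decision log entities."""
    return {"__entity": {"type": etype, "id": eid}}

def find(entities, etype):
    """First entity of the given type (helper for inspecting the result)."""
    return next(e for e in entities if e["uid"]["type"] == etype)

def build_entities(tokens, mapper=TOKEN_ENTITY_MAPPER):
    entities, token_refs = [], {}
    # Token entities: 1:1 copy of the claims, with iss (assumed present) rewritten to a
    # TrustedIssuer reference.
    for name, (etype, id_claim) in TOKEN_ENTITY_TYPES.items():
        if name in tokens:
            attrs = dict(tokens[name])
            attrs["iss"] = ref(f"{NAMESPACE}::TrustedIssuer", attrs["iss"])
            entities.append(entity(etype, attrs[id_claim], attrs))
            token_refs[name] = ref(etype, attrs[id_claim])

    # User: built from the joined id_token and userinfo claims (assumption: userinfo values
    # take precedence); sub is the identifier and each role value becomes a Role parent.
    joined = {**tokens.get("id_token", {}), **tokens.get("userinfo_token", {})}
    if "sub" in joined:
        roles = joined.get("role", [])
        roles = [roles] if isinstance(roles, str) else list(roles)
        entities.extend(entity(f"{NAMESPACE}::Role", r) for r in roles)
        user_attrs = {k: joined[k] for k in ("sub", "name", "phone_number") if k in joined}
        user_attrs["role"] = roles
        # Attach only the token entities the mapper assigns to this principal.
        user_attrs.update({t: token_refs[t] for t in token_refs if mapper.get(t) == f"{NAMESPACE}::User"})
        parents = [{"type": f"{NAMESPACE}::Role", "id": r} for r in roles]
        entities.append(entity(f"{NAMESPACE}::User", joined["sub"], user_attrs, parents))

    # Workload: identified by the access token's client_id.
    at = tokens.get("access_token")
    if at and "client_id" in at:
        wl_attrs = {"client_id": at["client_id"], "iss": ref(f"{NAMESPACE}::TrustedIssuer", at["iss"])}
        wl_attrs.update({t: token_refs[t] for t in token_refs if mapper.get(t) == f"{NAMESPACE}::Workload"})
        entities.append(entity(f"{NAMESPACE}::Workload", at["client_id"], wl_attrs))
    return entities

# Constructed decoded claims; identifiers echo the page's decision log sample.
SUB = "qzxn1Scrb9lWtGxVedMCky-Ql_ILspZaQA6fyuYktw0"
CLIENT_ID = "d7f71bea-c38d-4caf-a1ba-e43c74a11a62"
ISS = "https://account.gluu.org"
SAMPLE_TOKENS = {
    "access_token": {"jti": "uZUh1hDUQo6PFkBPnwpGzg", "iss": ISS, "client_id": CLIENT_ID},
    "id_token": {"jti": "ijLZO1ooRyWrgIn7cIdNyA", "iss": ISS, "sub": SUB, "aud": CLIENT_ID},
    "userinfo_token": {"jti": "OIn3g1SPSDSKAYDzENVoug", "iss": ISS, "sub": SUB, "aud": CLIENT_ID,
                       "name": "Default Admin User", "role": ["CasaAdmin"]},
}
```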
Example `.well-known/lock-master-configuration` document:

```json
{
  "version": "1.0",
  "issuer": "yurem-evolved-woodcock.gluu.info",
  "audit": {
    "health_endpoint": "https://yurem-evolved-woodcock.gluu.info/jans-lock/v1/audit/health",
    "log_endpoint": "https://yurem-evolved-woodcock.gluu.info/jans-lock/v1/audit/log",
    "telemetry_endpoint": "https://yurem-evolved-woodcock.gluu.info/jans-lock/v1/audit/telemetry"
  },
  "config": {
    "config_endpoint": "https://yurem-evolved-woodcock.gluu.info/jans-lock/v1/config",
    "issuers_endpoint": "https://yurem-evolved-woodcock.gluu.info/jans-lock/v1/config/issuers",
    "policy_endpoint": "https://yurem-evolved-woodcock.gluu.info/jans-lock/v1/config/policy",
    "schema_endpoint": "https://yurem-evolved-woodcock.gluu.info/jans-lock/v1/config/schema",
    "sse_endpoint": "https://yurem-evolved-woodcock.gluu.info/jans-lock/v1/sse"
  }
}
```
The Cedarling application has an internal logger. Using the configuration parameter `CEDARLING_LOG_TYPE` you can set up:

- `off` - disabled
- `memory` - store log entries in memory
- `std_out` - write log entry data to the standard output stream
- `lock` - centralize logs by sending them to the Jans Lock Server

Using the `memory` logger, we can set the time to live of entries in memory using `CEDARLING_LOG_TTL`.

Possible values for the field `log_type`:

- `Decision`
- `System`
- `Metric`
System log levels (`CEDARLING_LOG_LEVEL`):

- `FATAL`: Indicates very severe error events that will likely lead the application to abort. These are the most critical issues.
- `ERROR`: Designates error events that might still allow the application to continue running but indicate a significant problem.
- `WARN`: Designates potentially harmful situations that should be addressed to prevent future issues.
- `INFO`: Provides informational messages that highlight the progress of the application at a coarse-grained level.
- `DEBUG`: Designates fine-grained informational events useful for debugging the application.
- `TRACE`: Provides finer-grained informational events than DEBUG. It is often used for detailed tracing of program execution.
Log storage interface:

```rust
pub trait LogStorage {
    /// return logs and remove them from the storage
    fn pop_logs(&self) -> Vec<LogEntry>;
    /// get specific log entry
    fn get_log_by_id(&self, id: &str) -> Option<LogEntry>;
    /// returns a list of all log ids
    fn get_log_ids(&self) -> Vec<String>;
}
```
Example `System` log entry:

```json
{
  "request_id": "0193b8a1-03ce-788d-8721-43b94d01f7f5",
  "timestamp": "2024-12-12T04:09:40.302Z",
  "log_kind": "System",
  "pdp_id": "ecf15fdf-4b8d-4374-a41f-a47c470585c7",
  "level": "INFO",
  "msg": "Cedarling Authz initialized successfully",
  "application_id": "My App",
  "cedar_lang_version": "4.1.0",
  "cedar_sdk_version": "4.2.2"
}
```
Annotated sketch of a decision log entry:

```
{
  "request_id": "01937015-4649-7aad-8df8-4976e4bd8565",
  "timestamp": "2024-11-27T10:10:50.654Z",
  "pdp_id": "20939sdf9s89021304958",
  "policystore_id": "564lk460gdlfkg340",
  "policystore_version": "1.2.1",
  "principal": "User" | "Workload",
  "User": {"email":"[email protected]", "sub":"qzxn1Scrb9lWtGxVedMCky-Ql_ILspZaQA6fyuYktw0"},  <-- claims set in Bootstrap properties | could be empty
  "Workload": {"client_id":"123456", "rp_id": "5478963214"},                                      <-- claims set in Bootstrap properties | could be empty
  "diagnostics": {
    "reason": [
      {
        "id": "840da5d85403f35ea76519ed1a18a33989f855bf1cf8",
        "description": "simple policy for user"
      }
    ],
    "errors": []
  },
  "lock_client_id": "987654",
  "action": "Jans::Action::\"Read\"",
  "resource": "Jans::Application::\"some_id\"",
  "decision": "ALLOW",
  "tokens": {
    "id_token": {"jti": "ijLZO1ooRyWrgIn7cIdNyA"},
    "Userinfo": {"jti": "huKL87hhQuQcnhd5dQqZaZ"},
    "access": {"jti": "PiLYppReSD2Ldkuyd72KPI"}
  },
  "decision_time_ms": 1
}
```
Example `Decision` log entry:

```json
{
  "id": "01937015-4649-7aad-8df8-4976e4bd8565",
  "time": 1732752262,
  "log_kind": "Decision",
  "pdp_id": "75f0dc93-0a90-4076-95fa-dc16d3f00375",
  "msg": "Result of authorize.",
  "application_id": "TestApp",
  "action": "Jans::Action::\"Read\"",
  "resource": "Jans::Application::\"some_id\"",
  "context": {
    "user_agent": "Linux",
    "operating_system": "Linux",
    "network_type": "Local",
    "network": "127.0.0.1",
    "geolocation": [
      "America"
    ],
    "fraud_indicators": [
      "Allowed"
    ],
    "device_health": [
      "Healthy"
    ],
    "current_time": 1732752262
  },
  "entities": [
    {
      "uid": {
        "type": "Jans::Action",
        "id": "PUT"
      },
      "attrs": {},
      "parents": []
    },
    {
      "uid": {
        "type": "Jans::Action",
        "id": "Share"
      },
      "attrs": {},
      "parents": []
    },
    {
      "uid": {
        "type": "Jans::Action",
        "id": "PATCH"
      },
      "attrs": {},
      "parents": []
    },
    {
      "uid": {
        "type": "Jans::Action",
        "id": "HEAD"
      },
      "attrs": {},
      "parents": []
    },
    {
      "uid": {
        "type": "Jans::Action",
        "id": "Monitor"
      },
      "attrs": {},
      "parents": []
    },
    {
      "uid": {
        "type": "Jans::Action",
        "id": "Compare"
      },
      "attrs": {},
      "parents": []
    },
    {
      "uid": {
        "type": "Jans::User",
        "id": "qzxn1Scrb9lWtGxVedMCky-Ql_ILspZaQA6fyuYktw0"
      },
      "attrs": {
        "sub": "qzxn1Scrb9lWtGxVedMCky-Ql_ILspZaQA6fyuYktw0",
        "role": [
          "CasaAdmin"
        ],
        "email": {
          "domain": "jans.test",
          "uid": "admin"
        }
      },
      "parents": [
        {
          "type": "Jans::Role",
          "id": "CasaAdmin"
        }
      ]
    },
    {
      "uid": {
        "type": "Jans::id_token",
        "id": "ijLZO1ooRyWrgIn7cIdNyA"
      },
      "attrs": {
        "sub": "qzxn1Scrb9lWtGxVedMCky-Ql_ILspZaQA6fyuYktw0",
        "acr": "simple_password_auth",
        "exp": 1731956630,
        "jti": "ijLZO1ooRyWrgIn7cIdNyA",
        "amr": [],
        "aud": "d7f71bea-c38d-4caf-a1ba-e43c74a11a62",
        "iss": {
          "__entity": {
            "type": "Jans::TrustedIssuer",
            "id": "https://account.gluu.org"
          }
        },
        "iat": 1731953030
      },
      "parents": []
    },
    {
      "uid": {
        "type": "Jans::Action",
        "id": "Test"
      },
      "attrs": {},
      "parents": []
    },
    {
      "uid": {
        "type": "Jans::Workload",
        "id": "d7f71bea-c38d-4caf-a1ba-e43c74a11a62"
      },
      "attrs": {
        "iss": {
          "__entity": {
            "type": "Jans::TrustedIssuer",
            "id": "https://account.gluu.org"
          }
        },
        "client_id": "d7f71bea-c38d-4caf-a1ba-e43c74a11a62"
      },
      "parents": []
    },
    {
      "uid": {
        "type": "Jans::Action",
        "id": "Write"
      },
      "attrs": {},
      "parents": []
    },
    {
      "uid": {
        "type": "Jans::Action",
        "id": "Read"
      },
      "attrs": {},
      "parents": []
    },
    {
      "uid": {
        "type": "Jans::Role",
        "id": "CasaAdmin"
      },
      "attrs": {},
      "parents": []
    },
    {
      "uid": {
        "type": "Jans::Action",
        "id": "Search"
      },
      "attrs": {},
      "parents": []
    },
    {
      "uid": {
        "type": "Jans::Application",
        "id": "some_id"
      },
      "attrs": {
        "name": "Some Application",
        "app_id": "application_id",
        "url": {
          "host": "jans.test",
          "path": "/protected-endpoint",
          "protocol": "http"
        }
      },
      "parents": []
    },
    {
      "uid": {
        "type": "Jans::Action",
        "id": "GET"
      },
      "attrs": {},
      "parents": []
    },
    {
      "uid": {
        "type": "Jans::Action",
        "id": "Execute"
      },
      "attrs": {},
      "parents": []
    },
    {
      "uid": {
        "type": "Jans::Access_token",
        "id": "uZUh1hDUQo6PFkBPnwpGzg"
      },
      "attrs": {
        "nbf": 1731953030,
        "scope": [
          "email",
          "openid",
          "profile",
          "role"
        ],
        "exp": 1732121460,
        "aud": "d7f71bea-c38d-4caf-a1ba-e43c74a11a62",
        "iss": {
          "__entity": {
            "type": "Jans::TrustedIssuer",
            "id": "https://account.gluu.org"
          }
        },
        "jti": "uZUh1hDUQo6PFkBPnwpGzg",
        "iat": 1731953030
      },
      "parents": []
    },
    {
      "uid": {
        "type": "Jans::Userinfo_token",
        "id": "OIn3g1SPSDSKAYDzENVoug"
      },
      "attrs": {
        "aud": "d7f71bea-c38d-4caf-a1ba-e43c74a11a62",
        "jti": "OIn3g1SPSDSKAYDzENVoug",
        "email": {
          "domain": "jans.test",
          "uid": "admin"
        },
        "name": "Default Admin User",
        "iss": {
          "__entity": {
            "type": "Jans::TrustedIssuer",
            "id": "https://account.gluu.org"
          }
        },
        "role": [
          "CasaAdmin"
        ],
        "sub": "qzxn1Scrb9lWtGxVedMCky-Ql_ILspZaQA6fyuYktw0"
      },
      "parents": []
    },
    {
      "uid": {
        "type": "Jans::Action",
        "id": "DELETE"
      },
      "attrs": {},
      "parents": []
    },
    {
      "uid": {
        "type": "Jans::Action",
        "id": "Tag"
      },
      "attrs": {},
      "parents": []
    }
  ],
  "person_principal": "Jans::User::\"qzxn1Scrb9lWtGxVedMCky-Ql_ILspZaQA6fyuYktw0\"",
  "person_diagnostics": {
    "reason": [
      {
        "id": "840da5d85403f35ea76519ed1a18a33989f855bf1cf8",
        "description": "simple policy example for principal user"
      }
    ],
    "errors": []
  },
  "person_decision": "ALLOW",
  "workload_principal": "Jans::Workload::\"d7f71bea-c38d-4caf-a1ba-e43c74a11a62\"",
  "workload_diagnostics": {
    "reason": [
      {
        "id": "444da5d85403f35ea76519ed1a18a33989f855bf1cf8",
        "description": "simple policy example for principal workload"
      }
    ],
    "errors": []
  },
  "workload_decision": "ALLOW",
  "authorized": true
}
```
In the diagnostics, the `reason` array lists the policies that produced the decision:

```
"reason": [
  {
    "id": "444da5d85403f35ea76519ed1a18a33989f855bf1cf8",
    "description": "simple policy example for principal workload"
  }
],
```

- `"id": "444da5d85403f35ea76519ed1a18a33989f855bf1cf8"` - shows the policy ID (from the policy store) that was executed.
- `"description": "simple policy example for principal workload"` - description of the policy in the policy store
JSON schema of the `LogEntry`:

```json
{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "LogEntry",
  "description": "LogEntry is a struct that encapsulates all relevant data for logging events.",
  "type": "object",
  "required": [
    "id",
    "log_kind",
    "msg",
    "pdp_id",
    "time"
  ],
  "properties": {
    "action": {
      "description": "cedar-policy action",
      "type": "string"
    },
    "application_id": {
      "description": "name of application from [bootstrap properties](https://github.com/JanssenProject/jans/wiki/Cedarling-Nativity-Plan#bootstrap-properties)",
      "anyOf": [
        {
          "$ref": "#/definitions/ApplicationName"
        },
        {
          "type": "null"
        }
      ]
    },
    "authorized": {
      "description": "is authorized",
      "type": "boolean"
    },
    "cedar_lang_version": {
      "description": "cedar-policy language version",
      "anyOf": [
        {
          "$ref": "#/definitions/Version"
        },
        {
          "type": "null"
        }
      ]
    },
    "cedar_sdk_version": {
      "description": "cedar-policy sdk version",
      "anyOf": [
        {
          "$ref": "#/definitions/Version"
        },
        {
          "type": "null"
        }
      ]
    },
    "context": {
      "description": "cedar-policy context"
    },
    "error_msg": {
      "description": "error message",
      "type": [
        "string",
        "null"
      ]
    },
    "id": {
      "description": "unique identifier for this event",
      "allOf": [
        {
          "$ref": "#/definitions/Uuid"
        }
      ]
    },
    "log_kind": {
      "description": "kind of log entry",
      "allOf": [
        {
          "$ref": "#/definitions/LogType"
        }
      ]
    },
    "msg": {
      "description": "message of the event",
      "type": "string"
    },
    "pdp_id": {
      "description": "unique id of cedarling",
      "allOf": [
        {
          "$ref": "#/definitions/Uuid"
        }
      ]
    },
    "person_decision": {
      "description": "cedar-policy user/person decision",
      "allOf": [
        {
          "$ref": "#/definitions/Decision"
        }
      ]
    },
    "person_diagnostics": {
      "description": "cedar-policy user/person diagnostics information",
      "allOf": [
        {
          "$ref": "#/definitions/Diagnostics"
        }
      ]
    },
    "person_principal": {
      "description": "cedar-policy user/person principal",
      "type": "string"
    },
    "resource": {
      "description": "cedar-policy resource",
      "type": "string"
    },
    "time": {
      "description": "Time of decision, in unix time",
      "type": "integer",
      "format": "uint64",
      "minimum": 0.0
    },
    "workload_decision": {
      "description": "cedar-policy workload decision",
      "allOf": [
        {
          "$ref": "#/definitions/Decision"
        }
      ]
    },
    "workload_diagnostics": {
      "description": "cedar-policy workload diagnostics information",
      "allOf": [
        {
          "$ref": "#/definitions/Diagnostics"
        }
      ]
    },
    "workload_principal": {
      "description": "cedar-policy workload principal",
      "type": "string"
    }
  },
  "definitions": {
    "ApplicationName": {
      "description": "Name of application from configuration",
      "type": "string"
    },
    "Decision": {
      "description": "Cedar-policy decision of the authorization",
      "oneOf": [
        {
          "description": "Determined that the request should be allowed",
          "type": "string",
          "enum": [
            "ALLOW"
          ]
        },
        {
          "description": "Determined that the request should be denied.",
          "type": "string",
          "enum": [
            "DENY"
          ]
        }
      ]
    },
    "Diagnostics": {
      "description": "Diagnostics providing more information on how a `Decision` was reached",
      "type": "object",
      "required": [
        "errors",
        "reason"
      ],
      "properties": {
        "errors": {
          "description": "Errors that occurred during authorization. The errors should be treated as unordered, since policies may be evaluated in any order.",
          "type": "array",
          "items": {
            "$ref": "#/definitions/PolicyEvaluationError"
          }
        },
        "reason": {
          "description": "`PolicyId`s of the policies that contributed to the decision. If no policies applied to the request, this set will be empty.",
          "type": "array",
          "items": {
            "type": "string"
          },
          "uniqueItems": true
        }
      }
    },
    "LogType": {
      "description": "Type of log entry",
      "type": "string",
      "enum": [
        "Decision",
        "System",
        "Metric"
      ]
    },
    "PolicyEvaluationError": {
      "description": "An error occurred when evaluating a policy",
      "type": "object",
      "required": [
        "error",
        "id"
      ],
      "properties": {
        "error": {
          "description": "Underlying evaluation error string representation",
          "type": "string"
        },
        "id": {
          "description": "Id of the policy with an error",
          "type": "string"
        }
      }
    },
    "Uuid": {
      "description": "version 7 uuid",
      "type": "string",
      "format": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    },
    "Version": {
      "description": "SemVer version as defined by <https://semver.org>.",
      "type": "string",
      "format": "n.n.n"
    }
  }
}
```
Note: no JWT status check