This section details the integration of Cerbos for fine-grained authorization within the Admin Portal, including how Policy Decision Points (PDPs) are configured across different environments using Cerbos Hub deployment labels.
138
+
139
+
### 1. Policy Decision Point (PDP) Configuration
140
+
141
+
The Cerbos PDP URL and the Cerbos Hub secret are managed via environment variables, allowing for flexible deployment across various environments.
142
+
143
+
***`local` (localhost)**:
144
+
***PDP Configuration**: For local development, the Cerbos PDP typically runs locally and loads policies directly from the `cerbos/policies` directory. It does not fetch policies from Cerbos Hub using a label.
145
+
***Environment Variables**:
146
+
*`NEXT_PUBLIC_CERBOS_PDP_URL`: `http://localhost:3593` (or your local PDP address)
147
+
*`CERBOS_HUB_SECRET`: (Not strictly required for local PDP, but can be set for consistency)
***PDP Configuration**: Cerbos PDP instances for these environments are configured to connect to Cerbos Hub and fetch policies using the `development` label.
152
+
***Environment Variables (set on hosting platform)**:
153
+
*`NEXT_PUBLIC_CERBOS_PDP_URL`: URL of the development/preview Cerbos PDP instance (e.g., `https://your-dev-pdp.cerbos.cloud`).
154
+
*`CERBOS_HUB_SECRET`: Your Cerbos Hub secret key (securely stored).
155
+
*`CERBOS_HUB_LABEL`: `development`
156
+
157
+
***`production` (iflastandards.info)**:
158
+
***PDP Configuration**: The production Cerbos PDP instance is configured to connect to Cerbos Hub and fetch policies using the `stable` label.
159
+
***Environment Variables (set on hosting platform)**:
160
+
*`NEXT_PUBLIC_CERBOS_PDP_URL`: URL of the production Cerbos PDP instance (e.g., `https://your-prod-pdp.cerbos.cloud`).
161
+
*`CERBOS_HUB_SECRET`: Your Cerbos Hub secret key (securely stored).
162
+
*`CERBOS_HUB_LABEL`: `stable`
163
+
164
+
### 2. Cerbos Hub Deployment Labels
165
+
166
+
The `.cerbos-hub.yaml` file at the root of the repository defines the mapping between deployment labels and Git references:
167
+
168
+
```yaml
169
+
---
170
+
apiVersion: api.cerbos.cloud/v1
171
+
labels:
172
+
latest: # 'latest' label pointing to the HEAD of the main branch
173
+
branch: main
174
+
development: # 'development' label pointing to the HEAD of the dev branch
175
+
branch: dev
176
+
stable: # 'stable' label pointing to latest stable release
177
+
branch: main
178
+
```
179
+
180
+
* The `development` label ensures that policies from the `dev` branch are deployed to the development and preview environments.
181
+
* The `stable` label ensures that policies from the `main` branch are deployed to the production environment.
182
+
183
+
### 3. `cerbos.ts` Configuration
184
+
185
+
The `apps/admin-portal/src/lib/cerbos.ts` file is configured to use `process.env.NEXT_PUBLIC_CERBOS_PDP_URL` for the Cerbos PDP URL, ensuring environment-specific connectivity.
186
+
187
+
### 4. Usage in Application
188
+
189
+
Authorization checks are performed using the `checkPermissions` function (and its helpers like `checkNamespacePermission`, `checkSitePermission`, etc.) within the Admin Portal's components and API routes. The `principalFromSession` function is used to construct the `Principal` object from the authenticated user's NextAuth session data.
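Review bot: The `NEXT_PUBLIC_CERBOS_PDP_URL` entries (diff lines 146, 153, 160) and the `cerbos.ts` note (line 185) put the PDP endpoint in a `NEXT_PUBLIC_` variable, which Next.js inlines into the browser bundle; the PDP URL therefore becomes public, and any `checkPermissions` call that runs in a client component would be issued from the user's browser against a PDP whose check API does not authenticate callers on its own. Keep every `checkPermissions` / `checkNamespacePermission` / `checkSitePermission` call in server code (API routes and server components) and read the URL from a non-public variable such as `CERBOS_PDP_URL`, or document why the PDP must be reachable from the client. The local `CERBOS_HUB_SECRET` line (147) says it "can be set for consistency"; since the local PDP loads `cerbos/policies` from disk and never contacts Hub, say instead that it must not be set in local `.env` files so the Hub secret is not copied onto developer machines, and replace "(securely stored)" on lines 154 and 161 with the name of the hosting platform's secret store actually used. In `.cerbos-hub.yaml`, the `stable` label is commented as "latest stable release" but points at `branch: main`, the same HEAD as `latest`, so every push to `main` is served to production immediately; either pin `stable` to a release tag or commit, or fix the comment so it matches the bullet on line 181 that production tracks `main`. Finally, the `principalFromSession` sentence (line 189) should state that roles and attributes are taken only from the server-side NextAuth session, never from request-supplied fields, since the PDP decision is only as trustworthy as the `Principal` it is given.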