
Cedarling Nativity Plan

Oleh edited this page Apr 23, 2025 · 300 revisions

JS App

  • Needs to call the WASM component with a few lines of JavaScript (ideally 1-2)
  • The input from the JS component is an object:
input = {
    "tokens": {
        "access_token": "...",
        "id_token": "...",
        "userinfo_token": "...",
        "tx_token": "..."
    },
    "resource": {"id": "12345", "type": "Ticket", "creator": "mike@gluu.org", "organization": "gluu"},
    "action": "View",
    "context": {
        "ip_address": "54.9.21.201",
        "network_type": "VPN",
        "user_agent": "Chrome 125.0.6422.77 (Official Build) (arm64)",
        "time": "1719266610.98636"
    }
}

decision_result = authz(input)

  • tokens : Object keyed by token type. At least one token is required; it can be any of access_token, id_token, or userinfo_token
  • resource : Object
  • action : Action in Cedar syntax
  • context : Object

Bootstrap properties

  • CEDARLING_APPLICATION_NAME : Human friendly identifier for this application

  • CEDARLING_POLICY_STORE_LOCAL : JSON object as string with policy store. You can use this converter.

  • CEDARLING_POLICY_STORE_LOCAL_FN : Local file with JSON object with policy store

  • CEDARLING_POLICY_STORE_URI : Location of the policy store JSON, used if the policy store is not local, or retrieved from the Lock Server.

  • CEDARLING_POLICY_STORE_ID : The identifier of the policy store, in case there is more than one policy_store_id in the policy store.

  • CEDARLING_USER_AUTHZ : When enabled, Cedar engine authorization is queried for a User principal.

  • CEDARLING_WORKLOAD_AUTHZ : When enabled, Cedar engine authorization is queried for a Workload principal.

  • CEDARLING_USER_WORKLOAD_BOOLEAN_OPERATION : AND, OR

  • CEDARLING_MAPPING_USER : Name of Cedar User schema entity

  • CEDARLING_MAPPING_WORKLOAD : Name of Cedar Workload schema entity

  • CEDARLING_MAPPING_ROLE : Name of Cedar Role schema entity

The following bootstrap properties are needed to configure log behavior:

  • CEDARLING_LOG_TYPE : off, memory, std_out

  • CEDARLING_LOG_LEVEL : System log level (see System Log Levels below). Defaults to WARN

  • CEDARLING_DECISION_LOG_USER_CLAIMS : List of claims to map from user entity, such as ["sub", "email", "username", ...]

  • CEDARLING_DECISION_LOG_WORKLOAD_CLAIMS : List of claims to map from the workload entity, such as ["client_id", "rp_id", ...]

  • CEDARLING_DECISION_LOG_DEFAULT_JWT_ID : Default is jti, but perhaps some other claim is needed.

  • CEDARLING_LOG_TTL : For the memory logger, the TTL (time to live) of log entries in seconds.

  • CEDARLING_LOG_MAX_ITEMS : Maximum number of log entries the memory logger can store. A value of 0 means no limit; if omitted or None, the default value is applied.

  • CEDARLING_LOG_MAX_ITEM_SIZE : Maximum size in bytes of a single log entry stored by the memory logger. A value of 0 means no limit; if omitted or None, the default value is applied.

  • CEDARLING_LOG_SEND_TELEMETRY_TO_IMPROVE_PROJECT : Default is enabled. Whether to send non-PII usage information back to the Janssen Project, used by the developers to improve the Cedarling.

The following bootstrap properties are needed to configure JWT and cryptographic behavior:

  • CEDARLING_LOCAL_JWKS : JWKS file with public keys

  • CEDARLING_JWT_SIG_VALIDATION : Enabled | Disabled -- Whether to check the signature of all JWT tokens. This requires that an iss claim be present.

  • CEDARLING_JWT_STATUS_VALIDATION : Enabled | Disabled -- Whether to check the status of the JWT. On startup, the Cedarling should fetch and retrieve the latest Status List JWT from the .well-known/openid-configuration via the status_list_endpoint claim and cache it. See the IETF Draft for more info.

  • CEDARLING_JWT_SIGNATURE_ALGORITHMS_SUPPORTED : Only tokens signed with these algorithms are acceptable to the Cedarling.

  • CEDARLING_ID_TOKEN_TRUST_MODE : Strict | None. Selects the level of cross-token validation the developer wants. Strict mode requires (1) that the id_token aud matches the access_token client_id; (2) if a userinfo token is present, that its sub matches the id_token sub and its aud matches the access_token client_id.
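The two Strict-mode rules above, together with the AND/OR combination selected by CEDARLING_USER_WORKLOAD_BOOLEAN_OPERATION, as an added Python example (this is not Cedarling's own Rust code). It assumes token signatures have already been verified, that Strict mode needs both an access_token and an id_token to compare, and that a principal whose authorization is disabled (decision None) simply does not take part in the combination; going beyond the page, it also accepts an aud claim that is a JSON array, as RFC 7519 allows.

```python
from typing import Any, Dict, List, Optional

Claims = Dict[str, Any]


def _aud_matches(aud: Any, client_id: Optional[str]) -> bool:
    """aud may be a single string or, per RFC 7519, an array of strings."""
    if client_id is None:
        return False
    if isinstance(aud, list):
        return client_id in aud
    return aud == client_id


def strict_trust_mode_violations(tokens: Dict[str, Claims]) -> List[str]:
    """Return the Strict-mode rule violations; an empty list means the tokens pass.
    Signature validation is assumed to have happened already."""
    access = tokens.get("access_token")
    id_token = tokens.get("id_token")
    userinfo = tokens.get("userinfo_token")
    # Assumption: Strict mode cannot be evaluated without both tokens it compares.
    if access is None or id_token is None:
        return ["strict mode requires both an access_token and an id_token"]
    client_id = access.get("client_id")
    errors: List[str] = []
    # Rule (1): id_token aud must match the access_token client_id.
    if not _aud_matches(id_token.get("aud"), client_id):
        errors.append("id_token aud does not match access_token client_id")
    # Rule (2): only applies when a userinfo token is present.
    if userinfo is not None:
        if userinfo.get("sub") != id_token.get("sub"):
            errors.append("userinfo_token sub does not match id_token sub")
        if not _aud_matches(userinfo.get("aud"), client_id):
            errors.append("userinfo_token aud does not match access_token client_id")
    return errors


def check_id_token_trust(tokens: Dict[str, Claims], mode: str) -> List[str]:
    """Dispatch on CEDARLING_ID_TOKEN_TRUST_MODE (Strict | None)."""
    if mode == "None":
        return []
    if mode == "Strict":
        return strict_trust_mode_violations(tokens)
    raise ValueError(f"unknown CEDARLING_ID_TOKEN_TRUST_MODE {mode!r}")


def combine_decisions(user_decision: Optional[str], workload_decision: Optional[str],
                      operation: str) -> bool:
    """Combine the per-principal Cedar decisions ("ALLOW"/"DENY") using
    CEDARLING_USER_WORKLOAD_BOOLEAN_OPERATION (AND | OR). A decision of None
    means that principal's authz is disabled (CEDARLING_USER_AUTHZ /
    CEDARLING_WORKLOAD_AUTHZ) and, by assumption, it does not take part."""
    allowed = [d == "ALLOW" for d in (user_decision, workload_decision) if d is not None]
    if not allowed:
        return False  # assumption: nothing was evaluated, so nothing is authorized
    if operation == "AND":
        return all(allowed)
    if operation == "OR":
        return any(allowed)
    raise ValueError(f"unknown boolean operation {operation!r}")


if __name__ == "__main__":
    # Constructed claim sets (not real tokens); the userinfo aud is an array on purpose.
    sample = {
        "access_token": {"client_id": "client-1", "jti": "at-1"},
        "id_token": {"aud": "client-1", "sub": "user-1", "jti": "id-1"},
        "userinfo_token": {"aud": ["client-1", "other"], "sub": "user-1", "jti": "ui-1"},
    }
    print("violations:", check_id_token_trust(sample, "Strict"))
    print("authorized:", combine_decisions("ALLOW", "DENY", "OR"))
```

Returning the full list of violations rather than stopping at the first one makes the decision log more useful: an operator can see at once whether a mismatch is a single misconfigured audience or a token set assembled from two different sessions.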

The following bootstrap properties are only needed for enterprise deployments.

  • CEDARLING_LOCK : Enabled | Disabled. If Enabled, the Cedarling will connect to the Lock Server for policies, and subscribe for SSE events.

  • CEDARLING_LOCK_SERVER_CONFIGURATION_URI : Required if LOCK == Enabled. URI where Cedarling can get JSON file with all required metadata about Lock Server, i.e. .well-known/lock-master-configuration.

  • CEDARLING_LOCK_DYNAMIC_CONFIGURATION : Enabled | Disabled, controls whether Cedarling should listen for SSE config updates.

  • CEDARLING_LOCK_SSA_JWT : SSA for DCR in a Lock deployment. The Cedarling will validate this SSA JWT prior to DCR.

  • CEDARLING_LOCK_LOG_INTERVAL : How often to send log messages to Lock Server (0 to turn off transmission).

  • CEDARLING_LOCK_HEALTH_INTERVAL : How often to send health messages to Lock Server (0 to turn off transmission).

  • CEDARLING_LOCK_TELEMETRY_INTERVAL : How often to send telemetry messages to Lock Server (0 to turn off transmission).

  • CEDARLING_LOCK_LISTEN_SSE : Enabled | Disabled: controls whether Cedarling should listen for updates from the Lock Server.

Cedarling Policy Store

The Cedarling Policy Store is a JSON file that contains all the data the Cedarling needs to verify JWT tokens and evaluate policies:

  1. Cedar Schema - JSON format Schema file
  2. Cedar Policies - JSON format Policy Set file (beware CLI bug cedar-950)
  3. Trusted Issuers - JSON file with below syntax

cedarling_store.json schema

{
    "cedar_version": "v4.0.0",
    "policy_store_version": "1.2.4",
    "policy_stores": {
        "some_random_id": {
            "name": "",
            "description": "",
            "policies": {...},
            "trusted_issuers": {...},
            "schema": ""
        }
    }
}

Currently the Cedarling supports only one policy store in the policy_stores map.
The map exists so that adding more stores later will not be an incompatible change.

Trusted Issuer Metadata Schema

This record contains the information needed to validate tokens from this issuer:

{
 "name": "Google", 
 "description": "Consumer IDP", 
 "openid_configuration_endpoint": "https://accounts.google.com/.well-known/openid-configuration",
 "tokens_metadata": {
     "access_token": {
         "trusted": true,                    <---- Allows toggling the configuration without deleting it (defaults to true)
         "entity_type_name": "Jans::AccessToken",        <-- Cedar Object of token
         "principal_mapping": ["Jans::Workload"],          <-- Where to put this token
         "token_id": "jti",                            <-- Should always be jti 
         "user_id": "email | sub | uid",               <--- OPTIONAL
         "role_mapping": "role | group | memberOf",       <--- OPTIONAL
         "workload_id" : "client_id | aud",               <--- OPTIONAL 
         "claim_mapping": { ... },
         "required_claims": ["jti", "iss", "aud", "sub", "exp", "nbf", "some_custom_claim"]
     },
     "id_token": { ... },
     "userinfo_token": { ... },
     "tx_tokens": { ... },
     "custom_token": { ... },                 <---- More tokens can be added by just adding new entries here
  },
}
  • "name" (String): A user-defined human-readable identifier for the trusted issuer.
  • "description" (String): A short description for the trusted issuer.
  • "openid_configuration_endpoint" (String): URI containing the OpenID configuration of the trusted issuer. By convention, this is the /.well-known/openid-configuration endpoint as described in OpenID Connect Discovery 1.0 section 4.
  • "tokens_metadata" (Object): Contains information on how tokens will be mapped to a Cedar entity. Each name/key in this object will be used to identify each token within Cedarling. Each entry in this Object represents a Token Entity Metadata Schema which is used by Cedarling as a guide to build the Cedar entity associated with the token.

Token Entity Metadata Schema

{
    "trusted": true,
    "entity_type_name": "Jans::AccessToken",
    "principal_mapping": ["Jans::Workload"],
    "token_id": "jti",
    "user_id": "email | sub | uid",
    "role_mapping": "role | group | memberOf",
    "workload_id" : "client_id | rp_id",
    "required_claims": ["jti", "iss", "aud", "sub", "exp", "nbf", "some_custom_claim"],
    "claim_mapping": {
        "email_address": {
            "parser": "regex",
            "type": "Jans::email_address",
            "regex_expression" : "^(?P<UID>[^@]+)@(?P<DOMAIN>.+)$",
            "UID": {"attr": "uid", "type":"String"},
            "DOMAIN": {"attr": "domain", "type":"String"}
        },
        "picture_url": {
            "parser": "regex",
            "type": "Jans::Url",
            "regex_expression": "(?x) ^(?P<SCHEME>[a-zA-Z][a-zA-Z0-9+.-]*):\\/\\/(?P<HOST>[^\\/:\\#?]+)(?::(?<PORT>\\d+))?(?P<PATH>\\/[^?\\#]*)?(?:\\?(?P<QUERY>[^\\#]*))?(?:(?P<FRAGMENT>.*))?",
            "SCHEME": {"attr": "scheme", "type":"String"},
            "HOST": {"attr": "host", "type":"String"},
            "PORT": {"attr": "port", "type":"String"},
            "PATH": {"attr": "path", "type":"String"},
            "QUERY": {"attr": "query", "type":"String"},
            "FRAGMENT": {"attr": "fragment", "type":"String"}
        }
    }
}

A Token Entity Metadata Schema is used to describe how a token or principal entity will be created by Cedarling. A Token Entity Metadata Schema contains the following names:

  • "trusted" (bool, Default: true): Allows toggling the configuration without deleting the object.
  • "entity_type_name" (string, required): The type name of the Cedar Entity that will be created from the token; for example: "Jans::Access_token".
  • "principal_mapping" (array[string], Default: []): Describes where references of the created token entity should be included.
  • "token_id" (string, Default: "jti"): The JWT claim that will be used as the ID for the Token Entity.
  • "user_id" (string, Default: "sub"): The JWT claim that will be used as the ID for the User Entity.
  • "role_mapping" (string, Default: "role"): The JWT claim that will be used as the ID for any Role Entities.
  • "workload_id" (string, Default: "aud"): The JWT claim that will be used as the ID for the Workload Entity.
  • "required_claims" (array[string], Default: []): A list of claims that must be present within the JWT to be considered valid. Additionally, if a required claim is a registered claim name under RFC 7519 Section 4.1, the claim will also be validated.
  • "claim_mapping" (object, Default: {}): Applies a transformation on a JWT's claim to types defined in the Cedar schema before creating the Token Entity's attribute. This enables creating a Cedar Type that has multiple attributes from a single JWT claim.

In a regex attribute mapping such as "UID": {"attr": "uid", "type":"String"}, the type field can take one of the following values:

  • String - the captured text is used as-is, without transformation
  • Number - the captured text is parsed to a float64 (JSON number); if parsing fails, the default value is returned
  • Boolean - true if the captured text is non-empty, otherwise false

Note the use of regex named capture groups, which make the expression more readable by referring to parts of a match by descriptive names rather than by numbers. For example, (?P<name>...) defines a named capture group where name is the identifier and ... is the pattern for the text you want to capture.

When you use the (?x) modifier (verbose mode) in a regex, make sure every literal # character is escaped as \#, because in verbose mode an unescaped # starts a comment.
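The claim_mapping mechanism described above (regex named groups feeding typed Cedar record attributes, with the String/Number/Boolean rules and the (?x) escaping caveat), as an added Python example rather than Cedarling's own Rust implementation. The mapping table is constructed for the example, modelled on the page's email_address and picture_url entries; the URL regex is a simplified one written here, and it deliberately contains one (?<PORT>...) group because the Rust regex crate accepts both (?P<name>...) and (?<name>...) while Python's re only accepts the former. What Cedarling does when a claim does not match, and which default it returns for an unparsable Number, are not stated on the page, so the behaviour chosen for those cases is an assumption.

```python
import re
from typing import Any, Dict

# Constructed claim_mapping, modelled on the page's entries (not copied from a
# real policy store). The picture_url regex is a simplified one written here.
CLAIM_MAPPING: Dict[str, Dict[str, Any]] = {
    "email_address": {
        "parser": "regex",
        "type": "Jans::email_address",
        "regex_expression": r"^(?P<UID>[^@]+)@(?P<DOMAIN>.+)$",
        "UID": {"attr": "uid", "type": "String"},
        "DOMAIN": {"attr": "domain", "type": "String"},
    },
    "picture_url": {
        "parser": "regex",
        "type": "Jans::Url",
        # (?x) enables verbose mode: whitespace is ignored and an unescaped '#'
        # starts a comment, so every literal '#' below is written as \#.
        # The (?<PORT>...) group uses the alternate syntax on purpose.
        "regex_expression": (
            r"(?x) ^(?P<SCHEME>[a-zA-Z][a-zA-Z0-9+.-]*)://"
            r"(?P<HOST>[^/:\#?]+)(?::(?<PORT>\d+))?"
            r"(?P<PATH>/[^?\#]*)?(?:\?(?P<QUERY>[^\#]*))?"
            r"(?:\#(?P<FRAGMENT>.*))?"
        ),
        "SCHEME": {"attr": "scheme", "type": "String"},
        "HOST": {"attr": "host", "type": "String"},
        "PORT": {"attr": "port", "type": "Number"},
        "PATH": {"attr": "path", "type": "String"},
        "QUERY": {"attr": "query", "type": "String"},
        "FRAGMENT": {"attr": "fragment", "type": "String"},
    },
}

# Keys of a mapping entry that are configuration, not capture-group names.
_RESERVED_KEYS = {"parser", "type", "regex_expression"}


def normalise_group_syntax(pattern: str) -> str:
    """Rewrite (?<name>...) groups to (?P<name>...) for Python's re module.
    The lookahead leaves lookbehind assertions (?<= and (?<! untouched."""
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pattern)


def coerce(value: str, cedar_type: str, default: Any = None) -> Any:
    """Apply the page's type rules: String as-is, Number -> float64 (default on
    parse error; the page does not say which default, None is assumed here),
    Boolean -> True for a non-empty string."""
    if cedar_type == "String":
        return value
    if cedar_type == "Number":
        try:
            return float(value)
        except ValueError:
            return default
    if cedar_type == "Boolean":
        return value != ""
    raise ValueError(f"unsupported mapping type {cedar_type!r}")


def apply_claim_mapping(claims: Dict[str, Any],
                        mapping: Dict[str, Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    """Turn raw JWT claims into typed Cedar records via regex named groups.
    Claims that are absent, or whose value does not match the regex, are left
    out of the result (assumed behaviour; the page does not specify it)."""
    records: Dict[str, Dict[str, Any]] = {}
    for claim, spec in mapping.items():
        if spec.get("parser") != "regex" or claim not in claims:
            continue
        regex = re.compile(normalise_group_syntax(spec["regex_expression"]))
        match = regex.match(str(claims[claim]))
        if match is None:
            continue
        attrs: Dict[str, Any] = {}
        for group, raw in match.groupdict().items():
            target = spec.get(group)
            # Groups without a mapping entry, and optional groups that did not
            # take part in the match (raw is None), produce no attribute.
            if target is None or group in _RESERVED_KEYS or raw is None:
                continue
            attrs[target["attr"]] = coerce(raw, target["type"])
        records[claim] = {"type": spec["type"], "attrs": attrs}
    return records


if __name__ == "__main__":
    # Constructed sample claims (not from a real token).
    sample = {
        "email_address": "admin@jans.test",
        "picture_url": "https://cdn.jans.test:8443/img/a.png?size=64#top",
    }
    for name, record in apply_claim_mapping(sample, CLAIM_MAPPING).items():
        print(name, record)
```

Compiling the regex before use (rather than on every claim) and treating an unmatched claim as "no record" instead of a partially filled one keeps the resulting entity attributes consistent with the Cedar schema, which is what the policies will be validated against.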

Cedarling schema

Currently the Cedarling only supports one Namespace. All types and entities must be in the same Namespace.

namespace Jans {
    // ******  TYPES  ******
    type Url = {
        host: String,
        path: String,
        protocol: String
    };
    type email_address = {
        domain: String,
        uid: String
    };
    type Context = {
        network?: String,
        network_type?: String,
        user_agent?: String,
        operating_system?: String,
        device_health?: Set<String>,
        current_time?: Long,
        geolocation?: Set<String>,
        fraud_indicators?: Set<String>,
    };

    // ******  Entities  ******
    entity Role;
    entity User in [Role] = {
        email?: email_address,
        phone_number?: String,
        role: Set<String>,
        sub: String,
        "username"?: String,
        id_token?: id_token,
        userinfo_token?: Userinfo_token,     
    };
    entity Workload = {
        iss: TrustedIssuer,
        client_id?: String,
        aud?: String,
        name?: String,
        rp_id?: String,
        spiffe_id?: String,
        access_token?: Access_token,
    };
    entity Access_token = {
        aud: String,
        exp: Long,
        iat: Long,
        iss: TrustedIssuer,
        jti?: String,
        nbf?: Long,
        scope?: Set<String>
    };
    entity id_token = {
        acr?: String,
        amr?: Set<String>,
        aud: String,
        azp?: String,
        birthdate?: String,
        email?: email_address,
        exp: Long,
        iat: Long,
        iss: TrustedIssuer,
        jti?: String,
        name?: String,
        phone_number?: String,
        role?: Set<String>,
        sub: String
    };
    entity Userinfo_token = {
        aud: String,
        birthdate?: String,
        email?: email_address,
        exp?: Long,
        iat?: Long,
        iss: TrustedIssuer,
        jti?: String,
        name?: String,
        phone_number?: String,
        role?: Set<String>,
        sub: String
    };
    entity HTTP_Request = {
        "header": {
        "Accept"?: String
        }, 
        "url": Url
    };
    entity TrustedIssuer = {
        issuer_entity_id: Url
    };
    entity Application = {
        app_id: String,
        name: String,
        url: Url
    };

    // ******  Actions  ******
    action Compare appliesTo {
      principal: [User, Workload],
      resource: [Application],
      context: Context
    };
    action Execute appliesTo {
      principal: [User, Workload],
      resource: [Application],
      context: Context
    };
    action Monitor appliesTo {
      principal: [User, Workload],
      resource: [Application],
      context: Context
    };
    action Read appliesTo {
      principal: [User, Workload],
      resource: [Application],
      context: Context
    };
    action Search appliesTo {
      principal: [User, Workload],
      resource: [Application],
      context: Context
    };
    action Share appliesTo {
      principal: [User, Workload],
      resource: [Application],
      context: Context
    };
    action Tag appliesTo {
      principal: [User, Workload],
      resource: [Application],
      context: Context
    };
    action Write appliesTo {
      principal: [User, Workload],
      resource: [Application],
      context: Context
    };
    action GET appliesTo {
      principal: [Workload],
      resource: [HTTP_Request],
      context: Context
    };
    action PUT appliesTo {
      principal: [Workload],
      resource: [HTTP_Request],
      context: Context
    };
    action DELETE appliesTo {
      principal: [Workload],
      resource: [HTTP_Request],
      context: Context
    };
    action HEAD appliesTo {
      principal: [Workload],
      resource: [HTTP_Request],
      context: Context
    };
    action PATCH appliesTo {
      principal: [Workload],
      resource: [HTTP_Request],
      context: Context
    };
}

JSON Format

Entity Mapping

  • TrustedIssuer: Created on startup from Policy Store
  • Workload: The Workload's entity id will either be the aud or client_id claim from the access_token (unless configured differently through the token entity metadata schema). Additionally, if the access_token contains the following claims: name, rp_id, or spiffe_id, they will be added to the Workload's attributes.
  • Application: Created if input supplies an Application name
  • Role: Created for each claim value defined as the role_mapping in the joined id_token and userinfo token. Note that the role mapping defaults to role.
  • User: The User's entity id will be either the userinfo_token or id_token's sub (unless configured differently through the token entity metadata schema). The User entity's attributes will be created from the joined sub, email, phone_number, role, username claims from the id_token and userinfo_token.
  • Access_token: 1:1 mapping from claims in token
  • id_token: 1:1 mapping from claims in token
  • Userinfo_token: 1:1 mapping from claims in token
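The entity mapping rules above, worked through as an added Python example (not Cedarling's own Rust code) that produces entities in the uid/attrs/parents JSON form seen in the DEBUG log later on this page. It uses the Token Entity Metadata defaults from the previous section (token_id jti, user_id sub, role_mapping role, workload_id aud) and makes two assumptions the page leaves open: on a claim present in both the id_token and the userinfo_token, the id_token value wins, and the role values of both tokens are unioned. The iss claim is turned into a TrustedIssuer entity reference, as in the log; claim_mapping transformations (email, picture URL) are out of scope here.

```python
from typing import Any, Dict, List, Optional

Claims = Dict[str, Any]
Entity = Dict[str, Any]

NAMESPACE = "Jans"
# Claims the page lists as joined into the User entity's attributes.
USER_ATTR_CLAIMS = ("sub", "email", "phone_number", "role", "username")
# Claims the page lists as copied onto the Workload entity when present.
WORKLOAD_EXTRA_CLAIMS = ("name", "rp_id", "spiffe_id")


def _issuer_ref(iss: str) -> Dict[str, Any]:
    """Cedar entity reference in the JSON form shown in the DEBUG log."""
    return {"__entity": {"type": f"{NAMESPACE}::TrustedIssuer", "id": iss}}


def _entity(type_name: str, entity_id: str, attrs: Dict[str, Any],
            parents: Optional[List[Dict[str, str]]] = None) -> Entity:
    return {"uid": {"type": f"{NAMESPACE}::{type_name}", "id": entity_id},
            "attrs": attrs, "parents": parents or []}


def _as_list(value: Any) -> List[str]:
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def join_claims(id_token: Claims, userinfo_token: Claims, role_mapping: str = "role") -> Claims:
    """Join both token claim sets. Assumptions: id_token wins on conflict, and the
    role claim becomes the ordered union of the role values from both tokens."""
    joined: Claims = dict(userinfo_token)
    joined.update(id_token)
    roles: List[str] = []
    for r in _as_list(id_token.get(role_mapping)) + _as_list(userinfo_token.get(role_mapping)):
        if r not in roles:
            roles.append(r)
    if roles:
        joined[role_mapping] = roles
    return joined


def build_token_entity(type_name: str, claims: Claims, token_id: str = "jti") -> Entity:
    """1:1 mapping of claims to attributes; iss becomes a TrustedIssuer reference."""
    attrs = dict(claims)
    if "iss" in attrs:
        attrs["iss"] = _issuer_ref(attrs["iss"])
    return _entity(type_name, str(claims[token_id]), attrs)


def build_workload_entity(access_token: Claims, workload_id: str = "aud") -> Entity:
    """Workload id is the aud (default) or client_id claim of the access_token;
    name, rp_id and spiffe_id are added to the attributes when present."""
    attrs: Dict[str, Any] = {}
    if "iss" in access_token:
        attrs["iss"] = _issuer_ref(access_token["iss"])
    for claim in ("client_id", "aud", *WORKLOAD_EXTRA_CLAIMS):
        if claim in access_token:
            attrs[claim] = access_token[claim]
    return _entity("Workload", str(access_token[workload_id]), attrs)


def build_user_and_roles(joined: Claims, user_id: str = "sub", role_mapping: str = "role") -> List[Entity]:
    """User entity (id from user_id, default sub) plus one Role entity per role
    value; the User lists each Role as a parent, as in the DEBUG log."""
    if user_id not in joined:
        raise ValueError(f"cannot build User entity: claim {user_id!r} missing")
    roles = _as_list(joined.get(role_mapping))
    attrs = {c: joined[c] for c in USER_ATTR_CLAIMS if c in joined}
    parents = [{"type": f"{NAMESPACE}::Role", "id": r} for r in roles]
    user = _entity("User", str(joined[user_id]), attrs, parents)
    return [user] + [_entity("Role", r, {}) for r in roles]


def build_entities(tokens: Dict[str, Claims]) -> List[Entity]:
    """Build Workload, token, User and Role entities from the supplied tokens."""
    entities: List[Entity] = []
    access = tokens.get("access_token")
    id_token = tokens.get("id_token", {})
    userinfo = tokens.get("userinfo_token", {})
    if access is not None:
        entities.append(build_workload_entity(access))
        entities.append(build_token_entity("Access_token", access))
    if id_token:
        entities.append(build_token_entity("id_token", id_token))
    if userinfo:
        entities.append(build_token_entity("Userinfo_token", userinfo))
    if id_token or userinfo:
        entities.extend(build_user_and_roles(join_claims(id_token, userinfo)))
    return entities


if __name__ == "__main__":
    # Constructed claim sets (not real tokens).
    sample = {
        "access_token": {"iss": "https://idp.example.test", "aud": "client-1",
                         "client_id": "client-1", "jti": "at-1", "rp_id": "rp-9"},
        "id_token": {"iss": "https://idp.example.test", "aud": "client-1", "sub": "user-1",
                     "jti": "id-1", "role": ["CasaAdmin"]},
        "userinfo_token": {"iss": "https://idp.example.test", "aud": "client-1", "sub": "user-1",
                           "jti": "ui-1", "username": "admin", "role": ["CasaAdmin", "Viewer"]},
    }
    for entity in build_entities(sample):
        print(entity["uid"], entity["parents"])
```

The Role entities are what make `principal in Jans::Role::"CasaAdmin"` policies work, so whichever join rule a deployment relies on (id_token wins, union, or something else) should be fixed deliberately and checked against the role claims of both tokens, since a role that only appears in one of them changes the set of policies that can match.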

Cedarling Agama Lab / AdminUI Mockups

Here

Lock Server Swagger

Swagger UI

Lock Server .well-known metadata

{
  "version": "1.0",
  "issuer": "yurem-evolved-woodcock.gluu.info",
  "audit": {
    "health_endpoint": "https://yurem-evolved-woodcock.gluu.info/jans-lock/v1/audit/health",
    "log_endpoint": "https://yurem-evolved-woodcock.gluu.info/jans-lock/v1/audit/log",
    "telemetry_endpoint": "https://yurem-evolved-woodcock.gluu.info/jans-lock/v1/audit/telemetry"
  },
  "config": {
    "config_endpoint": "https://yurem-evolved-woodcock.gluu.info/jans-lock/v1/config",
    "issuers_endpoint": "https://yurem-evolved-woodcock.gluu.info/jans-lock/v1/config/issuers",
    "policy_endpoint": "https://yurem-evolved-woodcock.gluu.info/jans-lock/v1/config/policy",
    "schema_endpoint": "https://yurem-evolved-woodcock.gluu.info/jans-lock/v1/config/schema",
    "sse_endpoint": "https://yurem-evolved-woodcock.gluu.info/jans-lock/v1/sse"
  }
}

Cedarling logger

The Cedarling application has an internal logger.

Configuration

Using the configuration parameter CEDARLING_LOG_TYPE you can select:

  • off - disabled
  • memory - store log entries in memory
  • std_out - write log entries to the standard output stream
  • lock - centralize logs by sending them to the Jans Lock Server

With the memory logger, the time to live of entries in memory is set using CEDARLING_LOG_TTL.

Log types

Possible values for field log_type:

  • Decision
  • System
  • Metric

System Log Levels

  • FATAL: Indicates very severe error events that will likely lead the application to abort. These are the most critical issues.
  • ERROR: Designates error events that might still allow the application to continue running but indicate a significant problem.
  • WARN: Designates potentially harmful situations that should be addressed to prevent future issues.
  • INFO: Provides informational messages that highlight the progress of the application at a coarse-grained level.
  • DEBUG: Designates fine-grained informational events useful for debugging the application.
  • TRACE: Provides finer-grained informational events than DEBUG. It is often used for detailed tracing of program execution.

Log Storage interface

pub trait LogStorage {
    /// return logs and remove them from the storage
    fn pop_logs(&self) -> Vec<LogEntry>;

    /// get specific log entry
    fn get_log_by_id(&self, id: &str) -> Option<LogEntry>;

    /// returns a list of all log ids
    fn get_log_ids(&self) -> Vec<String>;
}
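An in-memory implementation of the LogStorage interface above, with the CEDARLING_LOG_TTL, CEDARLING_LOG_MAX_ITEMS and CEDARLING_LOG_MAX_ITEM_SIZE limits from the bootstrap properties, as an added Python example (not the Cedarling's own Rust memory logger). The clock is injectable so that TTL expiry can be tested without sleeping. Two behaviours are assumptions because the page does not state them: an entry larger than the maximum item size is dropped rather than truncated, and when the store is full the oldest entry is discarded to make room. The page's LogEntry schema uses a version 7 UUID for the id; uuid4 is used as a stand-in here.

```python
import json
import time
import uuid
from collections import OrderedDict
from typing import Any, Callable, Dict, List, Optional, Tuple

LogEntry = Dict[str, Any]


class MemoryLogStorage:
    """In-memory log store modelled on the LogStorage trait. A max of 0 means
    no limit, as the bootstrap property descriptions state."""

    def __init__(self, ttl_seconds: float, max_items: int = 0, max_item_size: int = 0,
                 clock: Callable[[], float] = time.time) -> None:
        self._ttl = ttl_seconds
        self._max_items = max_items
        self._max_item_size = max_item_size
        self._clock = clock  # injectable so expiry can be tested deterministically
        # insertion-ordered: oldest entry first
        self._entries: "OrderedDict[str, Tuple[float, LogEntry]]" = OrderedDict()

    def _evict_expired(self) -> None:
        """Drop every entry whose TTL has elapsed."""
        now = self._clock()
        for log_id in [k for k, (expires, _) in self._entries.items() if expires <= now]:
            del self._entries[log_id]

    def log(self, entry: LogEntry) -> Optional[str]:
        """Store an entry and return its id, or None if it exceeds the maximum
        item size (assumption: oversized entries are dropped, not truncated)."""
        record = dict(entry)
        # Cedarling uses a version 7 UUID for LogEntry.id; uuid4 is a stand-in here.
        record.setdefault("id", str(uuid.uuid4()))
        size = len(json.dumps(record).encode("utf-8"))
        if self._max_item_size and size > self._max_item_size:
            return None
        self._evict_expired()
        # Assumption: when the store is full, the oldest entry is discarded.
        while self._max_items and len(self._entries) >= self._max_items:
            self._entries.popitem(last=False)
        self._entries[record["id"]] = (self._clock() + self._ttl, record)
        return record["id"]

    # --- the three LogStorage trait methods ---
    def pop_logs(self) -> List[LogEntry]:
        """Return all live entries and remove them from the storage."""
        self._evict_expired()
        logs = [entry for _, entry in self._entries.values()]
        self._entries.clear()
        return logs

    def get_log_by_id(self, log_id: str) -> Optional[LogEntry]:
        """Return one live entry by id, or None."""
        self._evict_expired()
        found = self._entries.get(log_id)
        return found[1] if found else None

    def get_log_ids(self) -> List[str]:
        """Return the ids of all live entries, oldest first."""
        self._evict_expired()
        return list(self._entries.keys())


if __name__ == "__main__":
    store = MemoryLogStorage(ttl_seconds=60, max_items=100, max_item_size=4096)
    # Constructed entry in the shape of the page's System log sample.
    entry_id = store.log({"log_kind": "System", "level": "INFO",
                          "msg": "Cedarling Authz initialized successfully"})
    print(store.get_log_ids(), store.get_log_by_id(entry_id))
    print(store.pop_logs(), store.get_log_ids())
```

Because the consumer drains the store with pop_logs, a too-short TTL or a too-small item limit silently loses decision records between polls; sizing those two properties against the polling interval is what keeps the decision log complete.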

Sample logs

{
    "request_id": "0193b8a1-03ce-788d-8721-43b94d01f7f5",
    "timestamp": "2024-12-12T04:09:40.302Z",
    "log_kind": "System",
    "pdp_id": "ecf15fdf-4b8d-4374-a41f-a47c470585c7",
    "level": "INFO",
    "msg": "Cedarling Authz initialized successfully",
    "application_id": "My App",
    "cedar_lang_version": "4.1.0",
    "cedar_sdk_version": "4.2.2"
}

Decision Log

{
  "request_id": "01937015-4649-7aad-8df8-4976e4bd8565",
  "timestamp": "2024-11-27T10:10:50.654Z",
  "pdp_id": "20939sdf9s89021304958",
  "policystore_id": "564lk460gdlfkg340",
  "policystore_version": "1.2.1",
  "principal": "User" | "Workload",
  "User": {"email":"foo@acme.com", "sub":"qzxn1Scrb9lWtGxVedMCky-Ql_ILspZaQA6fyuYktw0"},   <-- claims set in Bootstrap properties | could be empty
  "Workload": {"client_id":"123456", "rp_id": "5478963214"},                                <-- claims set in Bootstrap properties | could be empty
  "diagnostics": {
    "reason": [
      {
        "id": "840da5d85403f35ea76519ed1a18a33989f855bf1cf8",
        "description": "simple policy for user"
      }
    ],
    "errors": []
  },
  "lock_client_id": "987654",
  "action": "Jans::Action::\"Read\"",
  "resource": "Jans::Application::\"some_id\"",
  "decision": "ALLOW",
  "tokens": {"id_token": {"jti": "ijLZO1ooRyWrgIn7cIdNyA"},
             "Userinfo": {"jti": "huKL87hhQuQcnhd5dQqZaZ"},
             "access": {"jti": "PiLYppReSD2Ldkuyd72KPI"}
            },
  "decision_time_micro_sec": 999
}

DEBUG Log

{
    "id": "01937015-4649-7aad-8df8-4976e4bd8565",
    "time": 1732752262,
    "log_kind": "Decision",
    "pdp_id": "75f0dc93-0a90-4076-95fa-dc16d3f00375",
    "msg": "Result of authorize.",
    "application_id": "TestApp",
    "action": "Jans::Action::\"Read\"",
    "resource": "Jans::Application::\"some_id\"",
    "context": {
        "user_agent": "Linux",
        "operating_system": "Linux",
        "network_type": "Local",
        "network": "127.0.0.1",
        "geolocation": [
            "America"
        ],
        "fraud_indicators": [
            "Allowed"
        ],
        "device_health": [
            "Healthy"
        ],
        "current_time": 1732752262
    },
    "entities": [
        {
            "uid": {
                "type": "Jans::Action",
                "id": "PUT"
            },
            "attrs": {},
            "parents": []
        },
        {
            "uid": {
                "type": "Jans::Action",
                "id": "Share"
            },
            "attrs": {},
            "parents": []
        },
        {
            "uid": {
                "type": "Jans::Action",
                "id": "PATCH"
            },
            "attrs": {},
            "parents": []
        },
        {
            "uid": {
                "type": "Jans::Action",
                "id": "HEAD"
            },
            "attrs": {},
            "parents": []
        },
        {
            "uid": {
                "type": "Jans::Action",
                "id": "Monitor"
            },
            "attrs": {},
            "parents": []
        },
        {
            "uid": {
                "type": "Jans::Action",
                "id": "Compare"
            },
            "attrs": {},
            "parents": []
        },
        {
            "uid": {
                "type": "Jans::User",
                "id": "qzxn1Scrb9lWtGxVedMCky-Ql_ILspZaQA6fyuYktw0"
            },
            "attrs": {
                "sub": "qzxn1Scrb9lWtGxVedMCky-Ql_ILspZaQA6fyuYktw0",
                "role": [
                    "CasaAdmin"
                ],
                "email": {
                    "domain": "jans.test",
                    "uid": "admin"
                }
            },
            "parents": [
                {
                    "type": "Jans::Role",
                    "id": "CasaAdmin"
                }
            ]
        },
        {
            "uid": {
                "type": "Jans::id_token",
                "id": "ijLZO1ooRyWrgIn7cIdNyA"
            },
            "attrs": {
                "sub": "qzxn1Scrb9lWtGxVedMCky-Ql_ILspZaQA6fyuYktw0",
                "acr": "simple_password_auth",
                "exp": 1731956630,
                "jti": "ijLZO1ooRyWrgIn7cIdNyA",
                "amr": [],
                "aud": "d7f71bea-c38d-4caf-a1ba-e43c74a11a62",
                "iss": {
                    "__entity": {
                        "type": "Jans::TrustedIssuer",
                        "id": "https://account.gluu.org"
                    }
                },
                "iat": 1731953030
            },
            "parents": []
        },
        {
            "uid": {
                "type": "Jans::Action",
                "id": "Test"
            },
            "attrs": {},
            "parents": []
        },
        {
            "uid": {
                "type": "Jans::Workload",
                "id": "d7f71bea-c38d-4caf-a1ba-e43c74a11a62"
            },
            "attrs": {
                "iss": {
                    "__entity": {
                        "type": "Jans::TrustedIssuer",
                        "id": "https://account.gluu.org"
                    }
                },
                "client_id": "d7f71bea-c38d-4caf-a1ba-e43c74a11a62"
            },
            "parents": []
        },
        {
            "uid": {
                "type": "Jans::Action",
                "id": "Write"
            },
            "attrs": {},
            "parents": []
        },
        {
            "uid": {
                "type": "Jans::Action",
                "id": "Read"
            },
            "attrs": {},
            "parents": []
        },
        {
            "uid": {
                "type": "Jans::Role",
                "id": "CasaAdmin"
            },
            "attrs": {},
            "parents": []
        },
        {
            "uid": {
                "type": "Jans::Action",
                "id": "Search"
            },
            "attrs": {},
            "parents": []
        },
        {
            "uid": {
                "type": "Jans::Application",
                "id": "some_id"
            },
            "attrs": {
                "name": "Some Application",
                "app_id": "application_id",
                "url": {
                    "host": "jans.test",
                    "path": "/protected-endpoint",
                    "protocol": "http"
                }
            },
            "parents": []
        },
        {
            "uid": {
                "type": "Jans::Action",
                "id": "GET"
            },
            "attrs": {},
            "parents": []
        },
        {
            "uid": {
                "type": "Jans::Action",
                "id": "Execute"
            },
            "attrs": {},
            "parents": []
        },
        {
            "uid": {
                "type": "Jans::Access_token",
                "id": "uZUh1hDUQo6PFkBPnwpGzg"
            },
            "attrs": {
                "nbf": 1731953030,
                "scope": [
                    "email",
                    "openid",
                    "profile",
                    "role"
                ],
                "exp": 1732121460,
                "aud": "d7f71bea-c38d-4caf-a1ba-e43c74a11a62",
                "iss": {
                    "__entity": {
                        "type": "Jans::TrustedIssuer",
                        "id": "https://account.gluu.org"
                    }
                },
                "jti": "uZUh1hDUQo6PFkBPnwpGzg",
                "iat": 1731953030
            },
            "parents": []
        },
        {
            "uid": {
                "type": "Jans::Userinfo_token",
                "id": "OIn3g1SPSDSKAYDzENVoug"
            },
            "attrs": {
                "aud": "d7f71bea-c38d-4caf-a1ba-e43c74a11a62",
                "jti": "OIn3g1SPSDSKAYDzENVoug",
                "email": {
                    "domain": "jans.test",
                    "uid": "admin"
                },
                "name": "Default Admin User",
                "iss": {
                    "__entity": {
                        "type": "Jans::TrustedIssuer",
                        "id": "https://account.gluu.org"
                    }
                },
                "role": [
                    "CasaAdmin"
                ],
                "sub": "qzxn1Scrb9lWtGxVedMCky-Ql_ILspZaQA6fyuYktw0"
            },
            "parents": []
        },
        {
            "uid": {
                "type": "Jans::Action",
                "id": "DELETE"
            },
            "attrs": {},
            "parents": []
        },
        {
            "uid": {
                "type": "Jans::Action",
                "id": "Tag"
            },
            "attrs": {},
            "parents": []
        }
    ],
    "person_principal": "Jans::User::\"qzxn1Scrb9lWtGxVedMCky-Ql_ILspZaQA6fyuYktw0\"",
    "person_diagnostics": {
        "reason": [
            {
                "id": "840da5d85403f35ea76519ed1a18a33989f855bf1cf8",
                "description": "simple policy example for principal user"
            }
        ],
        "errors": []
    },
    "person_decision": "ALLOW",
    "workload_principal": "Jans::Workload::\"d7f71bea-c38d-4caf-a1ba-e43c74a11a62\"",
    "workload_diagnostics": {
        "reason": [
            {
                "id": "444da5d85403f35ea76519ed1a18a33989f855bf1cf8",
                "description": "simple policy example for principal workload"
            }
        ],
        "errors": []
    },
    "workload_decision": "ALLOW",
    "authorized": true
}

In the diagnostics information:

"reason": [
    {
        "id": "444da5d85403f35ea76519ed1a18a33989f855bf1cf8",
        "description": "simple policy example for principal workload"
    }
],

  • "id": "444da5d85403f35ea76519ed1a18a33989f855bf1cf8" - the ID (from the policy store) of the policy that contributed to the decision.
  • "description": "simple policy example for principal workload" - the description of that policy in the policy store.

LogEntry JSON schema, generated from the LogEntry struct using the schemars crate:
{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "LogEntry",
  "description": "LogEntry is a struct that encapsulates all relevant data for logging events.",
  "type": "object",
  "required": [
    "id",
    "log_kind",
    "msg",
    "pdp_id",
    "time"
  ],
  "properties": {
    "action": {
      "description": "cedar-policy action",
      "type": "string"
    },
    "application_id": {
      "description": "name of application from [bootstrap properties](https://github.com/JanssenProject/jans/wiki/Cedarling-Nativity-Plan#bootstrap-properties)",
      "anyOf": [
        {
          "$ref": "#/definitions/ApplicationName"
        },
        {
          "type": "null"
        }
      ]
    },
    "authorized": {
      "description": "is authorized",
      "type": "boolean"
    },
    "cedar_lang_version": {
      "description": "cedar-policy language  version",
      "anyOf": [
        {
          "$ref": "#/definitions/Version"
        },
        {
          "type": "null"
        }
      ]
    },
    "cedar_sdk_version": {
      "description": "cedar-policy sdk  version",
      "anyOf": [
        {
          "$ref": "#/definitions/Version"
        },
        {
          "type": "null"
        }
      ]
    },
    "context": {
      "description": "cedar-policy context"
    },
    "error_msg": {
      "description": "error message",
      "type": [
        "string",
        "null"
      ]
    },
    "id": {
      "description": "unique identifier for this event",
      "allOf": [
        {
          "$ref": "#/definitions/Uuid"
        }
      ]
    },
    "log_kind": {
      "description": "kind of log entry",
      "allOf": [
        {
          "$ref": "#/definitions/LogType"
        }
      ]
    },
    "msg": {
      "description": "message of the event",
      "type": "string"
    },
    "pdp_id": {
      "description": "unique id of cedarling",
      "allOf": [
        {
          "$ref": "#/definitions/Uuid"
        }
      ]
    },
    "person_decision": {
      "description": "cedar-policy user/person decision",
      "allOf": [
        {
          "$ref": "#/definitions/Decision"
        }
      ]
    },
    "person_diagnostics": {
      "description": "cedar-policy user/person diagnostics information",
      "allOf": [
        {
          "$ref": "#/definitions/Diagnostics"
        }
      ]
    },
    "person_principal": {
      "description": "cedar-policy user/person principal",
      "type": "string"
    },
    "resource": {
      "description": "cedar-policy resource",
      "type": "string"
    },
    "time": {
      "description": "Time of decision, in unix time",
      "type": "integer",
      "format": "uint64",
      "minimum": 0.0
    },
    "workload_decision": {
      "description": "cedar-policy workload decision",
      "allOf": [
        {
          "$ref": "#/definitions/Decision"
        }
      ]
    },
    "workload_diagnostics": {
      "description": "cedar-policy workload diagnostics information",
      "allOf": [
        {
          "$ref": "#/definitions/Diagnostics"
        }
      ]
    },
    "workload_principal": {
      "description": "cedar-policy workload principal",
      "type": "string"
    }
  },
  "definitions": {
    "ApplicationName": {
      "description": "Name of application from configuration",
      "type": "string"
    },
    "Decision": {
      "description": "Cedar-policy decision of the authorization",
      "oneOf": [
        {
          "description": "Determined that the request should be allowed",
          "type": "string",
          "enum": [
            "ALLOW"
          ]
        },
        {
          "description": "Determined that the request should be denied.",
          "type": "string",
          "enum": [
            "DENY"
          ]
        }
      ]
    },
    "Diagnostics": {
      "description": "Diagnostics providing more information on how a `Decision` was reached",
      "type": "object",
      "required": [
        "errors",
        "reason"
      ],
      "properties": {
        "errors": {
          "description": "Errors that occurred during authorization. The errors should be treated as unordered, since policies may be evaluated in any order.",
          "type": "array",
          "items": {
            "$ref": "#/definitions/PolicyEvaluationError"
          }
        },
        "reason": {
          "description": "`PolicyId`s of the policies that contributed to the decision. If no policies applied to the request, this set will be empty.",
          "type": "array",
          "items": {
            "type": "string"
          },
          "uniqueItems": true
        }
      }
    },
    "LogType": {
      "description": "Type of log entry",
      "type": "string",
      "enum": [
        "Decision",
        "System",
        "Metric"
      ]
    },
    "PolicyEvaluationError": {
      "description": "An error occurred when evaluating a policy",
      "type": "object",
      "required": [
        "error",
        "id"
      ],
      "properties": {
        "error": {
          "description": "Underlying evaluation error string representation",
          "type": "string"
        },
        "id": {
          "description": "Id of the policy with an error",
          "type": "string"
        }
      }
    },
    "Uuid": {
      "description": "version 7 uuid",
      "type": "string",
      "format": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    },
    "Version": {
      "description": "SemVer version as defined by <https://semver.org>.",
      "type": "string",
      "format": "n.n.n"
    }
  }
}

Cedarling Startup Sequence

cedarling-startup

Source

Authz Sequence Diagram

Note: no JWT status check

cedarling-authz-sequence-diagram

Source

Topology Diagram

cedarling-lock-topology-concept
