How to Modify the default "tagging match” behavior of Katanemo?
Katanemo’s default behavior is to match tags associated with a resource against tags present in the session token (of the principal) making the request. However, you can alter this default behavior for your particular use case by adding the where
clause to your Role policies.
Where clause (via Role policies)
In cases where the default behavior of matching tags associated with a resource doesn’t satisfy your particular use case, you can define conditional policies using the where
clause to match tags as per your use case. Note, the UI experience offers an "Advanced Editor" that enables you to construct permission with a where
clause. The following use cases showcase policies using Katanemo's OpenAPI-based permissions language with the where
clause to construct simple, yet highly powerful authorization rules.
Use Case #1: Some users will have READ/WRITE access to dev clusters, and READ access to stage & prod clusters.
allow:
api:
– PUT:/cluster/{clusterId}
– GET:/cluster/{clusterId}
where: $resourceTags:clustertag = 'dev'
api:
- GET:/cluster/{clusterId}
where: $resourceTags:clustertag IN ('staging', 'production')
Use Case #2: Some users will have READ/WRITE access to dev clusters of type EKS.
allow:
api:
– PUT:/cluster/{clusterId}
– GET:/cluster/{clusterId}
where: $resourceTags:clustertag = 'EKS'
Use Case #3: Some users will have the ability to create promotions only up to a maximum of 10% off.
allow:
api:
– POST:/api-offers/promo/create
where: $request:promo:discount:value < 10 AND $request:promo:targetProducts:value IN ('SKU-124')
Use Case #3a: Some users will have the ability to UPDATE promotions where tag = “independence-day”
allow:
api:
– PUT:/api-offers/promo/update/{promoId}
where: $resourceTag:note = "independence day promos"
$resourceTags,
$request
, and $principalTags
are system variables that can be used in the where clause to get tags for the resource or the principal, respectively. The $resourceTags:tagkey
directive allows you to look for a particular tag key for a resource.