Skip to main content

How to Modify the default "tagging match” behavior of Katanemo?

Katanemo’s default behavior is to match tags associated with a resource against tags present in the session token (of the principal) making the request. However, you can alter this default behavior for your particular use case by adding the where clause to your Role policies.

Where clause (via Role policies) In cases where the default behavior of matching tags associated with a resource doesn’t satisfy your particular use case, you can define conditional policies using the where clause to match tags as per your use case. Note, the UI experience offers an "Advanced Editor" that enables you to construct permission with a where clause. The following use cases showcase policies using Katanemo's OpenAPI-based permissions language with the where clause to construct simple, yet highly powerful authorization rules.

Use Case #1: Some users will have READ/WRITE access to dev clusters, and READ access to stage & prod clusters.

 allow:
  api: 
    – PUT:/cluster/{clusterId}
    – GET:/cluster/{clusterId}
  where: $resourceTags:clustertag = 'dev'
  api:
   - GET:/cluster/{clusterId}
  where: $resourceTags:clustertag IN ('staging', 'production')

Use Case #2: Some users will have READ/WRITE access to dev clusters of type EKS.

 allow:
  api: 
   – PUT:/cluster/{clusterId}
   – GET:/cluster/{clusterId}
  where: $resourceTags:clustertag = 'EKS'

Use Case #3: Some users will have the ability to create promotions only up to a maximum of 10% off.

 allow:
  api: 
   – POST:/api-offers/promo/create
  where: $request:promo:discount:value < 10 AND $request:promo:targetProducts:value IN ('SKU-124')

Use Case #3a: Some users will have the ability to UPDATE promotions where tag = “independence-day”

 allow:
  api: 
   – PUT:/api-offers/promo/update/{promoId}
  where: $resourceTag:note = "independence day promos"

$resourceTags, $request, and $principalTags are system variables that can be used in the where clause to get tags for the resource or the principal, respectively. The $resourceTags:tagkey directive allows you to look for a particular tag key for a resource.