Apply ROND rules to /analytics

[rafpor75]

Description

Hi,
is it possible to apply ROND rules to the MongoDB reader service and all /analytics routes, using the same security policies that I applied to the CRUD service routes?

[fredmaggiowski]

Hi @rafpor75, yes it is possible by using the manual routes configuration tab in the authorization section and specifying the same policy name for both service-endpoint tuples.

You can re-use the same policies for all the routes and microservices you want.

In case you use request parameters (from the input.request object), make sure the the requests are compatible (e.g. share the same names foe path parameters/query/etc). If the requests are not compatible you can still use the same policy but will be required to define different OR blocks to make them work on the two interface variants.

For instance, imagine you have

• /resource/:id from crud-service
• /resource/:resourceId from the other service

You can protect both endpoints with the my_policy by defining the policy as in the following example:

my_policy {
    id := input.request.pathParameters.id
    # do something with id
}

my_policy {
    id := input.request.pathParameters.resourceId
    # do something with id
} 

In this way you are defining two possibilities for the policies that are evaluated in logical OR.

Further more, you can abstract the "do something part" in a different policy/function and re-use it in both branches, to avoid code duplication

[rafpor75]

Hi @fredmaggiowski ,
I may have misunderstood the issue. I want to filter the query in the profile configuration of the MongoDB Reader service by a value present in the metadata.myFieldValues field of the header jwt cookie. Can I do this using the code below, and how can I retrieve the value from the cookie? Alternatively, can I filter the main_collection in a different way?

query: {
    collectionName: 'main_collection',
    aggregationFunction: function aggregationFunction(input) {
      return [
        {
          $match: {
            __STATE__: 'PUBLIC',

             "metadata.myField": {
                  $in: ["value1","value2"]  //metadata.myFieldValues
            },
          }
        },