# Cedarling Principal Mappings

Cedarling automatically creates the following entities:

- Trusted Issuer
- Workload
- User
- Role
- JWT (token) entities

The entity type names of the Workload and User entities can be customized via the `CEDARLING_MAPPING_WORKLOAD` and `CEDARLING_MAPPING_USER` bootstrap properties respectively.
Notes
- All entity creation and attribute population logic is configurable via the Token Metadata Schema (TEMS) and Cedarling bootstrap properties.
- Attribute presence depends on token contents and policy store configuration.
- Role inheritance simplifies user-role mapping for RBAC policy enforcement.
## Trusted Issuer

Cedarling creates a Trusted Issuer entity at startup for each trusted issuer defined in the policy store.

- Default Type Name: `Jans::TrustedIssuer`
- Entity ID: Set using the name of the trusted issuer object in the policy store.
## Workload Entity

Cedarling creates a Workload entity for each request when the `CEDARLING_WORKLOAD_AUTHZ` bootstrap property is set to `enabled`.

- Default Type Name: `Jans::Workload`
- Entity ID: Determined by the `workload_id` attribute from the Token Entity Metadata Schema (TEMS).
  - If `workload_id` is not set, Cedarling will fall back to the following claims (in order):
    - `aud` from the `access_token`
    - `client_id` from the `access_token`
    - `aud` from the `id_token`
  - Note that even when the Entity ID is taken from the `id_token`, the Workload attributes are still populated from the `access_token`.
- Entity Attributes: Extracted from the claims of the `access_token`. Cedarling will check the schema and use the JWT claims with the same names as the Workload attributes.
### Example Workload Entity Creation

With the following `access_token` claims:

```json
{
  "iss": "https://test.com/",
  "aud": "some_aud",
  "jti": "some_jti"
}
```

and Cedar schema:

```cedar
entity TrustedIssuer;
entity Workload = {
  iss: TrustedIssuer,
  client_id?: String,
  aud?: String,
  name?: String,
  rp_id?: String,
  spiffe_id?: String,
  access_token?: Access_token,
};
```

the following Workload entity could be created (the `aud` claim supplies the Entity ID, and only claims that match a schema attribute become attributes):

```json
{
  "uid": {"type": "Workload", "id": "some_aud"},
  "attrs": {
    "iss": {"__entity": {"type": "TrustedIssuer", "id": "https://test.com/"}},
    "aud": "some_aud",
    "access_token": {"__entity": {"type": "Access_token", "id": "some_jti"}}
  },
  "parents": []
}
```
## User Entity

Cedarling creates a User entity for each request when the `CEDARLING_USER_AUTHZ` bootstrap property is set to `enabled`.

- Default Type Name: `Jans::User`
- Entity ID: Determined by the `user_id` attribute from the TEMS.
  - If `user_id` is not set, Cedarling will fall back to the following claims (in order):
    - `sub` from the `userinfo_token`
    - `sub` from the `id_token`
- Entity Attributes: Determined by the combined claims of the `id_token` and `userinfo_token`. Cedarling will check the schema and use the JWT claims with the same names as the User attributes.
### Example User Entity Creation

With the following `id_token` claims:

```json
{
  "iss": "https://test.com/",
  "sub": "some_sub",
  "email": "bob@email.com",
  "jti": "id_tkn_jti",
  "role": "role1"
}
```

and `userinfo_token` claims:

```json
{
  "iss": "https://test.com/",
  "sub": "some_sub",
  "name": "bob",
  "jti": "userinfo_tkn_jti",
  "role": ["role2", "role3"]
}
```

and Cedar schema:

```cedar
entity Role;
entity User in [Role] = {
  sub: String,
  email: String,
  name: String,
};
```

the following User entity could be created (note that the `role` claims of both tokens become Role parents):

```json
{
  "uid": {"type": "User", "id": "some_sub"},
  "attrs": {
    "sub": "some_sub",
    "email": "bob@email.com",
    "name": "bob"
  },
  "parents": [
    {"type": "Role", "id": "role1"},
    {"type": "Role", "id": "role2"},
    {"type": "Role", "id": "role3"}
  ]
}
```
## Role Entity

Cedarling automatically attempts to create Role entities for each request.

- Default Type Name: `Jans::Role`
- Entity ID: Determined by the `role_mapping` attribute from the TEMS.
  - If `role_mapping` is not set, Cedarling will try to create Role entities based on the following claims (in order):
    - `role` from the `userinfo_token`
    - `role` from the `id_token`
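The Workload, User and Role mapping rules above, as an added illustrative Python model of the claim-to-entity logic (this is not Cedarling's own code). It assumes simplified inputs: tokens are already-verified claim dicts, the schema is given as a set of primitive attribute names (entity-typed attributes such as `iss` are left out), `userinfo_token` claims win on a clash, and, following the User example on this page, roles are collected from both tokens rather than from the first token that has a `role` claim.

```python
# Claim lookup order documented on this page: (token name, claim name).
WORKLOAD_ID_ORDER = [("access_token", "aud"), ("access_token", "client_id"), ("id_token", "aud")]
USER_ID_ORDER = [("userinfo_token", "sub"), ("id_token", "sub")]
ROLE_ORDER = [("userinfo_token", "role"), ("id_token", "role")]

def first_claim(tokens, order):
    """Return the first present claim, walking the documented fallback order."""
    for token, claim in order:
        value = tokens.get(token, {}).get(claim)
        if value is not None:
            return value
    return None

def build_workload(tokens, schema_attrs, type_name="Jans::Workload"):
    """Workload: id from the fallback chain, attributes always from the access_token."""
    uid = first_claim(tokens, WORKLOAD_ID_ORDER)
    if uid is None:
        return None  # no usable identifier, so no Workload entity
    access = tokens.get("access_token", {})
    attrs = {k: v for k, v in access.items() if k in schema_attrs}
    return {"uid": {"type": type_name, "id": str(uid)}, "attrs": attrs, "parents": []}

def build_user(tokens, schema_attrs, type_name="Jans::User", role_type="Jans::Role"):
    """User: id from sub, attributes from id_token + userinfo_token, roles as parents."""
    uid = first_claim(tokens, USER_ID_ORDER)
    if uid is None:
        return None
    # Assumption: on a claim clash the userinfo_token value wins (the page does not say).
    merged = {**tokens.get("id_token", {}), **tokens.get("userinfo_token", {})}
    attrs = {k: v for k, v in merged.items() if k in schema_attrs}
    # Roles: the User example on this page has roles from both tokens, so collect
    # from each in the documented order; a "role" claim may be a string or a list.
    roles = []
    for token, claim in ROLE_ORDER:
        value = tokens.get(token, {}).get(claim)
        for role in ([value] if isinstance(value, str) else value or []):
            if role not in roles:
                roles.append(role)
    parents = [{"type": role_type, "id": r} for r in roles]
    return {"uid": {"type": type_name, "id": str(uid)}, "attrs": attrs, "parents": parents}

# Constructed sample tokens, copied from the examples on this page.
SAMPLE_TOKENS = {
    "access_token": {"iss": "https://test.com/", "aud": "some_aud", "jti": "some_jti"},
    "id_token": {"sub": "some_sub", "email": "bob@email.com", "jti": "id_tkn_jti", "role": "role1"},
    "userinfo_token": {"sub": "some_sub", "name": "bob", "jti": "userinfo_tkn_jti", "role": ["role2", "role3"]},
}
```

Running `build_workload(SAMPLE_TOKENS, {"client_id", "aud", "name", "rp_id", "spiffe_id"})` and `build_user(SAMPLE_TOKENS, {"sub", "email", "name"})` reproduces the primitive parts of the two example entities above; dropping `aud` from the access token exercises the `client_id` and `id_token` fallbacks.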
## RBAC Support

Since Role entities are automatically assigned as parents of User entities, you can easily define RBAC policies like:

```cedar
// "in" matches any principal whose parents include the Admin role
permit (
  principal in Jans::Role::"Admin",
  action in [Jans::Action::"Compare", Jans::Action::"Execute"],
  resource
);
```
## JWT Entities

Cedarling creates JWT entities for each token defined in the trusted issuers schema.

- Type Name: Determined by the `entity_type_name` attribute from the TEMS.
- Entity ID: Determined by the `token_id` attribute from the TEMS.

### Attribute Mappings

Each claim in the JWT is automatically added to the JWT entity's attributes.
Created: 2025-03-20