Alex Ermolin
05/10/2023, 8:36 AM
David Nilsdotter
05/11/2023, 7:59 AM
{
  id: 'john',
  attr: {
    projects: [{id: 1, role: 'user'}, {id: 2, role: 'manager'}, {id: 3, role: 'owner'}]
  }
}
with a resource like
{
  "kind": "file",
  "attr": {
    "parentProjectId": 1,
    "name": "taxes.txt",
    "createdAt": "2023-05-11T10:00:00.021-05:00"
  }
}
and then create a derived role like
derivedRoles:
  definitions:
    - name: project_owner
      condition:
        match:
          expr: <check if the role is 'owner' in the element of P.attr.projects with the id matching the R.attr.parentProjectId>
Is it possible to write such a match-string?
I know I can single out the project before sending the check, but if I can send the whole project state of a user (that rarely changes) it would be preferred.
Dmitry Meyerson
05/11/2023, 10:17 PM
Matthew Ebeweber
05/12/2023, 2:10 AM
Anil Kumar G A
05/13/2023, 11:41 AM
func (c *Client) AddOrUpdatePolicy(ctx context.Context) error {
	policySet := &cerbosclient.PolicySet{}
	if err := c.CerbosAdminClient.AddOrUpdatePolicy(ctx, policySet); err != nil {
		c.log.Errorf("Failed to add or update policy: %v", err)
		return err
	}
	return nil
}
It isn't working, can someone help me with this?
Jesum Yip
05/14/2023, 2:34 PM
To run the tests, provide the path to the tests directory using the --tests flag.
However, I've found that if I do not provide the --tests flag, the cerbos binary still goes ahead and self-discovers the test yamls and runs them.
Dmitry Meyerson
05/15/2023, 7:06 PM
Dmitry Meyerson
05/16/2023, 4:08 PM
docker run -i -t -v /path/to/policy/dir:/policies ghcr.io/cerbos/cerbos:0.26.0 compile /policies
However, I notice that I have to place all of my resources in a single flat directory structure, so I get a role import error w/in my resourcePolicy doc when I try to keep things tidy w/ /policies/derivedRoles and /policies/resources - what's the quick fix here? Thank you Cerbos - sorry for @ing ppl
Dmitry Meyerson
05/16/2023, 9:00 PM
akkaratanapatT
05/17/2023, 7:53 AM
Matthew Ebeweber
05/18/2023, 3:12 AM
Tory Clasen
05/19/2023, 7:16 PM
Alex Ermolin
05/21/2023, 5:39 PM
Eliav Gnessin
05/22/2023, 5:47 PM
Luis Diaz
05/25/2023, 1:36 PM
Celso
05/28/2023, 9:22 AM
Roman Levytskyi
05/31/2023, 11:32 AM
scope or resource kind or both. The only way to do that is .list() method which seems to be highly inefficient with 1000s of items in the DB.
The why: tenants may override/create their own roles based on the list of available resources (fetched from authorization server policies) and their actions (extracted from policies). Is that even possible?
Thank you 🙏
Roman Levytskyi
06/01/2023, 12:20 PM
kind: Parent.Entity.aFhAsd273hd2asda).
This might grow to 100k+ policies in DB.
How does Cerbos behave at scale?
Norberto Cáceres
06/01/2023, 10:50 PM
Michael
06/02/2023, 10:25 AM
expr: P.attr.foo = env["FOO"] ?
Roman Levytskyi
06/02/2023, 11:57 AM
{
  "log.level": "error",
  "@timestamp": "2023-06-02T11:50:25.391Z",
  "log.logger": "cerbos.git.store",
  "message": "Failed to check for updates",
  "dir": "/work",
  "error": "failed to pull from remote: worktree contains unstaged changes"
}
This is happening when I’m running tests in parallel:
1. constantly pushing a random number of policies, both modified and new
2. constantly running a process calling the isAllowed method on the SDK
What could it be?
I’m afraid that when a policy is being modified and an authz request is being received at the same time, the check could fail.
Also, sometimes the pod crashes and is being restarted with a normal Shutting down message, although k8s resources are not limited.
Dmitry Meyerson
06/02/2023, 10:03 PM
Vladyslav Ishchenko
06/05/2023, 6:26 PM
Conor Downey
06/05/2023, 6:32 PM
Dung Truong
06/05/2023, 7:04 PM
derivedRoles.
In this case, it's about too many responsibilities in Cerbos.
My expectation is, those derivedRoles are a normal role, but it's determined via the request object instead. Could this simplify the system? So I could send the role directly via request.
Dung Truong
06/05/2023, 7:04 PM
Norberto Cáceres
06/06/2023, 7:37 PM
Luis Diaz
06/07/2023, 8:38 AM
Luis Diaz
06/07/2023, 10:59 AM
Matthew Ebeweber
06/07/2023, 5:10 PM