help
- s
sdktr
10/17/2022, 9:42 PMHow does one debug a policy evaluation? I know the queryplan, but that doesn’t actually evaluate all the steps. For example: tell me which ‘derived roles’ did you evaluate to?2 replies · 2 participants
- s
sdktr
10/19/2022, 9:33 AMDid any of you got Azure Devops to work as a https based Git driver? We’re hitting ‘error 400’ on ‘git-upload-pack’9 replies · 3 participants
- r
Ryan Killeen
10/19/2022, 2:00 PMHello all! As always thanks for prompt answers to questions here. I'm currently sharing around Cerbos as a solution and have been able to field a lot of questions, but one came up that I don't have any insight into: Most use-cases I've run into are perfectly suited for making a request and then authorizing each resource, But in some cases, like queries to ElasticSearch, that isn't possible (prevents pagination, etc.) What's the Cerbos way of handling a use-case like this?8 replies · 3 participantss - m
Mark Piper
10/23/2022, 2:15 AMHi all! 👋 Evaluating Cerbos--but how can you model it to allow users to add self-service custom roles? Imagine an admin in a multi-tenant SaaS w/ UI to copy an existing system role, give it a new name and click checkboxes for what permissions to enable/disable on the new role. Thanks!3 replies · 2 participants - ł
Łukasz Sierakowski
10/25/2022, 8:45 AMHi, I’m trying to use
for managing user access to client orders. Unfortunately it doesn’t work as I expected. I’ve created following principal policyPrincipal policiesapiVersion: api.cerbos.dev/v1 principalPolicy: principal: user-123 version: "dev" rules: - resource: client-12345 actions: - name: view-data action: "view" effect: EFFECT_ALLOWname: test principals: user: id: user-123 roles: - user resources: clients: id: client-12345 kind: client tests: - name: User should view client records input: principals: - user resources: - clients actions: - view expected: - principal: user resource: clients actions: view: EFFECT_ALLOW
to executeuser-123
action onview
resource. However when I compile ant test policy I always getclient-12345
What did I wrong?EFFECT_DENY3 replies · 2 participants - a
Alex Tuca
10/25/2022, 2:27 PMHi, everybody! I am trying to implement @cerbos/grpc in my Express.js server using auxData to pass the JWT, but every way I check I still need to pass the principal data since I get the principal ID not having at least 1 rune otherwise. Am I interpreting the AuxData section from the documentation wrong that I could pass the JWT directly and not have to decode the token beforehand or do I need to use a specific syntax?1 reply · 2 participants - r
Ryan Killeen
10/25/2022, 5:43 PMHey! Looking to run Cerbos in
and attempting to set a config for it, I can't seem to set the server config's yaml file through docker env variables. Is there a recommended approach here? yaml in the thread!docker-compose22 replies · 2 participants - n
Nimit
10/26/2022, 11:29 AMHello (i am from company called sales-i and we are evaluating cerbos for our PBAC needs), quick question.. I see there is a policy_revision sql table that stores the history of a policy Is there a way of get all revisions, getting a particular version etc from the admin api ?1 reply · 2 participants - i
Imadul Islam
11/03/2022, 2:54 PMHello I am new with
. I was trying to runCerbos
withCerbos
. There is a doc for how to run and create schemas. But I could not find any doc how should I insert my policies on theMySQL
tables. Sample Finance Application Policyhttps://play.cerbos.dev/p/XhkOi82fFKk3YW60e2c806Yvm0trKEje This is the playground URL I was trying to read fromMySQL
. ThanksMySQL5 replies · 3 participants
- n
Nimit
11/03/2022, 3:40 PMhello, while defining a policy is there any place i can define some metadata ? For example while defining actions i want to have some metadata to describe each action4 replies · 2 participants - n
Nimit
11/03/2022, 7:30 PMhi, i noticed a bug relating to scopes using PlanResource(), i have 2 policies a scoped and its related unscoped one [as below] I noticed calling PlanResources seems to always read from the unscoped (seems to ignore the scoped one - i had DENY in the scoped but ALLOW in unscoped and it returns CONDITIONAL) UNSCOPED:{"apiVersion": "<http://api.cerbos.dev/v1|api.cerbos.dev/v1>","resourcePolicy": {"resource": "top","version": "default","rules": [{"actions": ["VIEW"],"roles": ["customer-user"],"condition": {"match": {"any": {"of": [{"expr": "R.attr.custAnal in P.attr.custAllowedValues"},{"expr": "R.attr.salhAnal in P.attr.salhAllowedValues"}]}}},"effect": "EFFECT_ALLOW"}]}
SCOPED:}{"apiVersion": "<http://api.cerbos.dev/v1|api.cerbos.dev/v1>","resourcePolicy": {"resource": "top","version": "default","rules": [{"actions": ["VIEW"],"roles": ["customer-user"],"condition": {"match": {"any": {"of": [{"expr": "R.attr.custAnal in P.attr.custAllowedValues"},{"expr": "R.attr.salhAnal in P.attr.salhAllowedValues"}]}}},"effect": "EFFECT_DENY"}],"scope": "T8eeab29e-9622-48e6-967d-5137b485d8aa"}}24 replies · 3 participants
- i
Imadul Islam
11/04/2022, 6:41 AMHello Sample Finance Application Policyhttps://play.cerbos.dev/p/XhkOi82fFKk3YW60e2c806Yvm0trKEje I was trying to convert this playground’s policies to JSON so that I can save them through Admin API. The following is the payload.{ "policies": [ { "apiVersion": "api.cerbos.dev/v1", "description": "Common dynamic roles used within the Finance Demo app", "resourcePolicy": { "version": "default", "importDerivedRoles": [ "common_roles" ], "resource": "expense", "rules": [ { "actions": [ "*" ], "effect": "EFFECT_ALLOW", "roles": [ "ADMIN" ] }, { "actions": [ "view" ], "effect": "EFFECT_ALLOW", "derivedRoles": [ "OWNER", "FINANCE", "REGION_MANAGER" ] }, { "actions": [ "view:approver" ], "effect": "EFFECT_ALLOW", "derivedRoles": [ "FINANCE" ] }, { "actions": [ "view:approver" ], "effect": "EFFECT_ALLOW", "derivedRoles": [ "OWNER" ], "condition": { "match": { "expr": "request.resource.attr.status == \"APPROVED\"" } } }, { "actions": [ "update" ], "effect": "EFFECT_ALLOW", "derivedRoles": [ "OWNER" ], "condition": { "match": { "expr": "request.resource.attr.status == \"OPEN\"" } } }, { "actions": [ "approve" ], "effect": "EFFECT_ALLOW", "derivedRoles": [ "FINANCE_MANAGER" ], "condition": { "match": { "expr": "request.resource.attr.ownerId != request.principal.id" } } }, { "actions": [ "approve" ], "effect": "EFFECT_ALLOW", "derivedRoles": [ "FINANCE" ], "condition": { "match": { "all": { "of": [ { "expr": "request.resource.attr.amount < 1000" }, { "expr": "request.resource.attr.ownerId != request.principal.id" } ] } } } }, { "actions": [ "delete" ], "effect": "EFFECT_ALLOW", "derivedRoles": [ "FINANCE_MANAGER" ] }, { "actions": [ "delete" ], "effect": "EFFECT_ALLOW", "derivedRoles": [ "OWNER" ], "condition": { "match": { "all": { "of": [ { "expr": "request.resource.attr.status == \"OPEN\"" }, { "expr": "timestamp(request.resource.attr.createdAt).timeSince() < duration(\"1h\")" } ] } } } } ] }, "derivedRoles": { "name": "common_roles", "definitions": [ { "name": "OWNER", "parentRoles": [ "USER" ], "condition": { "match": { "expr": "request.resource.attr.ownerId == request.principal.id" } } }, { "name": "FINANCE", "parentRoles": [ "USER" ], "condition": { "match": { "expr": "request.principal.attr.department == \"FINANCE\"" } } }, { "name": "FINANCE_MANAGER", "parentRoles": [ "MANAGER" ], "condition": { "match": { "expr": "request.principal.attr.department == \"FINANCE\"" } } }, { "name": "REGION_MANAGER", "parentRoles": [ "MANAGER" ], "condition": { "match": { "expr": "request.resource.attr.region == request.principal.attr.region" } } } ] } } ] }{ "code": 3, "message": "proto: (line 141:13): error parsing \"derivedRoles\", oneof cerbos.policy.v1.Policy.policy_type is already set" }3 replies · 2 participants - n
Nimit
11/04/2022, 1:45 PMhi @Charith (Cerbos) 2 quick questions1. I have 2 policies (for 2 different resources - both accessed by a user_role - see below), can i somehow combine these 2 policies in 1 (i mean policy for a user_role for 2 separate resources)? I see it can be done for a single principal, but can be done for a role ? 2. Is there a simple function call where i can just get back the list of allowed actions on a resource (not send a list of actions and get back the allowed list). for e.g in the policy below can i just get back CUS01, CUS02 ?{"apiVersion": "<http://api.cerbos.dev/v1|api.cerbos.dev/v1>","resourcePolicy": {"resource": "*customers*","version": "default","rules": [{"actions": ["CUS01","CUS02"],"roles": ["*customer-user*"],"effect": "EFFECT_ALLOW"},{"actions": ["CUS11","CUS12"]],"scope": "T8eeab29e-9622-48e6-967d-5137b485d8aa"}}{"apiVersion": "<http://api.cerbos.dev/v1|api.cerbos.dev/v1>","resourcePolicy": {"resource": "*salh*","version": "default","rules": [{"actions": ["SALH01","SALH02"],"roles": ["*customer-user*"],"effect": "EFFECT_ALLOW"}"scope": "T8eeab29e-9622-48e6-967d-5137b485d8aa"}}11 replies · 2 participants - a
ANILA SOMAN
11/06/2022, 5:12 PMHello everyone, i am new in cerbos i am trying to connect cerbos with sqlite database and trying to put policies in database using cerbosctl but i am getting below error
config.yamlcerbosctl: error: failed to add or update the policies: failed to send batch [0,1): rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: tls: first record does not look like a TLS handshake"--- server: httpListenAddr: ":3592" grpcListenAddr: ":3593" playgroundEnabled: true adminAPI: enabled: true adminCredentials: username: cerbos passwordHash: JDJ5JDEwJHFGcjhCSEtqVWkyUzRSVzF4Tm5zbC5LMW9NME55NUhxaDNyWkJmdmlwV3p3QTB3VjFzMm9xCgo= storage: driver: "sqlite3" sqlite3: dsn: ":memory:"2 replies · 2 participants - s
sdktr
11/07/2022, 6:40 PMDid you ever consider calculating ‘derived actions’ as well? Or should that be a responsibility of the app?6 replies · 2 participants - o
Owen Cummings
11/07/2022, 11:39 PMI am getting an error when using the PlanResources API that does not occur when I use the CheckResources API. It seems like it is a bug, but wanted some guidance in case I am doing something wrong I’ve determined that it is due to my Derived Roles, specifically
If I hard code this to location_roles: P.attr.roles["1"]everything seems to work as expected.location_roles: P.attr.roles[R.attr.location_id]apiVersion: api.cerbos.dev/v1 variables: location_roles: P.attr.roles[R.attr.location_id] derivedRoles: name: my_roles definitions: - name: global_admin parentRoles: - user condition: match: expr: ("Global Admin" in V.location_roles){"log.level":"info","@timestamp":"2022-11-07T23:34:00.201Z","log.logger":"cerbos.payload","message":"server request payload logged as grpc.request.content field","system":"grpc","span.kind":"server","grpc.service":"cerbos.svc.v1.CerbosService","grpc.method":"PlanResources","peer.address":"127.0.0.1:52082","http":{"x_forwarded_for":["172.17.0.1"],"x_forwarded_host":["localhost:3592"]},"grpc.request.content":{"msg":{"action":"entry:read","principal":{"id":"1","policyVersion":"default","roles":["user"],"attr":{"employee_id":"123","permissions":{"1":["entry.read_all"]},"roles":{"1":["Employee"]}}},"resource":{"kind":"entry","attr":{"location_id":"1"},"policyVersion":"default"},"includeMeta":true}}} {"log.level":"error","@timestamp":"2022-11-07T23:34:00.203Z","log.logger":"cerbos.grpc","message":"Resources query plan request failed","grpc.start_time":"2022-11-07T23:34:00Z","system":"grpc","span.kind":"server","grpc.service":"cerbos.svc.v1.CerbosService","grpc.method":"PlanResources","peer.address":"127.0.0.1:52082","http":{"x_forwarded_for":["172.17.0.1"],"x_forwarded_host":["localhost:3592"]},"cerbos":{"call_id":"01GHA734RAWRPKZD2E4NGASBH1"},"error":"error evaluating condition \"(\\\"Employee\\\" in V.location_roles)\": invalid qualifier type: *structpb.Value"} {"log.level":"error","@timestamp":"2022-11-07T23:34:00.203Z","log.logger":"cerbos.grpc","message":"Handled request","grpc.start_time":"2022-11-07T23:34:00Z","system":"grpc","span.kind":"server","grpc.service":"cerbos.svc.v1.CerbosService","grpc.method":"PlanResources","cerbos":{"call_id":"01GHA734RAWRPKZD2E4NGASBH1"},"peer.address":"127.0.0.1:52082","http":{"x_forwarded_for":["172.17.0.1"],"x_forwarded_host":["localhost:3592"]},"error":"rpc error: code = Internal desc = Resources query plan request failed","grpc.code":"Internal","grpc.time_ms":2.047}16 replies · 2 participants - s
Sami Dahoux
11/09/2022, 1:53 PMHello everyone, I wanted to use Cerbos to control the permission of creating an object in our application. I have noticed that in order to perform a checkResource I need to provide a resourceId, which I don't yet have since I am creating the resource. Right now we used a resourceId of 0 as a placeholder to perform the check. Is there a better solution to this problem ?2 replies · 2 participants - o
Owen Cummings
11/09/2022, 7:27 PMI am having trouble with Cerbos finding my schema files. Probably something dumb I’m missing but I’m out of ideas. When I turn on schema enforcement in the conf.yaml I receive an error that Cerbos can’t find the configured schama files. My $PWD looks like this:. ├── README.md ├── _schemas │ ├── desk.json │ ├── entry.json │ └── principal.json ├── conf.yaml ├── policies │ ├── derived_roles │ │ └── my_roles.yaml │ └── resource │ ├── desk.yaml │ └── entry.yaml ├── start.sh └── tests ├── desk_test.yaml ├── entry_test.yaml └── testdata ├── principals.yaml └── resources.yaml
My policy looks like this:docker run --rm --name cerbos -p 3592:3592 -p 3593:3593 -v $PWD:/blah <http://ghcr.io/cerbos/cerbos:latest|ghcr.io/cerbos/cerbos:latest> server --config=/blah/conf.yamlapiVersion: api.cerbos.dev/v1 resourcePolicy: version: default resource: entry importDerivedRoles: - my_roles rules: - actions: - "entry:read" effect: EFFECT_ALLOW derivedRoles: - employee condition: match: any: of: - expr: P.attr.employee_id == R.attr.employee_id - expr: R.attr.location_id in P.attr.permissions.filter(x, P.attr.permissions[x].exists(y, y == "entry.read_all")) - actions: - "entry:read" effect: EFFECT_ALLOW derivedRoles: - global_admin - location_admin - receptionist schemas: principalSchema: ref: cerbos:///principal.json resourceSchema: ref: cerbos:///entry.json5 replies · 2 participants - n
Nimit
11/10/2022, 5:47 PMhi @Charith (Cerbos) noticed a difference between "IsAllowed" and "QueryPlan" .. i have the following 2 policies (base and a scoped) All actions blocked in the base BUT VIEW action allowed in scoped Both resource and principal have the correct scope set. When i try to check for VIEW access using "IsAllowed" i get an ALLOWED .. but using Plan is says BLOCKED As the specs say if the answer can be resolved from the scoped policy, why is the base being queried for plan ? base.ymlapiVersion: <http://api.cerbos.dev/v1|api.cerbos.dev/v1>resourcePolicy:resource: interactionsversion: defaultrules:- actions:- "*"roles:- poweruser
scoped.ymleffect: EFFECT_DENYapiVersion: <http://api.cerbos.dev/v1|api.cerbos.dev/v1>resourcePolicy:resource: interactionsversion: defaultrules:- actions:- VIEWroles:- powerusereffect: EFFECT_ALLOWscope: T00101581-3dd4-40b8-a2e3-175624586f85{"requestId": "123123","principal": {"id": "123","roles": ["poweruser"],"attr": {},"scope": "T00101581-3dd4-40b8-a2e3-175624586f85"},"resources": [{"resource": {"kind": "interactions","id": "123","scope": "T00101581-3dd4-40b8-a2e3-175624586f85","attr": {}},"actions": ["VIEW"]}]}18 replies · 3 participants - n
Nimit
11/10/2022, 5:50 PM - m
Maggie Walker
11/10/2022, 6:37 PMHey! Is there support for private Cerbos playgrounds?2 replies · 2 participants - a
ANILA SOMAN
11/10/2022, 8:07 PMhi, i have tried to put policies and getting message with uploaded 1 but while trying to get the policies its empty5 replies · 2 participants - n
Nimit
11/11/2022, 3:10 PMhi All, is there a debug/verbose mode that i can run the cerbos server to catch and logs (how does it decide allow/deny etc) ?2 replies · 2 participants - o
Oliver Orav
11/12/2022, 3:38 PMHey everybody 👋 I think I have a more of general/architectural question rather than technical, policy, related questions. Tried to read through this channel so hopefully it is not a duplicate. For the sake of keeping it short, let’s say I have 2 REST APIs accessible to clients (web or mobile apps) • identity-api: provides tokens, password resets, etc general user management. • business-api: provides business functionality, CRUD actions on resources, etc. All endpoints are authenticated by JWT from identity-api. My question is that how would I solve authorisation in cases where resources in business-api (or principals in identity-api) do not exist while Cerbos policies are made? For example: Lets say that user-1 creates a resource Foo using API endpoint in business-api
. Now user-1 should be able to to other actions as well with this resource:POST /v1/foos
. Using Cerbos this could be easily solved with a derived role, if I keep track of the createdBy attribute and pass it as resource attribute. But what happens when user-1 wants to giveGET/DELETE/PUT /v1/foos/{fooResourceId}
andGET
access user-2? Or, if Foo has a child resources Bar atPUT
and user-2 should only be allowed to edit Bar resource but not Foo? You could also think of it this way, that user-1 creates a profile (like in Facebook) that is private, but later decides that user-2 and user-3 should be able to see it. When creating the profile user-1 and user-2 might not even exist yet. One option I see is using the Cerbos Admin API and/v1/foos/{fooResourceId}/bars/{barResourceId}
, but how would it handle if there are hundreds of users and resources. Second option, I thought of would be to define policy role based (e.g USER-1-PROFILE-READ) and just add the user to the role, but at the time of writing the policy, I would’t know the users that will exist in the future. Third option would be to keep track of the permissions and access in our systems, but that would probably just end up as creating own authorisation service, which I hope to avoid with Cerbos. I might be over-engineering everything and there is a really simple solution 😂 Anyway, thanks for the help/ideas in advance!POST /admin/policy4 replies · 3 participants - p
Petar Mrdalj
11/14/2022, 11:20 AMHello I have a question when using nestJS with graphQL and cerbos Currently I have implemented an interceptor which is called before the resolver mutation code is actually called which is the behaviour I am expecting. While using grpc I need to provide a resource id which is not the case as to when using http:principal: { id: userData.userId, roles: userData.roles, }, resource: { kind: cerbosObject, id: "1", }, action: host.getHandler().name,5 replies · 3 participants
- a
ANILA SOMAN
11/17/2022, 5:42 AMHi All, while using AdminApi i am getting below errorcould not list policies: rpc error: code = Unavailable desc = name resolver error: dns: A record lookup error: lookup cerbos: Temporary failure in name resolution8 replies · 3 participants - n
Nimit
11/17/2022, 10:32 AMhi All, quick question.. i want to have a parent-child relation for my policy, is that possible? I have 2 resources "child" and "parent" .. in cerbos can i define a policy wherein when i access child.. the parent is checked first followed by the explicit child policy ? Just to add .. i am using the scope already for another variable.3 replies · 2 participants - a
Ankit Khosla
11/23/2022, 2:16 PMHi all, a principal policy I created against create action is returning
inside the node app. But, the same policy when tested in playground is returningfalse
for create action.trueOwner has full access over manager and store_managerapiVersion: api.cerbos.dev/v1 principalPolicy: version: default principal: owner rules: - resource: manager actions: - action: "*" effect: EFFECT_ALLOW condition: match: expr: R.attr.clientNumber == P.attr.clientNumber - resource: store_manager actions: - action: "*" effect: EFFECT_ALLOW condition: match: expr: R.attr.clientNumber == P.attr.clientNumber{ "principal": { "id": "owner", "roles": [ "OWNER" ], "attr": { "clientNumber": 1234 } }, "resource": { "kind": "manager", "id": "1", "attr": { "clientNumber": 1234 } }, "action": "CREATE" }7 replies · 3 participants - a
ANILA SOMAN
11/27/2022, 1:21 AMHi Is it possible to use Cassandra data base to store the policy?2 replies · 2 participants