help
  • sdktr

    10/17/2022, 9:42 PM
    How does one debug a policy evaluation? I know about the query plan, but that doesn’t actually evaluate all the steps. For example: tell me which ‘derived roles’ it evaluated to.
  • sdktr

    10/19/2022, 9:33 AM
    Did any of you get Azure DevOps to work as an HTTPS-based Git driver? We’re hitting ‘error 400’ on ‘git-upload-pack’.
  • Ryan Killeen

    10/19/2022, 2:00 PM
    Hello all! As always, thanks for the prompt answers to questions here. I'm currently sharing Cerbos around as a solution and have been able to field a lot of questions, but one came up that I don't have any insight into: most use-cases I've run into are perfectly suited for making a request and then authorizing each resource, but in some cases, like queries to ElasticSearch, that isn't possible (prevents pagination, etc.). What's the Cerbos way of handling a use-case like this?
  • Mark Piper

    10/23/2022, 2:15 AM
    Hi all! 👋 Evaluating Cerbos--but how can you model it to allow users to add self-service custom roles? Imagine an admin in a multi-tenant SaaS w/ UI to copy an existing system role, give it a new name and click checkboxes for what permissions to enable/disable on the new role. Thanks!
  • Łukasz Sierakowski

    10/25/2022, 8:45 AM
    Hi, I’m trying to use principal policies for managing user access to client orders. Unfortunately it doesn’t work as I expected. I’ve created the following principal policy:
    apiVersion: api.cerbos.dev/v1
    principalPolicy:
      principal: user-123
      version: "dev"
      rules:
        - resource: client-12345
          actions:
            - name: view-data
              action: "view"
              effect: EFFECT_ALLOW
    and a test for this policy:
    name: test
    principals:
      user:
        id: user-123
        roles:
          - user
    resources:
      clients:
        id: client-12345
        kind: client
    tests:
      - name: User should view client records
        input:
          principals:
            - user
          resources:
            - clients
          actions:
            - view
        expected:
          - principal: user
            resource: clients
            actions:
              view: EFFECT_ALLOW
    My intention is to allow principal user-123 to execute the view action on the client-12345 resource. However, when I compile and test the policy I always get EFFECT_DENY. What did I do wrong?
  • Alex Tuca

    10/25/2022, 2:27 PM
    Hi, everybody! I am trying to implement @cerbos/grpc in my Express.js server using auxData to pass the JWT, but every way I try I still need to pass the principal data, since I get a ‘principal ID not having at least 1 rune’ error otherwise. Am I misreading the AuxData section of the documentation in thinking I could pass the JWT directly and not have to decode the token beforehand, or do I need to use a specific syntax?
  • Ryan Killeen

    10/25/2022, 5:43 PM
    Hey! Looking to run Cerbos in docker-compose and attempting to set a config for it, I can't seem to set the server config's YAML file through Docker env variables. Is there a recommended approach here? YAML in the thread!
  • Nimit

    10/26/2022, 11:29 AM
    Hello (I am from a company called sales-i and we are evaluating Cerbos for our PBAC needs), quick question: I see there is a policy_revision SQL table that stores the history of a policy. Is there a way of getting all revisions, getting a particular version, etc. from the Admin API?
  • Imadul Islam

    11/03/2022, 2:54 PM
    Hello, I am new to Cerbos. I was trying to run Cerbos with MySQL. There is a doc on how to run it and create the schemas, but I could not find any doc on how I should insert my policies into the MySQL tables. This is the playground I was trying to read from MySQL: Sample Finance Application Policy, https://play.cerbos.dev/p/XhkOi82fFKk3YW60e2c806Yvm0trKEje. Thanks
  • Nimit

    11/03/2022, 3:40 PM
    hello, while defining a policy, is there any place I can define some metadata? For example, while defining actions I want to have some metadata to describe each action.
  • Nimit

    11/03/2022, 7:30 PM
    hi, I noticed a bug relating to scopes using PlanResource(). I have 2 policies, a scoped one and its related unscoped one [as below]. I noticed calling PlanResources seems to always read from the unscoped one (it seems to ignore the scoped one: I had DENY in the scoped policy but ALLOW in the unscoped one, and it returns CONDITIONAL). UNSCOPED:
    {
      "apiVersion": "api.cerbos.dev/v1",
      "resourcePolicy": {
        "resource": "top",
        "version": "default",
        "rules": [
          {
            "actions": ["VIEW"],
            "roles": ["customer-user"],
            "condition": {
              "match": {
                "any": {
                  "of": [
                    { "expr": "R.attr.custAnal in P.attr.custAllowedValues" },
                    { "expr": "R.attr.salhAnal in P.attr.salhAllowedValues" }
                  ]
                }
              }
            },
            "effect": "EFFECT_ALLOW"
          }
        ]
      }
    }
    SCOPED:
    {
      "apiVersion": "api.cerbos.dev/v1",
      "resourcePolicy": {
        "resource": "top",
        "version": "default",
        "rules": [
          {
            "actions": ["VIEW"],
            "roles": ["customer-user"],
            "condition": {
              "match": {
                "any": {
                  "of": [
                    { "expr": "R.attr.custAnal in P.attr.custAllowedValues" },
                    { "expr": "R.attr.salhAnal in P.attr.salhAllowedValues" }
                  ]
                }
              }
            },
            "effect": "EFFECT_DENY"
          }
        ],
        "scope": "T8eeab29e-9622-48e6-967d-5137b485d8aa"
      }
    }
  • Imadul Islam

    11/04/2022, 6:41 AM
    Hello. Sample Finance Application Policy: https://play.cerbos.dev/p/XhkOi82fFKk3YW60e2c806Yvm0trKEje. I was trying to convert this playground’s policies to JSON so that I can save them through the Admin API. The following is the payload.
    {
      "policies": [
        {
          "apiVersion": "api.cerbos.dev/v1",
          "description": "Common dynamic roles used within the Finance Demo app",
          "resourcePolicy": {
            "version": "default",
            "importDerivedRoles": [
              "common_roles"
            ],
            "resource": "expense",
            "rules": [
              {
                "actions": [
                  "*"
                ],
                "effect": "EFFECT_ALLOW",
                "roles": [
                  "ADMIN"
                ]
              },
              {
                "actions": [
                  "view"
                ],
                "effect": "EFFECT_ALLOW",
                "derivedRoles": [
                  "OWNER",
                  "FINANCE",
                  "REGION_MANAGER"
                ]
              },
              {
                "actions": [
                  "view:approver"
                ],
                "effect": "EFFECT_ALLOW",
                "derivedRoles": [
                  "FINANCE"
                ]
              },
              {
                "actions": [
                  "view:approver"
                ],
                "effect": "EFFECT_ALLOW",
                "derivedRoles": [
                  "OWNER"
                ],
                "condition": {
                  "match": {
                    "expr": "request.resource.attr.status == \"APPROVED\""
                  }
                }
              },
              {
                "actions": [
                  "update"
                ],
                "effect": "EFFECT_ALLOW",
                "derivedRoles": [
                  "OWNER"
                ],
                "condition": {
                  "match": {
                    "expr": "request.resource.attr.status == \"OPEN\""
                  }
                }
              },
              {
                "actions": [
                  "approve"
                ],
                "effect": "EFFECT_ALLOW",
                "derivedRoles": [
                  "FINANCE_MANAGER"
                ],
                "condition": {
                  "match": {
                    "expr": "request.resource.attr.ownerId != request.principal.id"
                  }
                }
              },
              {
                "actions": [
                  "approve"
                ],
                "effect": "EFFECT_ALLOW",
                "derivedRoles": [
                  "FINANCE"
                ],
                "condition": {
                  "match": {
                    "all": {
                      "of": [
                        {
                          "expr": "request.resource.attr.amount < 1000"
                        },
                        {
                          "expr": "request.resource.attr.ownerId != request.principal.id"
                        }
                      ]
                    }
                  }
                }
              },
              {
                "actions": [
                  "delete"
                ],
                "effect": "EFFECT_ALLOW",
                "derivedRoles": [
                  "FINANCE_MANAGER"
                ]
              },
              {
                "actions": [
                  "delete"
                ],
                "effect": "EFFECT_ALLOW",
                "derivedRoles": [
                  "OWNER"
                ],
                "condition": {
                  "match": {
                    "all": {
                      "of": [
                        {
                          "expr": "request.resource.attr.status == \"OPEN\""
                        },
                        {
                          "expr": "timestamp(request.resource.attr.createdAt).timeSince() < duration(\"1h\")"
                        }
                      ]
                    }
                  }
                }
              }
            ]
          },
          "derivedRoles": {
            "name": "common_roles",
            "definitions": [
              {
                "name": "OWNER",
                "parentRoles": [
                  "USER"
                ],
                "condition": {
                  "match": {
                    "expr": "request.resource.attr.ownerId == request.principal.id"
                  }
                }
              },
              {
                "name": "FINANCE",
                "parentRoles": [
                  "USER"
                ],
                "condition": {
                  "match": {
                    "expr": "request.principal.attr.department == \"FINANCE\""
                  }
                }
              },
              {
                "name": "FINANCE_MANAGER",
                "parentRoles": [
                  "MANAGER"
                ],
                "condition": {
                  "match": {
                    "expr": "request.principal.attr.department == \"FINANCE\""
                  }
                }
              },
              {
                "name": "REGION_MANAGER",
                "parentRoles": [
                  "MANAGER"
                ],
                "condition": {
                  "match": {
                    "expr": "request.resource.attr.region == request.principal.attr.region"
                  }
                }
              }
            ]
          }
        }
      ]
    }
    I am getting the following error.
    {
      "code": 3,
      "message": "proto: (line 141:13): error parsing \"derivedRoles\", oneof cerbos.policy.v1.Policy.policy_type is already set"
    }
    What am I doing wrong? Thanks
  • Nimit

    11/04/2022, 1:45 PM
    hi @Charith (Cerbos) 2 quick questions:
    1. I have 2 policies (for 2 different resources, both accessed by a user_role; see below). Can I somehow combine these 2 policies into 1 (I mean a policy for a user_role for 2 separate resources)? I see it can be done for a single principal, but can it be done for a role?
    2. Is there a simple function call where I can just get back the list of allowed actions on a resource (not send a list of actions and get back the allowed list)? For e.g. in the policy below, can I just get back CUS01, CUS02?
    {
      "apiVersion": "api.cerbos.dev/v1",
      "resourcePolicy": {
        "resource": "customers",
        "version": "default",
        "rules": [
          {
            "actions": ["CUS01", "CUS02"],
            "roles": ["customer-user"],
            "effect": "EFFECT_ALLOW"
          },
          {
            "actions": ["CUS11", "CUS12"]
          }
        ],
        "scope": "T8eeab29e-9622-48e6-967d-5137b485d8aa"
      }
    }
    {
      "apiVersion": "api.cerbos.dev/v1",
      "resourcePolicy": {
        "resource": "salh",
        "version": "default",
        "rules": [
          {
            "actions": ["SALH01", "SALH02"],
            "roles": ["customer-user"],
            "effect": "EFFECT_ALLOW"
          }
        ],
        "scope": "T8eeab29e-9622-48e6-967d-5137b485d8aa"
      }
    }
  • ANILA SOMAN

    11/06/2022, 5:12 PM
    Hello everyone, I am new to Cerbos. I am trying to connect Cerbos with a SQLite database and trying to put policies in the database using cerbosctl, but I am getting the below error:
    cerbosctl: error: failed to add or update the policies: failed to send batch [0,1): rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: tls: first record does not look like a TLS handshake"
    config.yaml
    ---
    server:
      httpListenAddr: ":3592"
      grpcListenAddr: ":3593"
      playgroundEnabled: true
      adminAPI:
        enabled: true
        adminCredentials:
          username: cerbos
          passwordHash: JDJ5JDEwJHFGcjhCSEtqVWkyUzRSVzF4Tm5zbC5LMW9NME55NUhxaDNyWkJmdmlwV3p3QTB3VjFzMm9xCgo=
    storage:
      driver: "sqlite3"
      sqlite3:
        dsn: ":memory:"
  • sdktr

    11/07/2022, 6:40 PM
    Did you ever consider calculating ‘derived actions’ as well? Or should that be a responsibility of the app?
  • Owen Cummings

    11/07/2022, 11:39 PM
    I am getting an error when using the PlanResources API that does not occur when I use the CheckResources API. It seems like it is a bug, but I wanted some guidance in case I am doing something wrong. I’ve determined that it is due to my derived roles, specifically
    location_roles: P.attr.roles[R.attr.location_id]
    If I hard-code this to location_roles: P.attr.roles["1"] everything seems to work as expected.
    apiVersion: api.cerbos.dev/v1
    variables: 
      location_roles: P.attr.roles[R.attr.location_id]
    derivedRoles:
      name: my_roles
      definitions:
        - name: global_admin
          parentRoles:
            - user
          condition:
            match:
              expr: ("Global Admin" in V.location_roles)
    {"log.level":"info","@timestamp":"2022-11-07T23:34:00.201Z","log.logger":"cerbos.payload","message":"server request payload logged as grpc.request.content field","system":"grpc","span.kind":"server","grpc.service":"cerbos.svc.v1.CerbosService","grpc.method":"PlanResources","peer.address":"127.0.0.1:52082","http":{"x_forwarded_for":["172.17.0.1"],"x_forwarded_host":["localhost:3592"]},"grpc.request.content":{"msg":{"action":"entry:read","principal":{"id":"1","policyVersion":"default","roles":["user"],"attr":{"employee_id":"123","permissions":{"1":["entry.read_all"]},"roles":{"1":["Employee"]}}},"resource":{"kind":"entry","attr":{"location_id":"1"},"policyVersion":"default"},"includeMeta":true}}}
    {"log.level":"error","@timestamp":"2022-11-07T23:34:00.203Z","log.logger":"cerbos.grpc","message":"Resources query plan request failed","grpc.start_time":"2022-11-07T23:34:00Z","system":"grpc","span.kind":"server","grpc.service":"cerbos.svc.v1.CerbosService","grpc.method":"PlanResources","peer.address":"127.0.0.1:52082","http":{"x_forwarded_for":["172.17.0.1"],"x_forwarded_host":["localhost:3592"]},"cerbos":{"call_id":"01GHA734RAWRPKZD2E4NGASBH1"},"error":"error evaluating condition \"(\\\"Employee\\\" in V.location_roles)\": invalid qualifier type: *structpb.Value"}
    {"log.level":"error","@timestamp":"2022-11-07T23:34:00.203Z","log.logger":"cerbos.grpc","message":"Handled request","grpc.start_time":"2022-11-07T23:34:00Z","system":"grpc","span.kind":"server","grpc.service":"cerbos.svc.v1.CerbosService","grpc.method":"PlanResources","cerbos":{"call_id":"01GHA734RAWRPKZD2E4NGASBH1"},"peer.address":"127.0.0.1:52082","http":{"x_forwarded_for":["172.17.0.1"],"x_forwarded_host":["localhost:3592"]},"error":"rpc error: code = Internal desc = Resources query plan request failed","grpc.code":"Internal","grpc.time_ms":2.047}
  • Sami Dahoux

    11/09/2022, 1:53 PM
    Hello everyone, I wanted to use Cerbos to control the permission for creating an object in our application. I have noticed that in order to perform a checkResource I need to provide a resourceId, which I don't yet have since I am creating the resource. Right now we use a resourceId of 0 as a placeholder to perform the check. Is there a better solution to this problem?
  • Owen Cummings

    11/09/2022, 7:27 PM
    I am having trouble with Cerbos finding my schema files. Probably something dumb I’m missing, but I’m out of ideas. When I turn on schema enforcement in the conf.yaml I receive an error that Cerbos can’t find the configured schema files. My $PWD looks like this:
    .
    ├── README.md
    ├── _schemas
    │   ├── desk.json
    │   ├── entry.json
    │   └── principal.json
    ├── conf.yaml
    ├── policies
    │   ├── derived_roles
    │   │   └── my_roles.yaml
    │   └── resource
    │       ├── desk.yaml
    │       └── entry.yaml
    ├── start.sh
    └── tests
        ├── desk_test.yaml
        ├── entry_test.yaml
        └── testdata
            ├── principals.yaml
            └── resources.yaml
    My docker command looks like this:
    docker run --rm --name cerbos -p 3592:3592 -p 3593:3593 -v $PWD:/blah ghcr.io/cerbos/cerbos:latest server --config=/blah/conf.yaml
    My policy looks like this:
    apiVersion: api.cerbos.dev/v1
    resourcePolicy:
      version: default
      resource: entry
      importDerivedRoles:
        - my_roles
      rules:
        - actions:
            - "entry:read"
          effect: EFFECT_ALLOW
          derivedRoles:
            - employee
          condition:
            match:
              any:
                of:
                  - expr: P.attr.employee_id == R.attr.employee_id
                  - expr: R.attr.location_id in P.attr.permissions.filter(x, P.attr.permissions[x].exists(y, y == "entry.read_all"))
    
        - actions:
            - "entry:read"
          effect: EFFECT_ALLOW
          derivedRoles:
            - global_admin
            - location_admin
            - receptionist
    
      schemas:
        principalSchema:
          ref: cerbos:///principal.json
        resourceSchema:
          ref: cerbos:///entry.json
  • Nimit

    11/10/2022, 5:47 PM
    hi @Charith (Cerbos) noticed a difference between "IsAllowed" and "QueryPlan". I have the following 2 policies (base and a scoped one): all actions blocked in the base BUT the VIEW action allowed in the scoped one. Both resource and principal have the correct scope set. When I try to check for VIEW access using "IsAllowed" I get ALLOWED, but using Plan it says BLOCKED. As the specs say, if the answer can be resolved from the scoped policy, why is the base being queried for the plan? base.yml
    apiVersion: api.cerbos.dev/v1
    resourcePolicy:
      resource: interactions
      version: default
      rules:
        - actions:
            - "*"
          roles:
            - poweruser
          effect: EFFECT_DENY
    scoped.yml
    apiVersion: api.cerbos.dev/v1
    resourcePolicy:
      resource: interactions
      version: default
      rules:
        - actions:
            - VIEW
          roles:
            - poweruser
          effect: EFFECT_ALLOW
      scope: T00101581-3dd4-40b8-a2e3-175624586f85
    {
      "requestId": "123123",
      "principal": {
        "id": "123",
        "roles": ["poweruser"],
        "attr": {},
        "scope": "T00101581-3dd4-40b8-a2e3-175624586f85"
      },
      "resources": [
        {
          "resource": {
            "kind": "interactions",
            "id": "123",
            "scope": "T00101581-3dd4-40b8-a2e3-175624586f85",
            "attr": {}
          },
          "actions": ["VIEW"]
        }
      ]
    }
  • Nimit

    11/10/2022, 5:50 PM
  • Maggie Walker

    11/10/2022, 6:37 PM
    Hey! Is there support for private Cerbos playgrounds?
  • ANILA SOMAN

    11/10/2022, 8:07 PM
    hi, I have tried to put policies and I get a message saying 1 uploaded, but when trying to get the policies it's empty.
  • Nimit

    11/11/2022, 3:10 PM
    hi All, is there a debug/verbose mode that I can run the Cerbos server in to catch logs (how does it decide allow/deny, etc.)?
  • Oliver Orav

    11/12/2022, 3:38 PM
    Hey everybody 👋 I think I have more of a general/architectural question rather than a technical, policy-related question. I tried to read through this channel so hopefully it is not a duplicate. For the sake of keeping it short, let’s say I have 2 REST APIs accessible to clients (web or mobile apps):
    • identity-api: provides tokens, password resets, etc., general user management.
    • business-api: provides business functionality, CRUD actions on resources, etc.
    All endpoints are authenticated by a JWT from identity-api. My question is how would I solve authorisation in cases where resources in business-api (or principals in identity-api) do not exist while the Cerbos policies are made? For example: let’s say that user-1 creates a resource Foo using the API endpoint POST /v1/foos in business-api. Now user-1 should be able to do other actions as well with this resource: GET/DELETE/PUT /v1/foos/{fooResourceId}. Using Cerbos this could be easily solved with a derived role, if I keep track of the createdBy attribute and pass it as a resource attribute. But what happens when user-1 wants to give GET and PUT access to user-2? Or, if Foo has a child resource Bar at /v1/foos/{fooResourceId}/bars/{barResourceId} and user-2 should only be allowed to edit the Bar resource but not Foo? You could also think of it this way: user-1 creates a profile (like on Facebook) that is private, but later decides that user-2 and user-3 should be able to see it. When creating the profile, user-1 and user-2 might not even exist yet. One option I see is using the Cerbos Admin API and POST /admin/policy, but how would it handle it if there are hundreds of users and resources? The second option I thought of would be to define the policy role-based (e.g. USER-1-PROFILE-READ) and just add the user to the role, but at the time of writing the policy I wouldn’t know the users that will exist in the future. The third option would be to keep track of the permissions and access in our own systems, but that would probably just end up as creating our own authorisation service, which I hope to avoid with Cerbos. I might be over-engineering everything and there is a really simple solution 😂 Anyway, thanks for the help/ideas in advance!
  • Petar Mrdalj

    11/14/2022, 11:20 AM
    Hello, I have a question when using NestJS with GraphQL and Cerbos. Currently I have implemented an interceptor which is called before the resolver mutation code is actually called, which is the behaviour I am expecting. While using gRPC I need to provide a resource id, which is not the case when using HTTP:
    principal: {
      id: userData.userId,
      roles: userData.roles,
    },
    resource: {
      kind: cerbosObject,
      id: "1",
    },
    action: host.getHandler().name,
    While looking into these examples https://github.com/cerbos/demo-graphql/blob/main/src/resolvers/Expenses.queries.ts it makes sense to actually call the DB and compare the IDs. How would you handle the permission check for creating or deleting a certain object from the DB, in which case you only need to check for the role and you do not need the id in the resource object? It is a required value in the request. Thanks in advance 👐
  • ANILA SOMAN

    11/17/2022, 5:42 AM
    Hi All, while using the Admin API I am getting the below error:
    could not list policies: rpc error: code = Unavailable desc = name resolver error: dns: A record lookup error: lookup cerbos: Temporary failure in name resolution
  • Nimit

    11/17/2022, 10:32 AM
    hi All, quick question: I want to have a parent-child relation for my policy, is that possible? I have 2 resources, "child" and "parent". In Cerbos can I define a policy wherein when I access child, the parent is checked first, followed by the explicit child policy? Just to add, I am using the scope already for another variable.
  • Ankit Khosla

    11/23/2022, 2:16 PM
    Hi all, a principal policy I created against the create action is returning false inside the node app. But the same policy, when tested in the playground, is returning true for the create action.
    Owner has full access over manager and store_manager:
    apiVersion: api.cerbos.dev/v1
    principalPolicy:
      version: default
      principal: owner
      rules:
        - resource: manager
          actions:
            - action: "*"
              effect: EFFECT_ALLOW
              condition:
                match:
                  expr: R.attr.clientNumber == P.attr.clientNumber
        - resource: store_manager
          actions:
            - action: "*"
              effect: EFFECT_ALLOW
              condition:
                match:
                  expr: R.attr.clientNumber == P.attr.clientNumber
    Request body:
    {
      "principal": {
        "id": "owner",
        "roles": [
          "OWNER"
        ],
        "attr": {
          "clientNumber": 1234
        }
      },
      "resource": {
        "kind": "manager",
        "id": "1",
        "attr": {
          "clientNumber": 1234
        }
      },
      "action": "CREATE"
    }
  • ANILA SOMAN

    11/27/2022, 1:21 AM
    Hi, is it possible to use a Cassandra database to store the policy?