Matthew Ebeweber
09/27/2022, 7:06 PM
TAGGED_READ_ONLY that is for entities with tag=foo. Similarly you might have the same role conditioned on tag=bar. The tag itself is arbitrary depending on customer requirements. On the flip side a resource might have a basket of tags. I want to avoid creating a role for each tag combination (using a git store for policies right now).
The role + tag need to be considered together. So right now I've got something like this. However, something like this works at the evaluation step if a resource is present, but doesn't translate well when doing query planning. Is there a way to represent this that query planning might better understand?
P.attr.taggedRoles.exists(
  tr,
  tr.role == 'TAGGED_READ_ONLY' && tr.tag in R.attr.tags
)
Matthew Ebeweber
09/29/2022, 5:54 PM
match:
  any:
    of:
      - expr: V.foo
      - expr: V.bar
vs.
match:
  expr: V.foo || V.bar
Matthew Ebeweber
09/30/2022, 2:57 PM
some: {
  connection: { id: R.id, user: P.id }
}
Hazel Boyle
10/05/2022, 2:07 PM
sdktr
10/05/2022, 2:08 PM
Petra Barus
10/06/2022, 4:28 AM
Nabil
10/12/2022, 6:51 PM
sdktr
10/17/2022, 3:39 PM
sdktr
10/17/2022, 9:42 PM
sdktr
10/19/2022, 9:33 AM
Ryan Killeen
10/19/2022, 2:00 PM
Mark Piper
10/23/2022, 2:15 AM
Łukasz Sierakowski
10/25/2022, 8:45 AM
Principal policies for managing user access to client orders. Unfortunately it doesn't work as I expected.
I’ve created following principal policy
apiVersion: api.cerbos.dev/v1
principalPolicy:
  principal: user-123
  version: "dev"
  rules:
    - resource: client-12345
      actions:
        - name: view-data
          action: "view"
          effect: EFFECT_ALLOW
and test for this policy
name: test
principals:
  user:
    id: user-123
    roles:
      - user
resources:
  clients:
    id: client-12345
    kind: client
tests:
  - name: User should view client records
    input:
      principals:
        - user
      resources:
        - clients
      actions:
        - view
    expected:
      - principal: user
        resource: clients
        actions:
          view: EFFECT_ALLOW
My intention is to allow principal user-123 to execute the view action on the client-12345 resource.
However, when I compile and test the policy I always get EFFECT_DENY.
What did I do wrong?
Alex Tuca
10/25/2022, 2:27 PM
Ryan Killeen
10/25/2022, 5:43 PM
docker-compose and attempting to set a config for it, I can't seem to set the server config's yaml file through docker env variables.
Is there a recommended approach here? yaml in the thread!
Nimit
10/26/2022, 11:29 AM
Imadul Islam
11/03/2022, 2:54 PM
Cerbos. I was trying to run Cerbos with MySQL. There is a doc for how to run and create schemas. But I could not find any doc on how I should insert my policies into the MySQL tables.
Sample Finance Application Policy
https://play.cerbos.dev/p/XhkOi82fFKk3YW60e2c806Yvm0trKEje
This is the playground URL I was trying to read from MySQL.
Thanks
Nimit
11/03/2022, 3:40 PM
Nimit
11/03/2022, 7:30 PM
{
  "apiVersion": "api.cerbos.dev/v1",
  "resourcePolicy": {
    "resource": "top",
    "version": "default",
    "rules": [
      {
        "actions": [
          "VIEW"
        ],
        "roles": [
          "customer-user"
        ],
        "condition": {
          "match": {
            "any": {
              "of": [
                {
                  "expr": "R.attr.custAnal in P.attr.custAllowedValues"
                },
                {
                  "expr": "R.attr.salhAnal in P.attr.salhAllowedValues"
                }
              ]
            }
          }
        },
        "effect": "EFFECT_ALLOW"
      }
    ]
  }
}
SCOPED:
{
  "apiVersion": "api.cerbos.dev/v1",
  "resourcePolicy": {
    "resource": "top",
    "version": "default",
    "rules": [
      {
        "actions": [
          "VIEW"
        ],
        "roles": [
          "customer-user"
        ],
        "condition": {
          "match": {
            "any": {
              "of": [
                {
                  "expr": "R.attr.custAnal in P.attr.custAllowedValues"
                },
                {
                  "expr": "R.attr.salhAnal in P.attr.salhAllowedValues"
                }
              ]
            }
          }
        },
        "effect": "EFFECT_DENY"
      }
    ],
    "scope": "T8eeab29e-9622-48e6-967d-5137b485d8aa"
  }
}
Imadul Islam
11/04/2022, 6:41 AM
{
  "policies": [
    {
      "apiVersion": "api.cerbos.dev/v1",
      "description": "Common dynamic roles used within the Finance Demo app",
      "resourcePolicy": {
        "version": "default",
        "importDerivedRoles": [
          "common_roles"
        ],
        "resource": "expense",
        "rules": [
          {
            "actions": [
              "*"
            ],
            "effect": "EFFECT_ALLOW",
            "roles": [
              "ADMIN"
            ]
          },
          {
            "actions": [
              "view"
            ],
            "effect": "EFFECT_ALLOW",
            "derivedRoles": [
              "OWNER",
              "FINANCE",
              "REGION_MANAGER"
            ]
          },
          {
            "actions": [
              "view:approver"
            ],
            "effect": "EFFECT_ALLOW",
            "derivedRoles": [
              "FINANCE"
            ]
          },
          {
            "actions": [
              "view:approver"
            ],
            "effect": "EFFECT_ALLOW",
            "derivedRoles": [
              "OWNER"
            ],
            "condition": {
              "match": {
                "expr": "request.resource.attr.status == \"APPROVED\""
              }
            }
          },
          {
            "actions": [
              "update"
            ],
            "effect": "EFFECT_ALLOW",
            "derivedRoles": [
              "OWNER"
            ],
            "condition": {
              "match": {
                "expr": "request.resource.attr.status == \"OPEN\""
              }
            }
          },
          {
            "actions": [
              "approve"
            ],
            "effect": "EFFECT_ALLOW",
            "derivedRoles": [
              "FINANCE_MANAGER"
            ],
            "condition": {
              "match": {
                "expr": "request.resource.attr.ownerId != request.principal.id"
              }
            }
          },
          {
            "actions": [
              "approve"
            ],
            "effect": "EFFECT_ALLOW",
            "derivedRoles": [
              "FINANCE"
            ],
            "condition": {
              "match": {
                "all": {
                  "of": [
                    {
                      "expr": "request.resource.attr.amount < 1000"
                    },
                    {
                      "expr": "request.resource.attr.ownerId != request.principal.id"
                    }
                  ]
                }
              }
            }
          },
          {
            "actions": [
              "delete"
            ],
            "effect": "EFFECT_ALLOW",
            "derivedRoles": [
              "FINANCE_MANAGER"
            ]
          },
          {
            "actions": [
              "delete"
            ],
            "effect": "EFFECT_ALLOW",
            "derivedRoles": [
              "OWNER"
            ],
            "condition": {
              "match": {
                "all": {
                  "of": [
                    {
                      "expr": "request.resource.attr.status == \"OPEN\""
                    },
                    {
                      "expr": "timestamp(request.resource.attr.createdAt).timeSince() < duration(\"1h\")"
                    }
                  ]
                }
              }
            }
          }
        ]
      },
      "derivedRoles": {
        "name": "common_roles",
        "definitions": [
          {
            "name": "OWNER",
            "parentRoles": [
              "USER"
            ],
            "condition": {
              "match": {
                "expr": "request.resource.attr.ownerId == request.principal.id"
              }
            }
          },
          {
            "name": "FINANCE",
            "parentRoles": [
              "USER"
            ],
            "condition": {
              "match": {
                "expr": "request.principal.attr.department == \"FINANCE\""
              }
            }
          },
          {
            "name": "FINANCE_MANAGER",
            "parentRoles": [
              "MANAGER"
            ],
            "condition": {
              "match": {
                "expr": "request.principal.attr.department == \"FINANCE\""
              }
            }
          },
          {
            "name": "REGION_MANAGER",
            "parentRoles": [
              "MANAGER"
            ],
            "condition": {
              "match": {
                "expr": "request.resource.attr.region == request.principal.attr.region"
              }
            }
          }
        ]
      }
    }
  ]
}
I am getting the following error.
{
  "code": 3,
  "message": "proto: (line 141:13): error parsing \"derivedRoles\", oneof cerbos.policy.v1.Policy.policy_type is already set"
}
What am I doing wrong?
Thanks
Nimit
11/04/2022, 1:45 PM
{
  "apiVersion": "api.cerbos.dev/v1",
  "resourcePolicy": {
    "resource": "customers",
    "version": "default",
    "rules": [
      {
        "actions": [
          "CUS01",
          "CUS02"
        ],
        "roles": [
          "customer-user"
        ],
        "effect": "EFFECT_ALLOW"
      },
      {
        "actions": [
          "CUS11",
          "CUS12"
        ]
      }
    ],
    "scope": "T8eeab29e-9622-48e6-967d-5137b485d8aa"
  }
}
{
  "apiVersion": "api.cerbos.dev/v1",
  "resourcePolicy": {
    "resource": "salh",
    "version": "default",
    "rules": [
      {
        "actions": [
          "SALH01",
          "SALH02"
        ],
        "roles": [
          "customer-user"
        ],
        "effect": "EFFECT_ALLOW"
      }
    ],
    "scope": "T8eeab29e-9622-48e6-967d-5137b485d8aa"
  }
}
ANILA SOMAN
11/06/2022, 5:12 PM
cerbosctl: error: failed to add or update the policies: failed to send batch [0,1): rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: tls: first record does not look like a TLS handshake"
config.yaml
---
server:
  httpListenAddr: ":3592"
  grpcListenAddr: ":3593"
  playgroundEnabled: true
  adminAPI:
    enabled: true
    adminCredentials:
      username: cerbos
      passwordHash: JDJ5JDEwJHFGcjhCSEtqVWkyUzRSVzF4Tm5zbC5LMW9NME55NUhxaDNyWkJmdmlwV3p3QTB3VjFzMm9xCgo=
storage:
  driver: "sqlite3"
  sqlite3:
    dsn: ":memory:"
sdktr
11/07/2022, 6:40 PM
Owen Cummings
11/07/2022, 11:39 PM
location_roles: P.attr.roles[R.attr.location_id]
If I hard code this to `location_roles: P.attr.roles["1"]` everything seems to work as expected.
apiVersion: api.cerbos.dev/v1
variables:
  location_roles: P.attr.roles[R.attr.location_id]
derivedRoles:
  name: my_roles
  definitions:
    - name: global_admin
      parentRoles:
        - user
      condition:
        match:
          expr: ("Global Admin" in V.location_roles)
{"log.level":"info","@timestamp":"2022-11-07T23:34:00.201Z","log.logger":"cerbos.payload","message":"server request payload logged as grpc.request.content field","system":"grpc","span.kind":"server","grpc.service":"cerbos.svc.v1.CerbosService","grpc.method":"PlanResources","peer.address":"127.0.0.1:52082","http":{"x_forwarded_for":["172.17.0.1"],"x_forwarded_host":["localhost:3592"]},"grpc.request.content":{"msg":{"action":"entry:read","principal":{"id":"1","policyVersion":"default","roles":["user"],"attr":{"employee_id":"123","permissions":{"1":["entry.read_all"]},"roles":{"1":["Employee"]}}},"resource":{"kind":"entry","attr":{"location_id":"1"},"policyVersion":"default"},"includeMeta":true}}}
{"log.level":"error","@timestamp":"2022-11-07T23:34:00.203Z","log.logger":"cerbos.grpc","message":"Resources query plan request failed","grpc.start_time":"2022-11-07T23:34:00Z","system":"grpc","span.kind":"server","grpc.service":"cerbos.svc.v1.CerbosService","grpc.method":"PlanResources","peer.address":"127.0.0.1:52082","http":{"x_forwarded_for":["172.17.0.1"],"x_forwarded_host":["localhost:3592"]},"cerbos":{"call_id":"01GHA734RAWRPKZD2E4NGASBH1"},"error":"error evaluating condition \"(\\\"Employee\\\" in V.location_roles)\": invalid qualifier type: *structpb.Value"}
{"log.level":"error","@timestamp":"2022-11-07T23:34:00.203Z","log.logger":"cerbos.grpc","message":"Handled request","grpc.start_time":"2022-11-07T23:34:00Z","system":"grpc","span.kind":"server","grpc.service":"cerbos.svc.v1.CerbosService","grpc.method":"PlanResources","cerbos":{"call_id":"01GHA734RAWRPKZD2E4NGASBH1"},"peer.address":"127.0.0.1:52082","http":{"x_forwarded_for":["172.17.0.1"],"x_forwarded_host":["localhost:3592"]},"error":"rpc error: code = Internal desc = Resources query plan request failed","grpc.code":"Internal","grpc.time_ms":2.047}
Sami Dahoux
11/09/2022, 1:53 PM
Owen Cummings
11/09/2022, 7:27 PM
.
├── README.md
├── _schemas
│   ├── desk.json
│   ├── entry.json
│   └── principal.json
├── conf.yaml
├── policies
│   ├── derived_roles
│   │   └── my_roles.yaml
│   └── resource
│       ├── desk.yaml
│       └── entry.yaml
├── start.sh
└── tests
    ├── desk_test.yaml
    ├── entry_test.yaml
    └── testdata
        ├── principals.yaml
        └── resources.yaml
My docker command looks like this:
docker run --rm --name cerbos -p 3592:3592 -p 3593:3593 -v $PWD:/blah ghcr.io/cerbos/cerbos:latest server --config=/blah/conf.yaml
My policy looks like this:
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: default
  resource: entry
  importDerivedRoles:
    - my_roles
  rules:
    - actions:
        - "entry:read"
      effect: EFFECT_ALLOW
      derivedRoles:
        - employee
      condition:
        match:
          any:
            of:
              - expr: P.attr.employee_id == R.attr.employee_id
              - expr: R.attr.location_id in P.attr.permissions.filter(x, P.attr.permissions[x].exists(y, y == "entry.read_all"))
    - actions:
        - "entry:read"
      effect: EFFECT_ALLOW
      derivedRoles:
        - global_admin
        - location_admin
        - receptionist
  schemas:
    principalSchema:
      ref: cerbos:///principal.json
    resourceSchema:
      ref: cerbos:///entry.json
Nimit
11/10/2022, 5:47 PM
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  resource: interactions
  version: default
  rules:
    - actions:
        - "*"
      roles:
        - poweruser
      effect: EFFECT_DENY
scoped.yml
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  resource: interactions
  version: default
  rules:
    - actions:
        - VIEW
      roles:
        - poweruser
      effect: EFFECT_ALLOW
  scope: T00101581-3dd4-40b8-a2e3-175624586f85
{
  "requestId": "123123",
  "principal": {
    "id": "123",
    "roles": [
      "poweruser"
    ],
    "attr": {},
    "scope": "T00101581-3dd4-40b8-a2e3-175624586f85"
  },
  "resources": [
    {
      "resource": {
        "kind": "interactions",
        "id": "123",
        "scope": "T00101581-3dd4-40b8-a2e3-175624586f85",
        "attr": {}
      },
      "actions": [
        "VIEW"
      ]
    }
  ]
}
Nimit
11/10/2022, 5:50 PM
Maggie Walker
11/10/2022, 6:37 PM
ANILA SOMAN
11/10/2022, 8:07 PM