Nimit
11/11/2022, 3:10 PM
Oliver Orav
11/12/2022, 3:38 PM
POST /v1/foos. Now user-1 should be able to do other actions as well with this resource: GET/DELETE/PUT /v1/foos/{fooResourceId}. Using Cerbos this could be easily solved with a derived role, if I keep track of the createdBy attribute and pass it as a resource attribute.
But what happens when user-1 wants to give GET and PUT access to user-2? Or, if Foo has a child resource Bar at /v1/foos/{fooResourceId}/bars/{barResourceId} and user-2 should only be allowed to edit the Bar resource but not Foo?
You could also think of it this way, that user-1 creates a profile (like in Facebook) that is private, but later decides that user-2 and user-3 should be able to see it. When creating the profile user-1 and user-2 might not even exist yet.
One option I see is using the Cerbos Admin API and POST /admin/policy
, but how would it handle if there are hundreds of users and resources.
Second option I thought of would be to define the policy role-based (e.g. USER-1-PROFILE-READ) and just add the user to the role, but at the time of writing the policy, I wouldn't know the users that will exist in the future.
Third option would be to keep track of the permissions and access in our systems, but that would probably just end up as creating own authorisation service, which I hope to avoid with Cerbos.
I might be over-engineering everything and there is a really simple solution.
Anyway, thanks for the help/ideas in advance!
Petar Mrdalj
11/14/2022, 11:20 AM
principal: {
  id: userData.userId,
  roles: userData.roles,
},
resource: {
  kind: cerbosObject,
  id: "1",
},
action: host.getHandler().name,
While looking into these examples https://github.com/cerbos/demo-graphql/blob/main/src/resolvers/Expenses.queries.ts it makes sense to actually call the db and compare the IDs.
How would you handle the permission check for creating or deleting a certain object from the db in which case you only need to check for the role and you do not need the id in the resource object? It is a required value in the request.
Thanks in advance
ANILA SOMAN
11/17/2022, 5:42 AM
could not list policies: rpc error: code = Unavailable desc = name resolver error: dns: A record lookup error: lookup cerbos: Temporary failure in name resolution
Nimit
11/17/2022, 10:32 AM
Ankit Khosla
11/23/2022, 2:16 PM
false
inside the node app. But, the same policy when tested in playground is returning true
for create action. Owner has full access over manager and store_manager
apiVersion: api.cerbos.dev/v1
principalPolicy:
  version: default
  principal: owner
  rules:
    - resource: manager
      actions:
        - action: "*"
          effect: EFFECT_ALLOW
          condition:
            match:
              expr: R.attr.clientNumber == P.attr.clientNumber
    - resource: store_manager
      actions:
        - action: "*"
          effect: EFFECT_ALLOW
          condition:
            match:
              expr: R.attr.clientNumber == P.attr.clientNumber
Request body:
{
  "principal": {
    "id": "owner",
    "roles": [
      "OWNER"
    ],
    "attr": {
      "clientNumber": 1234
    }
  },
  "resource": {
    "kind": "manager",
    "id": "1",
    "attr": {
      "clientNumber": 1234
    }
  },
  "action": "CREATE"
}
ANILA SOMAN
11/27/2022, 1:21 AM
Nimit
11/28/2022, 3:00 PM
{
  "apiVersion": "api.cerbos.dev/v1",
  "resourcePolicy": {
    "resource": "crm_prospects",
    "version": "default",
    "importDerivedRoles": [
      "sales-i-roles"
    ],
    "rules": [
      {
        "actions": [
          "VIEW"
        ],
        "roles": [
          "poweruser"
        ],
        "effect": "EFFECT_ALLOW"
      },
      {
        "actions": [
          "VIEW"
        ],
        "roles": [
          "restricted-user"
        ],
        "effect": "EFFECT_DENY"
      }
    ],
    "scope": "TENANT-00101581-3dd4-40b8-a2e3-175624586f85"
  }
}
Policy2:
{
  "apiVersion": "api.cerbos.dev/v1",
  "resourcePolicy": {
    "resource": "crm_prospects",
    "version": "default",
    "importDerivedRoles": [
      "sales-i-roles"
    ],
    "rules": [
      {
        "actions": [
          "VIEW"
        ],
        "roles": [
          "poweruser"
        ],
        "effect": "EFFECT_ALLOW"
      },
      {
        "actions": [
          "VIEW"
        ],
        "derivedRoles": [
          "nimit-restrict"
        ],
        "effect": "EFFECT_ALLOW"
      }
    ],
    "scope": "TENANT-00101581-3dd4-40b8-a2e3-175624586f85"
  }
}
Derived Role:
{
  "apiVersion": "api.cerbos.dev/v1",
  "derivedRoles": {
    "name": "sales-i-roles",
    "definitions": [
      {
        "name": "nimit-restrict",
        "parentRoles": [
          "restricted-user"
        ],
        "condition": {
          "match": {
            "any": {
              "of": [
                {
                  "expr": "R.attr.createdByID == P.attr.subjectid"
                },
                {
                  "expr": "R.attr.updatedByID == P.attr.subjectid"
                }
              ]
            }
          }
        }
      }
    ]
  }
}
Matthew Ebeweber
11/28/2022, 4:55 PM
error evaluating condition "P.attr.userQid == R.id": no such attribute: id: 6, attributes: [0x40099161b0 0x4009916150]
Matthew Ebeweber
12/01/2022, 7:07 PM
Owen Cummings
12/01/2022, 9:01 PM
Deepika Agrawal
12/02/2022, 12:37 PM
Rob Crowe
12/05/2022, 3:53 PM
peer.address in the audit logs is showing the loopback address.
Any chance there's a change that makes sense in PeerFromContext to support our use-case, whereby we can pass through the original caller?
ANILA SOMAN
12/08/2022, 12:18 PM
ANILA SOMAN
12/08/2022, 12:21 PM
{
  "policyKind": "resource",
  "policies": [{
    "apiVersion": "api.cerbos.dev/v1",
    "resourcePolicy": {
      "version": "default",
      "resource": "contact",
      "scope": "airtel",
      "rules": [{
        "roles": ["admin"],
        "actions": ["create", "update", "delete", "read", "list"],
        "effect": "EFFECT_ALLOW"
      }]
    }
  }]
}
ANILA SOMAN
12/08/2022, 12:21 PM
ANILA SOMAN
12/08/2022, 12:22 PM
Colton
12/10/2022, 5:01 PM
Ryan Killeen
12/12/2022, 3:46 PM
William Vitali
12/16/2022, 4:58 PM
---
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  importDerivedRoles:
    - common_roles
  resource: "candidate:object"
  rules:
    - actions: ['*']
      effect: EFFECT_ALLOW
      derivedRoles:
        - admin_africa
      condition:
        match:
          expr: request.resource.attr.continents == "africa"
But if I replace the last line with expr: "africa" in request.resource.attr.continents
then I get the error {"log.level":"warn","@timestamp":"2022-12-16T16:55:20.233Z","log.logger":"cerbos.dir.watch","message":"Failed to read policy from file","dir":"/policies","file":"resource_candidate.yaml","error":"failed to convert YAML to JSON: yaml: line 14: did not find expected key"}
Does anybody know why I can't use the "in" keyword here?
Mohan Prasath
12/17/2022, 12:30 PM
/api/check/resources
I'm getting invalid actions in the response.
My server config
server:
  httpListenAddr: ":3592"
  adminAPI:
    enabled: true
    adminCredentials:
      username: ''
      passwordHash: ''
  playgroundEnabled: true
storage:
  driver: "mysql"
  mysql:
    dsn: "user:password@tcp(localhost:3306)/cerbos"
    connPool:
      maxLifeTime: 60m
      maxIdleTime: 45s
      maxOpen: 4
      maxIdle: 1
Request and response from /admin/policy
curl --request GET \
  --url 'http://172.31.39.159:3592/admin/policy?id=principal.student.vdefault'
Response
{
  "policies": [
    {
      "apiVersion": "api.cerbos.dev/v1",
      "metadata": {
        "hash": "13174666176308465445",
        "storeIdentifer": "principal.student.vdefault"
      },
      "principalPolicy": {
        "principal": "student",
        "version": "default",
        "rules": [
          {
            "resource": "student-management",
            "actions": [
              {
                "action": "read",
                "effect": "EFFECT_ALLOW"
              }
            ]
          }
        ]
      }
    }
  ]
}
Now I'm testing the /api/check/resources
curl --request POST \
  --url http://172.31.39.159:3592/api/check/resources \
  --header 'Content-Type: application/json' \
  --data '{
    "requestId": "c2db17b8-4f9f-4fb1-acfd-9162a02be42b",
    "principal": {
      "id": "student",
      "policyVersion": "default",
      "roles": [
        "student"
      ],
      "attr": {
        "beta_tester": true
      }
    },
    "resources": [
      {
        "actions": [
          "read",
          "delete"
        ],
        "resource": {
          "kind": "student-management",
          "policyVersion": "default",
          "id": "XX125",
          "attr": {
          }
        }
      }
    ]
  }'
Response
{
  "requestId": "c2db17b8-4f9f-4fb1-acfd-9162a02be42b",
  "results": [
    {
      "resource": {
        "id": "XX125",
        "kind": "student-management",
        "policyVersion": "default"
      },
      "actions": {
        "delete": "EFFECT_DENY",
        "read": "EFFECT_DENY"
      }
    }
  ]
}
The expected response is that action read should be EFFECT_ALLOW.
Please explain why I'm getting EFFECT_DENY instead of EFFECT_ALLOW
Ivano
12/19/2022, 11:57 AM
Ivano
12/19/2022, 11:57 AM
=> [build 5/6] COPY client/ . 0.0s
=> ERROR [build 6/6] RUN npm run build 2.1s
------
> [build 6/6] RUN npm run build:
#0 0.629
#0 0.629 > build
#0 0.629 > sh build_monaco_workers.sh && parcel build
#0 0.629
build_monaco_workers.sh: 3: : not found
' is invalid. Allowed choices are none, error, warn, info, verbose.
' is invalid. Allowed choices are none, error, warn, info, verbose.
' is invalid. Allowed choices are none, error, warn, info, verbose.
' is invalid. Allowed choices are none, error, warn, info, verbose.
' is invalid. Allowed choices are none, error, warn, info, verbose.
------
failed to solve: executor failed running [/bin/sh -c npm run build]: exit code: 1
PS C:\Temp\demo-admin-api>
Jesum Yip
01/03/2023, 1:47 AM
Maggie Walker
01/05/2023, 6:47 PM
Steve High (NTWRK)
01/06/2023, 9:41 PM
request failed: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing dial unix /sock/cerbos.sock: connect: permission denied"
I can't remember if I saw this before or how I fixed it. I am connecting via gRPC on the unix socket as described in the error
Maggie Walker
01/09/2023, 9:00 PM
michelle x account_d6455851-3f86-48d8-b102-8d996eb92645
which I didn't think I was testing yet
---
name: AccountTestSuite
description: Tests for verifying the account resource policy
options:
  now: "2022-08-02T15:00:00Z"
tests:
  - name: Accessing an album
    options:
      now: "2022-08-03T15:00:00Z"
    input:
      principals:
        - michelle
        - elaine
      resources:
        - account_1
        - account_053a1a75-acc5-4cd8-9206-a194335d2afa
        - account_d6455851-3f86-48d8-b102-8d996eb92645
      actions:
        - view
        - edit
    expected:
      - principal: michelle
        resource: account_1
        actions:
          view: EFFECT_ALLOW
          edit: EFFECT_ALLOW
      - principal: michelle
        resource: account_053a1a75-acc5-4cd8-9206-a194335d2afa
        actions:
          view: EFFECT_ALLOW
          edit: EFFECT_ALLOW
      - principal: elaine
        resource: account_1
        actions:
          view: EFFECT_DENY
          edit: EFFECT_DENY
      - principal: elaine
        resource: account_d6455851-3f86-48d8-b102-8d996eb92645
        actions:
          view: EFFECT_DENY
          edit: EFFECT_DENY
Jesum Yip
01/12/2023, 10:02 AM
git clone https://oauth2:<token>@<gitlabURL>/repo.git
and it works just fine. However, I see my cerbos pods crashing with cerbos: error: failed to create store: failed to clone from https://<giturl>/repo.git to /work: authentication required
Michael Perju
01/12/2023, 3:46 PM
{"log.level":"error","@timestamp":"2023-01-12T15:21:04.187Z","log.logger":"cerbos.git.store","message":"Failed to initialize git store","dir":"/policies","error":"failed to clone from git@github.com:utilitywarehouse/cerbos-policies.git to /policies: unable to find any valid known_hosts file, set SSH_KNOWN_HOSTS env variable"}
cerbos: error: failed to create store: failed to clone from git@github.com:utilitywarehouse/cerbos-policies.git to /policies: unable to find any valid known_hosts file, set SSH_KNOWN_HOSTS env variable
WHAT I'VE TRIED:
- Mounting a hardcoded known_hosts file - makes it WORK
I am not sure this is a good approach, since the public keys of GitHub may rotate in the future and the hardcoded file will be invalid.
- Mounting an ssh_config inside /etc/ssh/ssh_config, as well as in /.ssh/config, configuring SSH to ignore the known_hosts file - does not work
THOUGHTS:
At the moment, I think the only option is hard-copying the known_hosts file. A better approach, though not standard, would be to ignore checking the known hosts at all. That is done via SSH configuration, but the docker image ignores any mounted configuration files.
Jesum Yip
01/16/2023, 2:32 AM
{
  "code": 3,
  "message": "InvalidArgument"
}