• b

    B Cerkezi

    1 month ago
    Hey 👋, I have been evaluating the tool today - looks really cool! One basic question: when using the principal attributes as a condition expression I can't get the "in" operator to work? Here is the code:
    ---
    apiVersion: api.cerbos.dev/v1
    resourcePolicy:
      resource: album
      version: default
      rules:
        - actions: ['view']
          effect: EFFECT_ALLOW
          roles:
            - editor
          condition:
            match:
              expr: 'test' in request.principal.attr.products
    and response
    failed to convert YAML to JSON: yaml: line 12: did not find expected key
    Alex Olivier (Cerbos)
    2 replies
  • a

    Amy Soetopo

    1 month ago
    Quick question: in a production setting, we are planning to use PostgreSQL for policy storage. From what I understand, Cerbos reads from the DB, loads the policies into memory, and then after - is the connection to the data store kept alive?
    Charith (Cerbos)
    2 replies
  • a

    Amy Soetopo

    1 month ago
    Hi, I’m trying to run tests on my machine with:
    docker run -i -t \
        -v /path/to/policy/dir:/policies \
        -v /path/to/test/dir:/tests \
        ghcr.io/cerbos/cerbos:0.20.0 compile --tests=/tests /policies
    (from the docs, and of course, updated with paths to my policies and tests locally) just an FYI, that the --format flag is invalid? getting this error:
    cerbos: error: unknown flag --format
    Dennis (Cerbos)
    4 replies
  • a

    Amy Soetopo

    1 month ago
    Also, I find the playground tests unreliable - some cases that should be throwing an error pass. If I’m running the tests in that docker container, they do fail (as they should).
    2 replies
  • a

    Amy Soetopo

    1 month ago
    I’m wondering about using yaml to define policies (production setting) - what are the reasons not to do this?
    Alex Olivier (Cerbos)
    +1
    6 replies
  • g

    Gabi Zarhin

    1 month ago
    Hello community 🙂 I think I’ve found a bug in the python AsyncCerbosClient… (raise_on_error option of the client) what would be the best way to validate the bug existence and open a bug? (or maybe even a PR for a fix)
    Charith (Cerbos)
    6 replies
  • r

    Ryan Killeen

    1 month ago
    A quick question around when to use scopes vs hierarchal naming for resources: Let's say I have an experience that's largely config-driven, and certain roles can modify certain parts of that configuration. As a simplified example, say a product manager can take actions on products, and a marketing manager can update content, colors, assets etc in different parts of the configuration. I see two ways this could be modeled:
    1. Hierarchal naming of the resource (a base policy for config, a policy for config:products, config:somePart:content)
    2. Scopes (kind: config, scope: 'config.products')
    3. A mix of the two?
    Is it right to say that scope should be resource agnostic, and preferred for things like multi-tenancy? What are the trade-offs of modeling it in one manner or another? What sort of litmus would you use to pick? I appreciate any insight you might provide! Thanks again for a great intro to the community today
    Charith (Cerbos)
    +1
    9 replies
  • m

    Maggie Walker

    3 weeks ago
    Hey! I'm trying to run the python demo locally - and hitting issues during ./pw demo -- specifically I get stuck in pw on env_builder.create(venv_dir)
    the error comes from here
    /Users/walk003/orchard/collab/mwalker/cerbos/demo-python/.pyprojectx/pyprojectx/0.9.9-py3.8/bin/python3 -Im ensurepip --upgrade --default-pip
    and I get
    zsh: killed      -Im ensurepip --upgrade --default-pip
    I'm working in a new M1 macbook, and I've heard there's funkiness with python/pip + M1 -- have you all encountered anything similar?
    Charith (Cerbos)
    22 replies
  • m

    Maggie Walker

    3 weeks ago
    Does the "in" operator work in the playground? I'm trying to write a parallel example to
    condition:
      match:
        any:
          of:
            - expr: R.attr.status == "PENDING_APPROVAL"
            - expr: "GB" in R.attr.geographies
            - expr: P.attr.geography == "GB"
    like this:
    condition:
              match:
                  expr: "name" in request.resource.attr
    but just getting
    Failed to read: failed to convert YAML to JSON: yaml: line 28: did not find expected key
    Alex Olivier (Cerbos)
    2 replies
  • m

    Maggie Walker

    3 weeks ago
    Another random question while I'm here - is there a way to see specifically why an action was denied (or, I guess, where it hit its first deny)? I'm imagining an engineer creating a policy, getting an unexpected deny, and then having trouble parsing through all the policies to know where the action was blocked
    Alex Olivier (Cerbos)
    +1
    6 replies