can variables hold the boolean result of an expression?

Hi, is it possible to return

arbitrary object

instead of just

EFFECT_ALLOW/DENY

The use case of mine is, i want to return list of

fields

user could access based on

action

.

Hi, Is it possible to have the UI for the Admin API hidden or disabled somehow (the one available on port 3952)? Thank you

Hi Team Cerbos 🙂 I am having a strange issue (probably doing something silly) where I am getting

"error": "failed to get check for [attendee.default]: policy compilation error: 1 compilation errors:\nresource_policies/attendee.yaml: Derived roles import 'common_roles' cannot be found (import not found)"

+ same error for variables cannot be found but it is not happening with the meeting policy...

Hi guys, Does anyone know how to use condition script? I'm not sure but how it's possible to implement if ... then ... if ... in Cerbos? Can condition handles by external system to call a external engine and response with TRUE/FALSE?

Is there functionality (or plans to add): Searching a reduced set of policies via listPolicies(searchCriteria), where searchCriteria is a specific scope, for example?

Can a resource attr take an object? (JS SDK) I am sending it an object as an attr but it keeps receiving it as a string (as indicated by Cerbos audit log), and before I try to figure out what silly thing I have done, I wanted to sanity check with ye. Thanks ✌️

Is there a reason why a derived role policy does not support

version

? https://docs.cerbos.dev/cerbos/latest/policies/derived_roles. I know I can add it in as an attribute but I'm just wondering why this was engineered this way.

Welcome!

kam

joined #help.

Hi Team, func ListPolicies() { list, err := admcli.ListPolicies(context.Background()) if err != nil { fmt.Printf("error getting lists: %v", err) } for _, v := range list { fmt.Printf(" %s \n", v) } } policy ID necessary for disabling a policy, could you please provide more context about how we get the policy ID?

how to use derived roles policy

Is there a way to get a summary of permissions for a principal? This would then help build out the frontend (ie. disable pages where the user has no access to)

Hello 👋 We have a question, hoping maybe some hints could help us here. We are trying to inject Linkerd proxy into the helm chart deployment. Here is what we have below, we can see the annnotations being injected on Deployment & on ReplicaSet however on the POD the linkerd proxy is never injected and no annotations are present there whatsoever:

# Annotations to add to the deployment.
        deployment:
          annotations:
            <http://linkerd.io/inject|linkerd.io/inject>: enabled
            <http://config.linkerd.io/skip-outbound-ports|config.linkerd.io/skip-outbound-ports>: "27017,4222,80,81"
            <http://config.linkerd.io/shutdown-grace-period|config.linkerd.io/shutdown-grace-period>: "120"
            <http://cluster-autoscaler.kubernetes.io/safe-to-evict|cluster-autoscaler.kubernetes.io/safe-to-evict>: "true"

Wondering if by any chance you have any quick advice before we dig deeper in linkerd and all.

Update: Somehow this was solved by adding the same annotations on the podAnnotation level.

Do we have query plan adapter for java?

Is there any way to make the disk storage mutable? I'm trying to add/update policies

Is there a way to see the data model of cerbos?

Is anyone know how to use cerbos container as by using nginx proxy_pass? I tried to do proxy pass but the endpoints in HTML code starts with / and I'm getting 404 on requests.

location ~ ^/cerbos {
    rewrite /cerbos/(.*) /$1  break;
    proxy_pass <http://cerbos>;
}

Hi Everyone! I just recently found out about Cerbos and it seems like a really powerful tool. My question: Is there a way for the end user to add/remove permissions on a role? is it possible for the end user to create a custom role and add permissions?

Hi team! I recently discovered Cerbos, and I'm currently working on some Proof of Concepts (POCs) to confirm that the project fits our needs. The question I'm trying to answer with Cerbos at this time is: "The User:1 can execute the LIST action on the BOOKS resource? If so, in which categories?" To model this problem, I have a list of "allowed categories" as

attr

of my Principal(user:1), associated with a role(e.g.:

{"user": {"categories": [1, 2]}, "admin": {"categories": ["*"]}}

. Are the policy

outputs

suitable for returning this category list to my application to perform some kind of filtering in the database, or do you have another recommendation for approaching this kind of problem?"

how can i get only indore employee data using cerbos "employee": [ { "id": "1", "firstName": "Tom", "lastName": "Cruise", "city": "indore" }, { "id": "2", "firstName": "Maria", "lastName": "Sharapova", "city":"indore" }, { "id": "3", "firstName": "James", "lastName": "Bond", "city":"ujjain" } ]

I'm trying to implement my JWT decode functionality in Cerbos using auxiliary data. I've added the following block to my JSON object when using the

checkResources

method:

auxData: {
	jwt: {
		token,
		keySetId: 'default',
	},
},

The token comes from

request.headers

in my Express app. Since I'm doing all the decoding business in Cerbos, I was wondering how I was supposed to pass the user's id as the principal's id without decoding the token:

const {results} = await cerbos.checkResources({
	principal: {
		id: String(user.id),
		roles: user.roles,
	},
...

I went through the docs and couldn't find a way to check whether an attribute exists or not. Is this expression valid?

expr: request.resource.attr.roles == null

Hi all, I’m trying to import the cerbos java sdk into a project via gradle with a requirement that we need to be compatible with Java 8, i’m currently getting an error that the sdk version 0.7.0 declares components only compatible with java 11, I was wondering if it’s possible to import a version of the SDK via gradle that is compatible with Java 8? Cheers

Hi everyone, I'm getting the below error message

Failed to load the test suite: invalid test "[RESOURCE] CRUD Actions": resource "[RESOURCE]" not found

My project structure looks like this

resource_policies/
  |- [RESOURCE]/
    |- [RESOURCE]_test.yaml
    |- [RESOURCE].yaml

I skimmed through the testing docs to see if I missed anything, but without any luck. Could someone point me in the right direction please

One more quick question. If I wanted to provide a way for users to add their own roles and policies, is that something that Cerbos supports? I know there is an admin api to create policies, but is that the recommended way to allow users to create dynamic roles and policies?

Hi Team, how to create resource policy using golang sdk?

Hi all, I’ve created a derived role below named owner. It works, when resource

attr

is empty. Should return

DENY

, right? derived role

# yaml-language-server: $schema=<https://api.cerbos.dev/latest/cerbos/policy/v1/Policy.schema.json>
# docs: <https://docs.cerbos.dev/cerbos/latest/policies/derived_roles>
apiVersion: api.cerbos.dev/v1
derivedRoles:
  name: customer_roles
  definitions:
    - name: OWNER 
      parentRoles: ["USER"] 
      condition: 
        match:
          expr: R.attr.owner.id == P.id

principal.json

{
  "id": "12312312",
  "roles": [
    "OWNER"
  ],
  "attr": {
    "storeDetails": {
      "id": "123",
      "tenantId": "1234"
    }
  }
}

resource.json

{
  "id": "13123123",
  "kind": "order",
  "attr": {}
}

resource policy:

- actions: ["order:read"]
      effect: EFFECT_ALLOW
      roles:
        - OWNER
      condition:
        match:
          expr: ("OWNER" in P.roles)
      name: order_owner_rule

Hi, We have many services , and we register many policies policies for each services, but while list it , cerbos shows all the policies, is there a way to segregate the policies based on services, is there any other way around to achieve it ?