  • Maggie Walker

    3 weeks ago
    Is there a `not in` operator, if I'm looking to create an EFFECT_ALLOW if there is not a specific key in a resource attribute?
    Charith (Cerbos)
    4 replies
  • Matthew Ebeweber

    2 weeks ago
    I'm attempting to use the `queryPlanToPrisma` logic to convert a cerbos response to a prisma query and am running into some trouble. Auditing the call, the `planResources` call is returning something formed from --
    {
      "kind": "KIND_CONDITIONAL",
      "condition": {
        "expression": {
          "operator": "eq",
          "operands": [
            {
              "value": "qid::tenant:foo"
            },
            {
              "variable": "request.resource.attr.tenantQid"
            }
          ]
        }
      }
    }
    but then when I pass the result into `queryPlanToPrisma` with a pretty simple mapping `{ 'request.resource.attr.tenantQid': 'tenantQid'}`, I get filtering conditions that are `{ undefined: { equals: "undefined" } }`. I haven't gone too deep into the logic or tried other conditions, but was curious if I was doing something obviously wrong.
    Alex Olivier (Cerbos)
    12 replies
  • B Cerkezi

    2 weeks ago
    Hey team - very basic question, when making a request and sending the Principal object, why is an empty/null `Principal.Roles` not allowed? Is the idea that we should make the decision in code to reject the request without sending it to cerbos?
    Charith (Cerbos)
    2 replies
  • Maggie Walker

    1 week ago
    Hey! I'm trying to exec into our cerbos docker container to poke around, and I'm getting
    OCI runtime exec failed: exec failed: unable to start container process: exec: "/bin/sh": stat /bin/sh: no such file or directory: unknown
    How do you all exec in?
    Andrew Haines (Cerbos)
    4 replies
  • Matthew Ebeweber

    1 week ago
    For the git storage mechanism, do you know if there's an easy way to support filters / sparse checkouts? For context, I'd like my policies to exist within a monorepo but also want to avoid needing to pull everything down all the time.
    Charith (Cerbos)
    5 replies
  • Alberto Cunha

    1 week ago
    I'm trying to use a local/data/ key. Here is my config.yaml:
    ---
    server:
      httpListenAddr: ":3592"
    
    storage:
      driver: "disk"
      disk:
        directory: /policies
        watchForChanges: true
    
    auxData:
      jwt:
        keySets:
          - id: ks1
            local:
              data: eW91ci0yNTYtYml0LXNlY3JldA==
  • Alberto Cunha

    1 week ago
    Here is my request:
    {
      "requestId": "e4ae98fc-571d-4e4b-aa36-81b9c3a28970",
      "includeMeta": false,
      "principal": {
        "id": "4",
        "policyVersion": "default",
        "roles": [
          "Assessor"
        ]
      },
      "resources": [
        {
          "actions": [
            "list"
          ],
          "resource": {
            "kind": "casos",
            "policyVersion": "default",
            "id": "undefined",
            "attr": {},
            "scope": ""
          }
        }
      ],
      "auxData": {
        "jwt": {
          "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwiaWQiOiI0Iiwicm9sZXMiOlsiYWRtaW4iXSwiaWF0IjoxNTE2MjM5MDIyfQ.mE8TQz11_Z1U7ios9O9xU12l1jtWtCNLuqOzkYgEzbE",
          "keySetId": "ks1"
        }
      }
    }
  • Alberto Cunha

    1 week ago
    The jwt-secret, not encoded, is `your-256-bit-secret`. I'm getting this error:
    {"log.level":"error","@timestamp":"2022-09-14T20:38:00.511Z","log.logger":"cerbos.grpc","message":"Failed to extract auxData","grpc.start_time":"2022-09-14T20:38:00Z","system":"grpc","span.kind":"server","grpc.service":"cerbos.svc.v1.CerbosService","grpc.method":"CheckResources","peer.address":"127.0.0.1:54936","http":{"x_forwarded_for":["172.17.0.1"],"x_forwarded_host":["localhost:3592"]},"cerbos":{"call_id":"01GCYVJ2HZP8F3ENP5MB8E9HJQ"},"error":"failed to retrieve keyset: failed to parse key data: failed to unmarshal JWK set: invalid character 'y' looking for beginning of value"}
  • Alberto Cunha

    1 week ago
    {"log.level":"info","@timestamp":"2022-09-14T20:38:00.511Z","log.logger":"cerbos.grpc","message":"Handled request","grpc.start_time":"2022-09-14T20:38:00Z","system":"grpc","span.kind":"server","grpc.service":"cerbos.svc.v1.CerbosService","grpc.method":"CheckResources","peer.address":"127.0.0.1:54936","http":{"x_forwarded_for":["172.17.0.1"],"x_forwarded_host":["localhost:3592"]},"cerbos":{"call_id":"01GCYVJ2HZP8F3ENP5MB8E9HJQ"},"error":"rpc error: code = InvalidArgument desc = failed to extract auxData","grpc.code":"InvalidArgument","grpc.time_ms":0.223}
  • Hazel Boyle

    1 week ago
    hi, i'm trying out cerbos right now - does the actual check api cache its policies while the admin api doesn't? i've got `watchForChanges` turned on with the disk storage, and when i update my policy i can see the changes immediately reflected in `/admin/policy`, but `/api/check` is still making outdated decisions based on the old policy. if this is the case, how can i change this behaviour? `/admin/store/reload` didn't work, and even if it did i wouldn't want to be regularly needing to call that, obviously
    Alex Olivier (Cerbos)
    +1
    27 replies