# community
m
Hi, I use Sequelize and Cerbos, but I have a problem in my postcrud.js
d
What is the error or the problem?
m
throw new Error("You are not authorized to visit this resource");
console.log(cerbosObject): { principal: { id: '1', policyVersion: 'default', roles: [ 'member' ], attributes: { id: 1, username: 'mustafa', role: 'member', email: 'deneme@deneme.com', blocked: false, iat: 1681862043, exp: 1681865643 } }, resource: { kind: 'blogpost', policyVersion: 'default', id: 'undefined', attributes: [Object: null prototype] { title: 'ndödöd', content: 'nasılsınız', category: 'technology' } }, actions: [ 'create' ] } [Object: null prototype] { title: 'ndödöd', content: 'nasılsınız', category: 'technology' }
and: throw new Error("You are not authorized to visit this resource");
d
Do you think this request should be authorised?
If you believe the request should be authorised, please share your policy.
m
I don't understand. Do you mean I should share my yaml files with you, or use express static to share the policy file so you can browse it?
d
Sorry, I was referring to Cerbos policies which define access rules for resources and/or principals.
i share you yaml files
Can you please point me to these? I see the JS code and the request JSON object but not any yaml file.
m
This is resource.yaml:
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  importDerivedRoles:
    - common_roles
  resource: "blogpost"
  rules:
    - actions: ['view:all']
      effect: EFFECT_ALLOW
      derivedRoles:
        - all_users
    - actions: ['view:single']
      effect: EFFECT_ALLOW
      roles:
        - moderator
        - member
    - actions: ['create']
      effect: EFFECT_ALLOW
      derivedRoles:
        - member_only
    - actions: ['update']
      effect: EFFECT_ALLOW
      derivedRoles:
        - owner
        - moderator_only
      condition:
        match:
          any:
            of:
              - expr: request.resource.attr.flagged == false && request.principal.attr.role == "member"
              - expr: request.resource.attr.flagged == true && request.principal.attr.role == "moderator"
    - actions: ['delete']
      effect: EFFECT_ALLOW
      derivedRoles:
        - owner
    - actions: ['flag']
      effect: EFFECT_ALLOW
      derivedRoles:
        - moderator_only
This is the derived roles yaml:
apiVersion: "api.cerbos.dev/v1"
derivedRoles:
  name: common_roles
  definitions:
    - name: all_users
      parentRoles: ["member", "moderator"]
      condition:
        match:
          expr: request.principal.attr.blocked == false
    - name: owner
      parentRoles: ["member"]
      condition:
        match:
          all:
            of:
              - expr: request.resource.attr.userId == request.principal.attr.id
              - expr: request.principal.attr.blocked == false
    - name: member_only
      parentRoles: ["member"]
      condition:
        match:
          expr: request.principal.attr.blocked == false
    - name: moderator_only
      parentRoles: ["moderator"]
      condition:
        match:
          expr: request.principal.attr.blocked == false
    - name: unknown
      parentRoles: ["unknown"]
d
Here’s the Cerbos playground with your policies. The “create” action is allowed as expected.
1. Can you please share the Cerbos log?
2. I’m curious about what’s in the cerbosCheck object. Please console.log it and share the output.
m
When I console.log(cerbosCheck): CheckResourcesResult { resource: { id: 'undefined', kind: 'blogpost', policyVersion: 'default', scope: '' }, actions: { create: 'EFFECT_DENY' }, validationErrors: [], metadata: undefined }
I send you the files.
and console.log(cerbosObject): principal: { id: '1', policyVersion: 'default', roles: [ 'member' ], attributes: { id: '1', role: 'member', blocked: false } }, resource: { kind: 'blogpost', policyVersion: 'default', id: '1', attributes: { title: 'nasılım', content: 'iyi', category: 'technology', id: 1 } }, actions: [ 'create' ] } CheckResourcesResult { resource: { id: '1', kind: 'blogpost', policyVersion: 'default', scope: '' }, actions: { create: 'EFFECT_DENY' }, validationErrors: [], metadata: undefined }
d
I’ve got a working example.
1. Run cerbos:
docker run --rm --name cerbos -d -v $(pwd)/cerbos/policies:/policies -p 3592:3592 -p 3593:3593 ghcr.io/cerbos/cerbos:0.26.0
2. Slightly modified authorization.js:
const { GRPC } = require("@cerbos/grpc");

// The Cerbos PDP instance (plaintext gRPC on the port exposed by the docker command above)
const cerbos = new GRPC("localhost:3593", {
    tls: false,
});

// Resolves to true if `user` may perform `action` on the blogpost described by `resourceAttr`.
module.exports = async (user, action, resourceAttr = {}) => {
    const cerbosObject = {
        principal: {
            id: user.id.toString(),
            roles: [user?.role || "unknown"],
            attributes: user,
        },

        resource: {
            kind: "blogpost",
            // A resource that does not exist yet (e.g. on "create") has no id;
            // fall back to "new" rather than sending the string "undefined".
            id: resourceAttr?.id != null ? String(resourceAttr.id) : "new",
            attributes: resourceAttr,
        },

        actions: [action],
    };

    const cerbosCheck = await cerbos.checkResource(cerbosObject);

    return cerbosCheck.isAllowed(action);
};
3. Run the following script:
const authorise = require("./authorization");

(async function() {
  let user = {id: 1, role: "member", blocked: false};
  let r = await authorise(user, "create", {});
  console.log("allowed:", r);
}())
Prints allowed: true.
m
Thanks so much. I deleted policyVersion: "default" and it works.
Sorry, it doesn't work: allowed: false
d
1. Do you mean my version of authorization.js and my script give you allowed: false in your environment?
2. I assume you run Cerbos with the command I posted previously. Please post the output of the docker logs cerbos command.
3. Which Node.js version are you using?