https://cerbos.dev logo
#community
Title
# community
m

Musti Kamil

04/19/2023, 12:39 AM
hi i use sequelize and cerbos but i have a problem my postcrud.js
d

Dennis (Cerbos)

04/19/2023, 1:21 AM
What is the error or the problem?
m

Musti Kamil

04/19/2023, 1:59 AM
throw new Error("You are not authorized to visit this resource");
console.log(cerbosObject). { principal: { id: '1', policyVersion: 'default', roles: [ 'member' ], attributes: { id: 1, username: 'mustafa', role: 'member', email: 'deneme@deneme.com', blocked: false, iat: 1681862043, exp: 1681865643 } }, resource: { kind: 'blogpost', policyVersion: 'default', id: 'undefined', attributes: [Object: null prototype] { title: 'ndödöd', content: 'nasılsınız', category: 'technology' } }, actions: [ 'create' ] } [Object: null prototype] { title: 'ndödöd', content: 'nasılsınız', category: 'technology' }
and. throw new Error("You are not authorized to visit this resource");
d

Dennis (Cerbos)

04/19/2023, 2:02 AM
Do you think this request should be authorised?
If you believe the request should be authorised, please share your policy.
m

Musti Kamil

04/19/2023, 3:32 AM
i dont understand you say i share you yaml files or use express static share policy file to browse
d

Dennis (Cerbos)

04/19/2023, 3:39 AM
Sorry, I was referring to Cerbos policies which define access rules for resources and/or principals.
i share you yaml files
Can you please point me to these? I see the JS code and the request JSON object but not any yaml file.
m

Musti Kamil

04/19/2023, 6:08 PM
this sis resourse.yaml apiVersion: api.cerbos.dev/v1 resourcePolicy: version: "default" importDerivedRoles: - common_roles resource: "blogpost" rules: - actions: ['view:all'] effect: EFFECT_ALLOW derivedRoles: - all_users - actions: ['view:single'] effect: EFFECT_ALLOW roles: - moderator - member - actions: ['create'] effect: EFFECT_ALLOW derivedRoles: - member_only - actions: ['update'] effect: EFFECT_ALLOW derivedRoles: - owner - moderator_only condition: match: any: of: - expr: request.resource.attr.flagged == false && request.principal.attr.role == "member" - expr: request.resource.attr.flagged == true && request.principal.attr.role == "moderator" - actions: ['delete'] effect: EFFECT_ALLOW derivedRoles: - owner - actions: ['flag'] effect: EFFECT_ALLOW derivedRoles: - moderator_only
this is derived yaml apiVersion: "api.cerbos.dev/v1" derivedRoles: name: common_roles definitions: - name: all_users parentRoles: ["member", "moderator"] condition: match: expr: request.principal.attr.blocked == false - name: owner parentRoles: ["member"] condition: match: all: of: - expr: request.resource.attr.userId == request.principal.attr.id - expr: request.principal.attr.blocked == false - name: member_only parentRoles: ["member"] condition: match: expr: request.principal.attr.blocked == false - name: moderator_only parentRoles: ["moderator"] condition: match: expr: request.principal.attr.blocked == false - name: unknown parentRoles: ["unknown"]
d

Dennis (Cerbos)

04/20/2023, 2:08 AM
Here’s the Cerbos playground with your policies. “create” action is allowed as expected. 1. Can you please share the Cerbos log? 2. I’m curious about what’s in the
cerbosCheck
object. Please
console.log
and share it.
m

Musti Kamil

04/20/2023, 1:51 PM
when i console.log(cerbosCheck). CheckResourcesResult { resource: { id: 'undefined', kind: 'blogpost', policyVersion: 'default', scope: '' }, actions: { create: 'EFFECT_DENY' }, validationErrors: [], metadata: undefined }
i send you files
and console.log(cerbosObject). principal: { id: '1', policyVersion: 'default', roles: [ 'member' ], attributes: { id: '1', role: 'member', blocked: false } }, resource: { kind: 'blogpost', policyVersion: 'default', id: '1', attributes: { title: 'nasılım', content: 'iyi', category: 'technology', id: 1 } }, actions: [ 'create' ] } CheckResourcesResult { resource: { id: '1', kind: 'blogpost', policyVersion: 'default', scope: '' }, actions: { create: 'EFFECT_DENY' }, validationErrors: [], metadata: undefined }
d

Dennis (Cerbos)

04/21/2023, 6:55 AM
I’ve got a working example. 1. Run cerbos
docker run --rm --name cerbos -d -v $(pwd)/cerbos/policies:/policies -p 3592:3592 -p 3593:3593  <http://ghcr.io/cerbos/cerbos:0.26.0|ghcr.io/cerbos/cerbos:0.26.0>
2. Slightly modified
authorization.js
:
Copy code
const { GRPC } = require("@cerbos/grpc");

// The Cerbos PDP instance
const cerbos = new GRPC("localhost:3593", {
    tls: false,
});

module.exports = async (user, action, resourceAtrr = {}) => {
    const cerbosObject = {
        principal: {
            id: user.id.toString(),
            roles: [user?.role || "unknown"],
            attributes: user,
        },
        
        resource: {
            kind: "blogpost",
            id: resourceAtrr?.id + "" || "new",
            attributes: resourceAtrr,
        },
        
        actions: [action],
    };
    
    const cerbosCheck = await cerbos.checkResource(cerbosObject);

    return cerbosCheck.isAllowed(action);
};
3. Run the following script:
Copy code
const authorise = require("./authorization");

(async function() {
  let user = {id: 1, role: "member", blocked: false};
  let r = await authorise(user, "create", {});
  console.log("allowed:", r);
}())
Prints
allowed: true
.
m

Musti Kamil

04/21/2023, 11:50 AM
thanks so much i delete policyVersion: "default", it is work
sorry dont work allowed :false
d

Dennis (Cerbos)

04/22/2023, 2:22 AM
1. Do you mean my version of
authorization.js
and my script give you
allowed: false
in your environment? 2. I assume you run Cerbos with the command I posted previously. Please post the output of
docker logs cerbos
command. 3. Which nodejs version are you using?
5 Views