Hey, is there any way to receive the roles list that exist in a specific scope that matches the expressions for the actions from the CerbosClient using python? For example:

apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  scope: "company.project" 
  resource: "company"
  rules:
    - actions: ['*']
      effect: EFFECT_ALLOW
      roles: ["project_admin", "project_user"]
      condition: 
        match:
          all: 
            of:
              - expr: request.principal.attr.company == request.resource.attr.company
              - expr: request.principal.attr.project == request.resource.attr.project

    - actions: ['*']
      effect: EFFECT_ALLOW
      roles: ["project_contractor"]
      condition: 
        match:
          all: 
            of:
              - expr: request.principal.attr.company == request.resource.attr.company
              - expr: request.principal.attr.project == request.resource.attr.project
              - expr: request.resource.attr.company == 'company_a'

in this example I want to get "project_contractor" when I look for 'company_a' in the 'company.project' scope.

There’s no straightforward solution yet, but you can get the roles list with some coding. I presume the application has all principal (P) and resource (R) attributes used in the policies. I see a couple of options for finding roles that satisfy conditions for the given P and R attributes. 1. If the number of roles is small and known upfront, you can send a request with the same P and R attributes but use a different role each time. If the outcome is

EFFECT_ALLOW

add the role to the result list. 2. This is a hack. Add

project_role

resource (!) attribute and check it in the conditions. Use the query planner API, then parse AST to check the roles. In the second option, the policy rules might look like:

rules:
  - actions: ['*']
      effect: EFFECT_ALLOW
      roles: ["user"]
      condition: 
        match:
          all: 
            of:
              - expr: R.attr.project_role in ["project_admin", "project_user"]
              - expr: P.attr.company == R.attr.company
              - expr: P.attr.project == R.attr.project

    - actions: ['*']
      effect: EFFECT_ALLOW
      roles: ["user"]
      condition: 
        match:
          all: 
            of:
              - expr: R.attr.project_role == "project_contractor"
              - expr: P.attr.company == R.attr.company
              - expr: P.attr.project == R.attr.project
              - expr: R.attr.company == 'company_a'

Send a request to the query planner. The request should contain all P and R attributes except

R.attr.project_role

. The result will be an AST of expression having the desired roles. For example, if you send a request with P and R matching project and the company is “company_a”, the result will be an AST of the expression:

R.attr.project_role in ["project_admin", "project_user"] OR R.attr.project_role == "project_contractor"

.

The purpose for this is to allow a user (a company admin for example) to give and make custom roles. I am looking for ways to store the roles each company has without adding load to my DB. So no.1 isn't really good for that. But no. 2 is an interesting hack. Like a "get_roles" Role with the company's roles as the actions in order to get the roles in the Resource. My next question is if there is any way to get the all the actions a role is allowed to perform? I am using the Python SDK.

My next question is if there is any way to get the all the actions a role is allowed to perform?

If answering this doesn’t require checking policy conditions, it is easy. Just use Admin API to get a policy.

I was thinking about listing all of the available roles in the

actions

as a list, and only the role

get_roles

can access it. In this way there is no need to pass another attribute or check another expr.

A rule can have an optional output. You can define a single expression per rule which will be evaluated and output in the response. An output expression can contain anything that condition expressions can have.