Yoav Pinto
07/19/2023, 2:20 PM
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  scope: "company.project"
  resource: "company"
  rules:
    - actions: ['*']
      effect: EFFECT_ALLOW
      roles: ["project_admin", "project_user"]
      condition:
        match:
          all:
            of:
              - expr: request.principal.attr.company == request.resource.attr.company
              - expr: request.principal.attr.project == request.resource.attr.project
    - actions: ['*']
      effect: EFFECT_ALLOW
      roles: ["project_contractor"]
      condition:
        match:
          all:
            of:
              - expr: request.principal.attr.company == request.resource.attr.company
              - expr: request.principal.attr.project == request.resource.attr.project
              - expr: request.resource.attr.company == 'company_a'
In this example I want to get "project_contractor" when I look for 'company_a' in the 'company.project' scope.
Dennis (Cerbos)
EFFECT_ALLOW add the role to the result list.
2. This is a hack. Add a project_role resource (!) attribute and check it in the conditions. Use the query planner API, then parse the AST to check the roles.
In the second option, the policy rules might look like:
rules:
  - actions: ['*']
    effect: EFFECT_ALLOW
    roles: ["user"]
    condition:
      match:
        all:
          of:
            - expr: R.attr.project_role in ["project_admin", "project_user"]
            - expr: P.attr.company == R.attr.company
            - expr: P.attr.project == R.attr.project
  - actions: ['*']
    effect: EFFECT_ALLOW
    roles: ["user"]
    condition:
      match:
        all:
          of:
            - expr: R.attr.project_role == "project_contractor"
            - expr: P.attr.company == R.attr.company
            - expr: P.attr.project == R.attr.project
            - expr: R.attr.company == 'company_a'
Send a request to the query planner. The request should contain all P and R attributes except R.attr.project_role. The result will be an AST of an expression containing the desired roles.
For example, if you send a request with P and R matching project and the company is "company_a", the result will be an AST of the expression: R.attr.project_role in ["project_admin", "project_user"] OR R.attr.project_role == "project_contractor".
Yoav Pinto
07/20/2023, 7:45 AM
My next question is if there is any way to get all the actions a role is allowed to perform?
Dennis (Cerbos)
If answering this doesn't require checking policy conditions, it is easy. Just use the Admin API to get a policy.
Dennis (Cerbos)
R.attr.project_role == <role1> pattern or R.attr.project_role in <roles list> pattern.
I assume you can enforce the format of project_role expressions.
Yoav Pinto
07/20/2023, 8:17 AM
actions as a list, and only the role get_roles can access it.
In this way there is no need to pass another attribute or check another expr.
Dennis (Cerbos)
Yoav Pinto
The purpose for this is to allow a user (a company admin for example) to give and make custom roles.
I am looking for ways to store the roles each company has without adding load to my DB.
Dennis (Cerbos)
Option 3. You can list all of the available roles for each company in the output expression of a rule with an expression P.attr.company == "company_a"