https://cerbos.dev logo
#help
Title
# help
y

Yoav Pinto

07/19/2023, 2:20 PM
Hey, is there any way to receive the roles list that exist in a specific scope that matches the expressions for the actions from the CerbosClient using python? For example:
Copy code
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  scope: "company.project" 
  resource: "company"
  rules:
    - actions: ['*']
      effect: EFFECT_ALLOW
      roles: ["project_admin", "project_user"]
      condition: 
        match:
          all: 
            of:
              - expr: request.principal.attr.company == request.resource.attr.company
              - expr: request.principal.attr.project == request.resource.attr.project

    - actions: ['*']
      effect: EFFECT_ALLOW
      roles: ["project_contractor"]
      condition: 
        match:
          all: 
            of:
              - expr: request.principal.attr.company == request.resource.attr.company
              - expr: request.principal.attr.project == request.resource.attr.project
              - expr: request.resource.attr.company == 'company_a'
in this example I want to get "project_contractor" when I look for 'company_a' in the 'company.project' scope.
d

Dennis (Cerbos)

07/20/2023, 12:33 AM
There’s no straightforward solution yet, but you can get the roles list with some coding. I presume the application has all principal (P) and resource (R) attributes used in the policies. I see a couple of options for finding roles that satisfy conditions for the given P and R attributes. 1. If the number of roles is small and known upfront, you can send a request with the same P and R attributes but use a different role each time. If the outcome is
EFFECT_ALLOW
add the role to the result list. 2. This is a hack. Add
project_role
resource (!) attribute and check it in the conditions. Use the query planner API, then parse AST to check the roles. In the second option, the policy rules might look like:
Copy code
rules:
  - actions: ['*']
      effect: EFFECT_ALLOW
      roles: ["user"]
      condition: 
        match:
          all: 
            of:
              - expr: R.attr.project_role in ["project_admin", "project_user"]
              - expr: P.attr.company == R.attr.company
              - expr: P.attr.project == R.attr.project

    - actions: ['*']
      effect: EFFECT_ALLOW
      roles: ["user"]
      condition: 
        match:
          all: 
            of:
              - expr: R.attr.project_role == "project_contractor"
              - expr: P.attr.company == R.attr.company
              - expr: P.attr.project == R.attr.project
              - expr: R.attr.company == 'company_a'
Send a request to the query planner. The request should contain all P and R attributes except
R.attr.project_role
. The result will be an AST of expression having the desired roles. For example, if you send a request with P and R matching project and the company is “company_a”, the result will be an AST of the expression:
R.attr.project_role in ["project_admin", "project_user"] OR R.attr.project_role == "project_contractor"
.
y

Yoav Pinto

07/20/2023, 7:45 AM
The purpose for this is to allow a user (a company admin for example) to give and make custom roles. I am looking for ways to store the roles each company has without adding load to my DB. So no.1 isn't really good for that. But no. 2 is an interesting hack. Like a "get_roles" Role with the company's roles as the actions in order to get the roles in the Resource. My next question is if there is any way to get the all the actions a role is allowed to perform? I am using the Python SDK.
d

Dennis (Cerbos)

07/20/2023, 8:00 AM
My next question is if there is any way to get the all the actions a role is allowed to perform?
If answering this doesn’t require checking policy conditions, it is easy. Just use Admin API to get a policy.
Sorry. If you implement option 2, then it is not easy. Roles will be encoded in expressions.
In the case of option 2, you can get a policy and pattern match condition expressions for
R.attr.project_role == <role1>
pattern or
R.attr.project_role in <roles list>
pattern. I assume you can enforce the format of
project_role
expressions.
y

Yoav Pinto

07/20/2023, 8:17 AM
I was thinking about listing all of the available roles in the
actions
as a list, and only the role
get_roles
can access it. In this way there is no need to pass another attribute or check another expr.
d

Dennis (Cerbos)

07/20/2023, 8:27 AM
A rule can have an optional output. You can define a single expression per rule which will be evaluated and output in the response. An output expression can contain anything that condition expressions can have.
The purpose for this is to allow a user (a company admin for example) to give and make custom roles.
I am looking for ways to store the roles each company has without adding load to my DB.
Option 3. You can list all of the available roles for each company in the output expression of a rule with an expression
P.attr.company == "company_a"
4 Views