https://cerbos.dev logo
Join Slack
Powered by
hi all, I have a validation issue with a role I’m ...
# help
d
hi all, I have a validation issue with a role I’m defining - details in 🧵
Copy code
apiVersion: api.cerbos.dev/v1
description: Common dynamic roles based on locale and group memberships
derivedRoles:
  name: common_roles_based_on_locale_and_groups
  definitions:
  - name: APPLE-READ
    parentRoles:
    - USER
    condition:
      match:
        expr: '"APPLE - READ" in P.attr.my-awesome-groups'
when i try to validate my policies - meaning when I run
Copy code
docker run -i -t -v $(PWD)/policies/:/policies <http://ghcr.io/cerbos/cerbos:0.26.0|ghcr.io/cerbos/cerbos:0.26.0> compile /policies
I get the following
Copy code
Compilation errors
derived_roles/base_roles.yaml: Invalid expression in derived role 'APPLE-READ' (#6) (failed to compile `"APPLE- READ" in P.attr.my-awesome-groups` [undeclared reference to 'awesome' (in container ''), undeclared reference to 'groups' (in container '')])
so its clearly interpretting “-” as operator
do I need to escape it? not sure what happens at complication time
short version - I write valid yaml - but cerbos will not compile is there are “-”s in my expressions
does Cerbos does not support attribute names with hyphens?
a
Hey
Let me quickly replicate this in the playground
d
hello
ok
a
Copy code
apiVersion: api.cerbos.dev/v1
description: Common dynamic roles based on locale and group memberships
derivedRoles:
  name: common_roles_based_on_locale_and_groups
  definitions:
  - name: APPLE-READ
    parentRoles:
    - USER
    condition:
      match:
        expr: >
          "APPLE - READ" in P.attr["my-awesome-groups"]
This is actually an edge case in CEL which I don't run into that often, but using the 
-
in the string leads to a parsing error so using the index-style reference works
d
ic - let me try this
ok that seems to make it work!
thank you !
a
Good. I’ll make a note to add that into the docs.
2 Views
Open in Slack
PreviousNext
Powered by