https://cerbos.dev logo
Join Slack
Powered by
assuming i have this resource policy: ```apiVersi...
# community
j
assuming i have this resource policy:
Copy code
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: default
  resource: invict_triage
  importDerivedRoles:
    - avengers_global_users
  rules:
    - actions:
        - subscribed
      effect: EFFECT_ALLOW
      derivedRoles:
        - avengers_invict_user
      condition:
        match:
          expr: request.resource.attr.data_org_id == "blablabla"
what's a clean way to add actions READ and actions WRITE permissions to the resource 
invict_triage
for this specific derivedRole WITHOUT modifying the YAML above?
from what i can see - the only way to achieve this is with scoped resource policies, but that means my cerbos API calls must include the scope parameter as well.
that's something i'm trying to avoid because this isn't really a scoped use case.
a
Can you elaborate a bit on why you want to do it without modifying that YAML?
j
i have a very simple crm system which business users will interface with. i will write a middleware that pulls data out of the crm system to spit out base cerbos policies. this base cerbos policy will look like the YAML above - with a simple condition of "subscribed" action being given EFFECT_ALLOW. that's like the mother-of-all permissions. without SUBSCRIBED, none of the READ or WRITE permissions would produce an EFFECT_ALLOW ( i will handle this part of the logic in the application that the customer subscribes to - so no issues here ) i then want a human to hand-write READ/WRITE policies for that customer. these then get merged together with the base policy above.
i could write additional derived roles of "avengers_invict_user_read" and "avengers_incit_user_write" but again, i need to modify the YAML above to insert these derived roles.
i'm trying to achieve separation of yamls so that i don't muddle what the middle-ware is producing vs what humans are writing.
maybe i'm approaching this wrongly and over complicating things!
it may be easier to just get the middleware to parse the yaml above and insert elements into the "actions" array, "derivedRoles" array, and "importDerivedRoles" array.
a
Ok, cool... this does sound a bit like a use case for scoped policies to me (per-customer/tenant rules is what that was designed to handle).
j
i'm trying to avoid scoped policies as well because that means i need additional attributes put into the cerbos API call to specify the scope....but yeah if that's easier then i'll have to engineer a mechanism for it
a
But equally yeah the YAML is supposed to be easy to parse and generate so if that fits your model better then that might be an option. You could probably just add additional 
rules
for read/write rather than having to merge into the existing rule.
j
assuming i only have 2 policies - a base one, and a custom hand-edited one, then i think this can work:
Copy code
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: default
  resource: invict_triage
  importDerivedRoles:
    - avengers_global_users
  rules:
    - actions:
        - subscribed
      effect: EFFECT_ALLOW
      derivedRoles:
        - avengers_invict_user
      condition:
        match:
          expr: request.resource.attr.data_org_id == "blablabla"
Copy code
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: default
  resource: invict_triage
  scope: "custom"
  importDerivedRoles:
    - avengers_global_users
  rules:
    - actions:
        - read
        - write
      effect: EFFECT_ALLOW
      derivedRoles:
        - avengers_invict_user
      condition:
        match:
          expr: request.resource.attr.data_org_id == "blablabla"
i just need to make sure EVERY API call to Cerbos has a resource scope of "custom"
thanks @Andrew Haines (Cerbos)
@Farzad Soltani fyi the solution which i think will work for me.
a
Nice, yep that sounds like a sensible approach to me!
7 Views
Open in Slack
PreviousNext
Powered by