# help
j
Hi Team Cerbos 🙂 I am having a strange issue (probably doing something silly) where I am getting
"error": "failed to get check for [attendee.default]: policy compilation error: 1 compilation errors:\nresource_policies/attendee.yaml: Derived roles import 'common_roles' cannot be found (import not found)"
+ the same error for variables that cannot be found, but it is not happening with the meeting policy...
I put all the files in the playground, no errors thrown
tests are executing successfully and it is compiling
d
Is importDerivedRoles: identical in both attendee.yaml and meeting.yaml? What about indentation?
j
hey Dennis, yep identical, indentation too. I am wondering if it is not specific to the attendee policy
d
Is the policy structure the same in the playground?
I see it is the same
Are you experiencing this issue locally, but not in the playground?
j
Thanks Dennis, the issue is happening in an EC2 Amazon Linux 2023 instance. I am now testing the Lambda that performs the permission check and it is returning DENY on this event:
{
  "principal": {
    "id": "12345",
    "roles": [
      "user"
    ],
    "attributes": {
      "isMeetingHost": "true"
    }
  },
  "resource": {
    "kind": "meeting",
    "id": "12345",
    "attributes": {}
  },
  "action": "endMeeting"
}
which just doesn't make sense according to the meeting policy and the corresponding condition variables and common roles
I feel like I'm losing my mind 😂
When I change the action to createMeeting, which is simply a check if the role is user, that returns true correctly. It makes me think that NO variables or derived roles are being compiled
d
Can you reproduce this behaviour in the playground?
The CheckResources request has the “includeMeta” field. Set it to true and the response will have some details about evaluation.
j
I am using the JS SDK, it doesn't seem to include the includeMeta in the isAllowed call
d
It should contain it according to the docs. I’m checking it
j
Thanks Dennis, I appreciate the back and forth help. It makes the insanity ease 😄 FWIW I am getting Type error trying to put in includeMeta
d
Works for me with "@cerbos/grpc": "^0.13.0"
j
I'm using http
d
Is your app in the browser?
j
The app is Electron based, and I am using Lambdas for interacting with the EC2 instance, using the http package for ease
d
Not sure about Electron, but in Lambdas gRPC should work fine. Anyway, you can use gRPC client for debugging.
Sorry, let me check if HTTP client has this option
It seems that "@cerbos/http": "^0.14.0" has this option
j
huh, I am using 0.13.0 for some reason
Upgraded to 0.14.0 js sdk, FYI still getting Type error, maybe Types not updated?
Aha, it uses includeMeta*Data*. I have found the inconsistencies in the JS SDK cause me errors, e.g. also with "attributes" rather than the usual "attr"
d
Hm…
import { HTTP } from "@cerbos/http";

const cerbos = new HTTP("http://localhost:3592");

await cerbos.isAllowed({
    principal: {
        id: "user@example.com",
        roles: ["USER"],
        attributes: { tier: "PREMIUM" },
    },
    resource: {
        kind: "document",
        id: "1",
        attributes: { owner: "user@example.com" },
    },
    action: "view",
    includeMetadata: true,
}); // => true
d
yes
d
Yes, it takes includeMeta, but the output is boolean, so no extra information in the output. 🤦
I suggest debugging policies without the SDK.
I suggest debugging policies with the following steps: 1. The playground or local tests. 2. curl. 3. SDK.
To get the full response, you can use the checkResource method.
import { HTTP } from "@cerbos/http";
import fetch, {
    Headers,
    Request,
    Response,
} from 'node-fetch'

// Polyfill the Fetch API for Node runtimes that do not ship it
if (!globalThis.fetch) {
    globalThis.fetch = fetch
    globalThis.Headers = Headers
    globalThis.Request = Request
    globalThis.Response = Response
}

const cerbos = new HTTP("http://localhost:3592");

let result = await cerbos.checkResource({
    principal: {
        id: "user@example.com",
        roles: ["USER"],
        attributes: { tier: "PREMIUM" },
    },
    resource: {
        kind: "document",
        id: "1",
        attributes: { owner: "user@example.com" },
    },
    actions: ["view"],
    includeMetadata: true,
});

console.log(JSON.stringify(result));
j
Thanks very much Dennis, I was in the middle of getting a curl cmd ready to test via CLI, would you suggest to use the checkResource SDK method instead firstly?
d
Personally I prefer curl, but if you have JS code already then replacing isAllowed with checkResource should be easy too.
The recommended way to test policies is cerbos compile
j
ok cool, I will try both, I have a cerbos compile in the GitHub Action pipeline
d
cerbos compile not only validates policies but also runs available tests
j
ok, I'm tired and going to sleep soon, but my current working theory is that there is something wrong with my attendee policy and/or the derived roles and/or variables, but compile is not picking it up. I get "check failed due to invalid policy" when I try to do a check on the attendee resource. I get DENY when I should get ALLOW on the meeting resource; I pass "principal": { "id": "12345", "roles": ["user"], "attr": { "isMeetingHost": "true" } },
Right, I am off to bed. All I have learned is that there is something funky going on with importing derived roles and/or variables for some unknown reason. It doesn't error out on the meeting policy (even though it has the exact same imports), but it doesn't return the correct ALLOW/DENY response when it is contingent on a principal attribute (regardless of whether a variable or direct logic is used). The attendee policy fails when it has the exact same variable and derived role imports as meeting??? saying not found. I wonder if it is something with the EC2 instance somehow..... maybe permission related?! 🤷
d
I think this is a cause of the problem:
"isMeetingHost": "true"
It should be a boolean instead of a string.
"isMeetingHost": true
Because in the global variables expression, you compare it with a boolean:
P.attr.isMeetingHost == true
j
That made no difference unfortunately
Okay, I have finally discovered the issue (CC @Charith (Cerbos)). It is correctly pulling updates from the git repo, but for some reason it is not actually refreshing its state. So it worked when I did a manual restart of the service. But when it detects new git changes, it doesn't refresh the state...
er":"cerbos.git.store","message":"Detected repository changes","dir":"/var/lib/cerbos/policies"}
er":"cerbos.git.store","message":"Index updated","dir":"/var/lib/cerbos/policies"}
my config:
server:
  httpListenAddr: ":3592"

storage:
  driver: "git"
  git:
    protocol: https
    url: https://github.com/notchmeetings/cerbos.git
    branch: main
    subDir: .
    checkoutDir: /var/lib/cerbos/policies
    updatePollInterval: 60s
    operationTimeout: 30s
    https:
      username: XXXXXXXXXXXXXXXXXXXXXXXX
      password: XXXXXXXXXXXXXXXXXXXXXXXX

audit:
  enabled: true
  accessLogsEnabled: true
  decisionLogsEnabled: true
  backend: file
  file:
    path: /var/lib/cerbos/audit.log
Ok, I started the server in debug log level and got this:
INFO    cerbos.git.store        Detected repository changes     {"dir": "/var/lib/cerbos/policies"}
DEBUG   cerbos.git.store        Processing change       {"dir": "/var/lib/cerbos/policies", "change": "<Action: Modify, Path: resource_policies/attendee.yaml>"}
DEBUG   cerbos.git.store        Not applying add/update {"dir": "/var/lib/cerbos/policies", "change": "<Action: Modify, Path: resource_policies/attendee.yaml>"}
INFO    cerbos.git.store        Index updated   {"dir": "/var/lib/cerbos/policies"}
So it is actually saying "*Not applying add/update*"
a
I think you need to remove subDir: . from your config
The problem is occurring here; because subDir is non-empty, and the path resource_policies/attendee.yaml does not start with the subDir value, the file is treated as living outside the policies directory and is therefore ignored. I suspect that for the initial clone subDir: foo and subDir: ./foo are interchangeable, but for the change detection the latter won't work.
j
Thank you very very much @Andrew Haines (Cerbos). That was the problem alright, and it is working now. I need some recovery now lol
a
Glad it's all working now @Joseph Harkins, that was quite a head-scratcher! We'll have a fix out in the next release.
j
Nice to see this in the .30 release @Andrew Haines (Cerbos) 🙂