Joseph Harkins
08/28/2023, 7:17 PM
"error": "failed to get check for [attendee.default]: policy compilation error: 1 compilation errors:\nresource_policies/attendee.yaml: Derived roles import 'common_roles' cannot be found (import not found)"
+ same error for variables cannot be found
but it is not happening with the meeting policy...
Dennis (Cerbos)
importDerivedRoles: identical in both attendee.yaml and meeting.yaml? What about indentation?
Joseph Harkins
08/28/2023, 8:28 PM
Dennis (Cerbos)
Joseph Harkins
08/28/2023, 9:22 PM
{
  "principal": {
    "id": "12345",
    "roles": [
      "user"
    ],
    "attributes": {
      "isMeetingHost": "true"
    }
  },
  "resource": {
    "kind": "meeting",
    "id": "12345",
    "attributes": {}
  },
  "action": "endMeeting"
}
Dennis (Cerbos)
CheckResources request has the “includeMeta” field. Set it to true and the response will have some details about evaluation.
Joseph Harkins
08/28/2023, 9:55 PM
Dennis (Cerbos)
Joseph Harkins
08/28/2023, 10:03 PM
Dennis (Cerbos)
"@cerbos/grpc": "^0.13.0"
Joseph Harkins
08/28/2023, 10:05 PM
Dennis (Cerbos)
Joseph Harkins
08/28/2023, 10:06 PM
Dennis (Cerbos)
"@cerbos/http": "^0.14.0" has this option
Joseph Harkins
08/28/2023, 10:11 PM
Dennis (Cerbos)
import { HTTP } from "@cerbos/http";

const cerbos = new HTTP("http://localhost:3592");

await cerbos.isAllowed({
  principal: {
    id: "user@example.com",
    roles: ["USER"],
    attributes: { tier: "PREMIUM" },
  },
  resource: {
    kind: "document",
    id: "1",
    attributes: { owner: "user@example.com" },
  },
  action: "view",
  includeMetadata: true,
}); // => true
Joseph Harkins
08/28/2023, 10:38 PM
Dennis (Cerbos)
Joseph Harkins
08/28/2023, 10:39 PM
Dennis (Cerbos)
curl
3. SDK
Yes, it takes includeMeta, but the output is boolean, so no extra information in the output. 🤦
To get the full response, you can use the checkResource method.
import { HTTP } from "@cerbos/http";
import fetch, {
  Headers,
  Request,
  Response,
} from 'node-fetch'

// Polyfill the Fetch API globals when the Node runtime does not provide them
if (!globalThis.fetch) {
  globalThis.fetch = fetch
  globalThis.Headers = Headers
  globalThis.Request = Request
  globalThis.Response = Response
}

const cerbos = new HTTP("http://localhost:3592");

// checkResource returns the full response rather than a boolean
let result = await cerbos.checkResource({
  principal: {
    id: "user@example.com",
    roles: ["USER"],
    attributes: { tier: "PREMIUM" },
  },
  resource: {
    kind: "document",
    id: "1",
    attributes: { owner: "user@example.com" },
  },
  actions: ["view"],
  includeMetadata: true,
});

console.log(JSON.stringify(result));
Joseph Harkins
08/28/2023, 10:50 PM
Dennis (Cerbos)
cerbos compile
Joseph Harkins
08/28/2023, 11:04 PM
Dennis (Cerbos)
cerbos compile not only validates policies but also runs available tests
Joseph Harkins
08/28/2023, 11:35 PM
Dennis (Cerbos)
"isMeetingHost": "true"
It should be a boolean instead of a string.
"isMeetingHost": true
Because in the global variables expression, you compare it with a boolean: P.attr.isMeetingHost == true
Joseph Harkins
08/29/2023, 5:40 PM
er":"cerbos.git.store","message":"Detected repository changes","dir":"/var/lib/cerbos/policies"}
er":"cerbos.git.store","message":"Index updated","dir":"/var/lib/cerbos/policies"}
server:
  httpListenAddr: ":3592"
storage:
  driver: "git"
  git:
    protocol: https
    url: https://github.com/notchmeetings/cerbos.git
    branch: main
    subDir: .
    checkoutDir: /var/lib/cerbos/policies
    updatePollInterval: 60s
    operationTimeout: 30s
    https:
      username: XXXXXXXXXXXXXXXXXXXXXXXX
      password: XXXXXXXXXXXXXXXXXXXXXXXX
audit:
  enabled: true
  accessLogsEnabled: true
  decisionLogsEnabled: true
  backend: file
  file:
    path: /var/lib/cerbos/audit.log
INFO cerbos.git.store Detected repository changes {"dir": "/var/lib/cerbos/policies"}
DEBUG cerbos.git.store Processing change {"dir": "/var/lib/cerbos/policies", "change": "<Action: Modify, Path: resource_policies/attendee.yaml>"}
DEBUG cerbos.git.store Not applying add/update {"dir": "/var/lib/cerbos/policies", "change": "<Action: Modify, Path: resource_policies/attendee.yaml>"}
INFO cerbos.git.store Index updated {"dir": "/var/lib/cerbos/policies"}
Andrew Haines (Cerbos)
subDir: . from your config
subDir is non-empty, and the path resource_policies/attendee.yaml does not start with the subDir value, the file is treated as living outside the policies directory and is therefore ignored. I suspect that for the initial clone subDir: foo and subDir: ./foo are interchangeable, but for the change detection the latter won't work.
Joseph Harkins
08/29/2023, 11:16 PM
Andrew Haines (Cerbos)
Joseph Harkins
09/13/2023, 3:40 PM