ANILA SOMAN
09/21/2023, 4:36 AMDennis (Cerbos)
func (c *GRPCAdminClient) AddOrUpdatePolicy(ctx context.Context, policies *PolicySet) error
method.
https://pkg.go.dev/github.com/cerbos/cerbos-sdk-go/cerbos#GRPCAdminClient.AddOrUpdatePolicyDennis (Cerbos)
ANILA SOMAN
09/21/2023, 4:51 AMANILA SOMAN
09/21/2023, 4:51 AMANILA SOMAN
09/21/2023, 4:51 AMDennis (Cerbos)
Dennis (Cerbos)
ANILA SOMAN
09/21/2023, 5:04 AMDennis (Cerbos)
Dennis (Cerbos)
ListPolicies
and had a question about policy IDs. Did you have any luck with that?ANILA SOMAN
09/21/2023, 5:37 AMDennis (Cerbos)
ANILA SOMAN
09/21/2023, 5:49 AMDennis (Cerbos)
Dennis (Cerbos)
ANILA SOMAN
09/21/2023, 6:05 AMDennis (Cerbos)
Dennis (Cerbos)
ANILA SOMAN
09/21/2023, 7:45 AM- resourceName: "ActionService-Action-ListActions"
actions:
- "org_mgmt"
- "role_mgmt"
- "user_mgmt"
this is how i read it
func readConfig(config *domain.Policies) error {
fileLocation := os.Getenv("RESOURCE_POLICY_FILE_LOCATION")
if fileLocation == "" {
fileLocation = "/etc/policy/resourcepolicy.yaml"
}
if _, err := os.Stat(fileLocation); os.IsNotExist(err) {
return fmt.Errorf("config file %s does not exist", fileLocation)
}
file, err := os.Open(fileLocation)
if err != nil {
return fmt.Errorf("error opening config file %s: %v", fileLocation, err)
}
defer file.Close()
decoder := yaml.NewDecoder(file)
if err := decoder.Decode(config); err != nil {
return fmt.Errorf("error decoding config file %s: %v", fileLocation, err)
}
fmt.Println(config.Policies)
return nil
}
this is how i add policy,
func (c *Client) AddOrUpdateCerbosResourcePolicy(resourceName string, actions []string) error {
<http://c.log.Info|c.log.Info>("AddOrUpdateCerbosResourcePolicy invoked")
defer <http://c.log.Info|c.log.Info>("AddOrUpdateCerbosResourcePolicy exited")
policy := client.NewResourcePolicy(resourceName, "default").
AddResourceRules(
client.NewAllowResourceRule("*").
WithRoles(actions...),
)
if err := c.CerbosAdminClient.AddOrUpdatePolicy(context.Background(), cerbosclient.NewPolicySet().AddResourcePolicies(policy)); err != nil {
return fmt.Errorf("error occured while add or update policy - Error %s", err.Error())
}
return nil
}
register
func (c *Client) RegisterIAMResourcePolicies() error {
<http://c.log.Info|c.log.Info>("RegisterIAMResourcePolicies invoked")
defer <http://c.log.Info|c.log.Info>("RegisterIAMResourcePolicies exited")
var policies domain.Policies
if err := readConfig(&policies); err != nil {
return fmt.Errorf("error reading config: %v", err)
}
for _, policy := range policies.Policies {
if err := c.AddOrUpdateCerbosResourcePolicy(policy.ResourceName, policy.Actions); err != nil {
return fmt.Errorf("error registering policy for resource %s: %v", policy.ResourceName, err)
}
}
return nil
}
if remove some policy how can i handle it, like disabling it?
@Dennis (Cerbos)ANILA SOMAN
09/21/2023, 7:45 AMpackage domain
type CerbosResourcePolicy struct {
ResourceName string `yaml:"resourceName"`
Actions []string `yaml:"actions"`
}
type Policies struct {
Policies []CerbosResourcePolicy `yaml:"policies"`
}
Dennis (Cerbos)
Charith (Cerbos)
AddOrUpdatePolicy
Admin API endpoint, it would overwrite the existing policy. This also means that if you keep adding the same policy definition over and over again, it's effectively idempotent.Charith (Cerbos)
ListPolicies
the items will look like resource.invoice.vdefault/foo.bar
. So, if you know the kind, name, version and scope of a policy already, you can construct the ID with something like:
fmt.Sprintf("%s.%s.v%s/%s", kind, name, version, scope)
Scope is optional. So if you don't use any scoped policies the ID would simply be:
fmt.Sprintf("%s.%s.v%s", kind, name, version)
ANILA SOMAN
09/21/2023, 8:50 AMfunc Disable() {
ids := []string{"resource.GreetingsService_SayHello.vdefault",
"resource.Org_GetOrgByName.vdefault",
"resource.movie.vdefault",
"resource.movie_dghgsd_sd.vdefault",
"resource.movie_object.vdefault",
}
_, err := admcli.DisablePolicy(context.Background(), ids...)
if err != nil {
fmt.Printf("error disabling policy: %v", err)
}
}
but getting this error
error disabling policy: could not disable policy: rpc error: code = Unimplemented desc = Admin service is disabled by the configurationANILA SOMAN
09/21/2023, 8:50 AMfunc ListPolicies() {
list, err := admcli.ListPolicies(context.Background())
if err != nil {
fmt.Printf("error getting lists: %v", err)
}
for _, v := range list {
fmt.Printf(" %s \n", v)
}
}
oguzhan
server:
adminAPI:
enabled: true
adminCredentials: # OPTIONAL
passwordHash: JDJ5JDEwJEdEOVFzZDE2VVhoVkR0N2VkUFBVM09nalc0QnNZaC9xc2E4bS9mcUJJcEZXenp5OUpjMi91Cgo= # PasswordHash is the base64-encoded bcrypt hash of the password to use for authentication.
username: cerbos # Username is the hardcoded username to use for authentication.
See Full Configuration page for more details.ANILA SOMAN
09/21/2023, 8:55 AMserver:
httpListenAddr: ":3592"
grpcListenAddr: ":3593"
#grpcListenAddr: "unix:/tmp/sock/cerbos.grpc"
#httpListenAddr: "unix:/tmp/sock/cerbos.http"
#udsFileMode: 0o766
adminAPI:
adminCredentials:
passwordHash: JDJ5JDEwJGJWcFRKUzJKRzYxOTJERWs5SzZaS2VSb2Z1cXNSeTYzam9NR1U5UkVKM3BtZ1VLQUVuM0xlCgo= # echo "randomHash" | htpasswd -niBC 10 cerbos | cut -d ':' -f 2 | base64
username: cerbos
enabled: true
already its enabled onlyCharith (Cerbos)
ANILA SOMAN
09/21/2023, 9:03 AMcerbos:
container_name: cerbos
image: <http://ghcr.io/cerbos/cerbos:latest|ghcr.io/cerbos/cerbos:latest>
restart: always
command: ['server', '--config=/config/conf.yaml', '--log-level=warn']
volumes:
- ./config:/config
depends_on:
- database
ports:
- 3592:3592
- 3593:3593
networks:
- intranet
created a folder named config , inside it created a file named conf.yamlANILA SOMAN
09/21/2023, 9:07 AM2023-09-21 14:36:26 {"log.level":"info","@timestamp":"2023-09-21T09:06:26.488Z","log.logger":"cerbos.server","message":"maxprocs: Leaving GOMAXPROCS=4: CPU quota undefined"}
2023-09-21 14:36:26 {"log.level":"info","@timestamp":"2023-09-21T09:06:26.489Z","log.logger":"cerbos.server","message":"Loading configuration from /config/conf.yaml"}
2023-09-21 14:36:26 {"log.level":"info","@timestamp":"2023-09-21T09:06:26.500Z","log.logger":"cerbos.auditlog","message":"Initializing audit log","backend":"local","path":"/auditlogs"}
2023-09-21 14:36:26 {"log.level":"info","@timestamp":"2023-09-21T09:06:26.525Z","log.logger":"cerbos.mysql","message":"Initializing MySQL storage"}
2023-09-21 14:36:28 {"log.level":"info","@timestamp":"2023-09-21T09:06:28.194Z","log.logger":"cerbos.telemetry","message":"Anonymous telemetry enabled. Disable via the config file or by setting the CERBOS_NO_TELEMETRY=1 environment variable"}
2023-09-21 14:36:28 {"log.level":"info","@timestamp":"2023-09-21T09:06:28.195Z","log.logger":"cerbos.grpc","message":"Starting admin service"}
2023-09-21 14:36:28 {"log.level":"info","@timestamp":"2023-09-21T09:06:28.196Z","log.logger":"cerbos.grpc","message":"Starting gRPC server at :3593"}
2023-09-21 14:36:28 {"log.level":"info","@timestamp":"2023-09-21T09:06:28.196Z","log.logger":"cerbos.http","message":"Starting HTTP server at :3592"}
ANILA SOMAN
09/21/2023, 9:09 AM{
"log.level": "error",
"@timestamp": "2023-09-21T09:08:44.831Z",
"log.logger": "cerbos.grpc",
"message": "Handled request",
"grpc.start_time": "2023-09-21T09:08:44Z",
"grpc.request.deadline": "2023-09-21T09:08:46Z",
"system": "grpc",
"span.kind": "server",
"grpc.service": "cerbos.svc.v1.CerbosAdminService",
"grpc.method": "DisablePolicy",
"peer.address": "172.24.0.1:59122",
"error": "rpc error: code = Unimplemented desc = Admin service is disabled by the configuration",
"grpc.code": "Unimplemented",
"grpc.time_ms": 0.194
}
Charith (Cerbos)
Charith (Cerbos)
ANILA SOMAN
09/21/2023, 9:12 AMCharith (Cerbos)
ANILA SOMAN
09/21/2023, 9:14 AMfunc AddResourcePolicy() {
policy := client.NewResourcePolicy("ActionService-Action-CreateAction", "default").
AddResourceRules(
client.NewAllowResourceRule("org_mgmt", "role_mgmt", "user_mgmt").
WithRoles("a"),
)
if err := admcli.AddOrUpdatePolicy(context.Background(), client.NewPolicySet().AddResourcePolicies(policy)); err != nil {
fmt.Printf("error occured while add or update policy - Error %s", err.Error())
return
}
}
only while disable it showed me erroroguzhan
DisablePolicy
.Charith (Cerbos)
Charith (Cerbos)
<http://ghcr.io/cerbos/cerbos:0.30.0|ghcr.io/cerbos/cerbos:0.30.0>
as I suggested above.ANILA SOMAN
09/21/2023, 9:39 AMpackage main
import (
"context"
"fmt"
"log"
"<http://github.com/cerbos/cerbos/client|github.com/cerbos/cerbos/client>"
)
const (
username = "cerbos"
password = "randomHash"
)
var admcli client.AdminClient
var cli client.Client
var err error
const cerbosAddress = "localhost:3592"
func main() {
admcli, err = client.NewAdminClientWithCredentials(cerbosAddress, username, password, client.WithPlaintext())
if err != nil {
log.Fatalf("Failed to create Cerbos client: %v", err)
}
cli, err = client.New(cerbosAddress, client.WithPlaintext())
if err != nil {
log.Fatalf("Failed to create Cerbos client: %v", err)
}
AddResourcePolicy()
IsPrincipalAllowed()
ListPoliciesAndDisable()
IsPrincipalAllowed()
}
func AddResourcePolicy() {
policy := client.NewResourcePolicy("ActionService-Action-CreateAction", "default").
AddResourceRules(
client.NewAllowResourceRule("org_mgmt", "role_mgmt", "user_mgmt").
WithRoles("a"),
)
if err := admcli.AddOrUpdatePolicy(context.Background(), client.NewPolicySet().AddResourcePolicies(policy)); err != nil {
fmt.Printf("error occured while add or update policy - Error %s", err.Error())
return
}
}
func IsPrincipalAllowed() {
actions := []string{"org_mgmt", "role_mgmt", "user_mgmt"}
principal := client.NewPrincipal("useremail", "a")
resource := client.NewResource("ActionService-Action-CreateAction", "useremail")
allowed := false
for _, action := range actions {
allowed, err = cli.IsAllowed(context.Background(), principal, resource, action)
if err != nil {
fmt.Printf("error checking permissions: %v", err)
}
if allowed {
allowed = true
break
}
}
if allowed {
fmt.Println("The principal is allowed to perform the action on the resource.")
} else {
fmt.Println("The principal is not allowed to perform the action on the resource.")
}
}
func ListPoliciesAndDisable() {
list, err := admcli.ListPolicies(context.Background())
if err != nil {
fmt.Printf("error getting lists: %v", err)
}
for _, v := range list {
fmt.Printf("disabling %s policy \n", v)
Disable(v)
}
}
func ListSceme() {
list, err := admcli.ListSchemas(context.Background())
if err != nil {
fmt.Printf("error getting lists: %v", err)
}
for _, v := range list {
fmt.Printf(" %s \n", v)
}
}
func Disable(id string) {
ids := []string{"ActionService-Action-CreateAction"}
_, err := admcli.DisablePolicy(context.Background(), ids...)
if err != nil {
fmt.Printf("error disabling policy: %v", err)
}
}
go run .
The principal is allowed to perform the action on the resource.
disabling resource.ActionService_Action_CreateAction.vdefault policy
The principal is allowed to perform the action on the resource.
@Charith (Cerbos) @oguzhan
even after disable the policy it shows allowed to meANILA SOMAN
09/21/2023, 9:40 AMoguzhan
_, err := admcli.DisablePolicy(context.Background(), ids...)
if err != nil {
fmt.Printf("error disabling policy: %v", err)
}
ID for the policy you want to disable looks wrong. I think you might not be disabling the policy at all. DisablePolicy returns a response struct where you can observe how many policies are disabled.Charith (Cerbos)
Disable
functionANILA SOMAN
09/21/2023, 9:53 AM