Hi Team, how to create resource policy using golang sdk?

Hi, you can use

func (c *GRPCAdminClient) AddOrUpdatePolicy(ctx context.Context, policies *PolicySet) error

method. https://pkg.go.dev/github.com/cerbos/cerbos-sdk-go/cerbos#GRPCAdminClient.AddOrUpdatePolicy

Thank you @Dennis (Cerbos)

The pod can check if the policy is already registered first. I assume you can’t use a disk/git storage because you have other dynamic policies.

we use mysql @Dennis (Cerbos)

Did you try to use GetPolicy to check if the policy is registered?

for external services registration can we use yaml file? is there anything available?

Can you please provide more details about this scenario? I am not sure what you mean by external services registration.

we have designed a IAM application for our internal purposes. in that we use cerbos for authorization. we are using the resource policy.in this resource policy the resource will be the full method name of the rpcs we have in our grpc application and we use roles and permissions or actions. this policies we need to register. we want this to be registered somehow. we use mysql db for our cerbos. am confused with adding it using yaml. is that possible. @Dennis (Cerbos)

I see. You need to add these policies to the mysql db. You said that when the pod restarts it tries to register the policy again. Can you please describe why this is a problem?

so it means if new policy added then no problem even if pod restart it will update already exist policy only so no problem right?

Correct. The API updates the policy if the policy ID remains the same.

this is yaml i use

- resourceName: "ActionService-Action-ListActions"
    actions:
      - "org_mgmt"
      - "role_mgmt"
      - "user_mgmt"

this is how i read it

func readConfig(config *domain.Policies) error {
	fileLocation := os.Getenv("RESOURCE_POLICY_FILE_LOCATION")
	if fileLocation == "" {
		fileLocation = "/etc/policy/resourcepolicy.yaml"
	}
	if _, err := os.Stat(fileLocation); os.IsNotExist(err) {
		return fmt.Errorf("config file %s does not exist", fileLocation)
	}
	file, err := os.Open(fileLocation)
	if err != nil {
		return fmt.Errorf("error opening config file %s: %v", fileLocation, err)
	}
	defer file.Close()
	decoder := yaml.NewDecoder(file)
	if err := decoder.Decode(config); err != nil {
		return fmt.Errorf("error decoding config file %s: %v", fileLocation, err)
	}
	fmt.Println(config.Policies)
	return nil
}

this is how i add policy,

func (c *Client) AddOrUpdateCerbosResourcePolicy(resourceName string, actions []string) error {
	<http://c.log.Info|c.log.Info>("AddOrUpdateCerbosResourcePolicy invoked")
	defer <http://c.log.Info|c.log.Info>("AddOrUpdateCerbosResourcePolicy exited")
	policy := client.NewResourcePolicy(resourceName, "default").
		AddResourceRules(
			client.NewAllowResourceRule("*"). 
								WithRoles(actions...),
		)
	if err := c.CerbosAdminClient.AddOrUpdatePolicy(context.Background(), cerbosclient.NewPolicySet().AddResourcePolicies(policy)); err != nil {
		return fmt.Errorf("error occured while add or update policy - Error %s", err.Error())
	}
	return nil
}

register

func (c *Client) RegisterIAMResourcePolicies() error {
	<http://c.log.Info|c.log.Info>("RegisterIAMResourcePolicies invoked")
	defer <http://c.log.Info|c.log.Info>("RegisterIAMResourcePolicies exited")
	var policies domain.Policies
	if err := readConfig(&policies); err != nil {
		return fmt.Errorf("error reading config: %v", err)
	}
	for _, policy := range policies.Policies {
		if err := c.AddOrUpdateCerbosResourcePolicy(policy.ResourceName, policy.Actions); err != nil {
			return fmt.Errorf("error registering policy for resource %s: %v", policy.ResourceName, err)
		}
	}
	return nil
}

if remove some policy how can i handle it, like disabling it? @Dennis (Cerbos)

You need to know the ID of a policy to disable it. Keeping track of policies one needs to disable is a bit tedious. I’ll double-check if you could use an “overlay” storage. It would be great if these policies could be read from disk storage and others from mysql. Edit: Overlay storage can’t help here.

The ID of a policy is determined by its kind (principal, resource, derived roles), name (e.g. resource name), version and scope. If you add a resource policy with the same kind, name, version and scope using the

AddOrUpdatePolicy

Admin API endpoint, it would overwrite the existing policy. This also means that if you keep adding the same policy definition over and over again, it's effectively idempotent.

am disable policy like this

func Disable() {
	ids := []string{"resource.GreetingsService_SayHello.vdefault",
		"resource.Org_GetOrgByName.vdefault",
		"resource.movie.vdefault",
		"resource.movie_dghgsd_sd.vdefault",
		"resource.movie_object.vdefault",
	}
	_, err := admcli.DisablePolicy(context.Background(), ids...)
	if err != nil {
		fmt.Printf("error disabling policy: %v", err)
	}
}

but getting this error error disabling policy: could not disable policy: rpc error: code = Unimplemented desc = Admin service is disabled by the configuration

Admin API needs to be enabled in the cerbos configuration.

server:
  adminAPI:
    enabled: true
    adminCredentials: # OPTIONAL
      passwordHash: JDJ5JDEwJEdEOVFzZDE2VVhoVkR0N2VkUFBVM09nalc0QnNZaC9xc2E4bS9mcUJJcEZXenp5OUpjMi91Cgo= # PasswordHash is the base64-encoded bcrypt hash of the password to use for authentication.
      username: cerbos # Username is the hardcoded username to use for authentication.

See Full Configuration page for more details.

@oguzhan

server:
  httpListenAddr: ":3592"
  grpcListenAddr: ":3593"
  #grpcListenAddr: "unix:/tmp/sock/cerbos.grpc"
  #httpListenAddr: "unix:/tmp/sock/cerbos.http"
  #udsFileMode: 0o766
  adminAPI:
    adminCredentials:
      passwordHash: JDJ5JDEwJGJWcFRKUzJKRzYxOTJERWs5SzZaS2VSb2Z1cXNSeTYzam9NR1U5UkVKM3BtZ1VLQUVuM0xlCgo= # echo "randomHash" | htpasswd -niBC 10 cerbos | cut -d ':' -f 2 | base64
      username: cerbos
    enabled: true

already its enabled only

My hunch is that Cerbos is using the default configuration and not reading your configuration file. You can verify this by looking at the logs when Cerbos starts. It'll print out which configuration file it's reading.

@Charith (Cerbos)

cerbos:
        container_name: cerbos
        image: <http://ghcr.io/cerbos/cerbos:latest|ghcr.io/cerbos/cerbos:latest>
        restart: always
        command: ['server', '--config=/config/conf.yaml', '--log-level=warn']
        volumes:
            - ./config:/config
        depends_on:
            - database
        ports:
            - 3592:3592
            - 3593:3593
        networks:
            - intranet

created a folder named config , inside it created a file named conf.yaml

Hmm... very strange. What's the version of Cerbos you're on?

cerbos:0.24.0

That's quite an old version. Could you try with the latest (0.30.0) please.

for adding policy also i used admin api,it worked

func AddResourcePolicy() {
	policy := client.NewResourcePolicy("ActionService-Action-CreateAction", "default").
		AddResourceRules(
			client.NewAllowResourceRule("org_mgmt", "role_mgmt", "user_mgmt").
				WithRoles("a"),
		)
	if err := admcli.AddOrUpdatePolicy(context.Background(), client.NewPolicySet().AddResourcePolicies(policy)); err != nil {
		fmt.Printf("error occured while add or update policy - Error %s", err.Error())
		return
	}
}

only while disable it showed me error

I think it is because 0.24.0 doesn’t have the

DisablePolicy

.

Indeed!

package main

import (
	"context"
	"fmt"
	"log"

	"<http://github.com/cerbos/cerbos/client|github.com/cerbos/cerbos/client>"
)

const (
	username = "cerbos"
	password = "randomHash"
)

var admcli client.AdminClient
var cli client.Client
var err error

const cerbosAddress = "localhost:3592"

func main() {
	admcli, err = client.NewAdminClientWithCredentials(cerbosAddress, username, password, client.WithPlaintext())
	if err != nil {
		log.Fatalf("Failed to create Cerbos client: %v", err)
	}
	cli, err = client.New(cerbosAddress, client.WithPlaintext())
	if err != nil {
		log.Fatalf("Failed to create Cerbos client: %v", err)
	}
	AddResourcePolicy()
	IsPrincipalAllowed()
	ListPoliciesAndDisable()
	IsPrincipalAllowed()
}

func AddResourcePolicy() {
	policy := client.NewResourcePolicy("ActionService-Action-CreateAction", "default").
		AddResourceRules(
			client.NewAllowResourceRule("org_mgmt", "role_mgmt", "user_mgmt").
				WithRoles("a"),
		)
	if err := admcli.AddOrUpdatePolicy(context.Background(), client.NewPolicySet().AddResourcePolicies(policy)); err != nil {
		fmt.Printf("error occured while add or update policy - Error %s", err.Error())
		return
	}
}

func IsPrincipalAllowed() {
	actions := []string{"org_mgmt", "role_mgmt", "user_mgmt"}
	principal := client.NewPrincipal("useremail", "a")
	resource := client.NewResource("ActionService-Action-CreateAction", "useremail")
	allowed := false
	for _, action := range actions {
		allowed, err = cli.IsAllowed(context.Background(), principal, resource, action)
		if err != nil {
			fmt.Printf("error checking permissions: %v", err)
		}
		if allowed {
			allowed = true
			break
		}
	}
	if allowed {
		fmt.Println("The principal is allowed to perform the action on the resource.")
	} else {
		fmt.Println("The principal is not allowed to perform the action on the resource.")
	}
}

func ListPoliciesAndDisable() {
	list, err := admcli.ListPolicies(context.Background())
	if err != nil {
		fmt.Printf("error getting lists: %v", err)
	}
	for _, v := range list {
		fmt.Printf("disabling %s policy \n", v)
		Disable(v)
	}
}

func ListSceme() {
	list, err := admcli.ListSchemas(context.Background())
	if err != nil {
		fmt.Printf("error getting lists: %v", err)
	}
	for _, v := range list {
		fmt.Printf(" %s \n", v)

	}

}

func Disable(id string) {
	ids := []string{"ActionService-Action-CreateAction"}
	_, err := admcli.DisablePolicy(context.Background(), ids...)
	if err != nil {
		fmt.Printf("error disabling policy: %v", err)
	}
}

go run . The principal is allowed to perform the action on the resource. disabling resource.ActionService_Action_CreateAction.vdefault policy The principal is allowed to perform the action on the resource. @Charith (Cerbos) @oguzhan even after disable the policy it shows allowed to me

_, err := admcli.DisablePolicy(context.Background(), ids...)
if err != nil {
    fmt.Printf("error disabling policy: %v", err)
}

ID for the policy you want to disable looks wrong. I think you might not be disabling the policy at all. DisablePolicy returns a response struct where you can observe how many policies are disabled.

The IDs are hardcoded in your

Disable

function

🙌 working fine💃 Thank you so much for your tremendous help! @Charith (Cerbos) @oguzhan @Dennis (Cerbos)