Ankit Khosla
09/24/2023, 8:20 AM
attr is empty. Should return DENY, right?
derived role
# yaml-language-server: $schema=https://api.cerbos.dev/latest/cerbos/policy/v1/Policy.schema.json
# docs: https://docs.cerbos.dev/cerbos/latest/policies/derived_roles
apiVersion: api.cerbos.dev/v1
derivedRoles:
  name: customer_roles
  definitions:
    - name: OWNER
      parentRoles: ["USER"]
      condition:
        match:
          expr: R.attr.owner.id == P.id
principal.json
{
  "id": "12312312",
  "roles": [
    "OWNER"
  ],
  "attr": {
    "storeDetails": {
      "id": "123",
      "tenantId": "1234"
    }
  }
}
resource.json
{
  "id": "13123123",
  "kind": "order",
  "attr": {}
}
resource policy:
- actions: ["order:read"]
  effect: EFFECT_ALLOW
  roles:
    - OWNER
  condition:
    match:
      expr: ("OWNER" in P.roles)
  name: order_owner_rule
oguzhan
- actions: ["order:read"]
  effect: EFFECT_ALLOW
  derivedRoles:
    - OWNER
  name: order_owner_rule
Then according to your derived role policy, the principal will have the derived role OWNER if:
1. the principal has role USER (because you've stated parentRoles: ["USER"] in the rule)
2. the principal id and the owner.id must be equal (because the rule has this expression: R.attr.owner.id == P.id)
In order for you to have ALLOW for the order:read, the principal should have the USER role to meet the first (1) condition above, and the resource should have owner.id set to 12312312 to meet the second (2) condition above.
So something like this:
principal.json (modified)
{
  "id": "12312312",
  "roles": [
    "USER"
  ],
  "attr": {
    "storeDetails": {
      "id": "123",
      "tenantId": "1234"
    }
  }
}
resource.json (modified)
{
  "id": "13123123",
  "kind": "order",
  "attr": {
    "owner": {
      "id": "12312312"
    }
  }
}
Ankit Khosla
09/24/2023, 1:40 PM
denied even for a valid owner id.
oguzhan
You could change the rule in the resource policy to something like this:
- actions: ["order:read"]
  effect: EFFECT_ALLOW
  derivedRoles:
    - OWNER
  name: order_owner_rule
Ankit Khosla
09/24/2023, 1:47 PM
Ankit Khosla
09/24/2023, 1:49 PM
Ankit Khosla
09/24/2023, 1:50 PM
USER role along with other derived roles inside roles: [] attribute of principal object.
{
  "id": "123123123123",
  "roles": [
    "OWNER",
    "USER"
  ],
  "attr": {
    "storeDetails": {
      "id": "123",
      "tenantId": "1234"
    }
  }
}
oguzhan
role: ["USER"] is needed, derivedRoles are deduced from the request context according to your derivedRole policy rules. It's not working for you this way?
Ankit Khosla
09/24/2023, 1:56 PM