Ankit Khosla
11/18/2023, 4:38 PM
`condition` is not working. It should only ALLOW when `tenantId` and `organizationId` match. But it's not working as expected. Any suggestions?
org_staff_roles.yaml
```yaml
# yaml-language-server: $schema=https://api.cerbos.dev/latest/cerbos/policy/v1/Policy.schema.json
# docs: https://docs.cerbos.dev/cerbos/latest/policies/derived_roles
apiVersion: api.cerbos.dev/v1
derivedRoles:
  name: org_staff_roles
  definitions:
    - name: MANAGER
      parentRoles:
        - admin
      condition:
        match:
          all:
            of:
              - expr: R.attr.tenantId == P.attr.tenantId
              - expr: R.attr.organizationId == P.attr.organizationId
    - name: READ_ONLY
      parentRoles:
        - user
      condition:
        match:
          all:
            of:
              - expr: R.attr.tenantId == P.attr.tenantId
              - expr: R.attr.organizationId == P.attr.organizationId
    - name: APPROVER
      parentRoles:
        - user
      condition:
        match:
          all:
            of:
              - expr: R.attr.tenantId == P.attr.tenantId
              - expr: R.attr.organizationId == P.attr.organizationId
```
resource-policy.yml
```yaml
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  resource: inventory
  version: default
  importDerivedRoles:
    - user_roles
    - admin_roles
    - org_staff_roles
  rules:
    - actions: ["*"]
      effect: EFFECT_ALLOW
      roles:
        - ORG_ADMIN
        - SUPER_ADMIN
      name: inventory_admin_rule
    - actions: ["create", "read", "update", "delete", "approve"]
      effect: EFFECT_ALLOW
      roles:
        - MANAGER
      name: inventory_manager_rule
    - actions: ["approve"]
      effect: EFFECT_ALLOW
      roles:
        - APPROVER
      name: inventory_creator_rule
    - actions: ["read"]
      effect: EFFECT_ALLOW
      roles:
        - CHECKER
      name: inventory_checker_rule
```
request body:
Should be DENY for all actions since `organizationId` does not match between resource and principal. But it's being ALLOWED.
```json
{
  "requestId": "123123",
  "principal": {
    "id": "123",
    "roles": ["MANAGER"],
    "attr": {
      "organizationId": "123",
      "tenantId": "1234"
    }
  },
  "resources": [
    {
      "resource": {
        "kind": "inventory",
        "id": "1234",
        "attr": {
          "organizationId": "123333",
          "tenantId": "1234"
        }
      },
      "actions": ["approve", "create", "delete", "read", "update"]
    }
  ]
}
```
Dennis (Cerbos)
```yaml
- actions: ["create", "read", "update", "delete", "approve"]
  effect: EFFECT_ALLOW
  roles:
    - MANAGER
```
The policy here does not refer to a derived role but to a "parent" role. Then, you pass this `MANAGER` role in the request, so you get the `EFFECT_ALLOW`.
If you want to refer to a derived role `MANAGER` you need to make two changes:
1. In the policy, use `derivedRoles` field instead of `roles`.
2. In the request pass a parent role. I reckon it is `admin`. Derived roles will be calculated by Cerbos.

Ankit Khosla
11/22/2023, 10:21 AM
`derivedRoles`. It should be either `user` or `admin`, right?

Gregory O'Grady
11/22/2023, 7:30 PM
`derivedRoles` are derived within cerbos based on the information in the request, and should not be explicitly set in the request itself

Ankit Khosla
11/23/2023, 3:44 AM
`MANAGER` and `REVIEWER` roles accordingly. And check whether they are authorised for certain actions based on those roles.
How can I achieve this, if we cannot provide derived roles in request body?
cc: @Dennis (Cerbos)

Dennis (Cerbos)
`MANAGER` is assigned according to the following condition:
```yaml
apiVersion: api.cerbos.dev/v1
derivedRoles:
  name: org_staff_roles
  definitions:
    - name: MANAGER
      parentRoles:
        - admin
      condition:
        match:
          all:
            of:
              - expr: R.attr.tenantId == P.attr.tenantId
              - expr: R.attr.organizationId == P.attr.organizationId
```
As long as you pass an `admin` role in the request and all the conditions regarding `tenantId` and `organizationId` are met, the derived role is assigned automatically.

Dennis (Cerbos)
```yaml
- actions:
    - create
    - read
    - update
    - delete
    - approve
  effect: EFFECT_ALLOW
  derivedRoles:
    - MANAGER
  name: inventory_manager_rule
- actions:
    - create
    - read
    - update
    - delete
    - approve
  effect: EFFECT_ALLOW
  roles:
    - admin
  condition:
    match:
      all:
        of:
          - expr: R.attr.tenantId == P.attr.tenantId
          - expr: R.attr.organizationId == P.attr.organizationId
  name: inventory_manager_rule_NO_DERIVED_ROLES
```
I presume your application defines an admin role.

Ankit Khosla
11/23/2023, 10:39 AM
`admin` to request body when user is assigned `MANAGER` or `SUPER_ADMIN` roles. Else, `user` role if none of them are assigned.

Dennis (Cerbos)
`admin` or a `user` role in the request. If it also sets `includeMeta` flag, the response metadata will contain effective derived roles.

Ankit Khosla
11/24/2023, 5:16 AM
```
# tier.run/refs
../../../../../pkg/mod/tier.run@v0.12.0/refs/refs.go:286:22: type func(a FeaturePlan, b FeaturePlan) bool of func(a, b FeaturePlan) bool {…} does not match inferred type func(a FeaturePlan, b FeaturePlan) int for func(a E, b E) int
```
I've tried to downgrade the versions. But, still the same error. There could be some incompatibility between package versions, any idea which internal package in `cerbos-sdk-go` would be causing this issue? 😅

Charith (Cerbos)

Ankit Khosla
11/24/2023, 8:49 AM

Charith (Cerbos)

Ankit Khosla
11/24/2023, 8:52 AM

Charith (Cerbos)

Ankit Khosla
11/24/2023, 8:57 AM
before and after `cerbos-sdk-go` is added. Will that be helpful?

Charith (Cerbos)

Charith (Cerbos)

Ankit Khosla
11/24/2023, 9:21 AM

Charith (Cerbos)

Charith (Cerbos)

Ankit Khosla
11/24/2023, 9:22 AM
1.21

Ankit Khosla
11/24/2023, 9:22 AM

Charith (Cerbos)
```
# tier.run/refs
../../../go/pkg/mod/tier.run@v0.12.0/refs/refs.go:286:22: type func(a FeaturePlan, b FeaturePlan) bool of func(a, b FeaturePlan) bool {…} does not match inferred type func(a FeaturePlan, b FeaturePlan) int for func(a E, b E) int
```
This is all I have in my Go file.
```go
package main

import (
	"context"
	"fmt"
	"log"

	"tier.run/client/tier"
)

func main() {
	// Build the tier client from the TIER_* environment variables.
	t, err := tier.FromEnv()
	errExit(err)
	// Ask whether org "org:foo" is entitled to feature "feature:bar".
	can := t.Can(context.Background(), "org:foo", "feature:bar")
	fmt.Println(can)
}

func errExit(err error) {
	if err != nil {
		// Fatalf (not Fatal) so the %v verb is actually formatted.
		log.Fatalf("Error: %v", err)
	}
}
```

Ankit Khosla
11/24/2023, 9:24 AM
`cerbos` yet?

Charith (Cerbos)

Ankit Khosla
11/24/2023, 9:24 AM

Charith (Cerbos)
`slices` package which is now in the standard library and has a different signature for the function they are using. So, the error message kind of makes sense. What I don't understand is why Go is mixing those two packages up at runtime. I do have a hunch that it's related to the linker search path.

Ankit Khosla
11/24/2023, 9:57 AM

Ankit Khosla
11/24/2023, 9:58 AM

Charith (Cerbos)

Ankit Khosla
11/24/2023, 10:01 AM

Charith (Cerbos)
```shell
go get -u tier.run/client/tier@main
```

Ankit Khosla
11/24/2023, 1:51 PM
`go get` from the `main` branch, haha!

Ankit Khosla
11/24/2023, 4:05 PM
`cerbos` container through golang sdk using docker-compose?
value of `CERBOS_URL` env variable is the container name provided in `docker-compose.yml`
main.go
```go
path := os.Getenv("CERBOS_URL")
c, err := cerbos.New(path)
if err != nil {
	log.Fatalf("Failed to create client: %v", err)
}
allowed, err := c.IsAllowed(
	context.TODO(),
	cerbos.NewPrincipal("sally").WithRoles("user"),
	cerbos.NewResource("album:object", "A001"),
	"view",
)
log.Println(">>>>allowed>>>", allowed)
if err != nil {
	log.Fatalf("Failed to check permission: %v", err)
}
```
cerbos.yaml
```yaml
---
server:
  adminAPI:
    enabled: false
  httpListenAddr: ":3592"
engine:
  defaultPolicyVersion: "default"
auxData:
  jwt:
    disableVerification: true
schema:
  cacheSize: 1024
  enforcement: reject
storage:
  driver: disk
  disk:
    directory: /data/policies
    watchForChanges: true
```
Getting the below error:
```
Failed to check permission: request failed: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing: dial tcp: address gatekeeper: mis
```

Charith (Cerbos)
`cerbos:3593` if your container is named `cerbos`. Looks like you've called it `gatekeeper`? If so the address would be `gatekeeper:3593`.

Ankit Khosla
11/24/2023, 6:04 PM

Charith (Cerbos)

Ankit Khosla
11/25/2023, 3:26 AM
http://gatekeeper:3592 but still received an error.
```yaml
version: "3.7"
services:
  gatekeeper:
    container_name: gatekeeper
    image: ghcr.io/cerbos/cerbos:latest
    volumes:
      - ./gatekeeper:/data
    restart: unless-stopped
    ports:
      - 3592:3592
  sample-app:
    container_name: sample-app
    image: some-image
    ports:
      - 3000:3000
    env_file: .env
    restart: unless-stopped
    environment:
      - GATEKEEPER_URL=gatekeeper:3592
```

Charith (Cerbos)
Ankit Khosla
11/30/2023, 12:52 PM
```
2023/11/30 20:51:34 Failed to check permission: request failed: rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: tls: first record does not look like a TLS handshake"
```
I've disabled TLS check, what could be the issue? Following the client code:
```go
c, err := cerbos.New("localhost:3593", cerbos.WithTLSInsecure())
if err != nil {
	log.Fatalf("Failed to create client: %v", err)
}
allowed, err := c.IsAllowed(
	context.TODO(),
	cerbos.NewPrincipal("sally").WithRoles("user"),
	cerbos.NewResource("album:object", "A001"),
	"view",
)
log.Println(">>>>allowed>>>", allowed)
if err != nil {
	log.Fatalf("Failed to check permission: %v", err)
}
```

Charith (Cerbos)
`cerbos.WithPlaintext()` option

Ankit Khosla
12/21/2023, 8:48 AM
`false` instead should be `true`
The same policy is working as expected in golang playground.
middleware.go
```go
c, err := cerbos.New("localhost:3593", cerbos.WithPlaintext())
if err != nil {
	log.Fatalf("Failed to create client: %v", err)
}
roles := []string{"INVENTORY_VIEW_ONLY"}
principal := cerbos.NewPrincipal("1234").WithRoles(roles...).WithAttr("organizationId", "123").WithAttr("tenantId", "123")
resource := cerbos.NewResource("inventory", "A001").WithAttr("organizationId", "123").WithAttr("tenantId", "123")
allowed, err := c.IsAllowed(
	ctx.Request().Context(),
	principal,
	resource,
	"VIEW",
)
log.Println(">>>>>allowed>>>>>", allowed)
```
resource policy
```yaml
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  resource: inventory
  version: default
  importDerivedRoles:
    - admin_roles
    - org_inventory_staff_roles
  rules:
    # - actions: ["CREATE","VIEW","UPDATE","DELETE","APPROVE"]
    #   effect: EFFECT_ALLOW
    #   derivedRoles:
    #     - INVENTORY_MANAGER
    #   name: inventory_manager_rule
    - actions: ["VIEW"]
      effect: EFFECT_ALLOW
      roles:
        - INVENTORY_VIEW_ONLY
      name: inventory_view_only_rule
      condition:
        match:
          all:
            of:
              - expr: R.attr.tenantId == P.attr.tenantId
              - expr: R.attr.organizationId == P.attr.organizationId
              - expr: R.kind == "inventory"
    - actions: ["VIEW", "APPROVE"]
      effect: EFFECT_ALLOW
      roles:
        - INVENTORY_APPROVE_ONLY
      name: inventory_approve_only_rule
      condition:
        match:
          all:
            of:
              - expr: R.attr.tenantId == P.attr.tenantId
              - expr: R.attr.organizationId == P.attr.organizationId
              - expr: R.kind == "inventory"
```

oguzhan
`default` and gave a try?

Ankit Khosla
12/21/2023, 8:58 AM
`default` is being provided.
```yaml
---
server:
  adminAPI:
    enabled: true
  httpListenAddr: ":3592"
  grpcListenAddr: ":3593"
engine:
  defaultPolicyVersion: "default"
auxData:
  jwt:
    disableVerification: true
schema:
  cacheSize: 1024
  enforcement: warn
metricsEnabled: true
storage:
  driver: disk
  disk:
    directory: /data/policies
    watchForChanges: true
```

oguzhan
`default` in the SDK part, sorry for the confusion (😬).
You could change this:
```go
resource := cerbos.NewResource("inventory", "A001").
	WithAttr("organizationId", "123").
	WithAttr("tenantId", "123")
```
to this:
```go
resource := cerbos.NewResource("inventory", "A001").
	WithPolicyVersion("default").
	WithAttr("organizationId", "123").
	WithAttr("tenantId", "123")
```

Ankit Khosla
12/21/2023, 1:21 PM
`allowed` is `false`. I don't think the issue is related to version, since it's already provided in the `cerbos.yaml` file.

oguzhan
```go
allowed, err := c.IsAllowed(
	ctx.Request().Context(),
	principal,
	resource,
	"VIEW",
)
```
I think this call returns an error. Since the `err` is ignored and the zero value for the boolean is false, you see the `false` output in the stdout.