Lindsay Cade
03/19/2024, 7:24 PM
get_query method. I have posted an issue here: https://github.com/cerbos/query-plan-adapters/issues/69
I would love any help or advice! Thanks!
Dennis (Cerbos)
p in this snippet:
plan_resource = PlanResourcesInput.Resource(kind="org")
plan = c.plan_resources("org.read", p, plan_resource)
query = get_query(plan, models.Org, {"request.resource.id": models.Org._id})
Dennis (Cerbos)
{
  "id": "user_764c63",
  "roles": [
    "user"
  ],
  "attr": {
    "orgs": {
      "org_dd60a6": {
        "role": "owner"
      }
    }
  }
}
Lindsay Cade
03/19/2024, 9:14 PM
Dennis (Cerbos)
query = get_query(plan, models.Org, {"request.resource.id": models.Org._id})
doesn’t look right to me.
The last argument takes known resource attributes, if any. If the resource ID is known, you can get the resource by ID from the database; the query plan isn’t needed.
Lindsay Cade
03/19/2024, 9:23 PM
get_query is supposed to be a mapping between the policy parameters and the mapping to the database. This query is supposed to return a list of orgs the principal is allowed to org.read. You can see a similar example in the cerbos sqlalchemy example project: https://github.com/cerbos/python-sqlalchemy-cerbos/blob/6161da479d031e8bdcd2d7cf4fc6fac7fc991e97/main.py#L90-L99
Dennis (Cerbos)
get_query takes four arguments. Attributes map is the 3rd argument, and mapping to the DB is the 4th argument.
Dennis (Cerbos)
{} instead of {"request.resource.id": models.Org._id}?
Lindsay Cade
03/19/2024, 9:38 PM
KeyError: 'variable'
Dennis (Cerbos)
Lindsay Cade
03/19/2024, 9:41 PM
Lindsay Cade
03/19/2024, 9:43 PM
Lindsay Cade
03/19/2024, 9:48 PM
Dennis (Cerbos)
Dennis (Cerbos)
Dennis (Cerbos)
{
  "id": "user_764c63",
  "roles": [
    "user"
  ],
  "attr": {
    "orgs_roles": {
      "org_dd60a6": "owner"
    }
  }
}
And the policy:
apiVersion: "api.cerbos.dev/v1"
derivedRoles:
  name: common_roles
  definitions:
    - name: OrgViewer
      parentRoles: ['user']
      condition:
        match:
          any:
            of:
              - expr: P.attr.orgs_roles[R.id] == "owner"
              - expr: P.attr.orgs_roles[R.attr.org_id] == "owner"
              - expr: P.attr.orgs_roles[R.id] == "viewer"
              - expr: P.attr.orgs_roles[R.attr.org_id] == "viewer"
That simplified the output of the query planner a lot. Hopefully, the ORM will be able to handle it.
Lindsay Cade
03/19/2024, 10:02 PM
Lindsay Cade
03/19/2024, 10:05 PM
Dennis (Cerbos)
Dennis (Cerbos)
Lindsay Cade
03/19/2024, 10:08 PM
Sam Lock (Cerbos)
03/20/2024, 7:41 AM
Dennis (Cerbos)
Sam Lock (Cerbos)
03/20/2024, 2:39 PM
I'll dig into the SQLAlchemy adapter side of things.
Dennis' PR solves the SQLAlchemy adapter issue too. If you pull the latest version of Cerbos, it should resolve your issue.
Lindsay Cade
03/20/2024, 4:46 PM