Akhil Chouhan
05/20/2024, 1:01 PM
derived_roles defined in the common_roles.yaml file, which are referenced in the resource policy. It appears that these derived roles are crucial for the policy evaluation.
My question is: How can I upload the common_roles.yaml to my localhost setup? Is there an API endpoint for uploading common roles? I couldn't find relevant documentation for this.
Any guidance on this issue would be greatly appreciated.
Thanks!
Akhil Chouhan
05/20/2024, 1:21 PM
oguzhan
Export button in the Playground (top left corner) to download all of the policies as a zip file,
2. Extracting the zip file into a directory,
3. Executing the command cerbosctl put policies -R . in the extracted policy directory.
Akhil Chouhan
05/20/2024, 1:30 PM
oguzhan
Akhil Chouhan
05/20/2024, 1:34 PM
{
  "requestId": "123123",
  "principal": {
    "id": "sally",
    "policyVersion": "default",
    "roles": [
      "USER"
    ],
    "attr": {
      "department": "SALES",
      "region": "EMEA"
    }
  },
  "resources": [
    {
      "resource": {
        "kind": "expense:object",
        "id": "expense1",
        "policyVersion": "default",
        "attr": {
          "ownerId": "sally",
          "createdAt": "2021-10-01T10:00:00.021-05:00",
          "vendor": "Flux Water Gear",
          "region": "EMEA",
          "amount": 500,
          "status": "OPEN"
        }
      },
      "actions": [
        "approve",
        "create",
        "delete",
        "update",
        "view",
        "view:approver"
      ]
    }
  ]
}
However, I'm still getting EFFECT_DENY on create, but I'm getting ALLOWED on the playground
oguzhan
expense:object
"kind": "expense:object",
It should be;
"kind": "expense",
Akhil Chouhan
05/20/2024, 1:52 PM
cerbosBlockingAdminClient.addOrUpdatePolicy()
    .with(new InputStreamReader(new ByteArrayInputStream(baos.toByteArray()))).addOrUpdate();
does not return the created policy, since it returns void.
Before putting in derived roles I was using "kind": "expense", but it was throwing me an error "invalid policy version".
Then I saw this statement, which encouraged me to change this to expense:object
oguzhan
expense:object, and then changed to expense. But I guess the comment was mistakenly left as expense:object. So disregard the comment line there, it is a mistake.
When you create a resource with kind expense, you need to state expense as the kind in the request too. So that Cerbos knows what resource policy you are referring to while resolving the request.
Akhil Chouhan
05/21/2024, 6:12 AM