Hi guys, I've set up a Cerbos cluster on my local...
# help
a
Hi guys, I've set up a Cerbos cluster on my localhost and I'm working on replicating the finance application sample provided in the Cerbos playground: Finance Application Sample. I successfully created the resource policy and verified that I can retrieve it using the GET REST call. However, when I provide the same principal to the policy in my localhost environment, I consistently receive a "deny" response for all actions. This behavior differs from the results I get using the playground with the same principal. Upon debugging, I noticed that there are `derived_roles` defined in the `common_roles.yaml` file, which are referenced in the resource policy. It appears that these derived roles are crucial for the policy evaluation. My question is: How can I upload the `common_roles.yaml` to my localhost setup? Is there an API endpoint for uploading common roles? I couldn't find relevant documentation for this. Any guidance on this issue would be greatly appreciated. Thanks!
Like https://docs.cerbos.dev/cerbos/latest/policies/derived_roles, this documentation talks about the derived roles; however, it does not tell you the API to hit in order to store the derived roles. PS: I'm using Postgres for the database, and after creating the policy I can see the policy row in my policy table!
o
Hi @Akhil Chouhan, there are two ways to put policies into a DB store:
1. Using the `cerbosctl put` command
2. Using the Admin API
I'd suggest that you:
1. Use the Export button in the Playground (top left corner) to download all of the policies as a zip file,
2. Extract the zip file into a directory,
3. Execute the command `cerbosctl put policies -R .` in the extracted policy directory.
a
@oguzhan are derived roles also considered as policies?
o
Yes, policy types for Cerbos are:
• derived roles
• export variables
• principal policies
• resource policies
a
@oguzhan thanks for this. So now I have 2 policies in my database, resource and derived roles (attached screenshot below), and this is my request:
{
  "requestId": "123123",
  "principal": {
    "id": "sally",
    "policyVersion": "default",
    "roles": [
      "USER"
    ],
    "attr": {
      "department": "SALES",
      "region": "EMEA"
    }
  },
  "resources": [
    {
      "resource": {
        "kind": "expense:object",
        "id": "expense1",
        "policyVersion": "default",
        "attr": {
          "ownerId": "sally",
          "createdAt": "2021-10-01T10:00:00.021-05:00",
          "vendor": "Flux Water Gear",
          "region": "EMEA",
          "amount": 500,
          "status": "OPEN"
        }
      },
      "actions": [
        "approve",
        "create",
        "delete",
        "update",
        "view",
        "view:approver"
      ]
    }
  ]
}
However, I'm still getting EFFECT_DENY on create, but I'm getting ALLOWED on the playground.
o
In the request the kind is `expense:object`:
"kind": "expense:object",
It should be:
"kind": "expense",
a
@oguzhan voila, thank you so much, this worked. I want to understand what is `expense:object` and what is kind? And how do I figure out what the kind will be after I create the policy? Because the code
cerbosBlockingAdminClient.addOrUpdatePolicy()
                        .with(new InputStreamReader(new ByteArrayInputStream(baos.toByteArray()))).addOrUpdate();
does not return the created policy, since it returns void. Before putting in derived roles I was using "kind": "expense", but it was throwing me an error "invalid policy version". Then I saw this statement, which encouraged me to change this to `expense:object`.
o
I think in the example policy the kind used to be `expense:object`, and then changed to `expense`. But I guess the comment was mistakenly left as `expense:object`. So disregard the comment line there, it is a mistake. When you create a resource with kind `expense`, you need to state `expense` as the kind in the request too. So that Cerbos knows what resource policy you are referring to while resolving the request.
a
ahh thanks!