Hi for principal policies the documentation says that wildca Cerbos Community #community

Hi, for principal policies, the documentation says...

Viet Au

08/15/2022, 10:15 AM

Hi, for principal policies, the documentation says that wildcard for a resource is supported, but if I use wildcard "*" for a resource it is rejected.

Alex Olivier (Cerbos)

08/15/2022, 10:31 AM

Checking now

Alex Olivier (Cerbos)

08/15/2022, 10:34 AM

I’ve setup this quick example and it seems to be working as I understand it - is this what you are trying? https://play.cerbos.dev/p/MQHR3nVZ62fa2089L6i5XFqoGl7ctOg8

Viet Au

08/15/2022, 10:49 AM

in the example you have a specific resource "demo", I wanted to have the resource as "*".

Viet Au

08/15/2022, 10:58 AM

If you change the resource to a wildcard "*", this error occurs.

Failed to read: invalid Policy.PrincipalPolicy: embedded message failed validation | caused by: invalid PrincipalPolicy.Rules[0]: embedded message failed validation | caused by: invalid PrincipalRule.Resource: value does not match regex pattern "^[[:alpha:]][[:word:]\\@\\.\\-/]*(\\:[[:alpha:]][[:word:]\\@\\.\\-/]*)*$"

Charith (Cerbos)

08/15/2022, 11:04 AM

Yeah, I think the validation pattern is overly strict here. It's probably because we originally intended to only support segmented wildcards like

engineering:change_request:*

. I don't see why it has to be that way though.

Viet Au

08/15/2022, 11:30 AM

OK thanks for that. Do you intend to relax this check?

Charith (Cerbos)

08/15/2022, 11:33 AM

Already working on it 🙂 https://github.com/cerbos/cerbos/pull/1166

🙌 1

4 Views

Open in Slack

Previous Next