# help
j
Hello! I use the Python SDK to call Cerbos. Whenever I get a reply, I see a class of type `CheckResourcesResult` which has a property called `result` which holds an instance of the `Resource` class. In that instance of the `Resource` class, I see that the `attr` property is an empty dictionary. Is this supposed to be empty or are there circumstances where this will be filled up? The reason I am asking is this: I set my `kind` to be a global value of `service:fields`.
I am using Cerbos to control which fields in a database get obfuscated when a REST API returns it. The way I differentiate the fields (or specify the field names) in the Cerbos API payload is via an attribute to the resource. I call this attribute `field_name`.
When I submit the call to Cerbos, I submit it with a list of 20 resources (for example) where each resource is exactly the same EXCEPT for the attribute called `field_name`. I have policies written that evaluate this attribute.
When I get a response from Cerbos, I have no idea which field an EFFECT_DENY or EFFECT_ALLOW applies to because the `kind` is the same for all the resources.
From what I can see, the order of the resources listed in the response is exactly the order of the resources I specified in the API call. Is this a SAFE assumption? Or is there a better way to do this?
Just FYI, in my policy, I have something like this:
```yaml
- resource: "service:fields"
  actions:
        - action: read
          condition:
            match:
              all:
                of:
                  - expr: >
                      !(R.attr.field_name in [
                        "field1",
                        "field2",
```
This makes it easy for me because if I have 20 fields, I don't have to write 20 policies.
c
Hey. The `Resource` object in the response won't have the attributes set. It's just reusing the same type but not actually echoing back the request. The response from Cerbos returns results in the same order as the request. However, it is intentionally undocumented because we might want to change that in the future. The recommended way to uniquely identify results is to use the resource ID. The `get_resource` method of the response can be used for that.
j
Thank you. I will modify my code to do just that!