# help
j
Hey guys, I’m trying to nest hierarchical permissions. I thought I could use derived policies and the compiler seems to like it, but my unit test suggests the permissions aren’t inherited. (I’m assigning a single role in my test principal with the expectation that the derived role is inherited.) So, long question short, can a parent role also be a derived role?
```yaml
apiVersion: "api.cerbos.dev/v1"
description: |-
  Permissions based roles
derivedRoles:
  name: line_ip_roles
  definitions:
    - name: viewer
      parentRoles: ["user"]
      condition:
        match:
          all:
            of:
              - expr: ...

    - name: reader
      parentRoles: ["viewer"]
      condition:
        match:
          all:
            of:
              - expr: ...

    - name: editor
      parentRoles: ["reader"]
      condition:
        match:
          expr: ...
---

apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  resource: "line:ip"
  rules:
    - actions:
        - view
      effect: EFFECT_ALLOW
      roles:
        - viewer

    - actions:
        - read
      effect: EFFECT_ALLOW
      roles:
        - reader

    - actions:
        - edit
      effect: EFFECT_ALLOW
      roles:
        - editor
```
So if my test principal has the `reader` role, I would have thought he’d also have the `viewer` role, but that doesn’t seem to be the case. Is this not supported or am I just doing something daft?
s
Hi Joe 👋 Derived roles aren't implicitly inherited: there's a required, explicit import step and then a dedicated field in the resource policy rules (`derivedRoles` rather than `roles`). This allows you to namespace derived role definitions (and reuse derived role names, etc). You can see an example of this in the resource policy example in the docs; namely, the annotations 4 (import statement) and 8 (the rule/derived role mapping).
👀 1
The `import` name maps to the `name` field defined in the derived role policy (annotation 1 in the derived role example).
j
Fantastic. Thanks @Sam Lock (Cerbos)
🙏 1
Actually @Sam Lock (Cerbos), I’ve sorted out my syntax but it seems that deriving from previously derived roles isn’t supported. Is there any way that a derived role can inherit the conditions of another derived role? I can duplicate the expressions if needed but it would be really neat if I didn’t need to
s
As it stands, no, there's no way to inherit. Each derived role is independent. The approach would be to apply more than one derived role to a given rule (composition rather than inheritance!) What is the particular "inheritance" case, out of interest?
j
Thanks for getting back to me. I ended up doing as you suggested so it’s all good. We have a load of rules about accessing certain content. These rules are applied through a role hierarchy. I thought if I created a derived `viewer` role, I could inherit the rules applied and extend through a further derived `editor` role or similar.
👍 1
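The two answers in the thread (the explicit `importDerivedRoles` step with the `derivedRoles` rule field, then composition instead of inheritance because each derived role is independent) put together as a complete policy pair. This is an added example, not code from the thread or from the Cerbos project: the resource `line:ip`, the derived-roles policy name `line_ip_roles` and the role names come from the question; the `permissions` principal attribute and the CEL expressions are assumed for illustration. The two policies are shown as two YAML documents separated by `---`, as in the question, and can equally be split into two files.

```yaml
# Added example (not from the thread). Derived roles policy: every definition
# stands on its own, so the "viewer" check is repeated in "reader" and "editor"
# rather than inherited. parentRoles refer to the principal's static roles only.
apiVersion: api.cerbos.dev/v1
description: |-
  Permissions based roles (example; the "permissions" attribute is assumed)
derivedRoles:
  name: line_ip_roles
  definitions:
    - name: viewer
      parentRoles: ["user"]
      condition:
        match:
          expr: '"view" in request.principal.attr.permissions'

    - name: reader
      parentRoles: ["user"]
      condition:
        match:
          all:
            of:
              - expr: '"view" in request.principal.attr.permissions'
              - expr: '"read" in request.principal.attr.permissions'

    - name: editor
      parentRoles: ["user"]
      condition:
        match:
          all:
            of:
              - expr: '"view" in request.principal.attr.permissions'
              - expr: '"read" in request.principal.attr.permissions'
              - expr: '"edit" in request.principal.attr.permissions'
---
# Resource policy: the derived roles policy is imported by its "name", and the
# rules reference derived roles through "derivedRoles", not "roles". The role
# hierarchy is expressed by composition: each action lists every derived role
# that should be allowed to perform it.
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  resource: "line:ip"
  importDerivedRoles:
    - line_ip_roles
  rules:
    - actions: ["view"]
      effect: EFFECT_ALLOW
      derivedRoles: [viewer, reader, editor]

    - actions: ["read"]
      effect: EFFECT_ALLOW
      derivedRoles: [reader, editor]

    - actions: ["edit"]
      effect: EFFECT_ALLOW
      derivedRoles: [editor]
```

Run `cerbos compile` on the directory holding these policies to validate them. With this arrangement a principal with the static role `user` and `permissions: ["view", "read"]` resolves to the `viewer` and `reader` derived roles, is allowed `view` and `read`, and is denied `edit`; a principal with only `["view"]` is allowed `view` alone, which is the "reader also gets viewer's rules" behaviour the question wanted, obtained by listing roles on rules rather than by one derived role extending another.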