Gabi Zarhin
08/31/2022, 10:49 AM
`P.attr.permissions.folder.read.exists(f, R.attr.folder_path.contains(f))`
when `P.attr.permissions.folder.read` is a list of ids
and `P.attr.folder.path` is a string of ids separated by the '.' character.
For the resource_plan call I provide the attr of the Principal but not of the resource (expecting to get a plan with conditions on the resource attributes),
but I seem to get an error:
error evaluating condition \"P.attr.permissions.folder.read.exists(f, R.attr.folder_path.contains(f))\": no such attribute: id: 4, attributes: [0xc000f2ad20 0xc000f2acc0 0xc000f2ac60]
Any suggestions as to what I'm doing wrong? Or did I not understand something about the resource_plan call?
Charith (Cerbos)
08/31/2022, 11:21 AM
Gabi Zarhin
08/31/2022, 11:21 AM
Charith (Cerbos)
08/31/2022, 11:54 AM
`read` is a substring of `folder_path`". It's deeply nested and depends on the value of `folder_path`. I am sure you can appreciate that it's almost impossible to generate a plan for it without knowing what `folder_path` is. That's what this not very helpful error message is trying to tell us.
Is there any reason why `folder_path` is a delimited string? If you are able to convert it to a list instead, you can write the condition as `hasIntersection(P.attr.permissions.folder.read, R.attr.folder_path)`. That makes it less tricky to generate a plan when `folder_path` is unknown and is also more robust than substring checks.
Gabi Zarhin
08/31/2022, 11:58 AM
Charith (Cerbos)
08/31/2022, 12:00 PM