Title
#community
g

Gabi Zarhin

08/31/2022, 10:49 AM
Hello again: having some trouble with resource_plan call. one of our policies states:
P.attr.permissions.folder.read.exists(f, R.attr.folder_path.contains(f))
when P.attr.permissions.folder.read is a list of ids and P.attr.folder.path is a string of ids separated by ‘.’ character. for the resource_plan call i provide the attr of the Principal but not of the resource (expecting to get a plan with conditions on the resource attributes) but i seem to get an error:
error evaluating condition \"P.attr.permissions.folder.read.exists(f, R.attr.folder_path.contains(f))\": no such attribute: id: 4, attributes: [0xc000f2ad20 0xc000f2acc0 0xc000f2ac60]
any suggestions to what I’m doing wrong? or did i not understand something about the resource_plan call
Charith (Cerbos)

Charith (Cerbos)

08/31/2022, 11:21 AM
Hi. I am not sure what's happening there. Let us investigate and get back to you.
g

Gabi Zarhin

08/31/2022, 11:21 AM
Sure thing… thank you very much
Charith (Cerbos)

Charith (Cerbos)

08/31/2022, 11:54 AM
OK, this is a tricky one. The condition here is "check whether any of the ids in
read
is a substring of folder_path". It's deeply nested and depends on the value of
folder_path
. I am sure you can appreciate that it's almost impossible to generate a plan for it without knowing what
folder_path
is. That's what this not very helpful error message is trying to tell us. Is there any reason why
folder_path
a delimited string? If you are able to convert it to a list instead, you can write the condition as
hasIntersection(P.attr.permissions.folder.read, R.attr.folder_path)
. That makes it less tricky to generate a plan when
folder_path
is unknown and is also more robust than substring checks.
g

Gabi Zarhin

08/31/2022, 11:58 AM
Thanks for the quick response.. yeah i figured it would be hard to “plan”/“explain” this part of the query but i thought it would return this condition to me as is. thanks for the suggestion… I’d consider this… it makes more sense actually than what we did with the string 🙂 thanks again
Charith (Cerbos)

Charith (Cerbos)

08/31/2022, 12:00 PM
You're welcome