    Gabi Zarhin

    3 weeks ago
    Hello again: having some trouble with the resource_plan call. One of our policies states:
    P.attr.permissions.folder.read.exists(f, R.attr.folder_path.contains(f))
    when P.attr.permissions.folder.read is a list of ids and P.attr.folder.path is a string of ids separated by the ‘.’ character. For the resource_plan call I provide the attr of the Principal but not of the resource (expecting to get a plan with conditions on the resource attributes) but I seem to get an error:
    error evaluating condition \"P.attr.permissions.folder.read.exists(f, R.attr.folder_path.contains(f))\": no such attribute: id: 4, attributes: [0xc000f2ad20 0xc000f2acc0 0xc000f2ac60]
    Any suggestions as to what I’m doing wrong? Or did I not understand something about the resource_plan call?
    Charith (Cerbos)

    3 weeks ago
    Hi. I am not sure what's happening there. Let us investigate and get back to you.
    Gabi Zarhin

    3 weeks ago
    Sure thing… thank you very much
    Charith (Cerbos)

    3 weeks ago
    OK, this is a tricky one. The condition here is "check whether any of the ids in read is a substring of folder_path". It's deeply nested and depends on the value of folder_path. I am sure you can appreciate that it's almost impossible to generate a plan for it without knowing what folder_path is. That's what this not very helpful error message is trying to tell us. Is there any reason why folder_path is a delimited string? If you are able to convert it to a list instead, you can write the condition as hasIntersection(P.attr.permissions.folder.read, R.attr.folder_path). That makes it less tricky to generate a plan when folder_path is unknown and is also more robust than substring checks.
    Gabi Zarhin

    3 weeks ago
    Thanks for the quick response. Yeah, I figured it would be hard to “plan”/“explain” this part of the query but I thought it would return this condition to me as is. Thanks for the suggestion… I’d consider this… it makes more sense actually than what we did with the string 🙂 Thanks again
    Charith (Cerbos)

    3 weeks ago
    You're welcome