Wildcard match on actions?
Hi team,
We make extens...
# helps
Stefan de Kooter
03/18/2025, 11:31 AMWildcard match on actions?
Hi team,
We make extensive use of actions ending in wildcard (*). I now found out that if an action is offered ending in a column, it doesn't match these. Is this by design or should I use another wildcard for this?
example:
action in policy:
device_command_show*device_command_show_flash:device_command_show_flasha
Andrew Haines (Cerbos)
03/18/2025, 12:35 PM
This is by design, the colon is used as a delimiter.
s
Stefan de Kooter
03/18/2025, 2:37 PMhi Andrew, thanks for your fast reply. Should I understand this as:
if a : is found in the action, it is used to cut the action in multiple parts. Each part must match.
So if you have a lot of actions, that you'd like to group, it is recommended to use : as a delimiter to create a form of hierarcy?
Example:
device_commandshow*
match device_commandshowrunning
match device_commandshowversion
device_command:*
match device_commandshowrunning
match device_command:show
a
Andrew Haines (Cerbos)
03/18/2025, 2:38 PM
Yep, exactly
s
Stefan de Kooter
03/18/2025, 2:38 PMWould that allow for a syntax where all the 'child' actions are allowed, no matter how deep they're queried?
a
Andrew Haines (Cerbos)
03/18/2025, 2:38 PM
Although I'm not sure about your second example; I think
device_command:*device_command:showdevice_command:show:runnings
Stefan de Kooter
03/18/2025, 2:40 PMgotcha. So 'unlimited' access MIGHT need:
device_command:*device_command:*:*device_command:*:*:*a
Andrew Haines (Cerbos)
03/18/2025, 2:41 PM
Yep, indeed