Hi is it possible to enable more verbose logging for the ` c Cerbos Community #help

Hi, is it possible to enable more verbose logging ...

Fatih Kaya

09/30/2021, 2:14 PM

Hi, is it possible to enable more verbose logging for the

/check

endpoint? I set log level to

DEBUG

but I want to see which the derived role user got while the authorization check process.

Alex Olivier (Cerbos)

09/30/2021, 2:35 PM

Hey

Alex Olivier (Cerbos)

09/30/2021, 2:36 PM

If you add

"includeMeta": true

into the request to the check endpoint it will include more information about which policies matched

Alex Olivier (Cerbos)

09/30/2021, 2:36 PM

Copy code

{
  "requestId": "test01",
  "actions": [
    "view"
  ],
  "resource": {
    "policyVersion": "dev",
    "kind": "album:object",
    "instances": {
      "XX125": {
        "attr": {
          "owner": "alicia",
          "id": "XX125",
          "public": false,
          "tags": [
            "x",
            "y"
          ],
          "flagged": false
        }
      }
    }
  },
  "principal": {
    "id": "alicia",
    "policyVersion": "dev",
    "roles": [
      "user"
    ],
    "attr": {
      "geography": "GB"
    }
  },
  "includeMeta": true
}

Alex Olivier (Cerbos)

09/30/2021, 2:40 PM

Let me know if that answers your question - happy to jump on a quick call if it is easier 🙂

Fatih Kaya

09/30/2021, 2:46 PM

Thank you so much @Alex Olivier (Cerbos)! So I can see

"effectiveDerivedRoles": []

Now I need to figure out why my principal doesn't get the derived role that I expected.

Alex Olivier (Cerbos)

09/30/2021, 2:49 PM

If you are willing to share your policies, I'm happy to assist

Fatih Kaya

09/30/2021, 2:56 PM

https://gist.github.com/fatihky/04830529e4281fdef5d8b3adc13e8ab7

Fatih Kaya

09/30/2021, 2:57 PM

Thank you @Alex Olivier (Cerbos), I've just uploaded my request body along with my policies.

Alex Olivier (Cerbos)

09/30/2021, 2:58 PM

From a quick look, I think the path for the owner should be

request.resource.attr.campaign.owner

Fatih Kaya

09/30/2021, 3:00 PM

Thank you. Adjusted it but I got effect_deny again. I got campaign_owner derived role when I import only one derived role configuration here: https://gist.github.com/fatihky/04830529e4281fdef5d8b3adc13e8ab7#file-resource_campaign_keyword-yaml-L8

Alex Olivier (Cerbos)

09/30/2021, 3:03 PM

Hmm let me try and replicate this

Alex Olivier (Cerbos)

09/30/2021, 3:08 PM

I can replicate what you are seeing - let me raise with our engineering team and see if we can get an answer to this for you

Fatih Kaya

09/30/2021, 3:10 PM

Thank you, in mean time, I found an example that imports multiple derived roles: https://github.com/cerbos/cerbos/blob/e8df72a6448bb5f7f371fa6a4b3d64983242379d/internal/test/testdata/compile/multiple_imports.yaml I'll try that now.

Alex Olivier (Cerbos)

09/30/2021, 5:55 PM

Hey just to let you know that this was indeed a bug and a PR with a fix is already up for review https://github.com/cerbos/cerbos/pull/330

Alex Olivier (Cerbos)

09/30/2021, 5:56 PM

Thanks for raising it and hopefully it hasn't caused too many headaches

Charith (Cerbos)

10/01/2021, 9:11 AM

Thanks for reporting the bug. We just released v0.8.0 with the bugfix. https://github.com/cerbos/cerbos/releases/tag/v0.8.0

Fatih Kaya

10/01/2021, 3:46 PM

Thank you so much @Alex Olivier (Cerbos) and @Charith (Cerbos). Sorry for the delayed appreciation because of the Slack's service interruption.

🎉 1

8 Views

Open in Slack

Previous Next