Title
#help
ł

Łukasz Sierakowski

10/25/2022, 8:45 AM
Hi, I’m trying to use
Principal policies
for managing user access to client orders. Unfortunately it doesn’t work as I expected. I’ve created following principal policy
apiVersion: api.cerbos.dev/v1
principalPolicy:
  principal: user-123
  version: "dev"
  rules:
    - resource: client-12345
      actions:
        - name: view-data
          action: "view"
          effect: EFFECT_ALLOW
and test for this policy
name: test
principals:
  user:
    id: user-123
    roles:
      - user
resources:
  clients:
    id: client-12345
    kind: client
tests:
  - name: User should view client records
    input:
      principals:
        - user
      resources:
        - clients
      actions:
        - view
    expected:
      - principal: user
        resource: clients
        actions:
          view: EFFECT_ALLOW
My intention is to allow principal
user-123
to execute
view
action on
client-12345
resource. However when I compile ant test policy I always get
EFFECT_DENY
What did I wrong?
Charith (Cerbos)

Charith (Cerbos)

10/25/2022, 9:02 AM
Hi. Two things: • Principal policies apply to resource kinds. In your case, the resource kind is
client
and the rule should be written to target
client
, not
client-12345
. • If the policy version is not
default
, you have to explicitly set the
policyVersion
field in the test data. So, your principal definitions should have
policyVersion: dev
in the test fixtures.
9:03 AM
So this would work:
apiVersion: api.cerbos.dev/v1
principalPolicy:
  principal: user-123
  version: "dev"
  rules:
    - resource: client
      actions:
        - name: view-data
          action: "view"
          effect: EFFECT_ALLOW
          condition:
            match:
              expr: |-
                R.id == "client-12345"
name: test
principals:
  user:
    id: user-123
    policyVersion: dev
    roles:
      - user
resources:
  clients:
    id: client-12345
    kind: client
tests:
  - name: User should view client records
    input:
      principals:
        - user
      resources:
        - clients
      actions:
        - view
    expected:
      - principal: user
        resource: clients
        actions:
          view: EFFECT_ALLOW
ł

Łukasz Sierakowski

10/25/2022, 10:11 AM
Thank you 🙂 It is working now