Łukasz Sierakowski
10/25/2022, 8:45 AM
Principal policies for managing user access to client orders. Unfortunately it doesn’t work as I expected.
I’ve created following principal policy
apiVersion: api.cerbos.dev/v1
principalPolicy:
  principal: user-123
  version: "dev"
  rules:
    - resource: client-12345
      actions:
        - name: view-data
          action: "view"
          effect: EFFECT_ALLOW
and test for this policy
name: test
principals:
  user:
    id: user-123
    roles:
      - user
resources:
  clients:
    id: client-12345
    kind: client
tests:
  - name: User should view client records
    input:
      principals:
        - user
      resources:
        - clients
      actions:
        - view
    expected:
      - principal: user
        resource: clients
        actions:
          view: EFFECT_ALLOW
My intention is to allow principal user-123 to execute the view action on the client-12345 resource.
However, when I compile and test the policy I always get EFFECT_DENY.
What did I do wrong?
Charith (Cerbos)
10/25/2022, 9:02 AM
• client and the rule should be written to target client, not client-12345.
• If the policy version is not default, you have to explicitly set the policyVersion field in the test data. So, your principal definitions should have policyVersion: dev
in the test fixtures.
apiVersion: api.cerbos.dev/v1
principalPolicy:
  principal: user-123
  version: "dev"
  rules:
    # The rule targets the resource kind (client), not a specific resource ID
    - resource: client
      actions:
        - name: view-data
          action: "view"
          effect: EFFECT_ALLOW
          # The specific resource is selected by its ID in the condition
          condition:
            match:
              expr: |-
                R.id == "client-12345"
name: test
principals:
  user:
    id: user-123
    # Must match the policy version, since it is not "default"
    policyVersion: dev
    roles:
      - user
resources:
  clients:
    id: client-12345
    kind: client
tests:
  - name: User should view client records
    input:
      principals:
        - user
      resources:
        - clients
      actions:
        - view
    expected:
      - principal: user
        resource: clients
        actions:
          view: EFFECT_ALLOW
Łukasz Sierakowski
10/25/2022, 10:11 AM