Nimit
11/03/2022, 7:30 PM
{
  "apiVersion": "api.cerbos.dev/v1",
  "resourcePolicy": {
    "resource": "top",
    "version": "default",
    "rules": [
      {
        "actions": [
          "VIEW"
        ],
        "roles": [
          "customer-user"
        ],
        "condition": {
          "match": {
            "any": {
              "of": [
                {
                  "expr": "R.attr.custAnal in P.attr.custAllowedValues"
                },
                {
                  "expr": "R.attr.salhAnal in P.attr.salhAllowedValues"
                }
              ]
            }
          }
        },
        "effect": "EFFECT_ALLOW"
      }
    ]
  }
}
SCOPED:
{
  "apiVersion": "api.cerbos.dev/v1",
  "resourcePolicy": {
    "resource": "top",
    "version": "default",
    "rules": [
      {
        "actions": [
          "VIEW"
        ],
        "roles": [
          "customer-user"
        ],
        "condition": {
          "match": {
            "any": {
              "of": [
                {
                  "expr": "R.attr.custAnal in P.attr.custAllowedValues"
                },
                {
                  "expr": "R.attr.salhAnal in P.attr.salhAllowedValues"
                }
              ]
            }
          }
        },
        "effect": "EFFECT_DENY"
      }
    ],
    "scope": "T8eeab29e-9622-48e6-967d-5137b485d8aa"
  }
}
Dennis (Cerbos)
11/03/2022, 7:32 PM
Nimit
11/03/2022, 7:43 PM
Dennis (Cerbos)
11/03/2022, 7:48 PM
Nimit
11/03/2022, 7:50 PM
Dennis (Cerbos)
11/03/2022, 7:51 PM
Nimit
11/03/2022, 8:06 PM
{
  "requestId": "123123",
  "principal": {
    "id": "123",
    "roles": [
      "customer-user"
    ],
    "attr": {
      "custAllowedValues": "VALUE1",
      "salhAllowedValues": "VALUE2"
    },
    "scope": "T8eeab29e-9622-48e6-967d-5137b485d8aa"
  },
  "resources": [
    {
      "resource": {
        "kind": "top",
        "id": "123",
        "scope": "T8eeab29e-9622-48e6-967d-5137b485d8aa",
        "attr": {}
      },
      "actions": [
        "VIEW"
      ]
    }
  ]
}
Dennis (Cerbos)
11/04/2022, 12:31 AM
scope in the resource object. For example,
{
  "requestId": "query-plan",
  "resource": {
    "kind": "top",
    "scope": "T8eeab29e-9622-48e6-967d-5137b485d8aa"
  },
  "principal": {
    "id": "123",
    "roles": [
      "customer-user"
    ],
    "attr": {
      "custAllowedValues": "VALUE1",
      "salhAllowedValues": "VALUE2"
    }
  },
  "action": "VIEW"
}
Depending on the presence of the resource scope, the query planner returns the inverse condition.
Nimit
11/04/2022, 8:22 AM
Charith (Cerbos)
11/04/2022, 9:15 AM
in operator, which requires a list to operate on. In the request you're sending a string instead. So, because the condition is invalid, the planner ignores it.
If you use the correct data types in the request, the response is correct:
Request:
cat <<EOF | curl --silent "http://localhost:3592/api/plan/resources?pretty" -d @-
{
  "requestId": "query-plan",
  "resource": {
    "kind": "top",
    "scope": "T8eeab29e-9622-48e6-967d-5137b485d8aa"
  },
  "principal": {
    "id": "123",
    "roles": [
      "customer-user"
    ],
    "attr": {
      "custAllowedValues": ["VALUE1"],
      "salhAllowedValues": ["VALUE2"]
    }
  },
  "action": "VIEW",
  "includeMeta": true
}
EOF
Response:
{
  "requestId": "query-plan",
  "action": "VIEW",
  "resourceKind": "top",
  "filter": {
    "kind": "KIND_CONDITIONAL",
    "condition": {
      "expression": {
        "operator": "not",
        "operands": [
          {
            "expression": {
              "operator": "or",
              "operands": [
                {
                  "expression": {
                    "operator": "in",
                    "operands": [
                      {
                        "variable": "request.resource.attr.custAnal"
                      },
                      {
                        "value": [
                          "VALUE1"
                        ]
                      }
                    ]
                  }
                },
                {
                  "expression": {
                    "operator": "in",
                    "operands": [
                      {
                        "variable": "request.resource.attr.salhAnal"
                      },
                      {
                        "value": [
                          "VALUE2"
                        ]
                      }
                    ]
                  }
                }
              ]
            }
          }
        ]
      }
    }
  },
  "meta": {
    "filterDebug": "(not (or (in request.resource.attr.custAnal [\"VALUE1\"]) (in request.resource.attr.salhAnal [\"VALUE2\"])))",
    "matchedScope": "T8eeab29e-9622-48e6-967d-5137b485d8aa"
  }
}
Nimit
11/04/2022, 9:50 AM
Charith (Cerbos)
11/04/2022, 9:55 AM
Nimit
11/04/2022, 10:08 AM
Charith (Cerbos)
11/04/2022, 10:14 AM
includeMeta in the request, you can see that it matched the scoped policy. If you want a flat-out deny, you should remove the condition on the rule.
{
  "requestId": "query-plan",
  "action": "VIEW",
  "resourceKind": "top",
  "filter": {
    "kind": "KIND_ALWAYS_DENIED"
  },
  "meta": {
    "filterDebug": "(false)",
    "matchedScope": "T8eeab29e-9622-48e6-967d-5137b485d8aa"
  }
}
Nimit
11/04/2022, 10:17 AM
Charith (Cerbos)
11/04/2022, 10:18 AM