Title
i
Imadul Islam
11/04/2022, 6:41 AMHello
Sample Finance Application Policy
https://play.cerbos.dev/p/XhkOi82fFKk3YW60e2c806Yvm0trKEje
I was trying to convert this playground’s policies to JSON so that I can save them through Admin API. The following is the payload.
{
"policies": [
{
"apiVersion": "api.cerbos.dev/v1",
"description": "Common dynamic roles used within the Finance Demo app",
"resourcePolicy": {
"version": "default",
"importDerivedRoles": [
"common_roles"
],
"resource": "expense",
"rules": [
{
"actions": [
"*"
],
"effect": "EFFECT_ALLOW",
"roles": [
"ADMIN"
]
},
{
"actions": [
"view"
],
"effect": "EFFECT_ALLOW",
"derivedRoles": [
"OWNER",
"FINANCE",
"REGION_MANAGER"
]
},
{
"actions": [
"view:approver"
],
"effect": "EFFECT_ALLOW",
"derivedRoles": [
"FINANCE"
]
},
{
"actions": [
"view:approver"
],
"effect": "EFFECT_ALLOW",
"derivedRoles": [
"OWNER"
],
"condition": {
"match": {
"expr": "request.resource.attr.status == \"APPROVED\""
}
}
},
{
"actions": [
"update"
],
"effect": "EFFECT_ALLOW",
"derivedRoles": [
"OWNER"
],
"condition": {
"match": {
"expr": "request.resource.attr.status == \"OPEN\""
}
}
},
{
"actions": [
"approve"
],
"effect": "EFFECT_ALLOW",
"derivedRoles": [
"FINANCE_MANAGER"
],
"condition": {
"match": {
"expr": "request.resource.attr.ownerId != request.principal.id"
}
}
},
{
"actions": [
"approve"
],
"effect": "EFFECT_ALLOW",
"derivedRoles": [
"FINANCE"
],
"condition": {
"match": {
"all": {
"of": [
{
"expr": "request.resource.attr.amount < 1000"
},
{
"expr": "request.resource.attr.ownerId != request.principal.id"
}
]
}
}
}
},
{
"actions": [
"delete"
],
"effect": "EFFECT_ALLOW",
"derivedRoles": [
"FINANCE_MANAGER"
]
},
{
"actions": [
"delete"
],
"effect": "EFFECT_ALLOW",
"derivedRoles": [
"OWNER"
],
"condition": {
"match": {
"all": {
"of": [
{
"expr": "request.resource.attr.status == \"OPEN\""
},
{
"expr": "timestamp(request.resource.attr.createdAt).timeSince() < duration(\"1h\")"
}
]
}
}
}
}
]
},
"derivedRoles": {
"name": "common_roles",
"definitions": [
{
"name": "OWNER",
"parentRoles": [
"USER"
],
"condition": {
"match": {
"expr": "request.resource.attr.ownerId == request.principal.id"
}
}
},
{
"name": "FINANCE",
"parentRoles": [
"USER"
],
"condition": {
"match": {
"expr": "request.principal.attr.department == \"FINANCE\""
}
}
},
{
"name": "FINANCE_MANAGER",
"parentRoles": [
"MANAGER"
],
"condition": {
"match": {
"expr": "request.principal.attr.department == \"FINANCE\""
}
}
},
{
"name": "REGION_MANAGER",
"parentRoles": [
"MANAGER"
],
"condition": {
"match": {
"expr": "request.resource.attr.region == request.principal.attr.region"
}
}
}
]
}
}
]
}{
"code": 3,
"message": "proto: (line 141:13): error parsing \"derivedRoles\", oneof cerbos.policy.v1.Policy.policy_type is already set"
}o
oguzhan
11/04/2022, 7:42 AMHi @Imadul Islam,
Each policy file should only define one of the following;
derivedRoles
principalPolicy
resourcePolicyderivedRolesresourcePolicypolicies{
"policies": [
{"apiVersion": "api.cerbos.dev/v1", "description:": "...", resourcePolicy: {...}}, # first policy
{"apiVersion": "api.cerbos.dev/v1", "description:": "...", derivedRoles: {...}} # second policy
]
}Playground has an export button on the top left corner that you can use to download all policies as a zip file.
After unzipping the policies you could point
cerbosctl putcerbosctl --server=localhost:3593 --username=user --password=password --plaintext put ~/Downloads/downloaded-policies-diri
Imadul Islam
11/04/2022, 2:23 PMThanks it finally worked.