Imadul Islam
11/04/2022, 6:41 AM
{
  "policies": [
    {
      "apiVersion": "api.cerbos.dev/v1",
      "description": "Common dynamic roles used within the Finance Demo app",
      "resourcePolicy": {
        "version": "default",
        "importDerivedRoles": [
          "common_roles"
        ],
        "resource": "expense",
        "rules": [
          {
            "actions": [
              "*"
            ],
            "effect": "EFFECT_ALLOW",
            "roles": [
              "ADMIN"
            ]
          },
          {
            "actions": [
              "view"
            ],
            "effect": "EFFECT_ALLOW",
            "derivedRoles": [
              "OWNER",
              "FINANCE",
              "REGION_MANAGER"
            ]
          },
          {
            "actions": [
              "view:approver"
            ],
            "effect": "EFFECT_ALLOW",
            "derivedRoles": [
              "FINANCE"
            ]
          },
          {
            "actions": [
              "view:approver"
            ],
            "effect": "EFFECT_ALLOW",
            "derivedRoles": [
              "OWNER"
            ],
            "condition": {
              "match": {
                "expr": "request.resource.attr.status == \"APPROVED\""
              }
            }
          },
          {
            "actions": [
              "update"
            ],
            "effect": "EFFECT_ALLOW",
            "derivedRoles": [
              "OWNER"
            ],
            "condition": {
              "match": {
                "expr": "request.resource.attr.status == \"OPEN\""
              }
            }
          },
          {
            "actions": [
              "approve"
            ],
            "effect": "EFFECT_ALLOW",
            "derivedRoles": [
              "FINANCE_MANAGER"
            ],
            "condition": {
              "match": {
                "expr": "request.resource.attr.ownerId != request.principal.id"
              }
            }
          },
          {
            "actions": [
              "approve"
            ],
            "effect": "EFFECT_ALLOW",
            "derivedRoles": [
              "FINANCE"
            ],
            "condition": {
              "match": {
                "all": {
                  "of": [
                    {
                      "expr": "request.resource.attr.amount < 1000"
                    },
                    {
                      "expr": "request.resource.attr.ownerId != request.principal.id"
                    }
                  ]
                }
              }
            }
          },
          {
            "actions": [
              "delete"
            ],
            "effect": "EFFECT_ALLOW",
            "derivedRoles": [
              "FINANCE_MANAGER"
            ]
          },
          {
            "actions": [
              "delete"
            ],
            "effect": "EFFECT_ALLOW",
            "derivedRoles": [
              "OWNER"
            ],
            "condition": {
              "match": {
                "all": {
                  "of": [
                    {
                      "expr": "request.resource.attr.status == \"OPEN\""
                    },
                    {
                      "expr": "timestamp(request.resource.attr.createdAt).timeSince() < duration(\"1h\")"
                    }
                  ]
                }
              }
            }
          }
        ]
      },
      "derivedRoles": {
        "name": "common_roles",
        "definitions": [
          {
            "name": "OWNER",
            "parentRoles": [
              "USER"
            ],
            "condition": {
              "match": {
                "expr": "request.resource.attr.ownerId == request.principal.id"
              }
            }
          },
          {
            "name": "FINANCE",
            "parentRoles": [
              "USER"
            ],
            "condition": {
              "match": {
                "expr": "request.principal.attr.department == \"FINANCE\""
              }
            }
          },
          {
            "name": "FINANCE_MANAGER",
            "parentRoles": [
              "MANAGER"
            ],
            "condition": {
              "match": {
                "expr": "request.principal.attr.department == \"FINANCE\""
              }
            }
          },
          {
            "name": "REGION_MANAGER",
            "parentRoles": [
              "MANAGER"
            ],
            "condition": {
              "match": {
                "expr": "request.resource.attr.region == request.principal.attr.region"
              }
            }
          }
        ]
      }
    }
  ]
}
I am getting the following error.
{
"code": 3,
"message": "proto: (line 141:13): error parsing \"derivedRoles\", oneof cerbos.policy.v1.Policy.policy_type is already set"
}
What am I doing wrong?
Thanks
oguzhan
11/04/2022, 7:42 AM
derivedRoles
principalPolicy
resourcePolicy
Currently, the policy you are trying to add has both derivedRoles and resourcePolicy.
The request should include each policy as a whole in the policies list like this;
{
  "policies": [
    {"apiVersion": "api.cerbos.dev/v1", "description": "...", "resourcePolicy": {...}}, # first policy
    {"apiVersion": "api.cerbos.dev/v1", "description": "...", "derivedRoles": {...}} # second policy
  ]
}
cerbosctl put to the policies folder to add them all to cerbos;
cerbosctl --server=localhost:3593 --username=user --password=password --plaintext put ~/Downloads/downloaded-policies-dir
This way you don’t have to have any conversions.
Imadul Islam
11/04/2022, 2:23 PM