Title
#help
i

Imadul Islam

11/04/2022, 6:41 AM
Hello Sample Finance Application Policyhttps://play.cerbos.dev/p/XhkOi82fFKk3YW60e2c806Yvm0trKEje I was trying to convert this playground’s policies to JSON so that I can save them through Admin API. The following is the payload.
{
  "policies": [
    {
      "apiVersion": "api.cerbos.dev/v1",
      "description": "Common dynamic roles used within the Finance Demo app",
      "resourcePolicy": {
        "version": "default",
        "importDerivedRoles": [
          "common_roles"
        ],
        "resource": "expense",
        "rules": [
          {
            "actions": [
              "*"
            ],
            "effect": "EFFECT_ALLOW",
            "roles": [
              "ADMIN"
            ]
          },
          {
            "actions": [
              "view"
            ],
            "effect": "EFFECT_ALLOW",
            "derivedRoles": [
              "OWNER",
              "FINANCE",
              "REGION_MANAGER"
            ]
          },
          {
            "actions": [
              "view:approver"
            ],
            "effect": "EFFECT_ALLOW",
            "derivedRoles": [
              "FINANCE"
            ]
          },
          {
            "actions": [
              "view:approver"
            ],
            "effect": "EFFECT_ALLOW",
            "derivedRoles": [
              "OWNER"
            ],
            "condition": {
              "match": {
                "expr": "request.resource.attr.status == \"APPROVED\""
              }
            }
          },
          {
            "actions": [
              "update"
            ],
            "effect": "EFFECT_ALLOW",
            "derivedRoles": [
              "OWNER"
            ],
            "condition": {
              "match": {
                "expr": "request.resource.attr.status == \"OPEN\""
              }
            }
          },
          {
            "actions": [
              "approve"
            ],
            "effect": "EFFECT_ALLOW",
            "derivedRoles": [
              "FINANCE_MANAGER"
            ],
            "condition": {
              "match": {
                "expr": "request.resource.attr.ownerId != request.principal.id"
              }
            }
          },
          {
            "actions": [
              "approve"
            ],
            "effect": "EFFECT_ALLOW",
            "derivedRoles": [
              "FINANCE"
            ],
            "condition": {
              "match": {
                "all": {
                  "of": [
                    {
                      "expr": "request.resource.attr.amount < 1000"
                    },
                    {
                      "expr": "request.resource.attr.ownerId != request.principal.id"
                    }
                  ]
                }
              }
            }
          },
          {
            "actions": [
              "delete"
            ],
            "effect": "EFFECT_ALLOW",
            "derivedRoles": [
              "FINANCE_MANAGER"
            ]
          },
          {
            "actions": [
              "delete"
            ],
            "effect": "EFFECT_ALLOW",
            "derivedRoles": [
              "OWNER"
            ],
            "condition": {
              "match": {
                "all": {
                  "of": [
                    {
                      "expr": "request.resource.attr.status == \"OPEN\""
                    },
                    {
                      "expr": "timestamp(request.resource.attr.createdAt).timeSince() < duration(\"1h\")"
                    }
                  ]
                }
              }
            }
          }
        ]
      },
      "derivedRoles": {
        "name": "common_roles",
        "definitions": [
          {
            "name": "OWNER",
            "parentRoles": [
              "USER"
            ],
            "condition": {
              "match": {
                "expr": "request.resource.attr.ownerId == request.principal.id"
              }
            }
          },
          {
            "name": "FINANCE",
            "parentRoles": [
              "USER"
            ],
            "condition": {
              "match": {
                "expr": "request.principal.attr.department == \"FINANCE\""
              }
            }
          },
          {
            "name": "FINANCE_MANAGER",
            "parentRoles": [
              "MANAGER"
            ],
            "condition": {
              "match": {
                "expr": "request.principal.attr.department == \"FINANCE\""
              }
            }
          },
          {
            "name": "REGION_MANAGER",
            "parentRoles": [
              "MANAGER"
            ],
            "condition": {
              "match": {
                "expr": "request.resource.attr.region == request.principal.attr.region"
              }
            }
          }
        ]
      }
    }
  ]
}
I am getting the following error.
{
  "code": 3,
  "message": "proto: (line 141:13): error parsing \"derivedRoles\", oneof cerbos.policy.v1.Policy.policy_type is already set"
}
What I am doing wrong? Thanks
oguzhan

oguzhan

11/04/2022, 7:42 AM
Hi @Imadul Islam, Each policy file should only define one of the following;
derivedRoles
principalPolicy
resourcePolicy
Currently, the policy you are trying to add has both
derivedRoles
and
resourcePolicy
. The request should include each policy as a whole in the
policies
list like this;
{
  "policies": [
     {"apiVersion": "api.cerbos.dev/v1", "description:": "...", resourcePolicy: {...}}, # first policy
     {"apiVersion": "api.cerbos.dev/v1", "description:": "...", derivedRoles: {...}}   # second policy
  ]
}
7:49 AM
Playground has an export button on the top left corner that you can use to download all policies as a zip file. After unzipping the policies you could point
cerbosctl put
to the policies folder to add them all to the cerbos;
cerbosctl --server=localhost:3593 --username=user --password=password --plaintext put ~/Downloads/downloaded-policies-dir
This way you don’t have to have any conversions.
i

Imadul Islam

11/04/2022, 2:23 PM
Thanks it finally worked.