Owen Cummings
11/07/2022, 11:39 PM
location_roles: P.attr.roles[R.attr.location_id]
If I hard code this to `location_roles: P.attr.roles["1"]` everything seems to work as expected.
```yaml
apiVersion: api.cerbos.dev/v1
variables:
  location_roles: P.attr.roles[R.attr.location_id]
derivedRoles:
  name: my_roles
  definitions:
    - name: global_admin
      parentRoles:
        - user
      condition:
        match:
          expr: ("Global Admin" in V.location_roles)
```
```
{"log.level":"info","@timestamp":"2022-11-07T23:34:00.201Z","log.logger":"cerbos.payload","message":"server request payload logged as grpc.request.content field","system":"grpc","span.kind":"server","grpc.service":"cerbos.svc.v1.CerbosService","grpc.method":"PlanResources","peer.address":"127.0.0.1:52082","http":{"x_forwarded_for":["172.17.0.1"],"x_forwarded_host":["localhost:3592"]},"grpc.request.content":{"msg":{"action":"entry:read","principal":{"id":"1","policyVersion":"default","roles":["user"],"attr":{"employee_id":"123","permissions":{"1":["entry.read_all"]},"roles":{"1":["Employee"]}}},"resource":{"kind":"entry","attr":{"location_id":"1"},"policyVersion":"default"},"includeMeta":true}}}
{"log.level":"error","@timestamp":"2022-11-07T23:34:00.203Z","log.logger":"cerbos.grpc","message":"Resources query plan request failed","grpc.start_time":"2022-11-07T23:34:00Z","system":"grpc","span.kind":"server","grpc.service":"cerbos.svc.v1.CerbosService","grpc.method":"PlanResources","peer.address":"127.0.0.1:52082","http":{"x_forwarded_for":["172.17.0.1"],"x_forwarded_host":["localhost:3592"]},"cerbos":{"call_id":"01GHA734RAWRPKZD2E4NGASBH1"},"error":"error evaluating condition \"(\\\"Employee\\\" in V.location_roles)\": invalid qualifier type: *structpb.Value"}
{"log.level":"error","@timestamp":"2022-11-07T23:34:00.203Z","log.logger":"cerbos.grpc","message":"Handled request","grpc.start_time":"2022-11-07T23:34:00Z","system":"grpc","span.kind":"server","grpc.service":"cerbos.svc.v1.CerbosService","grpc.method":"PlanResources","cerbos":{"call_id":"01GHA734RAWRPKZD2E4NGASBH1"},"peer.address":"127.0.0.1:52082","http":{"x_forwarded_for":["172.17.0.1"],"x_forwarded_host":["localhost:3592"]},"error":"rpc error: code = Internal desc = Resources query plan request failed","grpc.code":"Internal","grpc.time_ms":2.047}
```
Dennis (Cerbos)
11/07/2022, 11:48 PM
Owen Cummings
11/07/2022, 11:52 PM
Dennis (Cerbos)
11/07/2022, 11:57 PM
R.attr.location_id in P.attr.roles.filter(x, P.attr.roles[x].exists(y, y == "Global Admin"))
In the above expression the RHS can be pre-evaluated, so the produced AST can be a simple R.attr.location_id in [<list of constants>].
Owen Cummings
11/08/2022, 12:29 AM
Dennis (Cerbos)
11/08/2022, 12:38 AM
R.attr.location_id in <list of constants>.
If your question is more general, there's a tutorial https://docs.cerbos.dev/cerbos/latest/tutorial/00_intro.html that gives an example of how to design the policy.
Owen Cummings
11/08/2022, 12:41 AM
Dennis (Cerbos)
11/08/2022, 12:44 AM
P and R are both present in the struct indexing expression, like in your P.attr.roles[R.attr.location_id].
My trick was to separate them into subexpressions.
Owen Cummings
11/08/2022, 12:46 AM
Dennis (Cerbos)
11/08/2022, 12:57 AM
Owen Cummings
11/08/2022, 4:51 PM
Dennis (Cerbos)
11/08/2022, 6:14 PM