#help

Owen Cummings

11/09/2022, 7:27 PM
I am having trouble with Cerbos finding my schema files. Probably something dumb I’m missing but I’m out of ideas. When I turn on schema enforcement in the conf.yaml I receive an error that Cerbos can’t find the configured schema files. My $PWD looks like this:
.
├── README.md
├── _schemas
│   ├── desk.json
│   ├── entry.json
│   └── principal.json
├── conf.yaml
├── policies
│   ├── derived_roles
│   │   └── my_roles.yaml
│   └── resource
│       ├── desk.yaml
│       └── entry.yaml
├── start.sh
└── tests
    ├── desk_test.yaml
    ├── entry_test.yaml
    └── testdata
        ├── principals.yaml
        └── resources.yaml
My docker command looks like this:
docker run --rm --name cerbos -p 3592:3592 -p 3593:3593 -v $PWD:/blah ghcr.io/cerbos/cerbos:latest server --config=/blah/conf.yaml
My policy looks like this:
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: default
  resource: entry
  importDerivedRoles:
    - my_roles
  rules:
    - actions:
        - "entry:read"
      effect: EFFECT_ALLOW
      derivedRoles:
        - employee
      condition:
        match:
          any:
            of:
              - expr: P.attr.employee_id == R.attr.employee_id
              - expr: R.attr.location_id in P.attr.permissions.filter(x, P.attr.permissions[x].exists(y, y == "entry.read_all"))

    - actions:
        - "entry:read"
      effect: EFFECT_ALLOW
      derivedRoles:
        - global_admin
        - location_admin
        - receptionist

  schemas:
    principalSchema:
      ref: cerbos:///principal.json
    resourceSchema:
      ref: cerbos:///entry.json

Charith (Cerbos)

11/09/2022, 7:52 PM
Hi. I am guessing that the main issue is that you have your conf.yaml file in the directory that Cerbos is looking for policies. If you move your tests and _schemas directories under the policies directory and configure Cerbos storage dir to policies, I think it will work.
7:55 PM
Like this:
|- conf.yaml
|- policies
   |- _schemas
   |- derived_roles
   |- resource
   |- tests
7:56 PM
docker run --rm --name cerbos -p 3592:3592 -p 3593:3593 -v $PWD:/blah ghcr.io/cerbos/cerbos:latest server --config=/blah/conf.yaml --set=storage.disk.directory=/blah/policies

Owen Cummings

11/09/2022, 7:58 PM
cool will try that thanks
8:05 PM
success! ty