Owen Cummings
11/09/2022, 7:27 PM.
├── README.md
├── _schemas
│   ├── desk.json
│   ├── entry.json
│   └── principal.json
├── conf.yaml
├── policies
│   ├── derived_roles
│   │   └── my_roles.yaml
│   └── resource
│       ├── desk.yaml
│       └── entry.yaml
├── start.sh
└── tests
    ├── desk_test.yaml
    ├── entry_test.yaml
    └── testdata
        ├── principals.yaml
        └── resources.yaml
My docker command looks like this:
docker run --rm --name cerbos -p 3592:3592 -p 3593:3593 -v $PWD:/blah ghcr.io/cerbos/cerbos:latest server --config=/blah/conf.yaml
My policy looks like this:
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: default
  resource: entry
  importDerivedRoles:
    - my_roles
  rules:
    - actions:
        - "entry:read"
      effect: EFFECT_ALLOW
      derivedRoles:
        - employee
      condition:
        match:
          any:
            of:
              - expr: P.attr.employee_id == R.attr.employee_id
              - expr: R.attr.location_id in P.attr.permissions.filter(x, P.attr.permissions[x].exists(y, y == "entry.read_all"))
    - actions:
        - "entry:read"
      effect: EFFECT_ALLOW
      derivedRoles:
        - global_admin
        - location_admin
        - receptionist
  schemas:
    principalSchema:
      ref: cerbos:///principal.json
    resourceSchema:
      ref: cerbos:///entry.json
Charith (Cerbos)
11/09/2022, 7:52 PM
conf.yaml file in the directory that Cerbos is looking for policies. If you move your tests and _schemas directories under the policies directory and configure Cerbos storage dir to policies, I think it will work.
|- conf.yaml
|- policies
   |- _schemas
   |- derived_roles
   |- resource
   |- tests
docker run --rm --name cerbos -p 3592:3592 -p 3593:3593 -v $PWD:/blah ghcr.io/cerbos/cerbos:latest server --config=/blah/conf.yaml --set=storage.disk.directory=/blah/policies
Owen Cummings
11/09/2022, 7:58 PM