
Ankit Khosla

11/23/2022, 2:16 PM
Hi all, a principal policy I created against create action is returning false inside the node app. But, the same policy when tested in playground is returning true for create action.
Owner has full access over manager and store_manager
apiVersion: api.cerbos.dev/v1
principalPolicy:
  version: default
  principal: owner
  rules:
    - resource: manager
      actions:
        - action: "*"
          effect: EFFECT_ALLOW
          condition:
            match:
              expr: R.attr.clientNumber == P.attr.clientNumber
    - resource: store_manager
      actions:
        - action: "*"
          effect: EFFECT_ALLOW
          condition:
            match:
              expr: R.attr.clientNumber == P.attr.clientNumber
Request body:
{
  "principal": {
    "id": "owner",
    "roles": [
      "OWNER"
    ],
    "attr": {
      "clientNumber": 1234
    }
  },
  "resource": {
    "kind": "manager",
    "id": "1",
    "attr": {
      "clientNumber": 1234
    }
  },
  "action": "CREATE"
}

Charith (Cerbos)

11/23/2022, 2:25 PM
It works with a curl request as well so I am not sure what's wrong. Can you paste your request code snippet here please?

Ankit Khosla

11/23/2022, 4:36 PM
Hi @Charith (Cerbos) I’ve provided the request body. I’ve created a small node server connected to cerbos along with docker-compose.

Andrew Haines (Cerbos)

11/24/2022, 9:21 AM
Hi Ankit, one difference between the SDK and the raw API is that the principal and request attributes are passed in via attributes rather than attr. So the request body needs to be slightly altered to work with the Node.js app.
I tried with this request body and got true as the response:
{
  "principal": {
    "id": "owner",
    "roles": [
      "OWNER"
    ],
    "attributes": {
      "clientNumber": 1234
    }
  },
  "resource": {
    "kind": "manager",
    "id": "1",
    "attributes": {
      "clientNumber": 1234
    }
  },
  "action": "CREATE"
}

Ankit Khosla

11/24/2022, 10:53 AM
Ah, got it. Thanks! @Andrew Haines (Cerbos). Would be great if we add attributes in this example. https://github.com/cerbos/cerbos-sdk-javascript/tree/main/packages/grpc#example-usage

Andrew Haines (Cerbos)

11/24/2022, 10:54 AM
Good call, will do!