William Vitali

12/16/2022, 4:58 PM
Hello all, I am facing an issue here and can't seem to find why. I am using version 0.23.1.
This policy works:
---
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  importDerivedRoles:
    - common_roles
  resource: "candidate:object"
  rules:
    - actions: ['*']
      effect: EFFECT_ALLOW
      derivedRoles:
        - admin_africa
      condition:
        match:
          expr: request.resource.attr.continents == "africa"
But if I replace the last line with
          expr: "africa" in request.resource.attr.continents
then I have the error
{"log.level":"warn","@timestamp":"2022-12-16T16:55:20.233Z","log.logger":"cerbos.dir.watch","message":"Failed to read policy from file","dir":"/policies","file":"resource_candidate.yaml","error":"failed to convert YAML to JSON: yaml: line 14: did not find expected key"}
Does anybody know why I can't use the "in" keyword here?

Alex Olivier (Cerbos)

12/16/2022, 5:01 PM
Hey, this is a YAML escaping edge case - a line can’t begin with ". The following will work though:
---
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  importDerivedRoles:
    - common_roles
  resource: "candidate:object"
  rules:
    - actions: ['*']
      effect: EFFECT_ALLOW
      derivedRoles:
        - admin_africa
      condition:
        match:
          expr: >
            "africa" in request.resource.attr.continents

William Vitali

12/16/2022, 5:03 PM
aah perfect thank you ! 🙏

Alex Olivier (Cerbos)

12/16/2022, 5:04 PM
You aren’t the first to run into this - we are planning to get some linting around it soon