https://cerbos.dev logo
#help
Title
# help
m

Mohan Prasath

12/17/2022, 12:30 PM
Hello all, I'm facing a problem in
/api/check/resources
I'm getting invalid actions on the response. My Server config
Copy code
server:
  httpListenAddr: ":3592"
  adminAPI:
    enabled: true
    adminCredentials:
      username: ''
      passwordHash: ''
  playgroundEnabled: true
storage:
  driver: "mysql"
  mysql:
    dsn: "user:password@tcp(localhost:3306)/cerbos"
    connPool:
      maxLifeTime: 60m
      maxIdleTime: 45s
      maxOpen: 4
      maxIdle: 1
request and response from
/admin/policy
Copy code
curl --request GET \
  --url '<http://172.31.39.159:3592/admin/policy?id=principal.student.vdefault>'
Response
Copy code
{
  "policies": [
    {
      "apiVersion": "api.cerbos.dev/v1",
      "metadata": {
        "hash": "13174666176308465445",
        "storeIdentifer": "principal.student.vdefault"
      },
      "principalPolicy": {
        "principal": "student",
        "version": "default",
        "rules": [
          {
            "resource": "student-management",
            "actions": [
              {
                "action": "read",
                "effect": "EFFECT_ALLOW"
              }
            ]
          }
        ]
      }
    }
  ]
}
Now I'm testing the
/api/check/resources
Copy code
curl --request POST \
  --url <http://172.31.39.159:3592/api/check/resources> \
  --header 'Content-Type: application/json' \
  --data '{
	"requestId": "c2db17b8-4f9f-4fb1-acfd-9162a02be42b",
	"principal": {
		"id": "student",
		"policyVersion": "default",
		"roles": [
			"student"
		],
		"attr": {
			"beta_tester": true
		}
	},
	"resources": [
		{
			"actions": [
				"read",
				"delete"
			],
			"resource": {
				"kind": "student-management",
				"policyVersion": "default",
				"id": "XX125",
				"attr": {
				}
			}
		}
	]
}'
Response
Copy code
{
  "requestId": "c2db17b8-4f9f-4fb1-acfd-9162a02be42b",
  "results": [
    {
      "resource": {
        "id": "XX125",
        "kind": "student-management",
        "policyVersion": "default"
      },
      "actions": {
        "delete": "EFFECT_DENY",
        "read": "EFFECT_DENY"
      }
    }
  ]
}
The expected response is action
read
should be as
EFFECT_ALLOW
Please explain why I'm getting EFFECT_DENY instead of EFFECT_ALLOW
o

oguzhan

12/17/2022, 4:15 PM
Hi! This happens because our current assumption is that there’ll always be a resource policy that then gets overridden per principal via principal policies. So, the way to make it work is to at least create an empty resource policy like the following;
Copy code
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: default
  resource: student-management
We will consider to make resource policy optional in a future release.
m

Mohan Prasath

12/19/2022, 4:39 AM
Thank you for your response. Actually, I was looking for documentation on how to add a resource policy to cerbos. I can't find the relevant info here https://docs.cerbos.dev/cerbos/latest/api/admin_api.html
o

oguzhan

12/19/2022, 8:33 AM
You can use the
cerbosctl
to do that, specifically
cerbosctl put
command. https://docs.cerbos.dev/cerbos/latest/cli/cerbosctl.html#put Like this;
Copy code
cerbosctl --server=localhost:3593 --username=user --password=password --plaintext put ~/path/to/resource_policy.yaml
m

Mohan Prasath

12/19/2022, 8:37 AM
Are there any APIs to add a new resource policy?
o

oguzhan

12/19/2022, 8:39 AM
https://docs.cerbos.dev/cerbos/latest/api/admin_api.html#_addupdate_policies You can use this (
POST /admin/policy
) API endpoint to add every type policy, including resource policies.
m

Mohan Prasath

12/19/2022, 8:41 AM
Thanks @oguzhan But I can't find the CURL request to add or update resource policies. Can you please send it here?
o

oguzhan

12/19/2022, 8:50 AM
This should work;
Copy code
curl -X POST <http://127.0.0.1:3592/admin/policy> -u cerbos:cerbosAdmin -H 'Content-Type: application/json' -d '{"policies":[{"apiVersion":"api.cerbos.dev/v1","resourcePolicy":{"version":"default","resource":"student-management"}}]}'
cerbos
and
cerbosAdmin
being the Cerbos AdminAPI username and password, respectively.
m

Mohan Prasath

12/19/2022, 8:52 AM
Thank you so much.
5 Views