# help
m
Hello all, I'm facing a problem in `/api/check/resources`. I'm getting invalid actions on the response. My server config:
```yaml
server:
  httpListenAddr: ":3592"
  adminAPI:
    enabled: true
    adminCredentials:
      username: ''
      passwordHash: ''
  playgroundEnabled: true
storage:
  driver: "mysql"
  mysql:
    dsn: "user:password@tcp(localhost:3306)/cerbos"
    connPool:
      maxLifeTime: 60m
      maxIdleTime: 45s
      maxOpen: 4
      maxIdle: 1
```
Request and response from `/admin/policy`:
```bash
curl --request GET \
  --url 'http://172.31.39.159:3592/admin/policy?id=principal.student.vdefault'
```
Response:
```json
{
  "policies": [
    {
      "apiVersion": "api.cerbos.dev/v1",
      "metadata": {
        "hash": "13174666176308465445",
        "storeIdentifer": "principal.student.vdefault"
      },
      "principalPolicy": {
        "principal": "student",
        "version": "default",
        "rules": [
          {
            "resource": "student-management",
            "actions": [
              {
                "action": "read",
                "effect": "EFFECT_ALLOW"
              }
            ]
          }
        ]
      }
    }
  ]
}
```
Now I'm testing the `/api/check/resources`:
```bash
curl --request POST \
  --url http://172.31.39.159:3592/api/check/resources \
  --header 'Content-Type: application/json' \
  --data '{
	"requestId": "c2db17b8-4f9f-4fb1-acfd-9162a02be42b",
	"principal": {
		"id": "student",
		"policyVersion": "default",
		"roles": [
			"student"
		],
		"attr": {
			"beta_tester": true
		}
	},
	"resources": [
		{
			"actions": [
				"read",
				"delete"
			],
			"resource": {
				"kind": "student-management",
				"policyVersion": "default",
				"id": "XX125",
				"attr": {
				}
			}
		}
	]
}'
```
Response:
```json
{
  "requestId": "c2db17b8-4f9f-4fb1-acfd-9162a02be42b",
  "results": [
    {
      "resource": {
        "id": "XX125",
        "kind": "student-management",
        "policyVersion": "default"
      },
      "actions": {
        "delete": "EFFECT_DENY",
        "read": "EFFECT_DENY"
      }
    }
  ]
}
```
The expected response is that action `read` should be `EFFECT_ALLOW`. Please explain why I'm getting `EFFECT_DENY` instead of `EFFECT_ALLOW`.
o
Hi! This happens because our current assumption is that there’ll always be a resource policy that then gets overridden per principal via principal policies. So, the way to make it work is to at least create an empty resource policy like the following;
```yaml
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: default
  resource: student-management
```
We will consider making resource policy optional in a future release.
m
Thank you for your response. Actually, I was looking for documentation on how to add a resource policy to cerbos. I can't find the relevant info here https://docs.cerbos.dev/cerbos/latest/api/admin_api.html
o
You can use `cerbosctl` to do that, specifically the `cerbosctl put` command. https://docs.cerbos.dev/cerbos/latest/cli/cerbosctl.html#put Like this;
```bash
cerbosctl --server=localhost:3593 --username=user --password=password --plaintext put ~/path/to/resource_policy.yaml
```
m
Are there any APIs to add a new resource policy?
o
https://docs.cerbos.dev/cerbos/latest/api/admin_api.html#_addupdate_policies You can use this (`POST /admin/policy`) API endpoint to add every type of policy, including resource policies.
m
Thanks @oguzhan. But I can't find the curl request to add or update resource policies. Can you please send it here?
o
This should work;
```bash
curl -X POST http://127.0.0.1:3592/admin/policy -u cerbos:cerbosAdmin -H 'Content-Type: application/json' -d '{"policies":[{"apiVersion":"api.cerbos.dev/v1","resourcePolicy":{"version":"default","resource":"student-management"}}]}'
```
`cerbos` and `cerbosAdmin` being the Cerbos AdminAPI username and password, respectively.
m
Thank you so much.