Caveat for ABAC+RBAC working on playground but not on local dev #2194
-
Hi, to address this scenario, I created a group to represent admins and managers, and documents are associated with groups. I tried the same in the SpiceDB playground and it is working fine. But when I tried the same on my local machine, the permission is denied for the first assert. I need to know what configuration is missing on my local machine.

Result of CheckPermission:
{
"checked_at": {
"token": "GhUKEzE3MzYzNDA4NDM0OTI1ODg1MDA="
},
"permissionship": "PERMISSIONSHIP_NO_PERMISSION",
"partial_caveat_info": null,
"debug_trace": {
"check": {
"resource": {
"object_type": "document",
"object_id": "doc2"
},
"permission": "read",
"permission_type": "PERMISSION_TYPE_PERMISSION",
"subject": {
"object": {
"object_type": "user",
"object_id": "tom"
},
"optional_relation": ""
},
"result": "PERMISSIONSHIP_CONDITIONAL_PERMISSION",
"caveat_evaluation_info": {
"expression": "requirement == group_id",
"result": "RESULT_FALSE",
"context": {
"fields": {
"group_id": {
"string_value": "admin"
},
"requirement": {
"string_value": "manager"
}
}
},
"partial_caveat_info": null,
"caveat_name": "group_owner"
},
"duration": {
"seconds": "0",
"nanos": 541700
},
"optional_expires_at": null,
"sub_problems": {
"traces": [
{
"resource": {
"object_type": "group",
"object_id": "admins,managers"
},
"permission": "read",
"permission_type": "PERMISSION_TYPE_PERMISSION",
"subject": {
"object": {
"object_type": "user",
"object_id": "tom"
},
"optional_relation": ""
},
"result": "PERMISSIONSHIP_HAS_PERMISSION",
"caveat_evaluation_info": null,
"duration": {
"seconds": "0",
"nanos": 541700
},
"optional_expires_at": null,
"sub_problems": {
"traces": [
{
"resource": {
"object_type": "admin",
"object_id": "admin1,admin2,admin3,admin4,admin5,admin6,admin7"
},
"permission": "read",
"permission_type": "PERMISSION_TYPE_PERMISSION",
"subject": {
"object": {
"object_type": "user",
"object_id": "tom"
},
"optional_relation": ""
},
"result": "PERMISSIONSHIP_HAS_PERMISSION",
"caveat_evaluation_info": null,
"duration": {
"seconds": "0",
"nanos": 541700
},
"optional_expires_at": null,
"sub_problems": {
"traces": [
{
"resource": {
"object_type": "admin",
"object_id": "admin1,admin2,admin3,admin4,admin5,admin6,admin7"
},
"permission": "owner",
"permission_type": "PERMISSION_TYPE_RELATION",
"subject": {
"object": {
"object_type": "user",
"object_id": "tom"
},
"optional_relation": ""
},
"result": "PERMISSIONSHIP_HAS_PERMISSION",
"caveat_evaluation_info": null,
"duration": {
"seconds": "0",
"nanos": 0
},
"optional_expires_at": null,
"was_cached_result": false
}
]
}
}
]
}
}
]
}
},
"schema_used": "caveat group_owner(group_id string, requirement string) {\n\trequirement == group_id\n}\n\ndefinition admin {\n\trelation owner: user\n\trelation parent: office\n\tpermission read = owner + parent->read\n\tpermission write = owner\n\tpermission access = owner\n}\n\ndefinition document {\n\trelation owner: group with group_owner\n\tpermission read = owner->read\n\tpermission write = owner->write\n}\n\ndefinition group {\n\trelation member: admin\n\tpermission read = member->read\n\tpermission write = member->write\n}\n\ndefinition office {\n\trelation parent: office\n\trelation manager: admin#owner\n\trelation child: office | admin\n\tpermission read = manager + parent->read\n\tpermission access = child->access\n}\n\ndefinition user {}"
},
"optional_expires_at": null
}
Replies: 3 comments 4 replies
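To see which caveat evaluation sits behind a denial in a response like the one posted above, the debug trace can be walked programmatically. This is an added example, not code from the original post or from SpiceDB; the function names are hypothetical and the sample is a constructed, trimmed copy of the posted response shape.

```python
import json

# Constructed sample: trimmed to the shape of the response in the post above.
SAMPLE = json.loads("""{
 "permissionship": "PERMISSIONSHIP_NO_PERMISSION",
 "debug_trace": {"check": {
  "resource": {"object_type": "document", "object_id": "doc2"},
  "permission": "read",
  "result": "PERMISSIONSHIP_CONDITIONAL_PERMISSION",
  "caveat_evaluation_info": {
   "expression": "requirement == group_id", "result": "RESULT_FALSE",
   "context": {"fields": {"group_id": {"string_value": "admin"},
                          "requirement": {"string_value": "manager"}}},
   "caveat_name": "group_owner"},
  "sub_problems": {"traces": [{
   "resource": {"object_type": "group", "object_id": "admins,managers"},
   "permission": "read", "result": "PERMISSIONSHIP_HAS_PERMISSION",
   "caveat_evaluation_info": null}]}}}}""")

def plain(struct):
    """Flatten the {"fields": {name: {"string_value": v}}} context encoding."""
    fields = (struct or {}).get("fields", {})
    return {k: next(iter(v.values()), None) for k, v in fields.items()}

def caveat_findings(node, depth=0):
    """Walk the check trace depth-first; yield one record per evaluated caveat."""
    info = node.get("caveat_evaluation_info")
    if info:
        res = node["resource"]
        yield {
            "depth": depth,
            "check": f'{res["object_type"]}:{res["object_id"]}#{node["permission"]}',
            "caveat": info.get("caveat_name"),
            "expression": info.get("expression"),
            "result": info.get("result"),
            "context": plain(info.get("context")),
        }
    for child in (node.get("sub_problems") or {}).get("traces", []):
        yield from caveat_findings(child, depth + 1)

def explain(response):
    """Return (final permissionship, list of caveat evaluations found in the trace)."""
    root = (response.get("debug_trace") or {}).get("check") or {}
    return response.get("permissionship"), list(caveat_findings(root))

if __name__ == "__main__":
    verdict, findings = explain(SAMPLE)
    print(verdict)
    for f in findings:
        print(f["check"], f["caveat"], f["result"], f["context"])
```

Run against the full posted response, it reports the single `group_owner` evaluation on `document:doc2#read` together with the context values that were compared.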
-
I just ran this locally and it still seems to work as expected:
How are you testing it locally?
-
Are you sure that the consistency syntax is correct on Postman? I've never used Postman for gRPC; does it error when it can't correctly serialize something or silently omit it? I could see this being a silent fallback to I'd also retry with a minimal subset of the relations you're writing, and make sure that the relations match your intent.
-
Hi @jithinprasadr, thank you for reporting this! This should be fixed in the latest release: v1.44.2.