Cerbos supports blob storage; the following is a trial of its integration with MinIO (S3).
Environment setup
- docker-compose
version: "3"
services:
  minio:
    image: minio/minio
    ports:
      - "9000:9000"
      - "9001:9001"
    command: server /data --console-address ":9001"
    environment:
      MINIO_ACCESS_KEY: minio
      MINIO_SECRET_KEY: minio123
  cerbos:
    image: ghcr.io/cerbos/cerbos:latest
    volumes:
      - ./policies:/policies
      - ./config:/config
    env_file:
      - ./.env
    command: server --config=/config/conf.yaml
    ports:
      - "3592:3592"
      - "3593:3593"
  cerbos-compile:
    profiles:
      - compile
    image: ghcr.io/cerbos/cerbos:latest
    volumes:
      - ./policies:/policies
    command: compile /policies
    env_file:
      - ./.env
    ports:
      - "3594:3592"
      - "3595:3593"
- Configuration
conf.yaml
---
server:
  httpListenAddr: ":3592"
  grpcListenAddr: ":3593"
# storage:
#   driver: "disk"
#   disk:
#     directory: /policies
#     watchForChanges: true
storage:
  driver: "blob"
  blob:
    # reference configuration for MinIO through the AWS Go SDK
    bucket: "s3://demoapp-cerbos/policies?endpoint=minio:9000&disableSSL=true&s3ForcePathStyle=true&region=us-east-1"
    prefix: policies
    workDir: ${HOME}/tmp/cerbos/work
    updatePollInterval: 15s
    downloadTimeout: 30s
    requestTimeout: 10s
Environment variables (.env)
Mainly the credentials S3 needs
AWS_ACCESS_KEY_ID=minio
AWS_SECRET_ACCESS_KEY=minio123
- S3 policy
Create the demoapp-cerbos bucket directly and create a policies path in it, with the following content
---
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: default
  resource: contact
  rules:
    - actions: ["*"]
      effect: EFFECT_ALLOW
      roles:
        - admin
    - actions: ["read", "create"]
      effect: EFFECT_ALLOW
      roles:
        - user
      condition:
        match:
          expr: request.principal.attr.department == "Sales"
    - actions: ["update", "delete"]
      effect: EFFECT_ALLOW
      roles:
        - user
      condition:
        match:
          expr: request.resource.attr.ownerId == request.principal.id
S3 result
Code integration test
Still the Node.js code from before
const { HTTP } = require("@cerbos/http");
// HTTP client pointed at the Cerbos container's HTTP listener
const cerbos = new HTTP("http://localhost:3592");
const demo = async function () {
  // user in Sales deleting a contact they own: matched by the third rule
  let result = await cerbos.isAllowed({
    principal: {
      id: "user@example.com",
      roles: ["user"],
      attr: { department: "Sales" },
    },
    resource: {
      kind: "contact",
      id: "333",
      attr: { ownerId: "user@example.com" },
    },
    action: "delete",
  });
  console.log(result);
};
demo();
- Result
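To show what the contact policy above decides for the request in the script and for a few other principals, here is an added local model of its three allow rules (not Cerbos's engine and not code from the original post); the `hr` and `admin` principals are constructed for illustration, and real checks still go through `cerbos.isAllowed()`.

```javascript
// Added illustration, not Cerbos's engine: a local model of the three allow
// rules in the "contact" policy above, so the expected decisions can be
// tabulated without a running Cerbos server. It mirrors the semantics of that
// all-allow policy only: default deny, and a rule grants only when the action,
// one of the roles, and (if present) the condition all match.

// Rules transcribed from the policy; closures stand in for the CEL expressions.
const contactPolicy = [
  { actions: ["*"], roles: ["admin"] },
  {
    actions: ["read", "create"],
    roles: ["user"],
    condition: (req) => req.principal.attr.department === "Sales",
  },
  {
    actions: ["update", "delete"],
    roles: ["user"],
    condition: (req) => req.resource.attr.ownerId === req.principal.id,
  },
];

// True only if some rule allows the request; anything else is denied.
function isAllowed(principal, resource, action) {
  const req = { principal, resource };
  return contactPolicy.some((rule) => {
    const actionOk = rule.actions.includes("*") || rule.actions.includes(action);
    const roleOk = rule.roles.some((r) => principal.roles.includes(r));
    const condOk = rule.condition ? rule.condition(req) : true;
    return actionOk && roleOk && condOk;
  });
}

// Constructed sample principals; contact333 is the resource from the script above.
const sales = { id: "user@example.com", roles: ["user"], attr: { department: "Sales" } };
const hr = { id: "hr@example.com", roles: ["user"], attr: { department: "HR" } };
const admin = { id: "admin@example.com", roles: ["admin"], attr: {} };
const contact333 = { kind: "contact", id: "333", attr: { ownerId: "user@example.com" } };

// Decision table: principal name -> action -> allowed?
function decisionTable() {
  const table = {};
  for (const [name, p] of [["sales", sales], ["hr", hr], ["admin", admin]]) {
    table[name] = {};
    for (const action of ["read", "create", "update", "delete"]) {
      table[name][action] = isAllowed(p, contact333, action);
    }
  }
  return table;
}

console.table(decisionTable());
```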
Notes
Cerbos's S3 support has several configuration parameters (such as the poll interval) and also involves a cache, so be aware of this when using it.
References
https://github.com/cerbos/cerbos-sdk-javascript
https://docs.cerbos.dev/cerbos/latest/configuration/storage