Trying out Cerbos with MinIO S3 storage

Published: 2023-10-12 22:43:28  Author: 荣锋亮

Cerbos supports blob storage for policies; below is a trial of integrating it with MinIO's S3 API.

Environment setup

  • docker-compose
version: "3"
services:
    minio:
       image: minio/minio
       ports:
         - "9000:9000"
         - "9001:9001"
       command: server /data --console-address ":9001"
       environment:
         MINIO_ACCESS_KEY: minio
         MINIO_SECRET_KEY: minio123
    cerbos:
       image:  ghcr.io/cerbos/cerbos:latest
       volumes:
         - ./policies:/policies
         - ./config:/config
       env_file:
       - ./.env
       command: server --config=/config/conf.yaml
       ports:
         - "3592:3592"
         - "3593:3593"
    cerbos-compile:
       profiles:
         - compile
       image:  ghcr.io/cerbos/cerbos:latest
       volumes:
         - ./policies:/policies
       command: compile /policies
       env_file:
       - ./.env
       ports:
         - "3594:3592"
         - "3595:3593"
  • Configuration
    conf.yaml
 
---
server:
  httpListenAddr: ":3592"
  grpcListenAddr: ":3593"
 
# storage:
#   driver: "disk"
#   disk:
#     directory: /policies
#     watchForChanges: true
 
storage:
  driver: "blob"
  blob:
    # reference configuration for MinIO through the AWS Go SDK
    bucket: "s3://demoapp-cerbos/policies?endpoint=minio:9000&disableSSL=true&s3ForcePathStyle=true&region=us-east-1"
    prefix: policies
    workDir: ${HOME}/tmp/cerbos/work
    updatePollInterval: 15s
    downloadTimeout: 30s
    requestTimeout: 10s

Environment variables (.env)
Mainly the credentials S3 needs:

 
AWS_ACCESS_KEY_ID=minio
AWS_SECRET_ACCESS_KEY=minio123
  • S3 policy
    Create the demoapp-cerbos bucket directly and create a policies path inside it; its contents are as follows
 
---
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: default
  resource: contact
  rules:
  - actions: ["*"]
    effect: EFFECT_ALLOW
    roles:
      - admin    
  - actions: ["read", "create"]
    effect: EFFECT_ALLOW
    roles:
      - user
    condition:
      match:
          expr: request.principal.attr.department == "Sales"
 
  - actions: ["update", "delete"]
    effect: EFFECT_ALLOW
    roles:
      - user
    condition:
      match:
          expr: request.resource.attr.ownerId == request.principal.id
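
The compose file, conf.yaml and .env above together form the storage configuration. As an added example (not code from the Cerbos project or from this post), the following Python script parses the blob bucket URL from conf.yaml and the credentials from .env and reports the settings that are fine for a local trial but should be reviewed before the same configuration is reused elsewhere: disableSSL=true, the demo credentials, and the path-style flag MinIO usually needs. The inputs are copied from the page; the findings and their wording are this example's own.

```python
"""Review a Cerbos blob-storage configuration pointed at MinIO.

Added example, not Cerbos's own code. It parses the bucket URL with the
standard library only, so it runs offline.
"""
from urllib.parse import parse_qs, urlparse

# Constructed inputs: copied from the conf.yaml and .env shown on this page.
BUCKET_URL = ("s3://demoapp-cerbos/policies?endpoint=minio:9000"
              "&disableSSL=true&s3ForcePathStyle=true&region=us-east-1")
PREFIX = "policies"
ENV = {"AWS_ACCESS_KEY_ID": "minio", "AWS_SECRET_ACCESS_KEY": "minio123"}


def parse_bucket_url(url):
    """Split a Cerbos blob bucket URL into bucket, path and query options."""
    parts = urlparse(url)
    if parts.scheme != "s3":
        raise ValueError(f"expected an s3:// URL, got {parts.scheme!r}")
    # parse_qs returns lists; keep the last value of each option
    query = {k: v[-1] for k, v in parse_qs(parts.query).items()}
    return {
        "bucket": parts.netloc,
        "path": parts.path.strip("/"),
        "endpoint": query.get("endpoint", ""),
        "disable_ssl": query.get("disableSSL", "false").lower() == "true",
        "path_style": query.get("s3ForcePathStyle", "false").lower() == "true",
        "region": query.get("region", ""),
    }


def review(url, prefix, env):
    """Return (parsed config, list of (severity, message) findings)."""
    cfg = parse_bucket_url(url)
    findings = []
    if cfg["disable_ssl"]:
        findings.append(("warn", "disableSSL=true: policies and credentials travel "
                                 "in clear text; acceptable only on an isolated lab network"))
    for var in ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"):
        if not env.get(var):
            findings.append(("error", f"{var} is not set; Cerbos cannot "
                                      "authenticate to the bucket"))
    if env.get("AWS_ACCESS_KEY_ID") == "minio" and env.get("AWS_SECRET_ACCESS_KEY") == "minio123":
        findings.append(("warn", "credentials are the demo values from this post; "
                                 "change them before any shared deployment"))
    if cfg["endpoint"] and not cfg["path_style"]:
        findings.append(("info", "custom endpoint without s3ForcePathStyle=true usually "
                                 "fails against MinIO, which serves buckets path-style by default"))
    return cfg, findings


if __name__ == "__main__":
    cfg, findings = review(BUCKET_URL, PREFIX, ENV)
    print("bucket:", cfg["bucket"], "prefix:", PREFIX, "endpoint:", cfg["endpoint"])
    for severity, message in findings:
        print(f"[{severity}] {message}")
```

Running it against the page's configuration reports two warnings (clear-text transport and demo credentials); with disableSSL=false and service credentials of its own the list is empty.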
 

Result in S3

 

Code integration test

Still the Node.js code from before:

 
const { HTTP } = require("@cerbos/http");
 
// Cerbos HTTP listener exposed by docker-compose above
const cerbos = new HTTP("http://localhost:3592");
 
const demo = async function () {
    // ownerId equals the principal id, so the policy's update/delete rule applies
    let result = await cerbos.isAllowed({
        principal: {
            id: "user@example.com",
            roles: ["user"],
            attr: { department: "Sales" },
        },
        resource: {
            kind: "contact",
            id: "333",
            attr: { ownerId: "user@example.com" },
        },
        action: "delete",
    });
    console.log(result);
};
 
demo();
  • Result
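
To see what the contact policy above actually grants, here is an added illustration (not Cerbos's engine and not the original post's code): each of the three rules becomes a Python predicate over (principal, resource, action), evaluation is default-deny with an allow only when an action, a role and the condition all match, and a few constructed requests are run through it, including the exact request the Node.js script sends. Only EFFECT_ALLOW rules appear on this page, so the DENY precedence Cerbos applies to real policies is not modelled here.

```python
"""Local model of the three rules in the contact policy.

Added illustration for reasoning about the policy; Cerbos itself evaluates
the real policy and may differ in details this model does not cover.
"""

EFFECT_ALLOW, EFFECT_DENY = "EFFECT_ALLOW", "EFFECT_DENY"

# One entry per rule in the policy: (actions, roles, condition). "*" matches any action.
RULES = [
    ({"*"}, {"admin"}, lambda p, r: True),
    ({"read", "create"}, {"user"},
     lambda p, r: p["attr"].get("department") == "Sales"),
    ({"update", "delete"}, {"user"},
     lambda p, r: r["attr"].get("ownerId") == p["id"]),
]


def rule_matches(rule, principal, resource, action):
    """A rule applies when the action, at least one role and the condition match."""
    actions, roles, condition = rule
    if "*" not in actions and action not in actions:
        return False
    if not roles & set(principal["roles"]):
        return False
    return bool(condition(principal, resource))


def decide(principal, resource, action):
    """Default deny: allow only if at least one ALLOW rule matches."""
    for rule in RULES:
        if rule_matches(rule, principal, resource, action):
            return EFFECT_ALLOW
    return EFFECT_DENY


def decision_table(principal, resource, actions=("read", "create", "update", "delete")):
    """Decision for every action, to compare principals side by side."""
    return {a: decide(principal, resource, a) for a in actions}


# Constructed requests. SALES_OWNER with action "delete" is what the Node.js script sends.
SALES_OWNER = {"id": "user@example.com", "roles": ["user"], "attr": {"department": "Sales"}}
SALES_NON_OWNER = {"id": "other@example.com", "roles": ["user"], "attr": {"department": "Sales"}}
HR_OWNER = {"id": "user@example.com", "roles": ["user"], "attr": {"department": "HR"}}
ADMIN = {"id": "admin@example.com", "roles": ["admin"], "attr": {}}
CONTACT_333 = {"kind": "contact", "id": "333", "attr": {"ownerId": "user@example.com"}}

if __name__ == "__main__":
    cases = [("sales owner", SALES_OWNER), ("sales non-owner", SALES_NON_OWNER),
             ("HR owner", HR_OWNER), ("admin", ADMIN)]
    for name, principal in cases:
        print(f"{name:16}", decision_table(principal, CONTACT_333))
```

The table makes the policy's shape visible: a Sales user who owns the contact gets all four actions, a Sales user who does not own it can only read and create, an owner outside Sales can only update and delete, and anyone without a matching role gets nothing.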

 

Notes

Cerbos's S3 support has several configuration parameters (such as the poll interval), and it also keeps a cache, so keep this in mind when using it.

References

https://github.com/cerbos/cerbos-sdk-javascript
https://docs.cerbos.dev/cerbos/latest/configuration/storage