Trying out Cerbos with MinIO S3 storage
Cerbos supports blob storage. The following is a trial integration with MinIO S3.
Environment setup
- docker-compose
version: "3"
services:
  minio:
    image: minio/minio
    ports:
      - "9000:9000"
      - "9001:9001"
    command: server /data --console-address ":9001"
    environment:
      MINIO_ACCESS_KEY: minio
      MINIO_SECRET_KEY: minio123
  cerbos:
    image: ghcr.io/cerbos/cerbos:latest
    volumes:
      - ./policies:/policies
      - ./config:/config
    env_file:
      - ./.env
    command: server --config=/config/conf.yaml
    ports:
      - "3592:3592"
      - "3593:3593"
  cerbos-compile:
    profiles:
      - compile
    image: ghcr.io/cerbos/cerbos:latest
    volumes:
      - ./policies:/policies
    command: compile /policies
    env_file:
      - ./.env
    ports:
      - "3594:3592"
      - "3595:3593"
- Configuration
conf.yaml
---
server:
  httpListenAddr: ":3592"
  grpcListenAddr: ":3593"
# storage:
#   driver: "disk"
#   disk:
#     directory: /policies
#     watchForChanges: true
storage:
  driver: "blob"
  blob:
    # based on the AWS Go SDK configuration for MinIO
    bucket: "s3://demoapp-cerbos/policies?endpoint=minio:9000&disableSSL=true&s3ForcePathStyle=true&region=us-east-1"
    prefix: policies
    workDir: ${HOME}/tmp/cerbos/work
    updatePollInterval: 15s
    downloadTimeout: 30s
    requestTimeout: 10s
Environment variables (.env)
These are mainly what S3 access needs
AWS_ACCESS_KEY_ID=minio
AWS_SECRET_ACCESS_KEY=minio123
- S3 policy
Create the demoapp-cerbos bucket and a policies path in it, with the following content
---
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: default
  resource: contact
  rules:
    - actions: ["*"]
      effect: EFFECT_ALLOW
      roles:
        - admin
    - actions: ["read", "create"]
      effect: EFFECT_ALLOW
      roles:
        - user
      condition:
        match:
          expr: request.principal.attr.department == "Sales"
    - actions: ["update", "delete"]
      effect: EFFECT_ALLOW
      roles:
        - user
      condition:
        match:
          expr: request.resource.attr.ownerId == request.principal.id
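The decisions this policy should produce can be pinned down in a Cerbos policy test suite, which `cerbos compile` (the command the cerbos-compile service above runs) executes for files ending in `_test.yaml`. This is an added example, not part of the original post; the file name policies/contact_test.yaml and the support_user and admin principals are constructed for illustration.

```yaml
---
# Added example: constructed test suite, e.g. policies/contact_test.yaml
name: ContactPolicyTests
description: Decision matrix for the contact resource policy
principals:
  sales_owner:            # same principal as the Node.js request on this page
    id: user@example.com
    roles: [user]
    attr:
      department: Sales
  support_user:           # constructed: outside Sales and not the owner
    id: other@example.com
    roles: [user]
    attr:
      department: Support
  admin:                  # constructed admin principal
    id: admin@example.com
    roles: [admin]
resources:
  contact_333:
    kind: contact
    id: "333"
    attr:
      ownerId: user@example.com
tests:
  - name: contact access by role, department and ownership
    input:
      principals: [sales_owner, support_user, admin]
      resources: [contact_333]
      actions: [read, create, update, delete]
    expected:
      - principal: sales_owner
        resource: contact_333
        actions:
          read: EFFECT_ALLOW
          create: EFFECT_ALLOW
          update: EFFECT_ALLOW
          delete: EFFECT_ALLOW
      - principal: support_user
        resource: contact_333
        actions: {read: EFFECT_DENY, create: EFFECT_DENY, update: EFFECT_DENY, delete: EFFECT_DENY}
      - principal: admin
        resource: contact_333
        actions: {read: EFFECT_ALLOW, create: EFFECT_ALLOW, update: EFFECT_ALLOW, delete: EFFECT_ALLOW}
```

The update/delete rule checks ownership only, so a user outside Sales who owns a contact would still be allowed to update and delete it while being denied read; add such a principal to the suite if that combination matters.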
Result in S3
Code integration test
This reuses the earlier Node.js code
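const { HTTP } = require("@cerbos/http");

// Cerbos HTTP listener exposed by docker-compose
const cerbos = new HTTP("http://localhost:3592");

const demo = async function () {
  // Ask whether this principal may delete contact 333
  const result = await cerbos.isAllowed({
    principal: {
      id: "user@example.com",
      roles: ["user"],
      attr: { department: "Sales" },
    },
    resource: {
      kind: "contact",
      id: "333",
      attr: { ownerId: "user@example.com" },
    },
    action: "delete",
  });
  console.log(result);
};

// Report connection or request errors instead of leaving the rejection unhandled
demo().catch(console.error);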
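- Result
Notes
Cerbos's S3 support has several configuration parameters that control pulling (poll interval and timeouts), and it also keeps a cache, so keep this in mind when using it: a policy change in the bucket does not take effect immediately.
References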
https://github.com/cerbos/cerbos-sdk-javascript
https://docs.cerbos.dev/cerbos/latest/configuration/storage