oracle / speedle

Speedle is an open source project for access control.
https://speedle.io
Universal Permissive License v1.0

keyword "role" is treated as role name by mistake #7

Closed caiwl closed 5 years ago

caiwl commented 5 years ago

It seems the keyword "role" is treated as a role name in the scenario below. It is a bug.

spctl create rolepolicy -c "grant user wcai role admin if b =c" --service-name=sjSXI7xvE6uRtohxQWDiVSK9v8zPpXxHL

rolepolicy created
{"id":"4c2tsjz4s2kae3getn2j","name":"","effect":"grant","roles":["role"],"principals":["user:wcai"],"metadata":{"createtime":"2019-04-09T11:38:08Z"}}

xinnong-wang commented 5 years ago

@caiwl You should use the following instead:

spctl create rolepolicy -c "grant user wcai admin if b =c" --service-name=sjSXI7xvE6uRtohxQWDiVSK9v8zPpXxHL

rolepolicy can only grant principals to a role, so you shouldn't use role admin.

caiwl commented 5 years ago

@xinnong-wang the keyword "role" is optional by design here. Users may or may not add "role". We will support both cases.

xinnong-wang commented 5 years ago

https://speedle.io/docs/spdl/

ROLE = (role)? SUBJECT_IDENTIFIER

@caiwl You are right.
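
The optional keyword in the rule quoted above, `ROLE = (role)? SUBJECT_IDENTIFIER`, handled in a small parser. This is an added example, not Speedle's parser or code from the thread; the simplified statement shape (one `user` or `group` principal, one role, an optional `if` condition) and the names `RolePolicy` and `ParseRolePolicy` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// RolePolicy holds the parts of a simplified role policy statement.
type RolePolicy struct {
	Effect, Principal, Role, Condition string
}

// ParseRolePolicy parses: EFFECT (user|group) NAME (role)? NAME [if CONDITION]
// Assumed, simplified grammar for this example only.
func ParseRolePolicy(stmt string) (RolePolicy, error) {
	var p RolePolicy
	parts := strings.SplitN(stmt, " if ", 2)
	tok := strings.Fields(parts[0])
	if len(tok) < 4 {
		return p, fmt.Errorf("too few tokens in %q", parts[0])
	}
	if tok[0] != "grant" && tok[0] != "deny" {
		return p, fmt.Errorf("unknown effect %q", tok[0])
	}
	if tok[1] != "user" && tok[1] != "group" {
		return p, fmt.Errorf("unknown principal type %q", tok[1])
	}
	p.Effect, p.Principal = tok[0], tok[1]+":"+tok[2]
	rest := tok[3:]
	// ROLE = (role)? SUBJECT_IDENTIFIER: skip the keyword only when an
	// identifier follows it; a lone trailing "role" is read as the identifier.
	if rest[0] == "role" && len(rest) > 1 {
		rest = rest[1:]
	}
	// Reject leftover tokens instead of silently dropping them.
	if len(rest) != 1 {
		return p, fmt.Errorf("unexpected tokens after role: %v", rest[1:])
	}
	p.Role = rest[0]
	if len(parts) == 2 {
		p.Condition = strings.TrimSpace(parts[1])
	}
	return p, nil
}

func main() {
	fmt.Println(ParseRolePolicy("grant user wcai role admin if b =c")) // statement from the issue
	fmt.Println(ParseRolePolicy("grant user wcai admin if b =c"))      // form without the keyword
}
```

Both statements from the thread parse to the same policy with role `admin`, and a statement with tokens left over after the role is refused rather than stored with an unintended role name.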