keyword "role" is treated as role name by mistake

Question

keyword "role" is treated as role name by mistake

caiwl opened this issue 6 years ago · 3 comments

Seems the keyword "role" is treated as role name in below scenario. It is a bug.

spctl create rolepolicy -c "grant user wcai role admin if b =c" --service-name=sjSXI7xvE6uRtohxQWDiVSK9v8zPpXxHL
rolepolicy created
{"id":"4c2tsjz4s2kae3getn2j","name":"","effect":"grant","roles":["role"],"principals":["user:wcai"],"metadata":{"createtime":"2019-04-09T11:38:08Z"}}

Answer 1 · 2019-04-09T13:01:39.000Z

@caiwl You should use the following instead:

spctl create rolepolicy -c "grant user wcai admin if b =c" --service-name=sjSXI7xvE6uRtohxQWDiVSK9v8zPpXxHL

rolepolicy can only grant principals to role, so you shouldn't use role admin.

Answer 2 · 2019-04-09T13:05:04.000Z

@xinnong-wang the keyword "role" is optional by design here. Users may or may not add "role". We will support both cases.

Answer 3 · 2019-04-09T13:22:35.000Z

https://speedle.io/docs/spdl/

ROLE = (role)? SUBJECT_IDENTIFIER

@caiwl You are right.