Able the encrypt using the SDK examples, unable to decrypt

[caread850]

I have an instance of the platform and Keycloak installed and I have provisioned Keycloak from the service and that ran with no issues. I am attempting to encrypt and decrypt using the examples within the project but not having much luck:

> ./examples encrypt "This is a test"

...

rpc error: code = NotFound desc = resource not found

As far as I can tell, this just takes a string value and the rest of the defaults should be fine.

Also, is there any documentation on how the user attributes in Keycloak are used to control the ABAC decisions for granting decryption? From what I can see, the client uses the Client/secret credentials in Keycloak, but attributes are associated with users in Keycloak. There must be some way to joint these two entities together in a manageable way?

[jrschumacher]

The attributes within the IdP (in this case Keycloak) do not specifically drive access. The way we derive access control is through entitlement.

Entitlement is handled through Subject Mappings where by the user is referred to as the subject.

The CLI is the best way to manage your subject mappings unless you want to draft your own gRPC requests. https://github.com/opentdf/otdfctl

[caread850]

Thanks for the reply. Just running through the CLI adding attributes seems straight forward. Adding subject condition sets was a little trickier as I couldn't find the format for the JSON required by the --subject-sets-file-json. For those reading, it is something like this:

[
    {
        "condition_groups": [
            {
                "conditions": [
                    {
                        "subject_external_selector_value": ".nationality",
                        "operator": 1,
                        "subject_external_values": [
                            "AUS",
                            "NZL",
                            "USA",
                            "GBR",
                            "CAN"
                        ]
                    },
                    {
                        "operator": 3
                    },
                    {
                        "subject_external_selector_value": ".clearance",
                        "operator": 1,
                        "subject_external_values": [
                            "TOP SECRET",
                            "SECRET",
                            "CLASSIFIED",
                            "OFFICIAL: PROTECTED",
                            "OFFICIAL",
                            "UNCLASSIFIED"
                        ]
                    }
                ],
                "boolean_operator": 2
            }
        ]
    }
]

The policy sections subject-condition-sets seems to be missing a list command at the moment, but no big deal, I can work around that.

Trying to create a subject-mapping is a little trickier. I think I have the command format correct, but I get a Failed to create subject mapping: rpc error: code = InvalidArgument desc = resource relation invalid when trying to run a subject-mappings create.

I have a valid attribute ID and subject condition set id:

...policy subject-mappings create --attribute-value-id 4c63e72a-2db9-434c-8ef6-e451473dbfe0 --action-standard "DECRYPT" --subject-condition-set-id 3c56a6c9-9635-427f-b808-5e8fd395802c

4c63e72a-2db9-434c-8ef6-e451473dbfe0 │xxxxxxxx.space │nationality  │ANY_OF │[]     │true   │[]     │Mon Sep…│Mon Sep…
a021b958-db69-42ce-9b5f-1dd97fb9f835 │xxxxxxxx.space │clearance    │ANY_OF │[]     │true   │[]     │Mon Sep…│Mon Sep…

Id          │3c56a6c9-9635-427f-b808-5e8fd395802c 
SubjectSets │[{"condition_groups":[{"conditions":…
Created At  │Mon Sep  2 05:16:42 UTC 2024         
Updated At  │Mon Sep  2 05:16:42 UTC 2024         

[caread850]

I'll prompt this question in another thread and mark this as complete. Thanks!