Skip to main content

Policy Management

The tcb policy command (v3.5.7+) is used to manage OPA Rego authentication policies for CloudBase environments, including viewing policy lists, retrieving policy content, and setting user policies. Once a Rego policy is set, legacy gateway authentication will be invalidated. The old commands tcb permission set/get are deprecated — please migrate to tcb policy.

OPA Authentication Policy Concepts

For how OPA authentication policies work, the input context structure, the allow / deny decision matrix, and real-world cases, see OPA Authentication Policy Introduction. For the steps and policy translation reference to migrate from legacy gateway authentication to OPA Rego, see Migration Guide.

tcb policy list

View the list of gateway authentication policies for the environment.

Returns an empty list in PG environments and OPA engine environments.

tcb policy list [options]

Parameters

ParameterDescriptionDefault
-e, --env-id <envId>Environment ID
--resource-type <type>Filter by resource type, available value: policyAll
--jsonOutput JSON

Output Fields

FieldDescription
PolicyIdPolicy ID
ResourceTypeResource type
ResourceIdResource ID
ResourceTitleResource title
ResourceNameResource name
EffectEffect (Allow/Deny)
IsAccessIs accessible
RoleIdentityRole identity
RoleNameRole name
SafeRuleSafe rule

Examples

# View all policies
tcb policy list -e my-env-id

# Filter by resource type
tcb policy list --resource-type policy -e my-env-id

# Output in JSON format
tcb policy list --json -e my-env-id

tcb policy get

Retrieve authentication policy content (Rego format). By default, it retrieves the user-configured policy. Use --extension to retrieve the platform-configured policy for the environment.

tcb policy get [options]

Parameters

ParameterDescription
-e, --env-id <envId>Environment ID
--extensionRetrieve the platform-configured policy for the environment (default: user policy)
--jsonOutput JSON

Examples

# Retrieve user policy
tcb policy get -e my-env-id

# Retrieve platform extension policy
tcb policy get --extension -e my-env-id

# Output in JSON format
tcb policy get --json -e my-env-id

tcb policy set

Set the user Rego authentication policy. Once saved, the legacy gateway authentication will be invalidated.

tcb policy set [regoContent]

Parameters

ParameterDescription
<regoContent>Rego policy content (required)
-e, --env-id <envId>Environment ID
--jsonOutput JSON
Important

Once a Rego policy is set, the legacy gateway authentication will be invalidated. Please confirm the policy content is correct before executing.

Rego Policy Format

The policy must start with package authz.user and use OPA Rego syntax:

package authz.user

default allow := false

# Example: Allow anonymous users to access cloud functions
allow if {
input.cloudbase.resource_type == "functions"
input.subject.auth_type == "anonymous"
}

For details on input fields, please refer to OPA Authentication Policy Introduction.

Examples

# Pass Rego content directly
tcb policy set 'package authz.user

default allow := false

# Allow anonymous users to access cloud functions
allow if {
input.cloudbase.resource_type == "functions"
input.subject.auth_type == "anonymous"
}' -e my-env-id

# Output in JSON format
tcb policy set 'package authz.user

default allow := false' --json -e my-env-id