Policy Management
The tcb policy command (v3.5.7+) is used to manage OPA Rego authentication policies for CloudBase environments, including viewing policy lists, retrieving policy content, and setting user policies. Once a Rego policy is set, legacy gateway authentication will be invalidated. The old commands tcb permission set/get are deprecated — please migrate to tcb policy.
For how OPA authentication policies work, the input context structure, the allow / deny decision matrix, and real-world cases, see OPA Authentication Policy Introduction. For the steps and policy translation reference to migrate from legacy gateway authentication to OPA Rego, see Migration Guide.
tcb policy list
View the list of gateway authentication policies for the environment.
Returns an empty list in PG environments and OPA engine environments.
tcb policy list [options]
Parameters
| Parameter | Description | Default |
|---|---|---|
-e, --env-id <envId> | Environment ID | — |
--resource-type <type> | Filter by resource type, available value: policy | All |
--json | Output JSON | — |
Output Fields
| Field | Description |
|---|---|
| PolicyId | Policy ID |
| ResourceType | Resource type |
| ResourceId | Resource ID |
| ResourceTitle | Resource title |
| ResourceName | Resource name |
| Effect | Effect (Allow/Deny) |
| IsAccess | Is accessible |
| RoleIdentity | Role identity |
| RoleName | Role name |
| SafeRule | Safe rule |
Examples
# View all policies
tcb policy list -e my-env-id
# Filter by resource type
tcb policy list --resource-type policy -e my-env-id
# Output in JSON format
tcb policy list --json -e my-env-id
tcb policy get
Retrieve authentication policy content (Rego format). By default, it retrieves the user-configured policy. Use --extension to retrieve the platform-configured policy for the environment.
tcb policy get [options]
Parameters
| Parameter | Description |
|---|---|
-e, --env-id <envId> | Environment ID |
--extension | Retrieve the platform-configured policy for the environment (default: user policy) |
--json | Output JSON |
Examples
# Retrieve user policy
tcb policy get -e my-env-id
# Retrieve platform extension policy
tcb policy get --extension -e my-env-id
# Output in JSON format
tcb policy get --json -e my-env-id
tcb policy set
Set the user Rego authentication policy. Once saved, the legacy gateway authentication will be invalidated.
tcb policy set [regoContent]
Parameters
| Parameter | Description |
|---|---|
<regoContent> | Rego policy content (required) |
-e, --env-id <envId> | Environment ID |
--json | Output JSON |
Once a Rego policy is set, the legacy gateway authentication will be invalidated. Please confirm the policy content is correct before executing.
Rego Policy Format
The policy must start with package authz.user and use OPA Rego syntax:
package authz.user
default allow := false
# Example: Allow anonymous users to access cloud functions
allow if {
input.cloudbase.resource_type == "functions"
input.subject.auth_type == "anonymous"
}
For details on input fields, please refer to OPA Authentication Policy Introduction.
Examples
# Pass Rego content directly
tcb policy set 'package authz.user
default allow := false
# Allow anonymous users to access cloud functions
allow if {
input.cloudbase.resource_type == "functions"
input.subject.auth_type == "anonymous"
}' -e my-env-id
# Output in JSON format
tcb policy set 'package authz.user
default allow := false' --json -e my-env-id
Related Commands
tcb permission— Legacy gateway resource permission management (deprecated)tcb role— Manage roles and access policies- Console configuration: CloudBase Console