A policy condition allows defining property, is_owner
```yaml
- action: 'update'
  condition:
  - type: is_owner
  - type: property
    match:
      status:
      - ACTIVE
      - CREATE_IN_PROGRESS
      - UPDATE_IN_PROGRESS
      - DELETE_IN_PROGRESS
      - ERROR
  effect: allow
  id: member
  principal: Member
```
which will apply an AND rule. Unfortunately, there is no way to implement a "shared admin resource", which can be created by a normal user within his project, but which an admin can also create and then publish for all tenants with the "is_public" flag.
Policy could look like this:
```yaml
- action: 'read'
  condition:
  - type: or
    operands:
    - type: is_owner
    - type: property
      match:
        is_public: true
  effect: allow
  id: member
  principal: Member
```
Note:
The policy itself should be simple, but the bigger problem is the DB layer, which doesn't allow OR operators (only AND, =, WHERE IN).
You can just have two separate policies; whichever matches will be applied.
Defining a generic policy language isn't easy, so I would like to keep the policy layer simple with minimal function, and let application developers use extensions for complicated cases.
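The `or` condition proposed in the issue, carried down to the DB layer as a parameterized filter. This is an added example, not the project's own code: the `Cond` type, the `Where` function, the `tenant_id` column and the `?` placeholder style are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Cond (hypothetical): Type is "is_owner", "property" (Column is one of Values) or "or".
type Cond struct {
	Type, Column string
	Values       []any
	Operands     []Cond
}

var ident = regexp.MustCompile(`^[a-z_][a-z0-9_]*$`) // column names are interpolated

// Where renders conds joined by op ("AND" at the top level) as a
// parameterized filter. The tenant_id column name is an assumption.
func Where(conds []Cond, op, tenant string) (sql string, args []any, err error) {
	if len(conds) == 0 { // an empty AND matches every row, an empty OR none
		return map[string]string{"AND": "1 = 1", "OR": "1 = 0"}[op], nil, nil
	}
	var parts []string
	for _, c := range conds {
		switch {
		case c.Type == "is_owner":
			parts, args = append(parts, "tenant_id = ?"), append(args, tenant)
		case c.Type == "property" && ident.MatchString(c.Column) && len(c.Values) > 0:
			marks := strings.TrimSuffix(strings.Repeat("?, ", len(c.Values)), ", ")
			parts = append(parts, c.Column+" IN ("+marks+")")
			args = append(args, c.Values...)
		case c.Type == "or":
			sub, subArgs, err := Where(c.Operands, "OR", tenant)
			if err != nil {
				return "", nil, err
			}
			// Parentheses keep the OR from absorbing sibling AND terms.
			parts, args = append(parts, "("+sub+")"), append(args, subArgs...)
		default:
			return "", nil, fmt.Errorf("unsupported condition %+v", c)
		}
	}
	return strings.Join(parts, " "+op+" "), args, nil
}

func main() {
	or := Cond{Type: "or", Operands: []Cond{{Type: "is_owner"}, {Type: "property", Column: "is_public", Values: []any{true}}}}
	fmt.Println(Where([]Cond{or}, "AND", "tenant-a"))
}
```

Without the parentheses, an `or` placed next to a `status` match would render as `tenant_id = ? OR is_public IN (?) AND status IN (...)`, which lets the owner branch bypass the status restriction.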