Does "semantic": "AnyOf" work?

Ziti Overlay
1

My Edge Router Policy has #eu attribute

{
  "name": "ID",
  "appData": "",
  "edgeRouterRoles": [
    "#eu"
  ],
  "identityRoles": [
    "@ID"
  ],
  "semantic": "AnyOf",
  "tags": {
    "zrok": "v1.0.4 [3f5db643]"
  }
}

The Service Edge Router Policy has #eu attribute also

{
  "name": "test",
  "appData": "",
  "edgeRouterRoles": [
    "#eu",
    "#au",
    "@7H8BaaKm9F"
  ],
  "serviceRoles": [
    "@4TDIgoL24R7kDi6z3EQZCe"
  ],
  "semantic": "AnyOf",
  "tags": {
    "zrok": "v1.0.6 [1ac77fa5]",
    "zrokShareToken": "test"
  }
}

I have gotten the error:

{
  "file": "/__w/zrok/zrok/agent/accessPrivate.go:45",
  "func": "github.com/openziti/zrok/agent.(*Agent).AccessPrivate.func1",
  "level": "info",
  "msg": "map[error:error for request Q-NWsh1BL: NO_EDGE_ROUTERS_AVAILABLE: No edge routers are assigned and online to handle the requested connection errorType:*rest_util.APIFormattedError file:/github/home/go/pkg/mod/github.com/openziti/sdk-golang@v1.2.1/ziti/ziti.go:1689 func:github.com/openziti/sdk-golang/ziti.(*ContextImpl).createSession level:warning msg:failure creating Dial session to service test time:2025-09-20T11:28:27.232647638+02:00]",
  "time": "2025-09-20T11:28:34.233Z"
}

ziti 1.6.7 + zrok 1.1.2

2

You can use ziti edge policy-advisor identities <identity name or id>? <service name or id>? to check if the policies look correct.

Note that even if policies are correct, if not all edge-routers are online, you can still get the 'no edge routers available' error.

The AnyOf semantic is heavily used, so while not impossible, I'd be surprised if you were encountering a bug.

3

It seems to work as expected.

Thank you

1 Like