Hi cerbos team, quick question. From what I understand, if there are 2 rules that apply for a given input - the DENY rule takes precedence I want to have rules to deny access to a resource based on attr conditions, for all roles, except for a superUser role. What is the best way to do that? Is there maybe a way to specify that the superUser roles has EFFECT_ALLOW for all actions - and to specify that this rule overrides every other rule?

Hi Cerbos team. Is it possible to send in attributes for all associated projects? Say that a user is associated with 3 different projects. The user has different roles in different projects. Can I send the complete project state in the principal attributes, and then check if the principal has access to a resource based on the parent project of the resource? For example:

{
  id: 'john',
  attr: {
    projects: [{id: 1, role: 'user'},{id: 2, role: 'manager'},{id: 3, role: 'owner'}]
  }
}

with a resource like

{
  "kind": "file",
  "attr": {
    "parentProjectId": 1,
    "name": "taxes.txt",
    "createdAt": "2023-05-011T10:00:00.021-05:00"
  }
}

and then create a derived role like

derivedRoles:

  definitions:
    - name: project_owner
      condition:
        match:
          expr: <check if the role is 'owner' in the element of P.attr.projects with the id matching the R.attr.parentProjectId>

Is it possible to write such a match-string? I know I can single out the project before sending the check, but if I can send the whole project state of a user (that rarely changes) it would be preferred.

so I want to implement a custom function that given an array and some integer n returns all possible n-sized combinations of elements w/in the array - is implementing this as custom function the best way? are the modules I can import that implement stuff like this? maybe @Dennis (Cerbos) or @Alex Olivier (Cerbos)

Q: Does serverInfo return a success mean the policies have been loaded correctly as well? I’m moving cerbos from a server model behind an load balancer to a sidecar, meaning it’ll be deployed far more frequently and want to make sure 🙂

i'm using below snippent to add or update the policy.

func (c *Client) AddOrUpdatePolicy(ctx context.Context) error {
    policySet := &cerbosclient.PolicySet{}
    if err := c.CerbosAdminClient.AddOrUpdatePolicy(ctx, policySet); err != nil {
        c.log.Errorf("Failed to add or update policy", err)
        return err
    }

    return nil
}
it is nt working, can someone help me on this

hello. according to https://docs.cerbos.dev/cerbos/latest/policies/compile.html#_running_tests,

To run the tests, provide the path to the tests directory using the --tests flag.

However, I've found that if I do not provide the

--tests

flag, the

cerbos

binary still goes ahead and self-discovers the test yamls and runs them.

hi all - thank for your help so far, if there a way to use s.think like regex to define a resource policy where derived role naming choices/convention can be leveraged - example in thread

have my basic set of policies - currently using the recommended docker-powered test approach to validate/test - ex:

docker run -i -t -v /path/to/policy/dir:/policies <http://ghcr.io/cerbos/cerbos:0.26.0|ghcr.io/cerbos/cerbos:0.26.0> compile /policies

however I notice that I have to place all of my resources in a single flat directory structure , so I get a role import error w/in my resourcePolicy doc when I try to keep thing tidy w/ /policies/derivedRoles and /policies/resources - whats the quick fix here? Thank you Cerbos - sorry for @ing ppl

Hi Cerbos - another question say I have a backend endpoint w/ some path /base_path/list_all_widgets Normally GETting on this would returns all widgets - some of those are type A, B, C.. etc now I have derivedRoles, say A-Read, B-Read, . .etc. given that most example I see have the cerbos.isAllowed(..) call take place before hitting the resource in question - how should I approach this case? • Is it even correct to think of /base_path/list_all_widgets as a single resource? ◦ should I create some new paths: /base_path/list_widgets/arg=widget_type and /base_path/list_allowed_widget_types? • Is there a good example of how to handle this kind of case? •

Hi Cerbos team, I have several questions Let's start with my requirement, i do want to make a file storage system that the user who upload files can expose file(read, write) public or private also share to specific organize, team, person so, I made a simple request and policy like this in reply (I think it's too long)

any chatter around github flakiness impacting git stored policies? now that i’m moving to a sidecar model we’re pulling down the policies on every deploy. seeing some flakiness spinning things up.

Is it possible to push the authorization check into the service mesh? For example, I can push authentication into the service mesh by configuring istio to not allow connections without a valid JWT, and redirect users to get a JWT if they don't have one, then validate the ones that do exist prior to sending connections to my service. Can I do the same thing at the service mesh level to either prevent network requests from even hitting my system if they aren't allowed by the rules, or block or filter responses if the resources returned also fail rules with the user principle from istio?

Hi, is it possible to set up cerbos with an github app installation token instead of a PAT?

Hello, We are studying Cerbos and I have a question - I'm exploring the multi-tenant SaaS demo and I'm probably missing something. We have a multi-tenant solution that manages companies in which a user can be a Project Manager in one company and a Company Administrator in another company. The companies, users and their role mappings are all managed in MySQL database (Python Django based application with DRF). I'm not clear what is the right approach to handle this scenario with Cerbos. AFAIU, the multi-tenant SaaS demo is built with a single role per user and users only exist in a single tenant. What happens if my role is context aware to the specific company I'm currently working in, but I can have multiple roles? can you direct me to the right place in docs or a sample? Thx

Hello guys! Is there some mechanism for role inheritance? For example, say I have 3 policies A, B, C and 3 roles. Role 1 can access policy A, role 2 can access policy B and role 3 can access policy C. What would be the best way of defining a role 4 such that it inherits all the policies of roles 1 and 2 (i.e. A and B, but not C) aside from creating the new role and manually changing my policies? Is this something that could be done with derived roles?

hey team... we're reviewing using Cerbos in a multitenant ROR app. it has system-defined roles (eg. users can do X, admins can do X+Y), but down the line we'll need to support admins creating other policies (eg. guests can do some of X and have read access to specific records). How can these dynamic policies be achieved with Cerbos without hardcoding them into a yml file? Thanks

Hello guys! I’m trying to adopt Cerbos to power our org needs and so far with static roles definitions it looks really good. However, I’m now coding a POC to allow users to configure roles for other users and I couldn’t find any querying mechanism to fetch policies say by

scope

or

resource kind

or both. The only way to do that is

.list()

method which seems to be highly inefficient with

1000s

of items in the DB. The why: tenants may override/create their own roles based on the list of available resources (fetched from authorization server policies) and their actions (extracted from policies). Is that even possible? Thank you 🙏

Hey guys! Question about performance. Let’s say at some point FGA will be needed, there will be Resource Policies per individual object (

kind: Parent.Entity.aFhAsd273hd2asda

). This might grow to 100k+ policies in DB. How does Cerbos behave at a scale?

Hi Guys, I am trying to get up and running with Cerbos for local development ideally using docker compose, are there any guides covering this? Keeping in mind that I'd interacting with Cerbos from a node.js application, Thanks 🙏

Is it possible to use environment variables in policies? Something like

expr: P.attr.foo = env["FOO"]

?

When using GIT repo as data source, sometimes the following error occurs:

{
  "log.level": "error",
  "@timestamp": "2023-06-02T11:50:25.391Z",
  "log.logger": "cerbos.git.store",
  "message": "Failed to check for updates",
  "dir": "/work",
  "error": "failed to pull from remote: worktree contains unstaged changes"
}

This is happening when I’m running tests in parallel: 1. constantly pushing random number of policies, both modified and new 2. constantly running process calling

isAllowed

method on SDK What could it be? I’m afraid that when a policy is being modified and authz request is being received at the same time, the check could fail. Also sometimes pod crashes and is being restarted with normal

Shutting down

message, althought k8s resources are not limited.

hey all - thank you for your help so far - I was able to follow the helm deployment instructions here - https://docs.cerbos.dev/cerbos/latest/installation/helm.html everything makes sense -2 followup question in the thread

Hello, Cerbos team. Is there a way to set up cerbos to pull policies from codecommit repository instead of github repository?

Looking at the delpoyment options, if you choose sidecar, are policy updates only changeable with a full application deployment?

Hi, after reading the docs, i have mixed feelings about the

derivedRoles

. In this case, it's about too much responsibilities in Cerbos. My expectation is, those

deriveRoles

is normal

role

, but it's determined via the

request

object instead. Could this simplify the system ? So i could send the

role

directly via

request

.

The "blocking point" here, is the inflexibility of the query language on condition.

Hi, I am getting this "failed to clone" error when trying to configure a git repo as storage, I know for a fact that the credentials are correct for a user with write access to the repo, I even tried hardcoding the password and making the repo public, all attempts returning the same error, any ideas of what I am doing wrong?

Hey guys it’s me again. Quick architecture question, currently we have an instance of cerbos running as a sidecar for our backend, it controls access to individual endpoints based on roles and attributes from the user session or the resources, but we don’t expose it to the internet. Now we want to do some access control in our clients so they’re conditionally shown certain parts of the UI. Our UI pages/fragments don’t match 1-to-1 with the permissions we use for the backend, so our first inclination was perhaps to have a second instance of cerbos, this one as a lambda function, that can be accessible by the clients that have different policies that map directly to UI components. Does this sound like a fair approach or is there a different pattern you can recommend?

Another, perhaps semi-related question. Is there any way to embed the cerbos PDP in the client for very simple is_allowed decisions?

Heads up, starting noticing some fetch failures in our pull request tests this morning. Specifically, calls to cerbos were failing. We pull the latest image in our tests, so pinning to 0.26.0 should hopefully fix.