    Jesum Yip

    02/15/2023, 3:15 PM
    Based on https://github.com/cerbos/cerbos/pull/1439, may I know where I can find documentation on the configuration field to set policy expiration? And what happens when it expires? Will Cerbos evict the entry from the cache and, at the next cycle, sync from the policy repo again?
    Sunil

    02/16/2023, 2:32 PM
    Hello everyone, glad to be here. For the people who have been using Cerbos in their applications: we know Cerbos requires a principal, action and resource to evaluate the policy. How are you fetching resource info to pass on to Cerbos? Is each of your services making a call to an external system to fetch the resource, or are you making it part of the token? In the case of the token, when a user request passes through many services (in a microservices world), it will try to access various resources, e.g. a BFF API POST action to a Domain API POST, which will be a completely different service. In such cases, if an element of the BFF is considered a resource and an element of the Domain API is considered another resource, then there are multiple resources that need to stay in the token and it may cause token bloat. I was wondering what you are using to handle end-to-end authorization for a user request without token bloat and the additional performance overhead of fetching the resource info from external systems, thus slowing the authorization process down?
    Steve High (NTWRK)

    02/16/2023, 5:52 PM
    I'm having issues with the cerbos-setup GitHub action. I am defining my step as:
    - name: Get Cerbos CLI
      uses: cerbos/cerbos-setup-action@v1
      with:
        version: latest
        github_token: ${{secrets.INTERNAL_TOKEN}}
    where ${{secrets.INTERNAL_TOKEN}} is a valid GitHub API token (used in other steps without issue). Occasionally with this action, I get the following error:
    HttpError: API rate limit exceeded for 52.190.17.193. (But here's the good news: Authenticated requests get a higher rate limit. Check out the documentation for more details.)
        at /home/runner/work/_actions/cerbos/cerbos-setup-action/v1/webpack:/cerbos-setup-action/node_modules/@octokit/request/dist-node/index.js:86:1
        at processTicksAndRejections (node:internal/process/task_queues:96:5)
    I went so far as recreating a new token and storing it in GitHub secrets... the issue still happens a few times a day. Is the action using the provided GitHub token?
    Jesum Yip

    02/17/2023, 2:11 AM
    By the way, is there a URL endpoint I can call in Cerbos to see the currently running version?
    Carl Bäckström

    02/21/2023, 3:43 PM
    Hello! We have just started looking into Cerbos for our authorization needs. I had one initial question: how would you enforce Cerbos policies in the FE? Let's say that you want to hide a certain feature in the FE based on a policy?
    Matthew Ebeweber

    02/21/2023, 5:49 PM
    Heads up, we were seeing a memory leak issue on v0.20. We've upgraded to v0.25, so hoping something in there might solve the problem. It's pretty minimal, so we figure kicking the box every ~2 weeks is a good solution for now.
    Omar Din

    02/25/2023, 12:16 PM
    Hello all! I am having trouble with audit logs and would appreciate some support 🙂. I am building and pushing the following Cerbos Docker image into ECR:
    FROM ghcr.io/cerbos/cerbos:0.24.0
    # To access the kernel inside the container
    COPY --from=public.ecr.aws/docker/library/busybox:uclibc /bin /bin
    COPY policies /policies
    ENV CERBOS_CONFIG="/config/config.yaml"
    EXPOSE 3593 3592
    The policies directory is in the same directory as the Dockerfile and is mounted onto the container. I then deploy the following Kubernetes manifest (Deployment.yaml) in my AWS EKS cluster on a Fargate node, mounting /config/config.yaml and the audit-logs directory onto the container. Audit logs are enabled, with a path specified for the file inside the audit-logs directory:
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: cerbos-config
    data:
      config.yaml: |
        server:
          httpListenAddr: ":3592"
          grpcListenAddr: ":3593"
        storage:
          driver: "disk"
          disk:
            directory: /policies
        schema:
          enforcement: reject
        audit:
          enabled: true
          accessLogsEnabled: true
          decisionLogsEnabled: true
          backend: file
          file:
            path: /audit-logs/cerbos.log
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      annotations:
        prometheus.io/path: /metrics
        prometheus.io/port: "3000"
        prometheus.io/scrape: "true"
      labels:
        app: yl-api-cerbos
        namespace: "{{ .Values.ENVIRONMENT }}"
      name: yl-api-cerbos-deployment
      namespace: "{{ .Values.ENVIRONMENT }}"
    spec:
      minReadySeconds: 0
      progressDeadlineSeconds: 600
      replicas: 3
      selector:
        matchExpressions: []
        matchLabels:
          cdk8s.deployment: AppChart-yl-api-cerbos-deployment-c8445de9
      strategy:
        rollingUpdate:
          maxSurge: 25%
          maxUnavailable: 25%
        type: RollingUpdate
      template:
        metadata:
          labels:
            app: yl-api-cerbos
            cdk8s.deployment: AppChart-yl-api-cerbos-deployment-c8445de9
            namespace: "{{ .Values.ENVIRONMENT }}"
        spec:
          automountServiceAccountToken: true
          containers:
            - image: "{{ .Values.AWS_ACCOUNT }}.dkr.ecr.{{ .Values.AWS_REGION }}.amazonaws.com/{{ .Values.SERVICE_NAME }}:{{ .Values.APP_VERSION }}"
              imagePullPolicy: Always
              livenessProbe:
                failureThreshold: 3
                httpGet:
                  path: /
                  port: 3592
                initialDelaySeconds: 30
                timeoutSeconds: 10
              name: yl-api-cerbos
              ports:
                - containerPort: 3593
              readinessProbe:
                failureThreshold: 3
                httpGet:
                  path: /
                  port: 3592
                initialDelaySeconds: 30
                timeoutSeconds: 10
              resources:
                limits:
                  cpu: 500m
                  memory: 256Mi
                requests:
                  cpu: 250m
                  memory: 128Mi
              securityContext:
                privileged: false
                readOnlyRootFilesystem: false
                runAsNonRoot: false
              volumeMounts:
                - name: cerbos-logs
                  mountPath: /audit-logs/
                - name: cerbos-config
                  mountPath: /config/
          volumes:
            - name: cerbos-config
              configMap:
                name: cerbos-config
            - name: cerbos-logs
              emptyDir: {}
    I deploy the Deployment and the yl-api-cerbos container is running as expected. However, when I exec inside the container and check the cerbos.log file, I see that the file is empty. When I run the command kubectl logs <POD_NAME> -c <CONTAINER_NAME>, I see the following logs:
    {"log.level":"info","@timestamp":"2023-02-24T20:27:20.166Z","log.logger":"cerbos.server","message":"maxprocs: Updating GOMAXPROCS=1: using minimum allowed GOMAXPROCS"}
    {"log.level":"info","@timestamp":"2023-02-24T20:27:20.166Z","log.logger":"cerbos.server","message":"Loading configuration from /config/config.yaml"}
    {"log.level":"info","@timestamp":"2023-02-24T20:27:20.235Z","log.logger":"cerbos.index","message":"Found 2 executable policies"}
    {"log.level":"info","@timestamp":"2023-02-24T20:27:20.236Z","log.logger":"cerbos.telemetry","message":"Anonymous telemetry enabled. Disable via the config file or by setting the CERBOS_NO_TELEMETRY=1 environment variable"}
    {"log.level":"info","@timestamp":"2023-02-24T20:27:20.240Z","log.logger":"cerbos.grpc","message":"Starting gRPC server at :3593"}
    {"log.level":"info","@timestamp":"2023-02-24T20:27:20.240Z","log.logger":"cerbos.http","message":"Starting HTTP server at :3592"}
    Why aren't these logs captured in the cerbos.log file, and how can I log them inside the file? Please advise if there is anything wrong with my configuration. 😊 Many thanks
    Dipesh Bajgain

    03/01/2023, 12:24 PM
    Hello everyone, I am using Cerbos in my project and have created policies based on my needs. But now I want to enforce a policy for all resources based on my principal attributes. How can I achieve that? For example, my principal is:
    principal: {
      id: "123",
      roles: ["Editor"],
      policyVersion: "default",
      attributes: {
        is_verified: user.is_verified,
      },
    },
    Here in my attributes I have an is_verified flag, so I want to check if the user is verified and only then check any other policy for the user, because if my user is not verified I want to block all his access. It would be really helpful if anyone could provide me with a solution.
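One way to do what the post above asks, as an added example that is not from the thread: a derived role that only principals holding the Editor role with is_verified set to true can acquire, and a resource policy that grants exclusively to that derived role. An unverified Editor then matches no allow rule in any resource policy written this way and receives Cerbos's default EFFECT_DENY. The resource kind `article`, the file names and the derived role name `verified_editor` are assumptions.

```yaml
# derived_roles/verified_roles.yaml  (constructed example; file name assumed)
apiVersion: api.cerbos.dev/v1
derivedRoles:
  name: verified_roles
  definitions:
    # Granted only to principals that hold the Editor role AND carry
    # is_verified == true. A missing or false attribute does not match.
    - name: verified_editor
      parentRoles: ["Editor"]
      condition:
        match:
          expr: request.principal.attr.is_verified == true
---
# resource_policies/article.yaml  (constructed example; one policy per file)
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  resource: "article"
  importDerivedRoles:
    - verified_roles
  rules:
    # Grant to the derived role, never to the raw Editor role, so the
    # is_verified gate is enforced before any resource-specific logic.
    - actions: ["view", "edit"]
      effect: EFFECT_ALLOW
      derivedRoles: ["verified_editor"]
```

Every resource policy that should be gated imports verified_roles and grants to verified_editor (or to sibling derived roles built the same way) rather than to the raw Editor role; the gate then fails closed for any principal whose is_verified attribute is absent or false, without a per-resource deny rule.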
    Ryan Killeen

    03/01/2023, 10:30 PM
    Looking for some guidance around modeling policies for nested resources! There was an excellent answer here some time ago, but it looks like it was swallowed by Slack history. Imagine a resource named config. Config is made up of several different properties, with granular permissions. Imagine someone might have permission to view or edit all of the config, or may only have the ability to view or edit config.branding, or config.someOtherResource. Currently our principal permissions are attribute-based, e.g. ["config:branding:*", "config:view"]. What would be an ideal way to author resource policies without a ton of repetition? Many actions on a single resource config? Separate resource policies for nested parts? Using scopes? Any guidance is appreciated; happy to provide more context and examples.
    Peter Franzen

    03/01/2023, 10:53 PM
    Has anyone been able to get tests integrated with AWS CodeBuild? CodeBuild requires that the output format be Cucumber JSON or one of a few different XML formats. Is this possible to do? To be clear, I can run the tests just fine; it's just that the JSON output isn't usable by CodeBuild Reports.
    Yousef Sultan

    03/02/2023, 7:23 AM
    So I've used CASL.js before and they have this thing where you can query if X can do Y to any Z. Does Cerbos have such a thing?
    Horia Constantin

    03/07/2023, 1:22 PM
    Is it possible to compose policies in the same way that I'd be able to compose AWS IAM policies? Let's say that I've got a policy that allows creating invoices and a policy that allows sending a payment request, and I want to create a policy for the financial admin that simply refers to these 2 policies?
    Guillaume Picard

    03/08/2023, 2:31 AM
    G'day Cerbos team! I have one simple question. We are evaluating using Cerbos for a multi-tenant use case where eventually we would allow each tenant to have its own set of policies that build upon our default base policies; this could be upwards of 1000+ tenants at this point in time, and grow from there. My question being: has Cerbos been load tested with a great number of scoped policies, but only say two levels deep, say organization.member? If not, we'll try to run load testing, but it would also be good to have your opinion on managing performance: is it running more pods in K8s, adding more shared memory, etc.? Thank you
    Carl Bäckström

    03/08/2023, 2:12 PM
    Hello! We are experimenting with Cerbos and wondering how one would go about enforcing specific permissions for an instance of a record rather than at the resource level, i.e. User1 has access to Document1 but not Document2.
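An added example, not from the thread, of instance-level authorization in a resource policy: the caller passes each document's id and attributes in the check request, and the rule conditions compare those against the principal, so one policy yields different answers for Document1 and Document2. The resource kind `document`, the attribute names `owner` and `shared_document_ids`, and the role `user` are assumptions.

```yaml
# resource_policies/document.yaml  (constructed example)
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  resource: "document"
  rules:
    # The owner of this particular document instance gets full access.
    # request.resource.attr.owner is supplied per resource in the check call.
    - actions: ["view", "edit", "delete"]
      effect: EFFECT_ALLOW
      roles: ["user"]
      condition:
        match:
          expr: request.resource.attr.owner == request.principal.id
    # Explicit per-instance shares carried on the principal: the resource id
    # from the request must appear in the principal's shared_document_ids list.
    - actions: ["view"]
      effect: EFFECT_ALLOW
      roles: ["user"]
      condition:
        match:
          expr: request.resource.id in request.principal.attr.shared_document_ids
```

With User1's principal carrying shared_document_ids: ["document1"] and a single CheckResources call listing document1 and document2, the first resource returns EFFECT_ALLOW for view and the second EFFECT_DENY unless User1 is its owner. When the document store is the source of truth, the share list can live on the resource instead (for example a shared_with attribute compared with request.principal.id); either way the decision is made per instance from data the caller supplies, not from the resource kind alone.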
    Carl Bäckström

    03/08/2023, 4:55 PM
    We are struggling a little bit with understanding how roles and permissions work in Cerbos. I come from an Auth0 world where you basically define a set of permissions (usually looking something like document:read) and then bundle these up into dynamic roles. You would then be able to validate the permissions rather than the actual role of a user, allowing new roles to be added more easily. Is this something that could be accomplished with Cerbos, or is this even something we would want to do with Cerbos?
    Peter Franzen

    03/08/2023, 11:57 PM
    Probably a simple question, but: Is there any way to use wildcards in a resource policy when specifying the resource? Or does that additional data need to come in as an attribute?
    sdktr

    03/09/2023, 3:02 PM
    Is there a way for SDK clients to specify which (git)branch of the cerbos policies we want to evaluate? #cicd #dev
    Peter Franzen

    03/09/2023, 6:38 PM
    Is there a recommended Resource policy condition for determining that a valid JWT was provided? I need to make a policy that doesn't have any Role conditions and only looks at the JWT since the Principals won't have any Roles defined
    Kiran V

    03/09/2023, 11:51 PM
    Hi, I'm trying to use the in clause in a condition, as shown below:
    resource: products
      rules:
      - actions: ["customExperiences"]
        roles:
          -  USER
        condition:
          match:
            all:
              of:
                - expr: "2021_START" in request.principal.attr.package
    I'm getting an error saying "Failed to read: failed to convert YAML to JSON: yaml: line 17: did not find expected key". Can you help me with this?
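The parse error in the post above comes from YAML rather than from Cerbos: a value that begins with a double-quoted scalar and then continues with more text ("2021_START" in ...) is not valid YAML, which is what "did not find expected key" reports. The fix is to quote the whole CEL expression so that the inner double quotes reach Cerbos intact. An added, corrected version of the fragment written as a complete resource policy; the effect, the apiVersion and version keys are assumptions, and the expression assumes `package` is a list attribute on the principal.

```yaml
# resource_policies/products.yaml  (constructed example; surrounding keys assumed)
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  resource: "products"
  rules:
    - actions: ["customExperiences"]
      effect: EFFECT_ALLOW
      roles: ["USER"]
      condition:
        match:
          all:
            of:
              # The entire CEL expression is one single-quoted YAML string, so the
              # inner "2021_START" is passed through unchanged. The unquoted form
              # '"2021_START" in ...' is rejected by the YAML parser before Cerbos
              # ever sees the condition.
              - expr: '"2021_START" in request.principal.attr.package'
```

The same rule applies to any condition that starts with a string literal: quote the whole expression (single quotes outside, double quotes inside, or a YAML block scalar for longer expressions). If `package` is a single string rather than a list, `in` will not match and a string comparison or `contains` is the right operator instead.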
    Guillaume Picard

    03/10/2023, 11:55 AM
    Hey, is it possible (or idiomatic) to define what a role has access to using principal policies, as opposed to specifying this for each resource? E.g. instead of creating pots.yml, pans.yml and knives.yml and then defining what the roles can do in each of the resource policies, you would create cook.yml and define what the role cook can do inside that single file for all resources (pots, pans, knives)? I guess you could have resource policies named cook_pans.yml, cook_knives.yml, but I just want to ask if there's a good pattern. Thanks
    Jay StGelais

    03/10/2023, 6:51 PM
    I'm having some issues with the Java client. We have followed the deployment setup outlined here to deploy Cerbos as a k8s sidecar. Instead of the ghostunnel application we have a Spring Boot API that is using the Java client. We use the following code to initialize the client:
    final CerbosBlockingClient cerbosClient = new CerbosClientBuilder("unix:/sock/cerbos.sock").withPlaintext().buildBlockingClient();
    The client is created without error, but once we try to issue an API call, we get the following error in our logs:
    nested exception is dev.cerbos.sdk.CerbosException: RPC exception [Status{code=UNAVAILABLE, description=io exception, cause=io.grpc.netty.shaded.io.netty.channel.AbstractChannel$AnnotatedConnectException: connect(..) failed: Address family not supported by protocol: /sock/cerbos.soc
    Not sure if we are specifying the unix socket correctly in this example and struggling to find examples online that do this.
    Mike Miller

    03/11/2023, 1:44 PM
    Is there a way to pass in a resource, action and effect and determine all of the principals or roles that would match?
    Owen Cummings

    03/14/2023, 3:50 PM
    Is there any documentation describing exactly what JWT verification Cerbos is capable of? Just signature verification? Which algorithms? Or does it do other claim verification like iat and exp timestamp-based checks?
    Saul Martin

    03/15/2023, 11:18 AM
    Hey hey, is there any documentation describing how to add policies to a database using an ORM instead of yml files?
    Saul Martin

    03/20/2023, 4:59 PM
    Does anyone know best practices to add Cerbos to a docker-compose file? I'm having issues getting the config.yml file added in 🙂
    services:
      cerbos:
        image: ghcr.io/cerbos/cerbos:0.25.0
        container_name: cerbos
        volumes:
          - ./illiquid_assets_api/api/cerbos/policies:/policies
        ports:
          - "3592:3592"
          - "3593:3593"
        command: server --config=/
        restart: unless-stopped
    • illiquid_assets_api/api/cerbos/config.yml
    • illiquid_assets_api/api/cerbos/policies/policy.yml
    Jesum Yip

    03/23/2023, 6:13 AM
    Consider the following: if I have a user with these attributes:
    1. Name = John
    2. Age = 35
    3. Location = Moon
    I then model these derived roles:
    1. Derived Role = "middle-class-user" if Age = 35
    2. Derived Role = "super-user" if Name = John AND Age > 30
    In this case, when Cerbos evaluates a derived role, it will arbitrarily decide whether the user is "middle-class-user" or "super-user", correct? This is due to the ambiguity of the derived role policy?
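Cerbos evaluates each derived role definition independently and adds every role whose condition is satisfied, so a principal can hold several derived roles at once: a John aged 35 ends up with both middle-class-user and super-user, and rules that target either of them will match. An added example, not from the thread, of the two definitions from the post written as a derived roles policy; the attribute names, the parent role `user` and the policy name are assumptions.

```yaml
# derived_roles/user_tiers.yaml  (constructed example)
apiVersion: api.cerbos.dev/v1
derivedRoles:
  name: user_tiers
  definitions:
    # Definition 1: age exactly 35. Evaluated on its own.
    - name: middle-class-user
      parentRoles: ["user"]
      condition:
        match:
          expr: request.principal.attr.age == 35
    # Definition 2: name John AND age over 30. Also evaluated on its own;
    # satisfying it does not remove the role above.
    - name: super-user
      parentRoles: ["user"]
      condition:
        match:
          all:
            of:
              - expr: request.principal.attr.name == "John"
              - expr: request.principal.attr.age > 30
```

The principal must carry at least one of the parentRoles (here `user`) in the check request for either definition to be considered. If the two tiers are meant to be mutually exclusive, that has to be expressed in the conditions themselves (for example by excluding name == "John" from middle-class-user); nothing in the engine picks one over the other.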
    Dipesh Bajgain

    03/23/2023, 7:54 AM
    Hello everyone, I am trying to create a Cerbos Docker image and I get the following error:
    {"log.level":"error","@timestamp":"2023-03-23T07:50:37.865Z","log.logger":"cerbos.index","message":"Index build failed","load_failures":[{"file":"config.yaml","error":"failed to unmarshal JSON: proto: (line 1:2): unknown field \"server\""}]}
    cerbos: error: failed to create store: failed to build index: missing imports=0, missing scopes=0, duplicate definitions=0, load failures=1
    My docker-compose config is as below:
    version: "3.8"
    
    services:
      app:
        restart: always
        container_name: dashboard
        image: dashboard
        build:
          context: .
          target: development
        volumes:
          - ./src:/app/src
        ports:
          - 3000:3000
        command: npm run dev
    
      cerbos:
        image: ghcr.io/cerbos/cerbos:0.25.0
        container_name: cerbos
        volumes:
          - ./cerbos:/config
          - ./cerbos:/policies
        ports:
          - "3592:3592"
          - "3593:3593"
        restart: unless-stopped
        command: server --config /config/config.yaml
    And my cerbos config file is as below:
    server:
      playgroundEnabled: true
      httpListenAddr: ":3592"
      grpcListenAddr: ":3593"
    
    storage:
      driver: "disk"
      disk:
        directory: /policies
        watchForChanges: true
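In the post above, the index error names config.yaml as a failed policy load: the same host directory ./cerbos is mounted at both /config and /policies, so the policy index tries to parse the server configuration as a policy and rejects its top-level "server" field. The earlier docker-compose question from Saul Martin (a config.yml that is never picked up, with --config pointing at /) has the same shape. An added compose fragment, not from either post, that keeps the two directories separate and passes the config path explicitly; the host paths are assumptions.

```yaml
# docker-compose.yaml  (constructed example; host paths assumed)
services:
  cerbos:
    image: ghcr.io/cerbos/cerbos:0.25.0
    container_name: cerbos
    volumes:
      # Server configuration only (./cerbos/config/config.yaml on the host),
      # mounted read-only so the server cannot rewrite its own config.
      - ./cerbos/config:/config:ro
      # Policies only. A separate directory means the policy index never
      # sees config.yaml and never reports it as a load failure.
      - ./cerbos/policies:/policies
    ports:
      - "3592:3592"
      - "3593:3593"
    restart: unless-stopped
    # Explicit path to the configuration file inside the container.
    command: server --config=/config/config.yaml
```

The config.yaml itself stays as in the post (storage.disk.directory: /policies); only where the two host directories land changes. For the earlier question the same layout applies: mount the directory holding illiquid_assets_api/api/cerbos/config.yml under /config and point --config at that file, keeping the policies directory separate.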
    Dipesh Bajgain

    03/24/2023, 5:42 AM
    Hey everyone, I have set up Cerbos on my local machine using docker-compose as mentioned in the message above, and while trying to connect to Cerbos using the JS SDK I am getting a CORS error:
    Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:3592/api/check/resources. (Reason: CORS request did not succeed). Status code: (null).
    And my updated config file is as below:
    ---
    storage:
      driver: "disk"
      disk:
        directory: /policies
        watchForChanges: true
    
    server:
      playgroundEnabled: true
      httpListenAddr: ":3592"
      grpcListenAddr: ":3593"
      cors:
        allowedHeaders: ['content-type'] 
        allowedOrigins: ['*']
        disabled: false
        maxAge: 10s
    Aldin Kiselica

    03/24/2023, 8:55 AM
    set the channel topic: Browse through the whole history of previously asked questions @ https://community.cerbos.dev
    sdktr

    03/24/2023, 9:00 PM
    How can Cerbos be made aware that it is running behind a frontend proxy doing TLS/HTTPS offload? So Cerbos is running on HTTP, but the clients use the https scheme to access the API.
Charith (Cerbos)

03/25/2023, 8:30 AM
Why do you need to make Cerbos aware that it's running behind a proxy? If you're thinking of audit logs, they record the x-forwarded-for header and you can configure Cerbos to record any other custom headers that identify the client as well. https://docs.cerbos.dev/cerbos/latest/configuration/audit.html