- a
Alberto Cunha
1 week ago{"log.level":"info","@timestamp":"2022-09-14T20:38:00.511Z","log.logger":"cerbos.grpc","message":"Handled request","grpc.start_time":"2022-09-14T20:38:00Z","system":"grpc","span.kind":"server","grpc.service":"cerbos.svc.v1.CerbosService","grpc.method":"CheckResources","peer.address":"127.0.0.1:54936","http":{"x_forwarded_for":["172.17.0.1"],"x_forwarded_host":["localhost:3592"]},"cerbos":{"call_id":"01GCYVJ2HZP8F3ENP5MB8E9HJQ"},"error":"rpc error: code = InvalidArgument desc = failed to extract auxData","grpc.code":"InvalidArgument","grpc.time_ms":0.223} - h
Hazel Boyle
1 week agohi, i'm trying out cerbos right now - does the actual check api cache its policies while the admin api doesn't? i've got
turned on with the disk storage, and when i update my policy i can see the changes immediately reflected inwatchForChanges
, but/admin/policy
is still making outdated decisions based on the old policy. if this is the case, how can i change this behaviour?/api/check
didn't work, and even if it did i wouldn't want to be regularly needing to call that, obviously/admin/store/reloadh
+127 replies - a
Alberto Cunha
1 week agoDoes anyone can give me some help?a1 replies - m
Maggie Walker
1 week agoIs it possible to do wildcard matching in CEL? e.g:
assuming there were two objects with:R.attr.account_id in P.attr.tenants.*.subaccount_idsP.attr.tenants.3.subaccount_ids P.attr.tenants.5.subaccount_idsm
+115 replies - a
Alberto Cunha
1 week agoHello! I´m trying to JWT token on cerbos with auxData. I´m using Strapi as backend and I´m actually thinking if this is really necessary, as the true access control will happen on backend. The front end will only block rendering of some components.a
+19 replies - p
Petra Barus
2 weeks agoHey team, I am evaluating Cerbos. For production environment, do you recommend using S3 or RDS Postgres?p
+16 replies - p
Petra Barus
1 week agoHi all, need help on content-digital commerce use case. So in this case a User can only view video after she purchased it. Let’s say there is a user
that purchased orderuser-1
that contains 2 videosorder-1
andvideo-1
. whenvideo-2
want touser-1
a videoview
, the system will do check. How to best achieve this? Should the system created a new principal policy on every successful purchase?video-1p9 replies 
Charith (Cerbos)
6 days agoIt should be under the policies directory1 replies- d
david
5 days agoHello everyone 👋 . Is it reasonable to use resource scopes as DDD-like “bounded contexts”? i.e. each microservice has its own scope so that resources with the same name (but different meaning) can exist within each?d6 replies - n
Nabil
2 weeks agoHello all! I am trying to wrap my head around a scenario with cerbos and would love some help! Everything I've seen with the docs and the API of cerbos treats authorization requests as a principal trying to act on specific/known resource(s) (the resource IDs must be known and sent to cerbos when checking). My application has scenarios that don't nicely fit with that and I am wondering what I am missing. For example: • There is a page in the app that displays all resource_x's for a user to browse and manage. Only a principal with the role_x may view it. How might I write a cerbos policy that implements this authz check? Am I required to fetch a list of all resource_x IDs to send along to cerbos? What if there are thousands of the resource? That seems like unnecessary overhead. • I am finding the majority of the authorization checks our app is needing to make are not for a principal accessing a specific resource (by its ID), but for a principal looking to access some collection of a resource (some hundreds or thousands of some resource type) Any help or ideas would be greatly appreciated! Thank you 🙂n18 replies