I am very new to Cerbos, could you please suggest to me what i did wrong here?

---
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"

  # Importing `identity_roles` in so they can be used in the resource policy.
  importDerivedRoles:
    - identity_roles

  # This resource file is reviewed for when checking permissions when a resource
  # is of `kind` "user_request"
  resource: user_request
  rules:

    # If the `principal`s role is `admin` then all the actions are allowed.
    - actions: [ "*" ]
      roles:
        - root
      effect: EFFECT_ALLOW

    # A `admin_that_owns_the_tenant` can only access `user_request` that belong to resources in
    # their tenant,
    - actions: [ "*" ]
      roles:
        - admin
      effect: EFFECT_ALLOW
      condition:
        match:
          expr: request.resource.attr.tenant == request.principal.tenant

getting "error":"failed to get check for [user_requ est.default]: policy compilation error: 1 compilation errors\nresource user request.yaml Invalid expression in resource rule 'rule-002' (failed to compile

request.resource.attr.tenant == request.principal.tenant

[undefined field 'tenant'])"}

regardless i set tenant atribute in both resource and principal during request

Hey just a heads up that this week a lot of the Cerbos team is hitting the road - we will be at both Collision in Toronto and GopherCon Europe in Berlin and hopefully see a few of you there. Response here from us maybe a tad slower than usual, but we will answers anything that comes up when we can. Thanks!

What's the point of JSON resource schemas if, if the resource is shape is malformed, the request will be denied either way?

What's the best practice for ensuring that policies are actually questioned at all in application code?

👋 💎 Hey all, Cerbos didn't have an ORM adapter for Rails / activerecord, so we made a fork of

cerbos-query-plan-adapters

and added one. (Not yet in a gem or well-documented, but it passes all the ORM tests). Sharing it here! https://github.com/mark-piper/cerbos-query-plan-adapters/tree/mark-piper/activerecord

Hello, Cerbos community! We have an exciting announcement - Cerbos has surpassed the 1,500-star mark on GitHub! 🌟 Our journey began with a dream to provide developers with a reliable, efficient, and easy-to-use authorization solution, and each GitHub star we receive fortifies that we’re making a positive impact! To each and every one of you - THANK YOU! 🙌 Your faith in our project is a driving force behind our innovation and inspires us to push boundaries. Thank you once again for joining us on this journey and here’s to the next 1,500 stars! 🚀

Excited to see you guys at CIVO Navigate (List just got released of speakers)! 🎉

🐛 Looks like there's a bug in Cerbos where

request_id

is not logged. I've opened an issue https://github.com/cerbos/cerbos/issues/1690 and a PR to fix it: https://github.com/cerbos/cerbos/pull/1691

Hi guys is Cerbos also under CNCF incubation project ?

Can someone explain different about these different selections (cerbos core vs cerbos cloud) And in which situation we require to go with Cerbos Cloud ? we want to implement authZ for our enterprise customer. we have own development team.

Hello everyone, I have a use case where i have a microservice golang application deployed in kubernetes , For example MicroA have one endpoint get "/help" I want to expose the endpoint as kubernetes api resource so it can be selected from k8s RoleBinding and define a role with verbs for this enpoint , then import auth0 users and roles and assign to them Can Cerbos help me with this ? Thank you in advance

I am investigating solution that can do ABAC and also has some kind of time based throttling of access to permitted resources. eg. User:joe has access to resource:X1, X2, M1, M2. I want joe to read the X* resources max 20 times in a day, and write X* only 5 times, similarly for M* resource, want joe to read:50 times but write 10 times in a day. Can current Cerbos support this use case

Hello everyone 👋 I'm now evaluating Cerbos as a candidate for a POC. Can someone please explain to me, or point me to some article where I could find more information about how Cerbos manages multiple sidecar instances and data ownership/synchronization? I'd like to use dynamic storage to be able to CRUD my policies. Do I need to configure the same database instance from all Sidecar Cerbos Instances? What instance do I send my AdminAPI CRUD requests against? How does the synchronization of policies work? If it's a single database indeed, doesn't it become a potential bottleneck? I'm sorry if this was already discussed here. I couldn't find any mention of it - neither in Slack Channels nor in the docs 🙂

I have a small question about the docs in this link: https://docs.cerbos.dev/cerbos/latest/tutorial/03_calling-cerbos There is a section which claims to use this JSON as the payload for the

/api/check

endpoint:

{
  "principal": {
    "id": "user_1",     // the user ID
    "roles": ["user"],  // list of roles from user's profile
    "attr": {}          // a map of attributes about the user - not used yet
  },
  "resource": {
    "kind": "contact",  // the type of the resources
    "instances": {      // a map of the resource instance(s) being checked
        "contact_1": {  // key is the ID of the resource instance
            "attr": {}  // a map of attributes about the resource - not used yet
        }
    }
  },
  "actions": ["read"]   // the list of actions to be done on the resource
}

This is pointing users to the deprecated version of the endpoint and doesn't work with the new endpoint. An example of a valid payload would be something like this:

{
  "principal": {
    "id": "user_1",
    "roles": [
      "user"
    ],
    "attr": {}
  },
  "resources": [
    {
      "actions": [
        "read",
        "write"
      ],
      "resource": {
        "id": "XX125",
        "kind": "contact"
      }
    }
  ]
}

If my point is valid, I can open an issue and PR to fix this section.

has any one done any kind of integration between a crm system and cerbos policies? a business user modifies a customer's subscription in the crm system and the end result is cerbos policies get updated to reflect that.

quick question - with a principal policy, there's a value for

principalPolicy.principal

. how is this reference? is it in a derived role?

assuming i have this resource policy:

apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: default
  resource: invict_triage
  importDerivedRoles:
    - avengers_global_users
  rules:
    - actions:
        - subscribed
      effect: EFFECT_ALLOW
      derivedRoles:
        - avengers_invict_user
      condition:
        match:
          expr: request.resource.attr.data_org_id == "blablabla"

what's a clean way to add actions READ and actions WRITE permissions to the resource

invict_triage

for this specific derivedRole WITHOUT modifying the YAML above?

Hi, are there any examples of ABAC implementation using cerbos. Any example in git?

set the channel description: Archives can be found at https://community.cerbos.dev

Hi guys, for the

cors

block can we use

*

in it?

cors:
  allowedOrigins:
  - '*.<http://domain.com|domain.com>'

and if so, would the

<http://my.sub.domain.com|my.sub.domain.com>

be allowed?

Hi guys, I know that in principal policies the

principal

refers to the

id

of the user, is there a way to make a general principal policy for a specific role? my use case is I have an

admin

role that has all permissions and I don't want to repeat for example

- actions: ["*"]
      effect: EFFECT_ALLOW
      roles:
        - admin

for each policy that I have

Can we setup cerbos playground on k8s? If yes, please let me know steps and settings requires to change in helm chart values.yaml

Welcome!

kam

joined #community.

Hi all would you be able to point me to a cerbos demo?

Hey, community! We have a spare ticket for an upcoming conference in London. Sept 7-8 https://london-2023.devrelcon.dev/ We’d like to give the ticket away to one of you, or your devrel team member 😊 Please let us know whether you’d be interested in the ticket, in this thread. The first person who responds will get the ticket. P.S. once we confirm the person who will be receiving the ticket, we will send you a private message asking for some additional information required for us to assign the ticket to this individual ⭐

Hey all, I'm a Community Engineer at BoxyHQ and I'm a big fan of Cerbos. I published an article today related to open-source which is a topic we all love ❤️ - Specifically centered around "how to get started contributing to open-source", because we all have to start somewhere 🙂. I would love feedback. https://dev.to/nathan_tarbert/navigating-the-open-source-landscape-finding-your-first-contribution-3fap

how can i get only indore employee data using cerbos "employee": [ { "id": "1", "firstName": "Tom", "lastName": "Cruise", "city": "indore" }, { "id": "2", "firstName": "Maria", "lastName": "Sharapova", "city":"indore" }, { "id": "3", "firstName": "James", "lastName": "Bond", "city":"ujjain" } ]

I have a policy for users. I want only admins to be able to update user roles. Can someone point me in the right direction? This is my example yaml:

---
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: default
  resource: user
  rules:
  - actions:
    - create
    roles:
    - admin
    - user
    effect: EFFECT_ALLOW
  - actions:
    - update
    - read
    roles:
    - user
    effect: EFFECT_ALLOW
    condition:
      match:
        expr: request.resource.id == request.principal.id
  - actions:
    - create
    - update
    - list
    - read
    roles:
    - admin
    effect: EFFECT_ALLOW