Based on https://github.com/cerbos/cerbos/pull/1439, may I know where I can find documentation on the configuration field to set policy expiration? And what happens when it expires? Will cerbos evict the entry from cache and at the next cycle, sync from the policy repo again?

Hello everyone, Glad to be here. For the people who have been using cerbos in their applications - We know Cerbos requires Principal, Action and Resource to evaluate the policy. How are you fetching Resource info to pass on to Cerbos? Is each of your service making a call to external system to fetch the resource or are you making it as part of the token? In case of token when a user request passes through many services (in microservices world), it will try to access various resources e.g. BFF API POST action to Domain API POST which will be completely different service. In such cases if element of BFF is considered a resource and element of Domain API is considered another resource then there are multiple resources that need to stay in the token and it may cause the token bloat. I was wondering what are you using to handle end to end authorization for a user request without token bloat and additional performance overhead of fetching the resource info from external systems thus slowing the authorization process down?

I'm having issues with the

cerbos-setup

github action. I am defining my step as:

- name: Get Cerbos CLI
        uses: cerbos/cerbos-setup-action@v1
        with:
          version: latest
          github_token: ${{secrets.INTERNAL_TOKEN}}

Where

${{secrets.INTERNAL_TOKEN}}

is a valid github api token (used in other steps without issue). Occasionally with this action, I get the following error:

HttpError: API rate limit exceeded for 52.190.17.193. (But here's the good news: Authenticated requests get a higher rate limit. Check out the documentation for more details.)
    at /home/runner/work/_actions/cerbos/cerbos-setup-action/v1/webpack:/cerbos-setup-action/node_modules/@octokit/request/dist-node/index.js:86:1
    at processTicksAndRejections (node:internal/process/task_queues:96:5)

I went so far as recreated a new token and storing it in github secrets..the issue still happens a few times a day. Is the action using the provided github token?

by the way, is there a URL endpoint I can call in cerbos to see the currently running version?

Hello! We have just started looking into Cerbos for our Authorization needs. I had one initial question how would you enforce Cerbos policies in the FE. Let’s say that you want to hide a certain feature in the FE based on a policy?

Heads up, we were seeing a memory leak issue on v0.20. We’ve upgrade to v.0.25, so hoping something in there might solve the problem. It’s pretty minimal so we figure kicking the box every ~2 weeks is a good solution for now.

Hello All! I am having trouble with Audit logs and would appreciate the support 🙂 : I am Building and Pushing the following Cerbos Docker Image into ECR:

FROM <http://ghcr.io/cerbos/cerbos:0.24.0|ghcr.io/cerbos/cerbos:0.24.0>

#To access the kernel inside the container

COPY --from=public.ecr.aws/docker/library/busybox:uclibc /bin /bin

COPY policies /policies

ENV CERBOS_CONFIG="/config/config.yaml"

EXPOSE 3593 3592

The policies directory is in the same directory as the DockerFile and is mounted onto the container. Then deploying the following Kubernetes manifest Deployment.yaml in my AWS EKS Cluster, Fargate Node: Mounting the /config/config.yaml and audit-logs directory onto the container. And audit logs are enabled and specified a path for the file inside the audit-logs directory

apiVersion: v1

kind: ConfigMap

metadata:

name: cerbos-config

data:

config.yaml: |

server:

httpListenAddr: ":3592"

grpcListenAddr: ":3593"

storage:

driver: "disk"

disk:

directory: /policies

schema:

enforcement: reject

audit:

enabled: true

accessLogsEnabled: true

decisionLogsEnabled: true

backend: file

file:

path: /audit-logs/cerbos.log

---

apiVersion: apps/v1

kind: Deployment

metadata:

annotations:

<http://prometheus.io/path|prometheus.io/path>: /metrics

<http://prometheus.io/port|prometheus.io/port>: "3000"

<http://prometheus.io/scrape|prometheus.io/scrape>: "true"

labels:

app: yl-api-cerbos

namespace: "{{ .Values.ENVIRONMENT }}"

name: yl-api-cerbos-deployment

namespace: "{{ .Values.ENVIRONMENT }}"

spec:

minReadySeconds: 0

progressDeadlineSeconds: 600

replicas: 3

selector:

matchExpressions: []

matchLabels:

cdk8s.deployment: AppChart-yl-api-cerbos-deployment-c8445de9

strategy:

rollingUpdate:

maxSurge: 25%

maxUnavailable: 25%

type: RollingUpdate

template:

metadata:

labels:

app: yl-api-cerbos

cdk8s.deployment: AppChart-yl-api-cerbos-deployment-c8445de9

namespace: "{{ .Values.ENVIRONMENT }}"

spec:

automountServiceAccountToken: true

containers:

image: "{{ .Values.AWS_ACCOUNT }}.dkr.ecr.{{ .Values.AWS_REGION }}.<http://amazonaws.com/{{|amazonaws.com/{{> .Values.SERVICE_NAME }}:{{ .Values.APP_VERSION }}"

imagePullPolicy: Always

livenessProbe:

failureThreshold: 3

httpGet:

path: /

port: 3592

initialDelaySeconds: 30

timeoutSeconds: 10

name: yl-api-cerbos

ports:

- containerPort: 3593

readinessProbe:

failureThreshold: 3

httpGet:

path: /

port: 3592

initialDelaySeconds: 30

timeoutSeconds: 10

resources:

limits:

cpu: 500m

memory: 256Mi

requests:

cpu: 250m

memory: 128Mi

securityContext:

privileged: false

readOnlyRootFilesystem: false

runAsNonRoot: false

volumeMounts:

- name: cerbos-logs

mountPath: /audit-logs/

- name: cerbos-config

mountPath: /config/

volumes:

- name: cerbos-config

configMap:

name: cerbos-config

- name: cerbos-logs

emptyDir: {}

I deploy the deployment and the yl-api-cerbos container is running as expected. However when I exec inside the container and check the cerbos.log file. I see that the file is empty. When I run the command kubectl logs <POD_NAME> -c <CONTAINER_NAME> . i See the following logs:

{"log.level":"info","@timestamp":"2023-02-24T20:27:20.166Z","log.logger":"cerbos.server","message":"maxprocs: Updating GOMAXPROCS=1: using minimum allowed GOMAXPROCS"} {"log.level":"info","@timestamp":"2023-02-24T20:27:20.166Z","log.logger":"cerbos.server","message":"Loading configuration from /config/config.yaml"} {"log.level":"info","@timestamp":"2023-02-24T20:27:20.235Z","log.logger":"cerbos.index","message":"Found 2 executable policies"} {"log.level":"info","@timestamp":"2023-02-24T20:27:20.236Z","log.logger":"cerbos.telemetry","message":"Anonymous telemetry enabled. Disable via the config file or by setting the CERBOS_NO_TELEMETRY=1 environment variable"} {"log.level":"info","@timestamp":"2023-02-24T20:27:20.240Z","log.logger":"cerbos.grpc","message":"Starting gRPC server at :3593"} {"log.level":"info","@timestamp":"2023-02-24T20:27:20.240Z","log.logger":"cerbos.http","message":"Starting HTTP server at :3592"}

Why aren’t these logs captured in the cerbos.log file and How can I log these logs inside the file ? Please advise if there is anything wrong with My Configurations. 😊 Many Thanks

Hello everyone, I am using cerbos in my project and have created policy based on my need. But now I want to enforce a policy for all resources based on my principal attributes. How can I achieve that. For example my principal is:

principal: {
  id: "123",
  roles: ["Editor"],
  policyVersion: "default",
  attributes: {
    is_verified: user.is_verified,
  },
},

Here in my attributes I have

is_verified

flag so I want to check if the user is verified then only check any other policy for the user. Because if my user is not verified then I want to block all his access. It would be really helpful for me if anyone can provide me the solution.

Looking for some guidance around modeling policies for nested resources! There was an excellent answer here some time ago, but it looks like it was swallowed by Slack history. Imagine a resource named

config

. Config is made up of several different properties, with granularly permissions. Imagine someone might have permission to

view

or

edit

all of the config, or may only have the ability to view or edit

config.branding

, or

config.someOtherResource

. Currently our principal permissions are attribute-based, eg

["config:branding:*", "config:view"]

What would be an ideal way to author resource policies without a ton of repetition? Many actions on a single resource

config

? Separate resource policies for nested parts? Using scopes? Any guidance is appreciated, happy to provide more context and examples.

Has anyone been able to get tests integrated with AWS CodeBuild? Codebuild requires that the output format be in Cucumber-json or a few different xml formats. Is this possible to do? To be clear, I can run the tests just fine. It's just that the json output isn't useable by CodeBuild Reports.

So I've use CASL.js before and they have this thing where you can query if X can do Y to any Z. Does Cerbos have such a thing?

Is it possible to compose policies in the same way that I'd be able to compose AWS IAM policies? Let's say that I've got a policy that allows creating invoices and a policy that allows sending a payment request. And I want to create a policy for the financial admin that is simply referring to these 2 policies?

G’day Cerbos team! I have one simple question, we are evaluating using Cerbos for a multi tenant use case where eventually we would allow each tenant to have its own set of policies that build upon our default base policies, this could be upwards of 1000+ tenants at this point in time, and grow from there. My question being:

Has Cerbos been load tested with a great number of Scoped Policies, but only say two levels deep, say

organization.member

?

If not, we’ll try to run load testing, but also it would be good to have your opinion on managing performance, is it running more pods in K8S, adding more shared memory etc. Thank you

Hello! We are experimenting with Cerbos and wondering how one would go about enforcing specific permissions for an instance of a record rather than on the resource level. I.E: User1 has access to Document1 but not Document2

We are struggling a little bit with understanding how roles and permissions works in Cerbos. I come from an Auth0 world where you basically define a set of permissions (usually looking something like this

document:read

) and then bundle these up into dynamic roles. You would then be able to validate the permissions rather than the actual role of a user allowing new roles to be added more easily. Is this something that could be accomplished with Cerbos or is this even something we would want to do with Cerbos?

Probably a simple question, but: Is there any way to use wildcards in a resource policy when specifying the resource? Or does that additional data need to come in as an attribute?

Is there a way for SDK clients to specify which (git)branch of the cerbos policies we want to evaluate? #cicd #dev

Is there a recommended Resource policy condition for determining that a valid JWT was provided? I need to make a policy that doesn't have any Role conditions and only looks at the JWT since the Principals won't have any Roles defined

Hi, am trying to use in clause in condition, as shown below

resource: products
  rules:
  - actions: ["customExperiences"]
    roles:
      -  USER
    condition:
      match:
        all:
          of:
            - expr: "2021_START" in request.principal.attr.package

am getting error saying "Failed to read: failed to convert YAML to JSON: yaml: line 17: did not find expected key" can you help me on this

Hey, is it possible (or idiomatic) to define what a role has access to, using principal policies, as opposed as to specifying this for each resources? Eg instead of creating a

pots.yml, pans.yml, knives.yml

and then define what the roles can do in each of the resource policies. you would create

cook.yml

and define what the role

cook

can do inside that single file for all resources

pots, pans, knives

? I guess you could have resource policies named

cook_pans.yml

,

cook_knives.yml

, but just want to ask if there’s a good pattern. Thanks

I'm having some issues with the Java Client. We have followed the deployment setup outlined here to deploy Cerbos as a k8s sidecar. Instead of the ghostunnel application we have a spring-boot API that is using the Java client. We use the following code to iniatlize the client:

final CerbosBlockingClient cerbosClient = new CerbosClientBuilder("unix:/sock/cerbos.sock").withPlaintext().buildBlockingClient();

The client is created without error, but once we try to issue an API call, we get the following error in our logs:

nested exception is dev.cerbos.sdk.CerbosException: RPC exception [Status{code=UNAVAILABLE, description=io exception, cause=io.grpc.netty.shaded.io.netty.channel.AbstractChannel$AnnotatedConnectException: connect(..) failed: Address family not supported by protocol: /sock/cerbos.soc

Not sure if we are specifying the unix socket correctly in this example and struggling to find examples online that do this.

Is there a way to pass in a resource, action, effect and determine all of the principles or roles that would match?

Is there any documentation describing exactly what JWT verification Cerbos is capable of? Just signature verification? Which algorithms? Or does it do other claim verification like

iat

and

exp

timestamp based checks?

Hey hey, is there any documentation describing how to add policies to a database using an ORM instead of yml files?

Does anyone know best practices to add cerbos to a docker-compose file? I’m having issues getting the config.yml file added in 🙂

services:
  cerbos:
    image: <http://ghcr.io/cerbos/cerbos:0.25.0|ghcr.io/cerbos/cerbos:0.25.0>
    container_name: cerbos
    volumes:
      - ./illiquid_assets_api/api/cerbos/policies:/policies
    ports:
      - "3592:3592"
      - "3593:3593"
    command: server --config=/
    restart: unless-stopped

• illiquid_assets_api / api / cerbos / config.yml • illiquid_assets_api / api / cerbos / policies / policy.yml

consider the following: if i have a user with these attributes: 1. Name = John 2. Age = 35 3. Location = Moon I then model these derived roles: 1. Derived Role = "middle-class-user" if Age = 35 2. Derived Role = "super-user" if Name = John AND Age > 30 In this case, when cerbos evaluates a derived role, it will arbitrarily decide whether the user is "middle-class-user" or "super-user" correct? This is due to the ambiguity of the derived role policy?

Hello everyone, I am trying to create a cerbos docker image and I get the error as

{"log.level":"error","@timestamp":"2023-03-23T07:50:37.865Z","log.logger":"cerbos.index","message":"Index build failed","load_failures":[{"file":"config.yaml","error":"failed to unmarshal JSON: proto: (line 1:2): unknown field \"server\""}]}
cerbos: error: failed to create store: failed to build index: missing imports=0, missing scopes=0, duplicate definitions=0, load failures=1

My docker compose config is as below:

version: "3.8"

services:
  app:
    restart: always
    container_name: dashboard
    image: dashboard
    build:
      context: .
      target: development
    volumes:
      - ./src:/app/src
    ports:
      - 3000:3000
    command: npm run dev

  cerbos:
    image: <http://ghcr.io/cerbos/cerbos:0.25.0|ghcr.io/cerbos/cerbos:0.25.0>
    container_name: cerbos
    volumes:
      - ./cerbos:/config
      - ./cerbos:/policies
    ports:
      - "3592:3592"
      - "3593:3593"
    restart: unless-stopped
    command: server --config /config/config.yaml

And my cerbos config file is as below:

server:
  playgroundEnabled: true
  httpListenAddr: ":3592"
  grpcListenAddr: ":3593"

storage:
  driver: "disk"
  disk:
    directory: /policies
    watchForChanges: true

Hey everyone, I have setup cerbos in my local machine using docker-compose as mentioned in above message and while trying to connect to cerbos using the js sdk I am getting cors error as

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at <http://localhost:3592/api/check/resources>. (Reason: CORS request did not succeed). Status code: (null).

And my updated config file is as below:

---
storage:
  driver: "disk"
  disk:
    directory: /policies
    watchForChanges: true

server:
  playgroundEnabled: true
  httpListenAddr: ":3592"
  grpcListenAddr: ":3593"
  cors:
    allowedHeaders: ['content-type'] 
    allowedOrigins: ['*']
    disabled: false
    maxAge: 10s

set the channel topic: Browse through the whole history of previously asked questions @ https://community.cerbos.dev