• Alberto Cunha

    1 week ago
    {"log.level":"info","@timestamp":"2022-09-14T20:38:00.511Z","log.logger":"cerbos.grpc","message":"Handled request","grpc.start_time":"2022-09-14T20:38:00Z","system":"grpc","span.kind":"server","grpc.service":"cerbos.svc.v1.CerbosService","grpc.method":"CheckResources","peer.address":"127.0.0.1:54936","http":{"x_forwarded_for":["172.17.0.1"],"x_forwarded_host":["localhost:3592"]},"cerbos":{"call_id":"01GCYVJ2HZP8F3ENP5MB8E9HJQ"},"error":"rpc error: code = InvalidArgument desc = failed to extract auxData","grpc.code":"InvalidArgument","grpc.time_ms":0.223}
  • Hazel Boyle

    1 week ago
    hi, i'm trying out cerbos right now - does the actual check api cache its policies while the admin api doesn't? i've got watchForChanges turned on with the disk storage, and when i update my policy i can see the changes immediately reflected in /admin/policy, but /api/check is still making outdated decisions based on the old policy. if this is the case, how can i change this behaviour? /admin/store/reload didn't work, and even if it did i wouldn't want to be regularly needing to call that, obviously
    Alex Olivier (Cerbos) +1
    27 replies
  • Alberto Cunha

    1 week ago
    Can anyone give me some help?
    1 reply
  • Maggie Walker

    1 week ago
    Is it possible to do wildcard matching in CEL? e.g:
    R.attr.account_id in P.attr.tenants.*.subaccount_ids
    assuming there were two objects with:
    P.attr.tenants.3.subaccount_ids
    P.attr.tenants.5.subaccount_ids
    Charith (Cerbos) +1
    15 replies
  • Alberto Cunha

    1 week ago
    Hello! I'm trying to JWT token on cerbos with auxData. I'm using Strapi as backend and I'm actually thinking if this is really necessary, as the true access control will happen on backend. The front end will only block rendering of some components.
    Dennis (Cerbos) +1
    9 replies
  • Petra Barus

    2 weeks ago
    Hey team, I am evaluating Cerbos. For a production environment, do you recommend using S3 or RDS Postgres?
    Emre (Cerbos) +1
    6 replies
  • Petra Barus

    1 week ago
    Hi all, need help on a content-digital commerce use case. So in this case a User can only view a video after she purchased it. Let’s say there is a user user-1 that purchased order order-1 that contains 2 videos video-1 and video-2. When user-1 wants to view a video video-1, the system will do a check. How to best achieve this? Should the system create a new principal policy on every successful purchase?
    Charith (Cerbos)
    9 replies
  • Charith (Cerbos)

    6 days ago
    It should be under the policies directory
    Charith (Cerbos)
    1 reply
  • david

    5 days ago
    Hello everyone 👋 . Is it reasonable to use resource scopes as DDD-like “bounded contexts”? i.e. each microservice has its own scope so that resources with the same name (but different meaning) can exist within each?
    Charith (Cerbos)
    6 replies
  • Nabil

    2 weeks ago
    Hello all! I am trying to wrap my head around a scenario with cerbos and would love some help! Everything I've seen with the docs and the API of cerbos treats authorization requests as a principal trying to act on specific/known resource(s) (the resource IDs must be known and sent to cerbos when checking). My application has scenarios that don't nicely fit with that and I am wondering what I am missing. For example:
      • There is a page in the app that displays all resource_x's for a user to browse and manage. Only a principal with the role_x may view it. How might I write a cerbos policy that implements this authz check? Am I required to fetch a list of all resource_x IDs to send along to cerbos? What if there are thousands of the resource? That seems like unnecessary overhead.
      • I am finding the majority of the authorization checks our app is needing to make are not for a principal accessing a specific resource (by its ID), but for a principal looking to access some collection of a resource (some hundreds or thousands of some resource type)
    Any help or ideas would be greatly appreciated! Thank you 🙂
    Alex Olivier (Cerbos)
    18 replies