Jesum Yip
02/15/2023, 3:15 PM
Sunil
02/16/2023, 2:32 PM
Steve High (NTWRK)
02/16/2023, 5:52 PM
cerbos-setup github action. I am defining my step as:
- name: Get Cerbos CLI
  uses: cerbos/cerbos-setup-action@v1
  with:
    version: latest
    github_token: ${{secrets.INTERNAL_TOKEN}}
Where ${{secrets.INTERNAL_TOKEN}} is a valid github api token (used in other steps without issue).
Occasionally with this action, I get the following error:
HttpError: API rate limit exceeded for 52.190.17.193. (But here's the good news: Authenticated requests get a higher rate limit. Check out the documentation for more details.)
at /home/runner/work/_actions/cerbos/cerbos-setup-action/v1/webpack:/cerbos-setup-action/node_modules/@octokit/request/dist-node/index.js:86:1
at processTicksAndRejections (node:internal/process/task_queues:96:5)
I went so far as to recreate a new token and store it in github secrets. The issue still happens a few times a day. Is the action using the provided github token?
Jesum Yip
02/17/2023, 2:11 AM
Carl Bäckström
02/21/2023, 3:43 PM
Matthew Ebeweber
02/21/2023, 5:49 PM
Omar Din
02/25/2023, 12:16 PM
FROM ghcr.io/cerbos/cerbos:0.24.0
#To access the kernel inside the container
COPY --from=public.ecr.aws/docker/library/busybox:uclibc /bin /bin
COPY policies /policies
ENV CERBOS_CONFIG="/config/config.yaml"
EXPOSE 3593 3592
The policies directory is in the same directory as the Dockerfile and is mounted onto the container.
Then deploying the following Kubernetes manifest Deployment.yaml in my AWS EKS Cluster, Fargate Node:
Mounting the /config/config.yaml and audit-logs directory onto the container.
And audit logs are enabled and specified a path for the file inside the audit-logs directory
apiVersion: v1
kind: ConfigMap
metadata:
  name: cerbos-config
data:
  config.yaml: |
    server:
      httpListenAddr: ":3592"
      grpcListenAddr: ":3593"
    storage:
      driver: "disk"
      disk:
        directory: /policies
    schema:
      enforcement: reject
    audit:
      enabled: true
      accessLogsEnabled: true
      decisionLogsEnabled: true
      backend: file
      file:
        path: /audit-logs/cerbos.log
---
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    prometheus.io/path: /metrics
    prometheus.io/port: "3000"
    prometheus.io/scrape: "true"
  labels:
    app: yl-api-cerbos
    namespace: "{{ .Values.ENVIRONMENT }}"
  name: yl-api-cerbos-deployment
  namespace: "{{ .Values.ENVIRONMENT }}"
spec:
  minReadySeconds: 0
  progressDeadlineSeconds: 600
  replicas: 3
  selector:
    matchExpressions: []
    matchLabels:
      cdk8s.deployment: AppChart-yl-api-cerbos-deployment-c8445de9
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: yl-api-cerbos
        cdk8s.deployment: AppChart-yl-api-cerbos-deployment-c8445de9
        namespace: "{{ .Values.ENVIRONMENT }}"
    spec:
      automountServiceAccountToken: true
      containers:
        - image: "{{ .Values.AWS_ACCOUNT }}.dkr.ecr.{{ .Values.AWS_REGION }}.amazonaws.com/{{ .Values.SERVICE_NAME }}:{{ .Values.APP_VERSION }}"
          imagePullPolicy: Always
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /
              port: 3592
            initialDelaySeconds: 30
            timeoutSeconds: 10
          name: yl-api-cerbos
          ports:
            - containerPort: 3593
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /
              port: 3592
            initialDelaySeconds: 30
            timeoutSeconds: 10
          resources:
            limits:
              cpu: 500m
              memory: 256Mi
            requests:
              cpu: 250m
              memory: 128Mi
          securityContext:
            privileged: false
            readOnlyRootFilesystem: false
            runAsNonRoot: false
          volumeMounts:
            - name: cerbos-logs
              mountPath: /audit-logs/
            - name: cerbos-config
              mountPath: /config/
      volumes:
        - name: cerbos-config
          configMap:
            name: cerbos-config
        - name: cerbos-logs
          emptyDir: {}
I deploy the deployment and the yl-api-cerbos container is running as expected. However, when I exec into the container and check the cerbos.log file, I see that the file is empty.
When I run the command kubectl logs <POD_NAME> -c <CONTAINER_NAME>, I see the following logs:
{"log.level":"info","@timestamp":"2023-02-24T20:27:20.166Z","log.logger":"cerbos.server","message":"maxprocs: Updating GOMAXPROCS=1: using minimum allowed GOMAXPROCS"}
{"log.level":"info","@timestamp":"2023-02-24T20:27:20.166Z","log.logger":"cerbos.server","message":"Loading configuration from /config/config.yaml"}
{"log.level":"info","@timestamp":"2023-02-24T20:27:20.235Z","log.logger":"cerbos.index","message":"Found 2 executable policies"}
{"log.level":"info","@timestamp":"2023-02-24T20:27:20.236Z","log.logger":"cerbos.telemetry","message":"Anonymous telemetry enabled. Disable via the config file or by setting the CERBOS_NO_TELEMETRY=1 environment variable"}
{"log.level":"info","@timestamp":"2023-02-24T20:27:20.240Z","log.logger":"cerbos.grpc","message":"Starting gRPC server at :3593"}
{"log.level":"info","@timestamp":"2023-02-24T20:27:20.240Z","log.logger":"cerbos.http","message":"Starting HTTP server at :3592"}
Why aren't these logs captured in the cerbos.log file, and how can I log these logs inside the file?
Please advise if there is anything wrong with my configurations. 😊
Many thanks
Dipesh Bajgain
03/01/2023, 12:24 PM
principal: {
  id: "123",
  roles: ["Editor"],
  policyVersion: "default",
  attributes: {
    is_verified: user.is_verified,
  },
},
Here in my attributes I have an is_verified flag, so I want to check if the user is verified and only then check any other policy for the user, because if my user is not verified then I want to block all his access.
It would be really helpful for me if anyone can provide me the solution.
Ryan Killeen
03/01/2023, 10:30 PM
config. Config is made up of several different properties, with granular permissions. Imagine someone might have permission to view or edit all of the config, or may only have the ability to view or edit config.branding, or config.someOtherResource.
Currently our principal permissions are attribute-based, eg ["config:branding:*", "config:view"]
What would be an ideal way to author resource policies without a ton of repetition? Many actions on a single resource config? Separate resource policies for nested parts? Using scopes? Any guidance is appreciated, happy to provide more context and examples.
Peter Franzen
03/01/2023, 10:53 PM
Yousef Sultan
03/02/2023, 7:23 AM
Horia Constantin
03/07/2023, 1:22 PM
Guillaume Picard
03/08/2023, 2:31 AM
Has Cerbos been load tested with a great number of Scoped Policies, but only say two levels deep, say organization.member? If not, we'll try to run load testing, but also it would be good to have your opinion on managing performance: is it running more pods in K8S, adding more shared memory, etc.? Thank you
Carl Bäckström
03/08/2023, 2:12 PM
Carl Bäckström
03/08/2023, 4:55 PM
document:read) and then bundle these up into dynamic roles.
You would then be able to validate the permissions rather than the actual role of a user allowing new roles to be added more easily. Is this something that could be accomplished with Cerbos or is this even something we would want to do with Cerbos?
Peter Franzen
03/08/2023, 11:57 PM
sdktr
03/09/2023, 3:02 PM
Peter Franzen
03/09/2023, 6:38 PM
Kiran V
03/09/2023, 11:51 PM
resource: products
rules:
  - actions: ["customExperiences"]
    roles:
      - USER
    condition:
      match:
        all:
          of:
            - expr: "2021_START" in request.principal.attr.package
I am getting an error saying "Failed to read: failed to convert YAML to JSON: yaml: line 17: did not find expected key". Can you help me on this?
Guillaume Picard
03/10/2023, 11:55 AM
pots.yml, pans.yml, knives.yml and then define what the roles can do in each of the resource policies.
You would create cook.yml and define what the role cook can do inside that single file for all resources pots, pans, knives?
I guess you could have resource policies named cook_pans.yml, cook_knives.yml, but just want to ask if there's a good pattern.
Thanks
Jay StGelais
03/10/2023, 6:51 PM
final CerbosBlockingClient cerbosClient = new CerbosClientBuilder("unix:/sock/cerbos.sock").withPlaintext().buildBlockingClient();
The client is created without error, but once we try to issue an API call, we get the following error in our logs:
nested exception is dev.cerbos.sdk.CerbosException: RPC exception [Status{code=UNAVAILABLE, description=io exception, cause=io.grpc.netty.shaded.io.netty.channel.AbstractChannel$AnnotatedConnectException: connect(..) failed: Address family not supported by protocol: /sock/cerbos.soc
Not sure if we are specifying the unix socket correctly in this example and struggling to find examples online that do this.
Mike Miller
03/11/2023, 1:44 PM
Owen Cummings
03/14/2023, 3:50 PM
iat and exp timestamp based checks?
Saul Martin
03/15/2023, 11:18 AM
Saul Martin
03/20/2023, 4:59 PM
services:
  cerbos:
    image: ghcr.io/cerbos/cerbos:0.25.0
    container_name: cerbos
    volumes:
      - ./illiquid_assets_api/api/cerbos/policies:/policies
    ports:
      - "3592:3592"
      - "3593:3593"
    command: server --config=/
    restart: unless-stopped
• illiquid_assets_api / api / cerbos / config.yml
• illiquid_assets_api / api / cerbos / policies / policy.yml
Jesum Yip
03/23/2023, 6:13 AM
Dipesh Bajgain
03/23/2023, 7:54 AM
{"log.level":"error","@timestamp":"2023-03-23T07:50:37.865Z","log.logger":"cerbos.index","message":"Index build failed","load_failures":[{"file":"config.yaml","error":"failed to unmarshal JSON: proto: (line 1:2): unknown field \"server\""}]}
cerbos: error: failed to create store: failed to build index: missing imports=0, missing scopes=0, duplicate definitions=0, load failures=1
My docker compose config is as below:
version: "3.8"
services:
  app:
    restart: always
    container_name: dashboard
    image: dashboard
    build:
      context: .
      target: development
    volumes:
      - ./src:/app/src
    ports:
      - 3000:3000
    command: npm run dev
  cerbos:
    image: ghcr.io/cerbos/cerbos:0.25.0
    container_name: cerbos
    volumes:
      - ./cerbos:/config
      - ./cerbos:/policies
    ports:
      - "3592:3592"
      - "3593:3593"
    restart: unless-stopped
    command: server --config /config/config.yaml
And my cerbos config file is as below:
server:
  playgroundEnabled: true
  httpListenAddr: ":3592"
  grpcListenAddr: ":3593"
storage:
  driver: "disk"
  disk:
    directory: /policies
    watchForChanges: true
Dipesh Bajgain
03/24/2023, 5:42 AM
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:3592/api/check/resources. (Reason: CORS request did not succeed). Status code: (null).
And my updated config file is as below:
---
storage:
  driver: "disk"
  disk:
    directory: /policies
    watchForChanges: true
server:
  playgroundEnabled: true
  httpListenAddr: ":3592"
  grpcListenAddr: ":3593"
  cors:
    allowedHeaders: ['content-type']
    allowedOrigins: ['*']
    disabled: false
    maxAge: 10s
Aldin Kiselica
03/24/2023, 8:55 AM
sdktr
03/24/2023, 9:00 PM
sdktr
03/24/2023, 9:00 PM
Charith (Cerbos)
03/25/2023, 8:30 AM
x-forwarded-for header, and you can configure Cerbos to record any other custom headers that identify the client as well. https://docs.cerbos.dev/cerbos/latest/configuration/audit.html