Is it possible to use environment variables in policies? Something like

expr: P.attr.foo = env["FOO"]

?

When using GIT repo as data source, sometimes the following error occurs:

{
  "log.level": "error",
  "@timestamp": "2023-06-02T11:50:25.391Z",
  "log.logger": "cerbos.git.store",
  "message": "Failed to check for updates",
  "dir": "/work",
  "error": "failed to pull from remote: worktree contains unstaged changes"
}

This is happening when I’m running tests in parallel: 1. constantly pushing random number of policies, both modified and new 2. constantly running process calling

isAllowed

method on SDK What could it be? I’m afraid that when a policy is being modified and authz request is being received at the same time, the check could fail. Also sometimes pod crashes and is being restarted with normal

Shutting down

message, althought k8s resources are not limited.

hey all - thank you for your help so far - I was able to follow the helm deployment instructions here - https://docs.cerbos.dev/cerbos/latest/installation/helm.html everything makes sense -2 followup question in the thread

Hello, Cerbos team. Is there a way to set up cerbos to pull policies from codecommit repository instead of github repository?

Looking at the delpoyment options, if you choose sidecar, are policy updates only changeable with a full application deployment?

Hi, after reading the docs, i have mixed feelings about the

derivedRoles

. In this case, it's about too much responsibilities in Cerbos. My expectation is, those

deriveRoles

is normal

role

, but it's determined via the

request

object instead. Could this simplify the system ? So i could send the

role

directly via

request

.

The "blocking point" here, is the inflexibility of the query language on condition.

Hi, I am getting this "failed to clone" error when trying to configure a git repo as storage, I know for a fact that the credentials are correct for a user with write access to the repo, I even tried hardcoding the password and making the repo public, all attempts returning the same error, any ideas of what I am doing wrong?

Hey guys it’s me again. Quick architecture question, currently we have an instance of cerbos running as a sidecar for our backend, it controls access to individual endpoints based on roles and attributes from the user session or the resources, but we don’t expose it to the internet. Now we want to do some access control in our clients so they’re conditionally shown certain parts of the UI. Our UI pages/fragments don’t match 1-to-1 with the permissions we use for the backend, so our first inclination was perhaps to have a second instance of cerbos, this one as a lambda function, that can be accessible by the clients that have different policies that map directly to UI components. Does this sound like a fair approach or is there a different pattern you can recommend?

Another, perhaps semi-related question. Is there any way to embed the cerbos PDP in the client for very simple is_allowed decisions?

Heads up, starting noticing some fetch failures in our pull request tests this morning. Specifically, calls to cerbos were failing. We pull the latest image in our tests, so pinning to 0.26.0 should hopefully fix.

thank for your help team cerbos - looking at the templates here - looks like there is no way to set the namespace? https://artifacthub.io/packages/helm/cerbos/cerbos ? (

is there a prebuilt cerbos image is not distroless?

Hey, has there been a change made so that when cerbos spins up, it doesn't automatically make the schema / tables? recently it was creating it when it first span up, but now I just get a bunch of errors about table missing

Hi Cerbos team. I have the following configuration in Cerbos:

apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: default
  resource: feature
  scope: A
  importDerivedRoles:
    - derived_roles
  rules:
    - actions:
        - feature:**
      effect: EFFECT_ALLOW
      derivedRoles:
        - ADMIN
        - USER

In the default scope I setup all effects to DENY, to switch them on for the child scopes. This scope,

A

currently has access to all features if you are associated with the project. But now we have a single feature that we would like to disable based on condition (something like this)

- actions:
        - feature:viewer:toolbar:design
      effect: EFFECT_DENY
      derivedRoles:
        - ADMIN
        - USER
      condition:
        match:
          expr: P.attr.projects.filter(t, t.id == R.attr.projectId).all(t, t.hasDesignSeat == false)

But that generates contradicting rules, and it returns ALLOW for the action

feature:viewer:toolbar:design

I understand where it comes from, but how do I a address this? I see two options, both with the same issue. Either I define all of the actions instead of using wildcards except

feature:viewer:toolbar:design

for the standard case, which would make the ALLOW list quite large. Or I swap the default scope to ALLOW instead of DENY, which would allow me to just DENY

feature:viewer:toolbar:design

in this scope (and the rest is allowed in the default scope. But that introduces the issues in the other scopes, where I would need to block all the action not allowed there, which also ends up being quite a lot of action lists. And logically, (in our case at least) it is easier to grasp the access scope when listing allowed actions instead of the blocked. Is there a way to prioritize actions? One suggestion would be to make more specific actions trump loosely defined actions (

a:b:c

>

a:b:*

), within the same scope, if that could be possible.

Curious about the Cerbos Config

compile.cacheDuration

setting. Is there a way to set this to infinite? They default value is 1 minutes, does this mean that Cerbos is recompiling my policies every minute? The way I am using Cerbos is building a Docker image with my policies in the image and using the disk driver, so they never change unless I redeploy a new version of the image. Would there be any performance benefit to caching forever?

wondering - what is the recommended way to add some auth to the cerbos endpoint - token? user/pass? depending on how I deploy Cerbos I know I can use networking rules, L7 stuff (ex: istio) to give me auth, but is there a deployment-agnostic approach - ideally some sort of a cerbos config?

Hi All, I have run into an issue using js sdk on Firefox (but works perfectly fine with Chrome). Here is the setup: 1. Cerbos running in docker 2. Web app makes a request:

const cerbos = new HTTP(`192.168.0.17:3592}`);
const result = await cerbos.checkResources({
        principal: principal,
        resources: resources
    });

Like I said, this works on Chrome but blows up on Fierfox with CORS Missing Allow Origin I tested default docker image and custom config where I specify CORS, both results are same

---
server:
  httpListenAddr: ":3592"
  grpcListenAddr: ":3593"

engine:
  defaultPolicyVersion: "default"

auxData:
  jwt:
    disableVerification: true

storage:
  driver: "disk"
  disk:
    directory: "/policies"
    watchForChanges: true

cors: # CORS defines the CORS configuration for the server.
    allowedHeaders: ['content-type'] # AllowedHeaders is the contents of the allowed-headers header.
    allowedOrigins: ['*'] # AllowedOrigins is the contents of the allowed-origins header.
    disabled: false # Disabled sets whether CORS is disabled.
    maxAge: 10s # MaxAge is the max age of the CORS preflight check.

Any ideas?

Screen Shot 2023-06-17 at 4.56.48 PM.png

Are there any naming conventions for resource names with two parts in it? Would it be snake case

car_tire

?

Helloooo - we're in the process of evaluating Cerbos as a authorization provider, and I'm looking for a concrete example for how we'd support something like "list all orders the user has access to"? AFAIK, we'd be looking at using the

Query Planner API

, but I'm curious if there are any examples on how it's used? A bit more about our setup below: •

node

+

graphql

+

mongodb w/ mongoose

backend • We have

businesses

with

users

and

orders

attached to them ◦

business

<->

user

is an

n:m

relation ◦

business

<->

order

is a

1:n

relation • Users are assigned roles on a business by business basis ◦

viewer

-> can

read

all business orders ◦

owner

-> can

read

and

update

all business orders ◦

contractor

-> can

read

some business orders (contractors are granted read permissions to a specific set of orders on a case by case basis) Authorizing standard CRUD operations on a single

order

resource has been straightforward, but I'm not exactly sure how we should go about fetching and paginating a list of orders the a

user

can

view

for a given

business

Any insight would be helpful!

Is there a best practice as to checking for authorization on a non-specific resource? I.e. "can this user list products?" as far as I can see, the resource ID is mandatory in the /check call and the SDKs

Hi Cerbos team, just a small question I do implement a agent service that calling cerbos to check resource in JS like this

const cerbos = new Cerbos("my_domain", { tls: true });

It's working well and I do want to do it in Rust

let options =
        CerbosClientOptions::new(CerbosEndpoint::HostPort("my_domain", 3592));
 let mut client = CerbosAsyncClient::new(options).await?;

it said CheckResources call failed, i'm not sure that it because I add 3592 or not, butI add it due to CerbosEndpoint require it. May you direct me to the right way?

hi 👋. is there a best practice for conditional rendering of UI, e.g. only show an edit button if the user has permission to edit? I couldn't find any docs on this. at first, we put some logic into the frontend, but we realized that we were essentially duplicating some derived role conditions. is it as simple as having an api endpoint that the frontend can use to reach cerbos to ask if the user has permission to edit?

Hi, i tried some add, update, disable policy operations. policies are creating, updating and listing successfully but when i tried to disable the policy i am not sure its disabling or not. it is giving success message but in policy table disabled field is still showing 0 after calling the disable api. i tried to disable the human-resource-update policy but its not showing any change

func (a Adapter) DeletePolicy(ctx context.Context, in *cerbospb.DeletePolicyPayload) (*cerbospb.DeletePolicyResponse, error) {

    _, err := a.cerbosClient.CerbosAdminClient.DisablePolicy(context.Background(), in.Id)
    if err != nil {
        log.Printf("failed to disable policy: %s", err)
        if statusError, ok := status.FromError(err); ok {
            // Extract gRPC status information
            return nil, status.Errorf(statusError.Code(), "failed to disable policy: %s", statusError.Message())
        }
        return nil, status.Errorf(codes.Internal, "failed to disable policy: %s", err)
    }

    return &cerbospb.DeletePolicyResponse{
        Success: true,
    }, nil
}

Hi, I have a use case where only team admins can remove users from the team, and the way a team admin is defined in our system is not via an intrinsic user property that assigns them their role, but via a table that relates users with teams and a role, as a user can belong to many teams and have a different role in each one. Does it make sense for me to pass all of the user's teams in the payload of

isAllowed

as part of the principal's attributes and treating the team itself as the resource, to check in a derived role condition if the team's id is present in the teams array with a role of "Admin"?

is https://lite-ea.cerbos.cloud/ operational? I am getting this error when I click "Generate Bundle"

may i know when the chapter 11> Running in Production will be ready ? https://book.cerbos.dev/10-integrating-cerbos/index.html

Hey guys! Just a headsup: seems like the testing example in the docs is a bit outdated https://pkg.go.dev/github.com/cerbos/cerbos@v0.28.0/client#readme-easy-unit-integration-tests