https://cerbos.dev logo
Powered by
#help
  • a

    ANILA SOMAN

    10/26/2023, 11:11 AM
    hi team, In cluster we are adding the schema without trigger queries. will this have an impact on the authorization logic?
    Copy code
    CREATE DATABASE IF NOT EXISTS cerbos CHARACTER SET utf8mb4;

USE cerbos;

CREATE TABLE IF NOT EXISTS policy (
    id BIGINT PRIMARY KEY, 
    kind VARCHAR(128) NOT NULL,
    name VARCHAR(1024) NOT NULL,
    version VARCHAR(128) NOT NULL,
    scope VARCHAR(512),
    description TEXT,
    disabled BOOLEAN default false,
    definition BLOB);

CREATE TABLE IF NOT EXISTS policy_dependency (
    policy_id BIGINT NOT NULL,
    dependency_id BIGINT NOT NULL,
    PRIMARY KEY (policy_id, dependency_id),
    FOREIGN KEY (policy_id) REFERENCES policy(id) ON DELETE CASCADE);

CREATE TABLE IF NOT EXISTS policy_ancestor (
    policy_id BIGINT NOT NULL,
    ancestor_id BIGINT NOT NULL,
    PRIMARY KEY (policy_id, ancestor_id),
    FOREIGN KEY (policy_id) REFERENCES policy(id) ON DELETE CASCADE);

CREATE TABLE IF NOT EXISTS policy_revision (
    revision_id INTEGER AUTO_INCREMENT PRIMARY KEY,
    action ENUM('INSERT', 'UPDATE', 'DELETE'),
    id BIGINT NOT NULL,
    kind VARCHAR(128),
    name VARCHAR(1024),
    version VARCHAR(128),
    scope VARCHAR(512),
    description TEXT,
    disabled BOOLEAN, 
    definition BLOB,
    update_timestamp TIMESTAMP DEFAULT CURRENT_TIMESTAMP);

CREATE TABLE IF NOT EXISTS attr_schema_defs (
    id VARCHAR(255) PRIMARY KEY,
    definition JSON);
    c
    • 2
    • 2
  • a

    ANILA SOMAN

    10/26/2023, 11:16 AM
    one more doubt is, we are using cerbos 0.30.0 version, which version mysql is suitable for cerbos 0.30.0?
    c
    • 2
    • 1
  • e

    Eric Brisco

    10/28/2023, 4:38 PM
    Just have a few questions about Cerbos. I integrated CASL, an ABAC library, and Cerbos seems quite similar. The main difference I am seeing, based on the Cerbos docs, is that Cerbos Policies are inherently queried over a network API, whereas CASL does not assume (or come with) any such network API. Is that roughly correct?
    c
    • 2
    • 1
  • d

    Dmitry Meyerson

    10/30/2023, 6:59 PM
    wondering when 0.31 will be released, ty!
    a
    • 2
    • 1
  • t

    Thomas Henson

    11/02/2023, 10:24 AM
    Hi all! I'm currently experimenting with deploying Cerbos as a sidecar container alongside our applications. I'd like to find out what resource requirements are recommended for running Cerbos in this way? Thanks in advance 😄
    c
    • 2
    • 5
  • a

    Akash LM

    11/02/2023, 5:11 PM
    Hi all, I'm deploying Cerbos with 'server.adminAPI.enabled' set to 'true,' and I have mounted the admin credentials as a secret volume inside Cerbos and I'm passing the file path in the ConfigMap. After installation, I'm getting this error log in the Cerbos pod: {"log.level":"log.logger":"cerbos.grpc","message":"Failed to check admin API credentials","error":"crypto/bcrypt: hashedSecret too short to be a bcrypted password"} Am I doing something wrong here?
    c
    • 2
    • 5
  • t

    Thomas Henson

    11/07/2023, 3:42 PM
    Hi guys, We are considering switching to a service deployment but I have a question from one of the developers:
    Are there any additional network implications as a service that result in longer calls than would exist as a coupled process? If you loop over a list of objects to filter a list of N items by policy, we want to be sure that its not going to add 10s of seconds on.
    A service deployment looks as though it will be better for our particular use case, but we just want to be sure it isn't going to impact performance drastically. Cheers 😄
    c
    r
    • 3
    • 3
  • a

    Ashwyn Nair

    11/07/2023, 6:23 PM
    Hi! Is it possible to determine which authorised actions a given actor is allowed to take on a resource without having to specify the actions in the request payload? i.e. instead of specifying to check the resources against the 
    actions: ['read', 'update, 'delete']
    , i would like for the policy to respond with all of the authorised actions the user can take. If I'm thinking about things correctly, this would make things a little more simple at call site?
    d
    • 2
    • 4
  • c

    Charles Moga

    11/08/2023, 4:11 PM
    Hi All
  • c

    Charles Moga

    11/08/2023, 4:11 PM
    Am I right to assume that, with resource policies, I can have a record for each resource in the database? This would make it easy for admins to author them indepedently
    c
    • 2
    • 4
  • t

    Tobias

    11/10/2023, 3:00 PM
    Hey guys, is it possible to define values for global variables inside the policy tests? In our policies we use global variables that are based on environment variables. Currently I am struggling a bit with testing these policies. The setup looks like this: The globals are defined inside the 
    cerbos.yaml
    configuration:
    Copy code
    ...
engine:
  defaultPolicyVersion: 'default'
  globals:
    some_variable: ${SOME_ENV_VARIABLE}
...
    The 
    custom_policy.yaml
    looks like this:
    Copy code
    apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: 'default'
  resource: some_resource
  rules:
    - actions: ['view']
      effect: EFFECT_ALLOW
      roles:
        - user
      condition:
        match:
          all:
            of:
              - expr: R.attr.some_field == true
              - expr: P.attr.some_attr == false
              - expr: G.some_variable == true
    And the 
    custom_policy_test.yaml
    (in it's current state) looks like this:
    Copy code
    name: CustomTests
description: Tests for custom policy.

principals:
  someUser:
    id: u1
    roles:
      - user
    attr:
      some_attr: false

resources:
  someResource:
    id: restricted-network-request
    kind: some_resource
    policyVersion: default
    attr:
      some_field: true

tests:
  - name: Test custom policy
    input:
      principals:
        - someUser
      resources:
        - someResource
      actions:
        - view
    expected:
      - principal: someUser
        resource: someResource
        actions:
          view: EFFECT_ALLOW
    The tests are executed with 
    ./cerbos compile --tests=/path_to_tests /path_to_policies
    with Version 
    0.30.0
    c
    e
    • 3
    • 7
  • b

    Bradey Wood

    11/13/2023, 5:08 PM
    👋 Hello, team!
  • b

    Bradey Wood

    11/13/2023, 5:09 PM
    I have a weird issue where the repl gives me 1 answer, and my tests, the complete opposite answer. Would be grateful for some help...
  • b

    Bradey Wood

    11/13/2023, 5:09 PM
    Resource Policy:
  • b

    Bradey Wood

    11/13/2023, 5:11 PM
    Resource Policy:
    Copy code
    apiVersion: "api.cerbos.dev/v1"
description: |-
  This policy defines who can access an app
resourcePolicy:
  version: "template"
  resource: "mua:app"
  rules:
    - actions: ["access"]
      roles: ["*"]
      effect: EFFECT_ALLOW
      condition:
        match:
          expr: R.id in P.attr.appsEnabled
    Test:
    Copy code
    ---
name: access app
description: Tests for verifying who can access an app

principals:
  ioi_enabled:
    id: ioi_user
    roles: [user]
    attr:
      appsEnabled: ["ioi"]
  ecm_enabled:
    id: ecm_user
    roles: [user]
    attr:
      appsEnabled: ["ecm"]
  both_enabled:
    id: ioi_and_ecm_user
    roles: [user]
    attr:
      appsEnabled: ["ecm", "ioi"]

resources:
  ioi:
    id: ioi
    kind: "mua:app"
  ecm:
    id: ecm
    kind: "mua:app"

tests:
  - name: app enabled users can access the relevant app
    input:
      principals:
        - ioi_enabled
      resources:
        - ioi
      actions:
        - access
    expected:
      - principal: ioi_enabled
        resource: ioi
        actions:
          access: EFFECT_ALLOW
  • b

    Bradey Wood

    11/13/2023, 5:12 PM
    Repl details -- vars:
    Copy code
    request = {
  "resource": {
    "kind": "mua:app",
    "id": "ioi"
  },
  "principal": {
    "id": "ioi_user",
    "roles": [
      "user"
    ],
    "attr": {
      "appsEnabled": [
        "ioi"
      ]
    }
  }
}
    Rules:
    Copy code
    -> :rules
Conditional rules in 'resource.mua_app.vtemplate'

[#0]
    actions:
    - access
    condition:
      match:
        expr: R.id in P.attr.appsEnabled
    effect: EFFECT_ALLOW
    roles:
    - '*'


-> :exec #0
└──R.id in P.attr.appsEnabled [true]
    Tests:
    Copy code
    cerbos compile policies --verbose --run=app

Test results
├──view deal (resource_policies/ECM/deal_test.yaml) [SKIPPED]
└─┬access app (resource_policies/MUA/app_test.yaml) [1 FAILED]
  └─┬app enabled users can access the relevant app
    └─┬ioi_enabled
      └─┬ioi
        └─┬access [FAILED]
          └──OUTCOME: expected: EFFECT_ALLOW, actual: EFFECT_DENY


TRACES
access app - ioi_enabled.ioi.access
  action=access
    activated
    effect → deny
    No matching policies

16 tests executed [15 SKIPPED] [1 FAILED]
cerbos: error: tests failed
    c
    • 2
    • 4
  • b

    Bradey Wood

    11/13/2023, 5:15 PM
    I hope I'm doing something stupid, but I've read, and reread this code and I cannot see why it works via one mechanism, and not the other 🤯
    c
    • 2
    • 1
  • b

    Bradey Wood

    11/13/2023, 5:22 PM
    Another, unrelated comment -- I can get the binary to segfault when I have strange files in 
    testdata
    ...
    Copy code
    cerbos compile policies --verbose --run=app

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x11f238a]

goroutine 1 [running]:
<http://github.com/cerbos/cerbos/internal/verify.(*TestFixture).lookupResource(0xc001869320|github.com/cerbos/cerbos/internal/verify.(*TestFixture).lookupResource(0xc001869320>, 0x7f8263477878?, {0xc000890f50, 0x8})
        <http://github.com/cerbos/cerbos/internal/verify/test_fixture.go:484|github.com/cerbos/cerbos/internal/verify/test_fixture.go:484> +0x4a
<http://github.com/cerbos/cerbos/internal/verify.(*TestFixture).buildTest(0xc0018f6090|github.com/cerbos/cerbos/internal/verify.(*TestFixture).buildTest(0xc0018f6090>?, 0xc000f6a370, 0xc0018f6090, {{0xc001635350, 0x0}, {{0xc000890f00, 0xc}, {0xc000890f50, 0x8}}})
        <http://github.com/cerbos/cerbos/internal/verify/test_fixture.go:432|github.com/cerbos/cerbos/internal/verify/test_fixture.go:432> +0x12d
<http://github.com/cerbos/cerbos/internal/verify.(*TestFixture).buildTests(0x0|github.com/cerbos/cerbos/internal/verify.(*TestFixture).buildTests(0x0>?, 0x0?, 0x0?)
        <http://github.com/cerbos/cerbos/internal/verify/test_fixture.go:411|github.com/cerbos/cerbos/internal/verify/test_fixture.go:411> +0x107
<http://github.com/cerbos/cerbos/internal/verify.(*TestFixture).getTests|github.com/cerbos/cerbos/internal/verify.(*TestFixture).getTests>(0x4163b0?, 0xc000f6a370)
        <http://github.com/cerbos/cerbos/internal/verify/test_fixture.go:391|github.com/cerbos/cerbos/internal/verify/test_fixture.go:391> +0xee
<http://github.com/cerbos/cerbos/internal/verify.(*TestFixture).runTestSuite(0x1e|github.com/cerbos/cerbos/internal/verify.(*TestFixture).runTestSuite(0x1e>?, {0x34876e0, 0xc000ff4ac0}, {0x345d780, 0xc0014c0de0}, 0x34874e8?, {0xc001015560, 0x24}, 0xc000f6a370, 0x1)
        <http://github.com/cerbos/cerbos/internal/verify/test_fixture.go:187|github.com/cerbos/cerbos/internal/verify/test_fixture.go:187> +0x1fc
<http://github.com/cerbos/cerbos/internal/verify.Verify.func5({0xc001015560|github.com/cerbos/cerbos/internal/verify.Verify.func5({0xc001015560>, 0x24})
        <http://github.com/cerbos/cerbos/internal/verify/verify.go:143|github.com/cerbos/cerbos/internal/verify/verify.go:143> +0x5ef
<http://github.com/cerbos/cerbos/internal/verify.Verify(|github.com/cerbos/cerbos/internal/verify.Verify(>{0x34876e0, 0xc000ff4ac0}, {0x345da20, 0xc0013923f0}, {0x345d780, 0xc0014c0de0}, {{0xc0008707d0?, 0xc000e0f170?}, 0xc0?})
        <http://github.com/cerbos/cerbos/internal/verify/verify.go:151|github.com/cerbos/cerbos/internal/verify/verify.go:151> +0x48f
<http://github.com/cerbos/cerbos/cmd/cerbos/compile.(*Cmd).Run(0xc001408d00|github.com/cerbos/cerbos/cmd/cerbos/compile.(*Cmd).Run(0xc001408d00>, 0xc000d1c280)
        <http://github.com/cerbos/cerbos/cmd/cerbos/compile/compile.go:146|github.com/cerbos/cerbos/cmd/cerbos/compile/compile.go:146> +0x886
reflect.Value.call({0x2809480?, 0xc001408d00?, 0x2b93da0?}, {0x2bb01d5, 0x4}, {0xc0006fa480, 0x1, 0x0?})
        reflect/value.go:596 +0xce7
reflect.Value.Call({0x2809480?, 0xc001408d00?, 0x2797460?}, {0xc0006fa480?, 0x2b93da0?, 0xc000130f70?})
        reflect/value.go:380 +0xb9
<http://github.com/alecthomas/kong.callFunction(|github.com/alecthomas/kong.callFunction(>{0x2809480?, 0xc001408d00?, 0x0?}, 0x2baf710?)
        <http://github.com/alecthomas/kong@v0.8.1/callbacks.go:98|github.com/alecthomas/kong@v0.8.1/callbacks.go:98> +0x40b
<http://github.com/alecthomas/kong.(*Context).RunNode(0xc0007cb880|github.com/alecthomas/kong.(*Context).RunNode(0xc0007cb880>, 0xc000f6c4b0, {0x0, 0x0, 0xc000d1c280?})
        <http://github.com/alecthomas/kong@v0.8.1/context.go:765|github.com/alecthomas/kong@v0.8.1/context.go:765> +0x810
<http://github.com/alecthomas/kong.(*Context).Run(0x25f1be0|github.com/alecthomas/kong.(*Context).Run(0x25f1be0>?, {0x0?, 0xc00149fee0?, 0x7?})
        <http://github.com/alecthomas/kong@v0.8.1/context.go:790|github.com/alecthomas/kong@v0.8.1/context.go:790> +0x132
main.main()
        <http://github.com/cerbos/cerbos/cmd/cerbos/main.go:45|github.com/cerbos/cerbos/cmd/cerbos/main.go:45> +0x2b6
  • b

    Bradey Wood

    11/13/2023, 5:23 PM
    instead of creating 
    resources.yaml
    in my test data, I mistakenly named it 
    deals.yaml
    and this seems to cause the segfault... just in case you guys weren't aware.
  • b

    Bradey Wood

    11/13/2023, 5:23 PM
    version:
    Copy code
    cerbos --version
0.31.0
Build timestamp: 2023-10-31T07:58:39Z
Build commit: 625bc0d022e55377f6f9e70ec634d1493916a265
Go version: go1.21.3
vcs: git
vcs.revision: 625bc0d022e55377f6f9e70ec634d1493916a265
vcs.time: 2023-10-31T07:55:53Z
vcs.modified: false
    c
    • 2
    • 3
  • c

    Charles Moga

    11/14/2023, 11:11 AM
    Hi all
  • c

    Charles Moga

    11/14/2023, 11:12 AM
    Copy code
    I am trying to workout this snippet and adapt for our use case:

CheckResult result=client.check(
    Principal.newInstance("john","employee")
        .withPolicyVersion("20210210")
        .withAttribute("department",stringValue("marketing"))
        .withAttribute("geography",stringValue("GB")),
    Resource.newInstance("leave_request","xx125")
        .withPolicyVersion("20210210")
        .withAttribute("department",stringValue("marketing"))
        .withAttribute("geography",stringValue("GB"))
        .withAttribute("owner",stringValue("john")),
    "view:public","approve");

if(result.isAllowed("approve")){ // returns true if `approve` action is allowed
    ...
}

Our use case is a rest API with post, get, update and delete, and I have mapped against resources.
Fo example, we have "admin" with the following access:

resource|create |read  |update |delete
---------------------------------------
user    | true  | true | true  | true 
payment | false | true | false | false 


Now when request hits '/user', we have an interceptor,
that takes "user" as the resource, action (post, get, update, or delete) JWT that contains user data including the role, which is admin.
And I am trying to figure out how I can adapt the code above to authorize/deny a request
    o
    • 2
    • 2
  • b

    Bradey Wood

    11/14/2023, 11:41 AM
    I have a (minor) feature request, in the output of a test run, would it be possible to print out the 
    EFFECT_ALLOW
    or 
    EFFECT_DENY
    alongside the 
    OK
    -- I have PO's who are looking at test output and confusing 
    OK
    (it passed the test) with 
    EFFECT_ALLOW
    -- the action was allowed.
    c
    • 2
    • 4
  • c

    Charles Moga

    11/15/2023, 3:43 AM
    Anyone has run into this before
  • c

    Charles Moga

    11/15/2023, 3:43 AM
    Copy code
    java.lang.NoClassDefFoundError: io/grpc/internal/AbstractManagedChannelImplBuilder
	at java.base/java.lang.ClassLoader.defineClass(ClassLoader.java:1013)
	at java.base/java.security.SecureClassLoader.defineClass(SecureClassLoader.java:150)
	at java.base/jdk.internal.loader.BuiltinClassLoader.defineClass(BuiltinClassLoader.java:862)
	at java.base/jdk.internal.loader.BuiltinClassLoader.findClassOnClassPathOrNull(BuiltinClassLoader.java:760)
	at java.base/jdk.internal.loader.BuiltinClassLoader.loadClassOrNull(BuiltinClassLoader.java:681)
	at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:639)
	at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:188)
	at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
  • c

    Charles Moga

    11/15/2023, 3:44 AM
    I am using
    Copy code
    implementation("dev.cerbos:cerbos-sdk-java:0.7.0")
	implementation("io.grpc:grpc-core:1.59.0")
    c
    • 2
    • 2
  • b

    Bradey Wood

    11/15/2023, 9:54 AM
    Any help/direction on how to parse the AST from a query plan against DynamoDB? Not adverse to writing something to walk the AST but was wondering if there is a reference implementation somewhere that I can look at...
    c
    • 2
    • 1
  • a

    Ankit Khosla

    11/18/2023, 4:38 PM
    Hi all, Following 
    condition
    is not working. It should only 
    ALLOW
    when 
    tenantId
    and 
    organizationId
    matches. But it’s not working as expected. Any suggestions? 
    org_staff_roles.yaml
    Copy code
    # yaml-language-server: $schema=<https://api.cerbos.dev/latest/cerbos/policy/v1/Policy.schema.json>
# docs: <https://docs.cerbos.dev/cerbos/latest/policies/derived_roles>
apiVersion: api.cerbos.dev/v1
derivedRoles:
  name: org_staff_roles
  definitions:
    - name: MANAGER
      parentRoles:
        - admin
      condition:
        match:
          all: 
            of:
              - expr: R.attr.tenantId == P.attr.tenantId
              - expr: R.attr.organizationId == P.attr.organizationId
    - name: READ_ONLY
      parentRoles:
        - user
      condition:
        match:
          all: 
            of:
              - expr: R.attr.tenantId == P.attr.tenantId
              - expr: R.attr.organizationId == P.attr.organizationId
    - name: APPROVER
      parentRoles:
        - user
      condition:
        match:
          all: 
            of:
              - expr: R.attr.tenantId == P.attr.tenantId
              - expr: R.attr.organizationId == P.attr.organizationId
    resource-policy.yml
    Copy code
    apiVersion: api.cerbos.dev/v1
resourcePolicy:
  resource: inventory
  version: default
  importDerivedRoles:
    - user_roles
    - admin_roles
    - org_staff_roles
  rules:
    - actions: ["*"]
      effect: EFFECT_ALLOW
      roles:
        - ORG_ADMIN
        - SUPER_ADMIN
      name: inventory_admin_rule
    - actions:
        [ 
          "create",
          "read",
          "update",
          "delete",
          "approve"
        ]
      effect: EFFECT_ALLOW
      roles:
        - MANAGER
      name: inventory_manager_rule
    - actions:
        [
          "approve"
        ]
      effect: EFFECT_ALLOW
      roles:
        - APPROVER
      name: inventory_creator_rule
    - actions:
        [ 
          "read",
        ]
      effect: EFFECT_ALLOW
      roles:
        - CHECKER
      name: inventory_checker_rule
    request body: Should be 
    DENY
    all actions since, 
    organizationId
    does not match between, resource and principal. But it’s being 
    ALLOWED
    .
    Copy code
    {
  "requestId": "123123",
  "principal": {
    "id": "123",
    "roles": [
      "MANAGER"
    ],
    "attr": {
      "organizationId": "123",
      "tenantId": "1234"
    }
  },
  "resources": [
    {
      "resource": {
        "kind": "inventory",
        "id": "1234",
        "attr": {
          "organizationId": "123333",
          "tenantId": "1234"
        }
      },
      "actions": [
        "approve",
        "create",
        "delete",
        "read",
        "update"
      ]
    }
  ]
}
    d
    g
    c
    • 4
    • 41
  • b

    Bradey Wood

    11/20/2023, 4:22 PM
    Question: can you set a version in a schema?
    c
    • 2
    • 3
  • s

    Sai Kumar Gade

    11/21/2023, 9:28 AM
    Hello all, I want to use Cerbos in front end application using React, any suggestions how to start with? Thanks
    o
    e
    • 3
    • 4
1...7891011Latest