help
  • e

    Elodie Philippe

    02/23/2022, 10:45 AM
    Hi! Is it possible to use regular expression to match `principal` to an `id` in a PrincipalPolicy?
  • j

    Jesum Yip

    03/22/2022, 2:40 AM
    What does it mean when I see this error in my pod?
    {
      "log.level": "error",
      "@timestamp": "2022-03-22T02:36:56.777Z",
      "log.logger": "cerbos.blob",
      "message": "Failed to build index",
      "bucket": "gs://abac-policies",
      "workDir": "/root/tmp/cerbos/work",
      "error": "failed to build index: missing imports=1, duplicate definitions=0, load failures=0"
    }
  • j

    Jesum Yip

    03/22/2022, 3:18 AM
    by the way, is there a page that documents the cerbos python client library?
  • j

    Jan Kühnlein

    04/06/2022, 8:50 AM
    The test suite definition in the Validating and testing docs is missing the "id" field for resources. Otherwise testing with 0.15.0 fails.
  • j

    Jan Kühnlein

    04/06/2022, 8:57 AM
    @Alex Olivier (Cerbos) any idea how to fix this error?
    {"log.level":"error","@timestamp":"2022-04-06T08:51:05.396Z","log.logger":"cerbos.git.store","message":"Failed to pull from remote","dir":"/work","error":"non-fast-forward update"}
    {"log.level":"error","@timestamp":"2022-04-06T08:51:05.396Z","log.logger":"cerbos.git.store","message":"Failed to check for updates","dir":"/work","error":"failed to pull from remote: non-fast-forward update"}
  • c

    Colton

    04/08/2022, 7:36 PM
    Hi 👋 - I love the work you guys have done creating Cerbos. Question I have though comes down to deployment - can it be deployed with a netlify app?
  • v

    Vladyslav Ishchenko

    05/05/2022, 10:20 AM
    Hi, Cerbos Team. Could you please help with solving this error? When running `make image` command I’m getting this error even though I have enough space on my mac. My setup is:
    MacBook Pro (13-inch, M1, 2020)
  • v

    Vladyslav Ishchenko

    05/05/2022, 10:24 AM
    Also I’m not sure about one more thing. The `$BUCKET_URL` that I need to paste in `conf.default.yml` is the url of bucket with static website hosting enabled and with enabled public access, right? It wasn’t clear from the documentation which steps should be done in order to set up the bucket for Cerbos. Thanks in advance!
  • j

    Jesum Yip

    05/05/2022, 1:00 PM
    Is https://docs.cerbos.dev/ down?
  • r

    Rasmus Dencker

    05/25/2022, 1:22 PM
    Hey guys! We're intending to use Cerbos for a very fine-grained permission model. I just stumbled upon a potential blocker in the swagger docs, though; principals can "only" have 20 roles. In our case, we're going to have per-resource level roles; something like `books.manage`, `authors.read`, ..., and principals can easily assume more than 20 roles. Is that doable in cerbos?
  • r

    Rasmus Dencker

    05/25/2022, 1:23 PM
    Should I just pop all the 'scopes' into `attr` and do configure with expr instead?
  • r

    Rasmus Dencker

    05/27/2022, 11:23 AM
    Does anyone have experience with Cerbos x Bazel?
  • r

    Rasmus Dencker

    05/28/2022, 6:46 PM
    I'm writing a Go script which generates Cerbos yaml manifests. Instead of having to rewrite ResourcePolicy etc structs, can I hook in and use some struct from the Cerbos repo? I tried using `github.com/cerbos/cerbos/api/genpb/cerbos/policy/v1` which aaaalmost works; it just yields a bunch of extra `op` nodes in the yaml:
  • r

    Rasmus Dencker

    05/28/2022, 6:47 PM
  • h

    Harry Zinoviou

    05/31/2022, 9:47 AM
    hi, I'm new to Cerbos, looking into using it as a sidecar container. I'm trying to understand what this log output means:
    {"log.level":"info","@timestamp":"2022-05-30T17:47:05.452Z","log.logger":"cerbos.server","message":"maxprocs: Leaving GOMAXPROCS=8: CPU quota undefined"}
    {"log.level":"info","@timestamp":"2022-05-30T17:47:05.452Z","log.logger":"cerbos.server","message":"Loading configuration from /config/config.yaml"}
    {"log.level":"debug","@timestamp":"2022-05-30T17:47:05.454Z","log.logger":"cerbos.index","message":"Index build failed","missing":null,"missing_scopes":null,"load_failures":null,"duplicates":[{"file":"account_resource.yaml","otherFile":"..2022_05_30_17_45_35.387152270/account_resource.yaml"},{"file":"quant_roles.yaml","otherFile":"..2022_05_30_17_45_35.387152270/quant_roles.yaml"},{"file":"team_resource.yaml","otherFile":"..2022_05_30_17_45_35.387152270/team_resource.yaml"},{"file":"user_resource.yaml","otherFile":"..2022_05_30_17_45_35.387152270/user_resource.yaml"}],"disabled":[]}
    {"log.level":"info","@timestamp":"2022-05-30T17:47:05.454Z","log.logger":"cerbos.server","message":"maxprocs: No GOMAXPROCS change to reset"}
    cerbos: error: failed to create store: failed to build index: missing imports=0, missing scopes=0, duplicate definitions=4, load failures=0
    Does that mean there is an issue with the content in the policy files? The files are defined in a configmap and then mounted to the container. I've also run a local compile with no errors.
  • r

    Rasmus Dencker

    06/02/2022, 4:35 PM
    After enabling tracing I'm getting this error:
    {"log.level":"warn","@timestamp":"2022-06-02T16:23:26.596Z","log.logger":"cerbos.otel","message":"OpenTelemetry error","error":"starting span \"ExportMetrics\": unsupported sampler: 0x7df690"}
    - any clue?
  • r

    Rasmus Dencker

    06/03/2022, 8:47 AM
    The OpenTelemetry spec accepts a list of propagators (`OTEL_PROPAGATORS`). AFAIK, it chooses the first valid propagator for incoming requests. Would that be feasible to implement in Cerbos? Right now I have to choose between tracecontext and b3. I prefer tracecontext, but some of the 3rd party services we use only support b3, so it'd be super cool if Cerbos had an `auto` option to detect the propagation headers from an incoming request
  • t

    Topi Hernández Mares

    06/16/2022, 2:51 PM
    Hi! I'm trying to add tests to my python backend using the python sdk, but I'm getting the following error:
    def is_allowed(
            self,
            action: str,
            principal: Principal,
            resource: Resource,
            request_id: Optional[str] = None,
            aux_data: Optional[AuxData] = None,
        ) -> bool:
            """Check permission for a single action
        
            Args:
                action (str): action being performed
                principal (Principal): principal who is performing the action
                resource (Resource): resource on which the action is being performed
                request_id (None|str): request ID for the request (default None)
                aux_data (None|AuxData): auxiliary data for the request
            """
            resp = self.check_resources(
                principal=principal,
                resources=ResourceList().add(resource, {action}),
                request_id=request_id,
                aux_data=aux_data,
            )
        
    >       return resp.get_resource(resource.id).is_allowed(action)
    E       AttributeError: 'NoneType' object has no attribute 'is_allowed'
    I've been looking at the client code and I found that `get_resource` returns `None` when the request fails, but I don't know what is failing.
  • t

    Topi Hernández Mares

    06/16/2022, 7:32 PM
    Hi, me again. Is it possible to have Cerbos running on a CircleCI Job and load the policies?
  • c

    Charith (Cerbos)

    06/16/2022, 7:37 PM
    I haven't specifically tried it on CircleCI. But I imagine they support running containers or binaries as services. You can either use the Test containers integration in the SDK (take a look at the SDK tests) or use `cerbos run` command to launch Cerbos, execute your tests and then shut down Cerbos. There's an example with test containers here: https://github.com/cerbos/cerbos-sdk-python Here's the documentation for `cerbos run`: https://docs.cerbos.dev/cerbos/latest/cli/cerbos.html#run
  • t

    TS

    06/16/2022, 10:12 PM
    Hi, I'm trying to deploy cerbos server to a cluster following your example but I'm getting this error. I just changed the repo URL, branch (it exists in remote), and subDir. I created a personal access token with repo scope
  • t

    Topi Hernández Mares

    06/22/2022, 2:33 PM
    Hello again! I'm having a weird behavior with the Python SDK, let me try to explain it here. I'm getting the following error, but only in a specific scenario:
    RuntimeError("Cannot send a request, as the client has been closed.")
    This only happens when I make two or more requests to Cerbos with the SDK
  • t

    Topi Hernández Mares

    07/06/2022, 1:43 PM
    Hi, me again! I'm getting a strange behavior with Cerbos. Every now and then, a request to Cerbos gets "lost". I make a call to the API with the Python SDK and get the following error: `The read operation timed out`. I thought that increasing the `timeout_secs` param in the client could fix this issue, but it didn't. I enabled audit logs on my Cerbos container to see if there is any error in that side, but I discovered that whenever I get the error `The read operation timed out`, I don't get any logs, not even the one about `Handled Request`
  • d

    david

    07/19/2022, 12:19 PM
    Hello 👋 . I am currently evaluating Cerbos against our authz requirements and I'm trying to understand how I would write a request/policy to filter a potentially large amount of resources that are hierarchically organized. As an example: a directory structure of fixed depth (2 levels) where each depth of folder can have its own permissions and also the file nodes can have their own permissions. The system would require a way to filter the list of files to just those “viewable” or “editable” by the user. I see some examples in the playground, but they appear to deal with small quantities of resources, and also the documentation indicates that up to 50 (a default) resources can be included in a request. Are there any other examples? Or maybe a policy pattern for handling this scenario? Thanks!
  • s

    Steve High (NTWRK)

    07/22/2022, 1:33 PM
    Hello There I'm doing some bare metal dev and am running cerbos as a standalone (installed via homebrew). I was able to work through some of the TLS issues, but now when I make calls, I am getting this:
    "request failed: rpc error: code = Unimplemented desc = unknown method CheckResources for service cerbos.svc.v1.CerbosService
    I installed the standalone a few days ago, and it looks like it's the latest version. Homebrew thinks I am on `v0.19.0`. When I run `cerbos -v`, it returns `0.7.0`. Just wanna make sure this is a goreleaser hiccup, or if I am actually on an old version. I'll try building from source and see if there's a difference
  • d

    david

    07/25/2022, 10:12 AM
    Is there an equivalent to `c, err := client.New(*cerbosAddr, client.WithTLSInsecure())` for the Javascript GRPC client? i.e. use TLS, but allow insecure.
  • m

    Ming Fang

    07/25/2022, 8:19 PM
    can you please add bash to the docker image? it's virtually important to support it without being able to shell in to debug
  • g

    Gabi Zarhin

    07/27/2022, 1:10 PM
    Hello there(…) 🙂 We are considering creating an authorization mechanism in our application using Cerbos. Part of the policy we characterized defines that a user has a permission for a certain resource (A), if he has said permission to a resource (B) that contains it (A) i.e. its parent, grand-parent and so on. As far as I understood from the documentation, there is a way for defining such hierarchy for principals (derived roles), but the question is if there is a proper way of doing that for resources as well? For example: a user has “write” access to a file if he has “write” access to the folder containing the file? Thanks very much in advance 🙂
  • d

    Dennis (Cerbos)

    08/02/2022, 1:46 AM
    The request can contain multiple resources, so the response will contain multiple decisions. The resource ID helps to identify the decision for the given resource.
  • a

    Asma Rahim

    08/01/2022, 11:10 AM
    Hello All, I hope everyone is great. Has anyone tried out this project to implement cerbos w AWS cognito?

Alex Olivier (Cerbos)

08/01/2022, 11:35 AM
Hey good to hear from you again! We have a full tutorial for using Cerbos with Cognito - https://cerbos.dev/blog/using-aws-cognito-with-cerbos-how-to Hopefully that will be a good guide to get you started

Asma Rahim

08/01/2022, 12:25 PM
Hi Alex, how have you been? I was following this tutorial, but stuck w the installation process. The installation crashes due to this issue:
ModuleNotFoundError: No module named 'pip._vendor.html5lib' inside wrapper
I followed the solutions offered here and here

Charith (Cerbos)

08/01/2022, 1:26 PM
Hey Asma. Are you using the `pw` script?

Asma Rahim

08/02/2022, 4:20 AM
Hi Charith, hope you are doing well. Yes I am using the `pw` script. I used this command to install `./pw install`
ping

Charith (Cerbos)

08/02/2022, 7:34 AM
Hmm.. I am not sure what the issue is then. Pw installs its own Python interpreter in a virtual environment so it should be a clean one
What is your global Python version?

Asma Rahim

08/02/2022, 7:36 AM
it's 3.9.5

Charith (Cerbos)

08/02/2022, 7:39 AM
Oh, I think the project requires Python 3.10 and up: https://github.com/cerbos/python-cognito-cerbos/blob/b5ce1f169826b47a64bee9602201636ad8a83bef/pyproject.toml#L22

Asma Rahim

08/02/2022, 8:04 AM
Does the global python matter?
Or do I just update the version in my venv?

Charith (Cerbos)

08/02/2022, 8:09 AM
Honestly, I am not absolutely sure. The `pw` script is a Python script itself so it probably uses the global Python interpreter during bootstrap to set up the virtual env and other things. IIRC, Python 3.10 had some backward incompatible changes so that could be why you're getting those errors.

Asma Rahim

08/02/2022, 8:22 AM
I see, I am not too keen on updating my python (global) as it might break other things
but let me check

Charith (Cerbos)

08/02/2022, 8:24 AM
You can have a local installation of Python without upgrading the global one

Asma Rahim

08/02/2022, 12:05 PM
I see.
So, is there any way I can use Cerbos without having a dependency on this Python app?

Alex Olivier (Cerbos)

08/02/2022, 12:06 PM
Yes you can use the python SDK directly https://github.com/cerbos/cerbos-sdk-python
This sample app is just an example of using Cerbos along with AWS Cognito

Asma Rahim

08/02/2022, 12:07 PM
Our team is not in favour of using an app interfacing Cerbos / React Web client to determine authorization

Alex Olivier (Cerbos)

08/02/2022, 12:07 PM
You can also just call the API directly https://docs.cerbos.dev/cerbos/latest/api/index.html#check-resources

Asma Rahim

08/02/2022, 12:08 PM
Do we have support for Javascript or Java? Also, how should the deployment part of it be managed? We already have Cerbos as a sidecar in our polyglot system so we're looking for more seamless options.

Alex Olivier (Cerbos)

08/02/2022, 12:08 PM
Yes! You can find all the SDKs here https://cerbos.dev/ecosystem
A sidecar is our recommended approach

Asma Rahim

08/02/2022, 12:09 PM
yes, this is how we are currently using Cerbos https://cerboscommunity.slack.com/archives/C02A364JYMQ/p1659442068825049?thread_ts=1659352235.582889&cid=C02A364JYMQ

Alex Olivier (Cerbos)

08/02/2022, 12:09 PM
Our Javascript SDK comes with a client-side version now also `@cerbos/http` https://github.com/cerbos/cerbos-sdk-javascript/blob/main/packages/http/README.md

Asma Rahim

08/02/2022, 12:10 PM
Really? Just asking out of curiosity, what value does the Python Client with the Fast API add to cerbos?

Alex Olivier (Cerbos)

08/02/2022, 12:10 PM
Depends where you need to make authorization checks - we support many backends as well as calling directly
If your backend is a python+fastapi app - you can use the python SDK, if your backend is node you can use the JS SDK etc

Asma Rahim

08/02/2022, 12:15 PM
Is the JS sdk compatible with React JS ?

Alex Olivier (Cerbos)

08/02/2022, 12:16 PM
Yup you can use it in any JS app

Asma Rahim

08/02/2022, 12:16 PM
We can just forego the backend that way
Great, thanks!

Alex Olivier (Cerbos)

08/02/2022, 12:18 PM
Depending on your usecase, you likely will need to check permissions in the backend also

Asma Rahim

08/02/2022, 1:09 PM
Right, thanks for the help @Alex Olivier (Cerbos) @Charith (Cerbos)
Hi again, I was wondering if I could test multiple actions against the same role and resource via the JS SDK `@cerbos/http`
import { HTTP } from "@cerbos/http";

const cerbos = new HTTP("http://localhost:3592");

await cerbos.isAllowed({
  principal: { id: "user@example.com", roles: ["USER"] },
  resource: { kind: "document", id: "1" },
  action: "view",
}); // => true
I tried by passing `actions` as an array `["eat", "sleep", "repeat"]`
Is there any documentation for this SDK besides the readme on github?

Alex Olivier (Cerbos)

08/03/2022, 1:19 PM
If you use the checkResource method you can pass in a list of actions

Asma Rahim

08/03/2022, 1:19 PM
I'm more eager using the SDK since it's less work and is clean-looking

Alex Olivier (Cerbos)

08/03/2022, 1:20 PM
Yes that method is part of the SDK `Cerbos.checkResource` https://github.com/cerbos/cerbos-sdk-javascript/blob/main/docs/core.client.checkresource.md

Asma Rahim

08/03/2022, 1:40 PM
@Alex Olivier (Cerbos) so there's no method that checks against multiple resources?
Like the `/api/check_resource_batch`

Alex Olivier (Cerbos)

08/03/2022, 1:41 PM
yup - `checkResources` https://github.com/cerbos/cerbos-sdk-javascript/blob/main/docs/core.client.checkresources.md
you can find all the methods here https://github.com/cerbos/cerbos-sdk-javascript/blob/main/docs/core.client.md
const decision = await cerbos.checkResources({
  principal: { id: "user@example.com", roles: ["USER"] },
  resources: [
    {
      resource: { kind: "document", id: "1" },
      actions: ["view", "edit"],
    },
    {
      resource: { kind: "image", id: "1" },
      actions: ["delete"],
    },
  ],
});

decision.isAllowed({
  resource: { kind: "document", id: "1" },
  action: "view",
}); // => true