Hi ! Is it possible to use regular expression to match `principal`to an

id

in a PrincipalPolicy?

What does it mean when I see this error in my pod?

{
  "log.level": "error",
  "@timestamp": "2022-03-22T02:36:56.777Z",
  "log.logger": "cerbos.blob",
  "message": "Failed to build index",
  "bucket": "<gs://abac-policies>",
  "workDir": "/root/tmp/cerbos/work",
  "error": "failed to build index: missing imports=1, duplicate definitions=0, load failures=0"
}

by the way, is there a page that documents the cerbos python client library?

The test suite definition in the Validating and testing docs is missing the "id" field for resources. Otherwise testing with 0.15.0 fails.

@Alex Olivier (Cerbos) any idea how to fix this error?

{"log.level":"error","@timestamp":"2022-04-06T08:51:05.396Z","log.logger":"cerbos.git.store","message":"Failed to pull from remote","dir":"/work","error":"non-fast-forward update"}

{"log.level":"error","@timestamp":"2022-04-06T08:51:05.396Z","log.logger":"cerbos.git.store","message":"Failed to check for updates","dir":"/work","error":"failed to pull from remote: non-fast-forward update"}

Hi 👋 - I love the work you guys have done creating Cerbos. Question I have though comes down to deployment - can it be deployed with a netlify app?

Hi, Cerbos Team. Could you please help with solving this error? When running

make image

command I’m getting this error even though I have enough space on my mac. My setup is:

MacBook Pro (13-inch, M1, 2020)

Also I’m not sure about one more thing. The

$BUCKET_URL

that I need to paste in

conf.default.yml

is the url of bucket with static website hosting enabled and with enabled public access, right? It wasn’t clear from the documentation which steps should be done in order to set up the bucket for Cerbos. Thanks in advance!

Is https://docs.cerbos.dev/ down?

Hey guys! We're intending to use Cerbos for a very fine-grained permission model. I just stumbled upon a potential blocker in the swagger docs, though; principals can "only" have 20 roles. In our case, we're going to have per-resource level roles; something like

books.manage

,

authors.read

, ..., and principals can easily assume more than 20 roles. Is that doable in cerbos?

Should I just pop all the 'scopes' into

attr

and do configure with expr instead?

Does anyone have experience with Cerbos x Bazel?

I'm writing a Go script which generates Cerbos yaml manifests. Instead of having to rewrite ResourcePolicy etc structs, can I hook in and use some struct from the Cerbos repo? I tried using

<http://github.com/cerbos/cerbos/api/genpb/cerbos/policy/v1|github.com/cerbos/cerbos/api/genpb/cerbos/policy/v1>

which aaaalmost works; it just yields a bunch of extra

op

nodes in the yaml:

hi, I'm new to Cerbos, looking into using it as a sidecar container. I'm trying to understand what this log output means:

{"log.level":"info","@timestamp":"2022-05-30T17:47:05.452Z","log.logger":"cerbos.server","message":"maxprocs: Leaving GOMAXPROCS=8: CPU quota undefined"}
{"log.level":"info","@timestamp":"2022-05-30T17:47:05.452Z","log.logger":"cerbos.server","message":"Loading configuration from /config/config.yaml"}
{"log.level":"debug","@timestamp":"2022-05-30T17:47:05.454Z","log.logger":"cerbos.index","message":"Index build failed","missing":null,"missing_scopes":null,"load_failures":null,"duplicates":[{"file":"account_resource.yaml","otherFile":"..2022_05_30_17_45_35.387152270/account_resource.yaml"},{"file":"quant_roles.yaml","otherFile":"..2022_05_30_17_45_35.387152270/quant_roles.yaml"},{"file":"team_resource.yaml","otherFile":"..2022_05_30_17_45_35.387152270/team_resource.yaml"},{"file":"user_resource.yaml","otherFile":"..2022_05_30_17_45_35.387152270/user_resource.yaml"}],"disabled":[]}
{"log.level":"info","@timestamp":"2022-05-30T17:47:05.454Z","log.logger":"cerbos.server","message":"maxprocs: No GOMAXPROCS change to reset"}
cerbos: error: failed to create store: failed to build index: missing imports=0, missing scopes=0, duplicate definitions=4, load failures=0

Does that mean there is an issue with the content in the policy files? The files are defined in a configmap and then mounted to the container. I've also ran a local compile with no errors.

After enabling tracing I'm getting this error:

{"log.level":"warn","@timestamp":"2022-06-02T16:23:26.596Z","log.logger":"cerbos.otel","message":"OpenTelemetry error","error":"starting span \"ExportMetrics\": unsupported sampler: 0x7df690"}

- any clue?

The OpenTelemetry spec accepts a list of propagators (

OTEL_PROPAGATORS

). AFAIK, it chooses the first valid propagator for incoming requests. Would that be feasible to implement in Cerbos? Right now I have to choose between tracecontext and b3. I prefer tracecontext, but some of the 3rd party services we use only support b3, so it'd be super cool if Cerbos had an

auto

option to detect the propagation headers from an incoming request

Hi! I'm trying to add tests to my python backend using the python sdk, but I'm getting the following error:

def is_allowed(
        self,
        action: str,
        principal: Principal,
        resource: Resource,
        request_id: Optional[str] = None,
        aux_data: Optional[AuxData] = None,
    ) -> bool:
        """Check permission for a single action
    
        Args:
            action (str): action being performed
            principal (Principal): principal who is performing the action
            resource (Resource): resource on which the action is being performed
            request_id (None|str): request ID for the request (default None)
            aux_data (None|AuxData): auxiliary data for the request
        """
        resp = self.check_resources(
            principal=principal,
            resources=ResourceList().add(resource, {action}),
            request_id=request_id,
            aux_data=aux_data,
        )
    
>       return resp.get_resource(resource.id).is_allowed(action)
E       AttributeError: 'NoneType' object has no attribute 'is_allowed'

I've been looking at the client code and I found that

get_resource

returns

None

when the request fails, but I don't know what is failing.

Hi, me again. Is it possible to have Cerbos running on a CircleCI Job and load the policies?

I haven't specifically tried it on CircleCI. But I imagine they support running containers or binaries as services. You can either use the Test containers integration in the SDK (take a look at the SDK tests) or use

cerbos run

command to launch Cerbos, execute your tests and then shutdown Cerbos. There's an example with test containers here: https://github.com/cerbos/cerbos-sdk-python Here's the documentation for `cerbos run`: https://docs.cerbos.dev/cerbos/latest/cli/cerbos.html#run

Hi, I'm trying to deploy cerbos server to a cluster following your example but I'm getting this error. I just changed the repo URL, branch (it exists in remote), and subDir. I created a personal access token with repo scope

Hello again! I'm having a weird behavior with the Python SDK, let me try to explain it here. I'm getting the following error, but only in a specific scenario:

RuntimeError("Cannot send a request, as the client has been closed.")

This only happens when I make two or more requests to Cerbos with the SDK

Hi, me again! I'm getting a strange behavior with Cerbos. Every now and then, a request to Cerbos get's "lost". I make a call to the API with the Python SDK and get the following error:

The read operation timed out

. I thought that increasing the

timeout_secs

param in the client could fix this issue, but id didn't. I enabled audit logs on my Cerbos container to see if there is any error in that side, but I discovered that whenever I get the error

The read operation timed out

, I don't get any logs, not even the one about

Handled Request

Hello 👋 . I am currently evaluating Cerbos against our authz requirements and Im trying to understand how I would write a request/policy to filter a potentially large amount of resources that are hierarchically organized. As an example: a directory structure of fixed depth (2 levels) where each depth of folder can have its own permissions and also the file nodes can have their own permissions. The system would require a way to filter the list of files to just those “viewable” or “editable” by the user. I see some examples in the playground, but they appear to deal with small quantities of resources, and also the documentation indicates that up to 50 (a default) resources can be included in a request. Are there any other examples? Or maybe a policy pattern for handling this scenario? Thanks !

Hello There I'm doing some bare metal dev and am running cerbos as a standalone (installed via homebrew). I was able to work through some of the TLS issues, but now when I make calls, I am getting this:

"request failed: rpc error: code = Unimplemented desc = unknown method CheckResources for service cerbos.svc.v1.CerbosService

I installed the standalone a few days ago, and it looks like it's the latest version. Homebrew thinks I am on

v0.19.0

. WHen I run

cerbos -v

, it returns

0.7.0

. Just wanna make sure this is a goreleaser hiccup, or if i am actually on an old version. I'll try building from source and see if there's a difference

Is there an equivalent to

c, err := client.New(*cerbosAddr, client.WithTLSInsecure())

for the Javascript GRPC client? i.e. use TLS, but allow insecure.

can you please add bash to the docker image? it's virtually important to support it without being able to shell in to debug

Hello there(…) 🙂 We are considering creating an authorization mechanism in our application using Cerbos. part of the policy we characterized defines that a user has a permission for a certain resource (A), if he has said permission to a resource (B) that contains it (A) i.e. its parent, grand-parent and so on. As far as i understood from the documentation, there is a way for defining such hierarchy for principals (derived roles), but the question is if there is a proper way of doing that for resources as well? for example: a user has “write” access to a file if he has “write” access to the folder containing the file? thanks very much in advanced 🙂

The request can contain multiple resources, so the response will contain multiple decisions. The resource ID helps to identify the decision for the given resource.