cerboscommunity #help

Channels

announcements

help

community

Jesum Yip

01/16/2023, 5:11 AM

i have the following in my cerbos config map. this means JWT verification is disabled.

Jesum Yip

01/16/2023, 5:46 AM

why is it not allowed to have multiple policies (i tested with resource policies) inside a single yaml file, separated by

---

like a standard yaml?

Jesum Yip

01/17/2023, 8:12 AM

In the page for best practices (https://docs.cerbos.dev/cerbos/latest/policies/best_practices.html) I don't see a recommendation to design Resource-led policies. May I know why? I use JWT tokens extensively in the company, and we are a data-driven company. I find the resource-led approach works better. Are there some pitfalls I am not seeing?

ANILA SOMAN

01/19/2023, 9:31 AM

Hi I have done a small POC in Cerebos using Rest Api and I used MySQL database. Now I changed all my rest API calls (addPolicy and checkPolicy) to grpc call after that I tried to run the docker compose but I got the below error.Do we need to do any changes in Dockerfile/Dockercomposefile/config.yaml file while changing from Rest API to grpc?

ANILA SOMAN

01/19/2023, 9:33 AM

Screenshot_2023-01-19_15-02-11.png

Maggie Walker

01/19/2023, 9:58 PM

Is there a concept of shared variables among policy files?

Hari Krishna Sunkari

01/24/2023, 3:58 AM

Im new to Cerbos and trying to solve the below use-case • User has an attribute

locations

• User has Roles like admin, viewer, etc.. • Resource Project has attribute

location

• both users and resources are dynamic, even the value of locations is bound to change. How to create Policies in Cerbos in such a way that • User can only access the resource if User

locations

has the resource location • User's level of access is controlled by the role of the User Can Cerbos also help Hierarchical access , like a manager/parent of a User can access all the data that a User can manage Thanks 🙏

Vignesh Sankaran

01/24/2023, 8:28 AM

We are trying to setup cerbos in Lambda. We were able to set that up but unable to find documentation on how to invoke the APIs. If we try the normal way, <API-gateway-IP-endpoint>:3592/ it is failing to start Cerbos as per the cloudwatch logs. Any assistance or support on this would be really helpful.

Vignesh Sankaran

01/24/2023, 1:15 PM

I am struggling to get cerbos to work on AWS Lambda as a serverless service. Any help is appreciated.

Vijey Deepan

01/26/2023, 6:19 AM

Hi all, I have added resource policy using go sdk. As well as for checking also am using go sdk. While audit I want to know who made the check request. For that I want to send some attribute along with check call to cerbos. Is that possible . TIA

Vijey Deepan

01/27/2023, 8:24 AM

cerbos: error: failed to create audit log: failed to create backend: failed to create logger: open sink "/auditlogs/audit.log": open /auditlogs/audit.log: no such file or directory

Mohan Prasath

01/28/2023, 6:07 AM

Hello all, Getting an incorrect response from

/api/check/resources

API. In the policy, we defined the

role CDO

can access resource

dealership_referral_api

with the action

read and edit

. But when we validate the request using

/api/check/resources

API, sometimes we get "EFFECT_ALLOW" and sometimes we get "EFFECT_DENY". I've given the setup, configuration, and screenshot below. Kindly help me to resolve this issue. Deployed cerbos on lambda - API Gateway URL cerbos-config:

Copy code

auxData:
  jwt:
    disableVerification: true
server:
  adminAPI:
    enabled: true
    adminCredentials:
      username: <USER_NAME>
      passwordHash: <PASSWORD>
  playgroundEnabled: true
storage:
  driver: "mysql"
  mysql:
    dsn: "user:password@tcp(host:3306)/db_name"

Jesum Yip

01/30/2023, 2:20 AM

cerbos' CEL runtime doesn't support macros? i'm trying to search for a value in this array. i'm looking for a condition where "org_id" = "abc123" in that array.

Copy code

"orgs": [	
		{
			"org_id" : "xxxxxxxxxxxxxxxxxx",
			"org_name" : "xxxxxxxxxxxxxxxxx"
		},
		{
			"org_id" : "xxxxxxxxxxxxxxxxxx",
			"org_name" : "xxxxxxxxxxxxxxxxx"
		}
	]

Slackbot

01/30/2023, 4:42 AM

This message was deleted.

Jesum Yip

01/30/2023, 8:15 AM

test suites don't support

version

for resource policies?

Jesum Yip

01/31/2023, 1:37 AM

how does everyone handle promoting cerbos policies to production? let's say we are using gitlab (or github / doesn't really matter) 1. have a set of test suites and policies checked into your git repo together 2. triggers a cd/ci pipeline job to run in git which basically runs

cerbos compile

with the

--tests

parameter. 3. #2 completes with exit code 0 - great, everything checks out. 4. then what do you do next? in your git actions / ci, do you

git clone

git add

git commit

git push

to another repo / folder that the production version of cerbos is watching so that it will get the set of policies from #1?

ANILA SOMAN

01/31/2023, 4:46 AM

Hi, What are the ways of creating policies?

Jan Kühnlein

01/31/2023, 9:08 AM

Hi, is it currently possible to pass a (parent) span id for jaeger to get complete traces?

Vijey Deepan

02/01/2023, 5:32 AM

hello guys, is it possible to send the audit logs to a timeseries database from cerbos. and which one will be recommended to use

Kushagra Indurkhya

02/01/2023, 5:44 AM

As mentioned in the documentation , git is the recommended policy store to store yml policies , what are the views around using s3 bucket , also how to add credentials for accessing s3 bucket in my config

Maggie Walker

02/02/2023, 7:14 PM

Just want to confirm that Resources need to be uniquely named, yes? And if there is a case where, let's say two different business realms have a concept of a

contract

, would the best thing be to just specify

accounting_contract

as one resource and

label_contract

as another?

Steve High (NTWRK)

02/03/2023, 6:33 PM

Hey there. I have a service that normally runs cerbos as a sidecar (socket) in k8s. When I'm developing locally I just run cerbos on my machine and connect via the gRPC port. I need to do this in CI (github actions), but not sure how to do it. I see there is a

Setup Cerbos

github action. Should I be using that? If so, how do I connect my service to it? This is probably more of a GHA question than a cerbos one 🙏

Jesum Yip

02/06/2023, 1:30 AM

FYI https://github.com/cerbos/cerbos-sdk-python/issues/20 @Charith (Cerbos) there's a small oversight in the Python SDK, which causes it to crash when an invalid request is submitted to Cerbos.

Slackbot

02/06/2023, 7:34 AM

This message was deleted.

Jesum Yip

02/06/2023, 7:50 AM

similar to how resource policies have versions, can i do the same with derived roles?

Jesum Yip

02/06/2023, 9:02 AM

is there some kind of caching in cerbos? i changed my resource policy versions from "abc" to "def" and i find that when i call Cerbos check_resources, i can still get EFFECT.ALLOW for policy version "abc"

Horia Constantin

02/06/2023, 7:09 PM

I've got a question regarding using complex ABAC policies (for example resource ownership, but it can be even more complex than that). The architecture problem that I'm struggling with is: how to properly populate the request context with the needed attributes. As I understand it, resource ownership does not belong to the identity service, so it can't be populated there. Instead, it would be populated in the service that owns the resource, before making the call to cerbos. The problem that I'm having is that I need to get a bunch of attributes in the request context (that are owned by 2-3 services). The solution that we're having in mind is to have some sort of attribute cache system that stores all the attributes needed in policy evaluation. The doubt that I'm having is that this isn't really scalable and it will introduce a weird dependency in the AuthZ system. Does anyone have any thoughts on this?

Jesum Yip

02/07/2023, 2:02 AM

btw is it intentional that derived roles cannot have a

version

tag attached to it?

Sitruk

02/07/2023, 11:56 AM

Hello, I try to use Cerbos, my playground work but I got this error on development

{"log.level":"info","@timestamp":"2023-02-07T11:48:27.978Z","log.logger":"cerbos.grpc","message":"Handled request","grpc.start_time":"2023-02-07T11:48:27Z","system":"grpc","span.kind":"server","grpc.service":"cerbos.svc.v1.CerbosService","grpc.method":"CheckResources","cerbos":{"call_id":"01GRNV9CPA3NP1GW..."},"peer.address":"172.25...","grpc.code":"OK","grpc.time_ms":0.125}

How can I display more explicits logs

Kushagra Indurkhya

02/08/2023, 6:38 AM

Hi, I have deployed cerbos on aws lambda , i have added policies in s3 bucket, but the latencies i am getting are a bit high as its a authorization layer the latency will be added to my every endpoint , I did a basic loadtest while checking for results via POST request and python sdk, Here are the results Simple API POST Request