Python SDK

So in my test case i am checking for 3 actions in python sdk i have to check it thrice sequentially since action is a string not list. while in POST request i can check at once

Also in the python SDK many requests are failing as well towards the end

What are the best latencies i can achieve and how??

Hmm... these numbers don't look good at all. I think there must be some configuration issue here. We've tested Cerbos internally with much higher loads and the p95 latencies were under 50ms. Granted, it wasn't on Lambda. But, I can't imagine it adds so much overhead. 🧵

Hi! Could someone help me find a correct implementation for the following case? Let’s say we have the following hierarchy: Group A Group B Resource 1 Group C Resource 2 Groups and resources share the same permissions: * A group/resource can have one owner * A group/resource can have one or more editors * A group/resource can have one or more viewers Nesting can possibly be deeper. Users can create groups and resources dynamically. If a principal is an owner of

Group A

, it owns all lower groups/resources. So in the example, it also has an ownership role of

Group B

,

Group C

,

Resource 1

and

Resource 2

We currently use Authzed as a relational permission system. But we are investigating other solutions because we want attribute-based permissions in the near future and came across Cerbos! I’m aware of the hierarchy functions, but we’re struggling with the correct way to represent the above. Could someone point us in the right direction?

Hi all, I am seeking guidance on the optimal approach for my multi-organization service. Each organization needs the ability to assign permissions to resources based on their unique ID. For example, let’s say we have a resource named “Project A” with an ID of 123. When utilizing Cerbos, should I: • Define the permitted IDs in my policies and then include the ID as an attribute of the resource being accessed when checking if access is allowed? So if the user wants to access “Project A” with ID 123, i will send to Cerbos the resource with an an attribute ID = 123 Or • Store in my database the relationships between the resource “Project A” (with ID 123) and the users who are authorized to access it?

Hi all, while using docker image can the server configuration be managed by environment instead of passing configuration file, i am deploying an ecs cluster in which i am passing the image now i can set the environment of the container for server configuration but attaching config file is bit complex and approach feels a bit over engineered

Based on https://github.com/cerbos/cerbos/pull/1439, may I know where I can find documentation on the configuration field to set policy expiration? And what happens when it expires? Will cerbos evict the entry from cache and at the next cycle, sync from the policy repo again?

Hello everyone, Glad to be here. For the people who have been using cerbos in their applications - We know Cerbos requires Principal, Action and Resource to evaluate the policy. How are you fetching Resource info to pass on to Cerbos? Is each of your service making a call to external system to fetch the resource or are you making it as part of the token? In case of token when a user request passes through many services (in microservices world), it will try to access various resources e.g. BFF API POST action to Domain API POST which will be completely different service. In such cases if element of BFF is considered a resource and element of Domain API is considered another resource then there are multiple resources that need to stay in the token and it may cause the token bloat. I was wondering what are you using to handle end to end authorization for a user request without token bloat and additional performance overhead of fetching the resource info from external systems thus slowing the authorization process down?

I'm having issues with the

cerbos-setup

github action. I am defining my step as:

- name: Get Cerbos CLI
        uses: cerbos/cerbos-setup-action@v1
        with:
          version: latest
          github_token: ${{secrets.INTERNAL_TOKEN}}

Where

${{secrets.INTERNAL_TOKEN}}

is a valid github api token (used in other steps without issue). Occasionally with this action, I get the following error:

HttpError: API rate limit exceeded for 52.190.17.193. (But here's the good news: Authenticated requests get a higher rate limit. Check out the documentation for more details.)
    at /home/runner/work/_actions/cerbos/cerbos-setup-action/v1/webpack:/cerbos-setup-action/node_modules/@octokit/request/dist-node/index.js:86:1
    at processTicksAndRejections (node:internal/process/task_queues:96:5)

I went so far as recreated a new token and storing it in github secrets..the issue still happens a few times a day. Is the action using the provided github token?

by the way, is there a URL endpoint I can call in cerbos to see the currently running version?

Hello! We have just started looking into Cerbos for our Authorization needs. I had one initial question how would you enforce Cerbos policies in the FE. Let’s say that you want to hide a certain feature in the FE based on a policy?

Heads up, we were seeing a memory leak issue on v0.20. We’ve upgrade to v.0.25, so hoping something in there might solve the problem. It’s pretty minimal so we figure kicking the box every ~2 weeks is a good solution for now.

Hello All! I am having trouble with Audit logs and would appreciate the support 🙂 : I am Building and Pushing the following Cerbos Docker Image into ECR:

FROM <http://ghcr.io/cerbos/cerbos:0.24.0|ghcr.io/cerbos/cerbos:0.24.0>

#To access the kernel inside the container

COPY --from=public.ecr.aws/docker/library/busybox:uclibc /bin /bin

COPY policies /policies

ENV CERBOS_CONFIG="/config/config.yaml"

EXPOSE 3593 3592

The policies directory is in the same directory as the DockerFile and is mounted onto the container. Then deploying the following Kubernetes manifest Deployment.yaml in my AWS EKS Cluster, Fargate Node: Mounting the /config/config.yaml and audit-logs directory onto the container. And audit logs are enabled and specified a path for the file inside the audit-logs directory

apiVersion: v1

kind: ConfigMap

metadata:

name: cerbos-config

data:

config.yaml: |

server:

httpListenAddr: ":3592"

grpcListenAddr: ":3593"

storage:

driver: "disk"

disk:

directory: /policies

schema:

enforcement: reject

audit:

enabled: true

accessLogsEnabled: true

decisionLogsEnabled: true

backend: file

file:

path: /audit-logs/cerbos.log

---

apiVersion: apps/v1

kind: Deployment

metadata:

annotations:

<http://prometheus.io/path|prometheus.io/path>: /metrics

<http://prometheus.io/port|prometheus.io/port>: "3000"

<http://prometheus.io/scrape|prometheus.io/scrape>: "true"

labels:

app: yl-api-cerbos

namespace: "{{ .Values.ENVIRONMENT }}"

name: yl-api-cerbos-deployment

namespace: "{{ .Values.ENVIRONMENT }}"

spec:

minReadySeconds: 0

progressDeadlineSeconds: 600

replicas: 3

selector:

matchExpressions: []

matchLabels:

cdk8s.deployment: AppChart-yl-api-cerbos-deployment-c8445de9

strategy:

rollingUpdate:

maxSurge: 25%

maxUnavailable: 25%

type: RollingUpdate

template:

metadata:

labels:

app: yl-api-cerbos

cdk8s.deployment: AppChart-yl-api-cerbos-deployment-c8445de9

namespace: "{{ .Values.ENVIRONMENT }}"

spec:

automountServiceAccountToken: true

containers:

image: "{{ .Values.AWS_ACCOUNT }}.dkr.ecr.{{ .Values.AWS_REGION }}.<http://amazonaws.com/{{|amazonaws.com/{{> .Values.SERVICE_NAME }}:{{ .Values.APP_VERSION }}"

imagePullPolicy: Always

livenessProbe:

failureThreshold: 3

httpGet:

path: /

port: 3592

initialDelaySeconds: 30

timeoutSeconds: 10

name: yl-api-cerbos

ports:

- containerPort: 3593

readinessProbe:

failureThreshold: 3

httpGet:

path: /

port: 3592

initialDelaySeconds: 30

timeoutSeconds: 10

resources:

limits:

cpu: 500m

memory: 256Mi

requests:

cpu: 250m

memory: 128Mi

securityContext:

privileged: false

readOnlyRootFilesystem: false

runAsNonRoot: false

volumeMounts:

- name: cerbos-logs

mountPath: /audit-logs/

- name: cerbos-config

mountPath: /config/

volumes:

- name: cerbos-config

configMap:

name: cerbos-config

- name: cerbos-logs

emptyDir: {}

I deploy the deployment and the yl-api-cerbos container is running as expected. However when I exec inside the container and check the cerbos.log file. I see that the file is empty. When I run the command kubectl logs <POD_NAME> -c <CONTAINER_NAME> . i See the following logs:

{"log.level":"info","@timestamp":"2023-02-24T20:27:20.166Z","log.logger":"cerbos.server","message":"maxprocs: Updating GOMAXPROCS=1: using minimum allowed GOMAXPROCS"} {"log.level":"info","@timestamp":"2023-02-24T20:27:20.166Z","log.logger":"cerbos.server","message":"Loading configuration from /config/config.yaml"} {"log.level":"info","@timestamp":"2023-02-24T20:27:20.235Z","log.logger":"cerbos.index","message":"Found 2 executable policies"} {"log.level":"info","@timestamp":"2023-02-24T20:27:20.236Z","log.logger":"cerbos.telemetry","message":"Anonymous telemetry enabled. Disable via the config file or by setting the CERBOS_NO_TELEMETRY=1 environment variable"} {"log.level":"info","@timestamp":"2023-02-24T20:27:20.240Z","log.logger":"cerbos.grpc","message":"Starting gRPC server at :3593"} {"log.level":"info","@timestamp":"2023-02-24T20:27:20.240Z","log.logger":"cerbos.http","message":"Starting HTTP server at :3592"}

Why aren’t these logs captured in the cerbos.log file and How can I log these logs inside the file ? Please advise if there is anything wrong with My Configurations. 😊 Many Thanks

Hello everyone, I am using cerbos in my project and have created policy based on my need. But now I want to enforce a policy for all resources based on my principal attributes. How can I achieve that. For example my principal is:

principal: {
  id: "123",
  roles: ["Editor"],
  policyVersion: "default",
  attributes: {
    is_verified: user.is_verified,
  },
},

Here in my attributes I have

is_verified

flag so I want to check if the user is verified then only check any other policy for the user. Because if my user is not verified then I want to block all his access. It would be really helpful for me if anyone can provide me the solution.

Looking for some guidance around modeling policies for nested resources! There was an excellent answer here some time ago, but it looks like it was swallowed by Slack history. Imagine a resource named

config

. Config is made up of several different properties, with granularly permissions. Imagine someone might have permission to

view

or

edit

all of the config, or may only have the ability to view or edit

config.branding

, or

config.someOtherResource

. Currently our principal permissions are attribute-based, eg

["config:branding:*", "config:view"]

What would be an ideal way to author resource policies without a ton of repetition? Many actions on a single resource

config

? Separate resource policies for nested parts? Using scopes? Any guidance is appreciated, happy to provide more context and examples.

Has anyone been able to get tests integrated with AWS CodeBuild? Codebuild requires that the output format be in Cucumber-json or a few different xml formats. Is this possible to do? To be clear, I can run the tests just fine. It's just that the json output isn't useable by CodeBuild Reports.

So I've use CASL.js before and they have this thing where you can query if X can do Y to any Z. Does Cerbos have such a thing?

Is it possible to compose policies in the same way that I'd be able to compose AWS IAM policies? Let's say that I've got a policy that allows creating invoices and a policy that allows sending a payment request. And I want to create a policy for the financial admin that is simply referring to these 2 policies?

G’day Cerbos team! I have one simple question, we are evaluating using Cerbos for a multi tenant use case where eventually we would allow each tenant to have its own set of policies that build upon our default base policies, this could be upwards of 1000+ tenants at this point in time, and grow from there. My question being:

Has Cerbos been load tested with a great number of Scoped Policies, but only say two levels deep, say

organization.member

?

If not, we’ll try to run load testing, but also it would be good to have your opinion on managing performance, is it running more pods in K8S, adding more shared memory etc. Thank you

Hello! We are experimenting with Cerbos and wondering how one would go about enforcing specific permissions for an instance of a record rather than on the resource level. I.E: User1 has access to Document1 but not Document2

We are struggling a little bit with understanding how roles and permissions works in Cerbos. I come from an Auth0 world where you basically define a set of permissions (usually looking something like this

document:read

) and then bundle these up into dynamic roles. You would then be able to validate the permissions rather than the actual role of a user allowing new roles to be added more easily. Is this something that could be accomplished with Cerbos or is this even something we would want to do with Cerbos?

Probably a simple question, but: Is there any way to use wildcards in a resource policy when specifying the resource? Or does that additional data need to come in as an attribute?

Is there a way for SDK clients to specify which (git)branch of the cerbos policies we want to evaluate? #cicd #dev

Is there a recommended Resource policy condition for determining that a valid JWT was provided? I need to make a policy that doesn't have any Role conditions and only looks at the JWT since the Principals won't have any Roles defined

Hi, am trying to use in clause in condition, as shown below

resource: products
  rules:
  - actions: ["customExperiences"]
    roles:
      -  USER
    condition:
      match:
        all:
          of:
            - expr: "2021_START" in request.principal.attr.package

am getting error saying "Failed to read: failed to convert YAML to JSON: yaml: line 17: did not find expected key" can you help me on this

Hey, is it possible (or idiomatic) to define what a role has access to, using principal policies, as opposed as to specifying this for each resources? Eg instead of creating a

pots.yml, pans.yml, knives.yml

and then define what the roles can do in each of the resource policies. you would create

cook.yml

and define what the role

cook

can do inside that single file for all resources

pots, pans, knives

? I guess you could have resource policies named

cook_pans.yml

,

cook_knives.yml

, but just want to ask if there’s a good pattern. Thanks

I'm having some issues with the Java Client. We have followed the deployment setup outlined here to deploy Cerbos as a k8s sidecar. Instead of the ghostunnel application we have a spring-boot API that is using the Java client. We use the following code to iniatlize the client:

final CerbosBlockingClient cerbosClient = new CerbosClientBuilder("unix:/sock/cerbos.sock").withPlaintext().buildBlockingClient();

The client is created without error, but once we try to issue an API call, we get the following error in our logs:

nested exception is dev.cerbos.sdk.CerbosException: RPC exception [Status{code=UNAVAILABLE, description=io exception, cause=io.grpc.netty.shaded.io.netty.channel.AbstractChannel$AnnotatedConnectException: connect(..) failed: Address family not supported by protocol: /sock/cerbos.soc

Not sure if we are specifying the unix socket correctly in this example and struggling to find examples online that do this.

Is there a way to pass in a resource, action, effect and determine all of the principles or roles that would match?