Is there any documentation describing exactly what JWT verification Cerbos is capable of? Just signature verification? Which algorithms? Or does it do other claim verification like

iat

and

exp

timestamp based checks?

Hey hey, is there any documentation describing how to add policies to a database using an ORM instead of yml files?

Does anyone know best practices to add cerbos to a docker-compose file? I’m having issues getting the config.yml file added in 🙂

services:
  cerbos:
    image: <http://ghcr.io/cerbos/cerbos:0.25.0|ghcr.io/cerbos/cerbos:0.25.0>
    container_name: cerbos
    volumes:
      - ./illiquid_assets_api/api/cerbos/policies:/policies
    ports:
      - "3592:3592"
      - "3593:3593"
    command: server --config=/
    restart: unless-stopped

• illiquid_assets_api / api / cerbos / config.yml • illiquid_assets_api / api / cerbos / policies / policy.yml

consider the following: if i have a user with these attributes: 1. Name = John 2. Age = 35 3. Location = Moon I then model these derived roles: 1. Derived Role = "middle-class-user" if Age = 35 2. Derived Role = "super-user" if Name = John AND Age > 30 In this case, when cerbos evaluates a derived role, it will arbitrarily decide whether the user is "middle-class-user" or "super-user" correct? This is due to the ambiguity of the derived role policy?

Hello everyone, I am trying to create a cerbos docker image and I get the error as

{"log.level":"error","@timestamp":"2023-03-23T07:50:37.865Z","log.logger":"cerbos.index","message":"Index build failed","load_failures":[{"file":"config.yaml","error":"failed to unmarshal JSON: proto: (line 1:2): unknown field \"server\""}]}
cerbos: error: failed to create store: failed to build index: missing imports=0, missing scopes=0, duplicate definitions=0, load failures=1

My docker compose config is as below:

version: "3.8"

services:
  app:
    restart: always
    container_name: dashboard
    image: dashboard
    build:
      context: .
      target: development
    volumes:
      - ./src:/app/src
    ports:
      - 3000:3000
    command: npm run dev

  cerbos:
    image: <http://ghcr.io/cerbos/cerbos:0.25.0|ghcr.io/cerbos/cerbos:0.25.0>
    container_name: cerbos
    volumes:
      - ./cerbos:/config
      - ./cerbos:/policies
    ports:
      - "3592:3592"
      - "3593:3593"
    restart: unless-stopped
    command: server --config /config/config.yaml

And my cerbos config file is as below:

server:
  playgroundEnabled: true
  httpListenAddr: ":3592"
  grpcListenAddr: ":3593"

storage:
  driver: "disk"
  disk:
    directory: /policies
    watchForChanges: true

Hey everyone, I have setup cerbos in my local machine using docker-compose as mentioned in above message and while trying to connect to cerbos using the js sdk I am getting cors error as

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at <http://localhost:3592/api/check/resources>. (Reason: CORS request did not succeed). Status code: (null).

And my updated config file is as below:

---
storage:
  driver: "disk"
  disk:
    directory: /policies
    watchForChanges: true

server:
  playgroundEnabled: true
  httpListenAddr: ":3592"
  grpcListenAddr: ":3593"
  cors:
    allowedHeaders: ['content-type'] 
    allowedOrigins: ['*']
    disabled: false
    maxAge: 10s

set the channel topic: Browse through the whole history of previously asked questions @ https://community.cerbos.dev

How can Cerbos be made aware of it running behind a frontend proxy running tls/https offload? So cerbos is running on http, but the clients use https schema to access the api

Hi. Is there a way to get more detailed error message. I am getting

failed to load test suite: failed to unmarshal JSON: proto: syntax error (line 1:183): unexpected token {

and I am sure I made some mistake in yaml file (I have validated it and it is valid yaml) and I am sure it is not going to be last time, so I am looking for a way to get a sense of what is wrong. I am running

docker run -it -v (pwd)/policies:/policies -v (pwd)/tests:/tests <http://ghcr.io/cerbos/cerbos:latest|ghcr.io/cerbos/cerbos:latest> compile /policies --tests /tests --verbose

. Thanks.

Hi. Is AuxData only related to JWT? I have some additional data that I would like to provide for policy evaluation and AuxData seems like it is the place, but all I can find is JWT related info. Of course, I can add additional info in resource or principal attributes, but it does not logically belong to them, so I am wondering if there is recommended way to do this? Thanks.

Hi, i'm currently working on some permissions on Cerbos Playground but tests results doesn't match with conditions i set for each role in my resource and i dont understand why. Thanks

I enable the admin Api, and I want to test in the browser ui, but it throw authentication error, how to fix it ?

Hey! i have a list as attr for request.ressource. So i tried to check whether all elements in a list match the principal id so i have this condition :

condition:
        match:
          expr: R.attr.all(content, content.author.user.employerId == V.user_employer_id)

# where user_employer_id = P.attr.user.employerId

but i got this error on cerbos console :

{
  "log.level": "error",
  "@timestamp": "2023-04-03T12:00:11.755Z",
  "log.logger": "cerbos.grpc",
  "message": "Policy check failed",
  "grpc.start_time": "2023-04-03T12:00:11Z",
  "system": "grpc",
  "span.kind": "server",
  "grpc.service": "cerbos.svc.v1.CerbosService",
  "grpc.method": "CheckResources",
  "peer.address": "172.17.0.1:36048",
  "cerbos": {
    "call_id": "01GX3FTCXCDAS2SXWCKCQX1P8V"
  },
  "error": "failed to get check for [article.default]: policy compilation error: 1 compilation errors:\npolicies/articles.yaml: Invalid expression in resource rule 'rule-005' (failed to compile `R.attr.all(article, article.author.user.employerId == V.user_employer_id)` [type 'primitive:STRING' does not support field selection])"
}

how can i check if user and author id are the same for every items of the list ?

Does the cerbos ruby SDK support HTTP requests (or grpc only)?

i'm looking for implementing Traffic light protocol for content visibility with Cerbos . what could be the best way to implement it? (TLP Visibility & Usage)

is it possible to call cerbos with a list of actions and get back all resources with corresponding EFFECT_ALLOW for each action in the list?

is it possible to integrate cerbos with asp.net

This message was deleted.

Hey, sometimes I have a problem with the response time of cerbos requests. IDK why sometimes it can even take 20-25 seconds, but usually it's only 0.005 seconds. No errors in the logs of cerbos container. What can be the cause? This is the request that I am trying:

CERBOS_CLIENT = CerbosClient(host="<http://192.168.1.192:3593>", request_retries=10)    
sessionList=crud.session.get_active_by_owner_sub(db=db, owner_id=user_id)
    if sessionList:
        principal = Principal(
            user_id,
            roles=roles,  # type: ignore
            policy_version="20210210",
        )  
        
        resource = Resource(
            sessionList[0].id.__str__(),  # type: ignore
            sessionList[0].__tablename__,
            attr=jsonable_encoder(sessionList[0]),
            )

        action = "read"
        allowed = CERBOS_CLIENT.is_allowed(action, principal, resource)
        if not allowed:
            raise HTTPException(
            status_code=403, detail="Unauthorized"
        )

And these are the logs of last two requests, last one took around 16 seconds:

{"log.level":"info","@timestamp":"2023-04-19T14:08:32.043Z","log.logger":"cerbos.grpc","message":"Handled request","grpc.start_time":"2023-04-19T14:08:32Z","system":"grpc","span.kind":"server","grpc.service":"cerbos.svc.v1.CerbosService","grpc.method":"CheckResources","peer.address":"127.0.0.1:44744","http":{"x_forwarded_for":["172.23.0.1"],"x_forwarded_host":["192.168.1.192:3593"]},"cerbos":{"call_id":"01GYCXGWSBJR2P1WZ4HMZTG58W"},"grpc.code":"OK","grpc.time_ms":0.182}

{"log.level":"info","@timestamp":"2023-04-19T14:08:48.494Z","log.logger":"cerbos.grpc","message":"Handled request","grpc.start_time":"2023-04-19T14:08:48Z","system":"grpc","span.kind":"server","grpc.service":"cerbos.svc.v1.CerbosService","grpc.method":"CheckResources","http":{"x_forwarded_for":["172.23.0.1"],"x_forwarded_host":["192.168.1.192:3593"]},"cerbos":{"call_id":"01GYCXHCVEJM0PE5Z3SB002T7B"},"peer.address":"127.0.0.1:44744","grpc.code":"OK","grpc.time_ms":0.291}

Is it possible to load policies from a Git repo into the playground?

I have a Kubernetes cluster running on AWS, and I exposes it using an ingress. If I run

helm install cerbos cerbos/cerbos --version=0.26.0

, the installation goes through and I'm able to access the API documentation on the endpoint in the browser. To be able to test policy requests, I want to serve policies from a public S3 bucket, and added a config file as described here https://docs.cerbos.dev/cerbos/latest/installation/helm.html, but with the following configuration:

cerbos:
  config:
    server:
      httpListenAddr: :3592
      grpcListenAddr: :3593
      adminAPI: 
        adminCredentials: 
          passwordHash: <password-hash>
          username: cerbos
        enabled: true
      log:
        level: info

    storage:
      driver: s3
      blob:
        bucket: s3://<bucket-name>?region=eu-west-1
        updatePollInterval: 10s
        downloadTimeout: 30s

I tried the following: •

helm upgrade cerbos cerbos/cerbos --version=0.26.0 --values=config.yaml

-> This does nothing. It states the upgrade is successful, but nothing changes and Cerbos does not seem to read the policy. The API documentation is still available. •

helm uninstall cerbos

helm install cerbos cerbos/cerbos --version=0.26.0 --values=config.yaml

-> This breaks the system, and the ingress returns 503 when trying to access the API documentation. • Rerunning

helm uninstall cerbos

helm install cerbos cerbos/cerbos --version=0.26.0

restores the API access. A couple of things: • How / can I upgrade an existing cerbos service using helm in the cluster, and if so, what is the process for this? • How can I read / access the deployment logs, if something does not goes well? • What could be the issue here? Am I missing some required configurations?

Hi! Is there any way I can check for both a derived role and an expression in a policy (or if not, at least to check that two derived roles are met simultaneously)? Thanks!

Are there any examples of deploying Cerbos in a Kubernetes cluster with a configured LoadBalancer? I have an ingress setup, and it allows for http-access. But to get grpc working, I need to proxy the port 3593. Using AWS EKS, I have setup a very basic LoadBalancer that should proxy this. But it never reaches the Cerbos deployment, and in the AWS, it states that the LoadBalancer is out of service because of failing health checks. Do I need to setup and handle the health checks myself, or does Cerbos come with this support? And if so, how do I configure this?

Hi, I am going through our software approval process at our company to do a PoC with cerbos, I am being asked from my legal team for the Legal Agreement (MSA or Terms or Subscription Agreement) that would apply to the POC

Hi! Is there any way I can debug a policy while running? The tests that I wrote for it pass but it does not while running live and I can't quite figure out what the difference is between the requests. (moved from community, posted there by mistake)

Is there any way of setting a principal policy to everybody with a role (eg: deny any request if a JWT property is false)?

Is it possible to define config as environment variables (f.ex. for google cloud run)? How to format them? like this server.httpListenAddr or server_httpListenAddr?

Google Cloud Run also requires a private image in gcr or an image within dockerhub. Is there a possibility to publish images in one of these platform after each release automatic? At dockerhub the current cerbos/cerbos image is 2 years old

How can I check if an array is empty using cerbos conditions

I am also wondering where the source to

@cerbos/orm-prisma

can be found?