• Charith (Cerbos)

    1 year ago
    What is your opinion (benefits, drawbacks) about Zanzibar https://research.google/pubs/pub48190/? (Ory Keto/Ory Keto Cloud (https://www.ory.sh/keto/), authzed(http://authzed.com/) (Possible integration plans as policy repository for Cerbos?)
    Zanzibar is a very interesting paper with a lot of great ideas. One thing to keep in mind though is that it was designed for Google-scale workloads. There are lots of moving parts involved and the infrastructure required to make it work well is not trivial. There are very few applications that require that level of sophistication and investment. This is probably why all the current Zanzibar providers are offering it as a SaaS solution. Trying to run all of that by yourself is not practical and you need the economies of scale afforded by a SaaS to make it work. Our approach is different because we want to provide a simpler, self-hostable solution that works well for most applications that serve maybe thousands of users at most and not millions or billions. We also believe that access control is too critical to be handled by a SaaS because access control permeates through the entire application. Every single action a user makes with your application needs to be checked quickly and correctly. If the decision point is down, your application simply can't function at all because there's no fallback. With Cerbos you are in full control of that critical infrastructure. Your downtime is your downtime and not somebody else's.
    Same question about OSO (https://www.osohq.com/) and OPA (https://www.openpolicyagent.org/)? (Possible integrations plans as wrappers between Cerbos and other products?)
    Same question about Casbin (https://casbin.org/) and Keycloak (https://www.keycloak.org/, ex.: https://medium.com/@harsh.manvar111/keycloak-authorization-service-rbac-1c3204a33a50)
    These are all great projects and I am not going to compare all of them one by one and point out perceived flaws. What we think differentiates Cerbos from these offerings are the following:
    - Cerbos doesn't require you to learn a completely new policy programming language.
    - Cerbos is external to your application. You can share policies and effect change across many services at once without having to recompile and redeploy a bunch of applications.
    - Cerbos is simple to deploy. To get it up and running all you need to do is run the container and point it to a Git repository.
    What do you think about role activation feature? Somehow track this activation event and execute AWS Lambda or Google Cloud function or something like that…
    Intriguing idea. We would love to hear more about your use case.
    What do you think about multi-tenants feature? Is it possible to create several organizations using same service? It is useful for B2B SaaS’es (at least with freemium/trial/starter plans)…
    I am not sure I understand your question. Cerbos can support multi-tenant use cases. If there's something specific you have in mind, we can discuss that and see how we can help you there.
    What do you think about “roles/tags for resources” feature for creating groups of objects? What is preferred way to implement it?
    Cerbos does not make a lot of assumptions about the state of your objects. You can pass in whatever useful information you think is pertinent in the `attributes` and write a policy rule that makes use of that information.
    Is it possible to set object-level access? (add user1 with role2 to object3)?
    I think you are talking about ACLs. It is possible but perhaps not as easy as we'd like it to be. We are working on figuring out the best way to express such relationships.
    Is it possible to implement something like Google Cloud IAM (without service accounts) on top of Cerbos (https://cloud.google.com/iam/docs/concepts)?
    Yes. There are lots of overlaps between IAM policies and Cerbos policies. If you have something specific in mind, we'd love to hear it and see how Cerbos can be used to implement that.
    Is Cerbos stable and good choice for beta/MVP production bootstrapped project (as alternative to django-guardian, for example)?
    Yes. Cerbos is quite stable at this point. We don't envision any major breaking changes in the near future.
    Can I somehow deploy it to Google Cloud Run and Google Cloud Storage, or AWS Lambda and S3?
    You can deploy the Cerbos container to Cloud Run or Lambda. We don't have support for loading policies directly from GCS or S3 yet though.
    Do you have plans to create Python SDK (async based, https://www.python-httpx.org/ may be… async is good for I/O bounded tasks)?
    Yes. Python is at the top of our list.
    Charith (Cerbos)
    6 replies
• Ryan Frantz

    1 year ago
    I’ve been reviewing the docs at docs.cerbos.dev and have a question or two. Is this the right channel for that, or another?
    Ryan Frantz
    Serdar
    +1
    50 replies
• Fatih Kaya

    11 months ago
    Hi, is it possible to enable more verbose logging for the `/check` endpoint? I set the log level to `DEBUG` but I want to see which derived roles the user got during the authorization check process.
    Alex Olivier (Cerbos)
    +1
    17 replies
• Jack Archer

    10 months ago
    I'm experimenting with deploying cerbos via minikube using the following configmap:
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: cerbos-config
      labels:
        app: {{ .Values.name }}
    data:
      "config.yaml": |-
        server:
          httpListenAddr: ":{{ .Values.port }}"
          grpcListenAddr: ":{{ .Values.grpcPort }}"
          metricsEnabled: true
          logRequestPayloads: true
          playgroundEnabled: false
          adminAPI:
            enabled: true
            adminCredentials:
              username: {{ .Values.adminCredentials.username }}
              passwordHash: {{ .Values.adminCredentials.passwordHash }}
        storage:
          driver: "disk"
          disk:
            directory: /work
    I'm getting this error:
    {
      "log.level": "error",
      "@timestamp": "2021-10-28T17:26:15.813Z",
      "log.logger": "cerbos.server",
      "message": "Failed to load configuration",
      "error": "failed to create config provider: couldn't expand environment: default is empty for \"RFeXyZ\" (use \"\" for empty string)"
    }
    It seems to be from the uber config tool here:
    https://github.com/uber-go/config/blob/7eebe84240ad56046741394bf03b34129c07be12/expand.go#L75
    Jack Archer
    oguzhan
    +1
    49 replies
• Jesum Yip

    10 months ago
    Hi. Besides GitHub, will Cerbos work with GitLab? I'm referring to this: https://docs.cerbos.dev/cerbos/latest/installation/helm.html
    Jesum Yip
    Dennis (Cerbos)
    32 replies
• Jesum Yip

    10 months ago
    Another question: if I disable JWT verification, all this does is cause Cerbos to not verify the JWT signature using the kid claim, right? I.e. against the well-known JWKS endpoint of the service that mints the JWT.
    Jesum Yip
    Dennis (Cerbos)
    3 replies
• Jesum Yip

    10 months ago
    I'm looking at https://docs.cerbos.dev/cerbos/latest/configuration/storage.html and I notice for the blob driver I don't see any examples where you can specify credentials for connecting to the blob storage service. Is it assumed that the blob storage service provides unrestricted access to cerbos?
    Jesum Yip
    Dennis (Cerbos)
    13 replies
• Jesum Yip

    10 months ago
    Hi. I have some confusion regarding the documentation. At https://docs.cerbos.dev/cerbos/latest/configuration/index.html I see that there are various blocks that define what configuration options I can set for Cerbos, such as "server", "auxdata", "engine" etc. I understand that I can put these config blocks inside a YAML file and apply them using the binary called "cerbos". The question is, when I run "helm show values cerbos/cerbos --version=0.9.1", I see a default YAML that I can use to install Cerbos. I can customize this YAML and then do "helm install cerbos cerbos/cerbos --version=0.9.1 --values=myvalues.yaml", correct? Now when I look at https://docs.cerbos.dev/cerbos/latest/configuration/index.html, I also see some configuration blocks. How do I specify these in "myvalues.yaml"?
    Jesum Yip
    Dennis (Cerbos)
    +1
    49 replies
• Jack Archer

    10 months ago
    @Charith (Cerbos) @Dennis (Cerbos) - random question... why are you not storing the policy definitions as JSON in a DB?
    Jack Archer
    Charith (Cerbos)
    7 replies
• Slackbot

    10 months ago
    This message was deleted.
    Jesum Yip
    +2
    104 replies