• Jesum Yip
    10 months ago
    so i have istio installed on my kubernetes cluster. cerbos is up and running. i have also tested from an ubuntu pod in the same cluster that i can telnet to cerbos.cerbos.svc.local.cluster on tcp 3592. however, when i visit the site from the internet, it's not connecting. i'm getting an ERR_CONNECTION_RESET in chrome. what's the best way to troubleshoot this?
    Jesum Yip
    Charith (Cerbos)
    33 replies
  • Jesum Yip
    9 months ago
    What approach should I use to implement a policy that checks if a JWT has a specific claim with a specific value and then allows full access to all data and services? Assuming I have a claim in an OIDC ID token called is_internal_user set to TRUE (it could also be blank for non-employees), and assuming further that I don't need to verify the JWT against the well-known JWKS endpoint of the token issuer (because this is already done by my API gateway for every REST API call that requests data), should I write a derived role policy?
    Jesum Yip
    Dennis (Cerbos)
    +1
    28 replies
  • Jesum Yip
    9 months ago
    Where can I find documentation on the cerbos python package?
    Jesum Yip
    Charith (Cerbos)
    4 replies
  • Jesum Yip
    9 months ago
    Assuming I have the following resource policy and derived role defined:
    ---
    apiVersion: "api.cerbos.dev/v1"
    description: "Dynamic role to determine if this is a HM employee."
    derivedRoles:
      name: hm_employee
      definitions:
        - name: internal_user
          parentRoles: ["valid_user"]
          condition:
            match:
              expr: request.aux_data.jwt.is_hm_employee == "TRUE"
    ---
    apiVersion: api.cerbos.dev/v1
    resourcePolicy:
      version: "1"
      importDerivedRoles:
        - hm_employee
      resource: "businessassets"
      rules:
        - actions: ['read']
          effect: EFFECT_ALLOW
          derivedRoles:
            - internal_user
    Jesum Yip
    Dennis (Cerbos)
    94 replies
  • Jesum Yip
    9 months ago
    in the expression that is used to match JWT claims, such as
    expr: request.aux_data.jwt.myclaim == "5"
    how do i reference claims in the JWT that are arrays? for example, the "scope" claim is a list of comma-separated values
    Jesum Yip
    Dennis (Cerbos)
    13 replies
  • Jesum Yip
    9 months ago
    in the example above, it would start with actions: ['*'], then actions: ['view'], etc. and cerbos stops evaluating the moment a rule match is encountered.
    Jesum Yip
    Dennis (Cerbos)
    +2
    186 replies
  • Jesum Yip
    9 months ago
    Is there a URL I can query to find out what version of cerbos is running?
    Jesum Yip
    1 reply
  • Jesum Yip
    9 months ago
    if i have a derived role policy that looks like this. ....will the user end up getting an array of roles with 2 entries in it for "explore"?
    Jesum Yip
    Dennis (Cerbos)
    62 replies
  • Jesum Yip
    9 months ago
    Question: If I have 10 users and 15 databases, and I want to control in a very granular way which database each user can view, what's the best way to set this up as policies? Do I define 15 resource policies? And does each of the 10 users have their own role?
    Jesum Yip
    Dennis (Cerbos)
    6 replies
  • Chandu P
    9 months ago
    Hi, I am new to Cerbos, and also to Ory.sh. I am evaluating both platforms to use with an ML-based open-source tool we are developing. I have a few questions, please help. Which product among Ory's open-source tools can I compare with Cerbos? https://www.ory.sh/open-source/ Ory Kratos is a fully customizable, API-only platform for login, two-factor authentication, social sign in, passwordless flows, registration, account recovery, email / phone verification, identity and user management. Ory Hydra is an API-only OAuth 2.0 and OpenID Connect provider that can interface with any identity and user management system (e.g. Ory Kratos, Firebase, your PHP app, LDAP, SAML ...). Ory Oathkeeper is a zero trust networking proxy and sidecar for popular ingress services and API gateways. It checks if incoming network requests are authenticated and allowed to perform the requested action. Ory Keto is the world's first implementation of Google's Zanzibar research paper, an infinitely scalable and blazing fast authorization and permission service. Think RBAC on globally distributed steroids. Among Ory's tools, which one can I use along with Cerbos? Or does Cerbos have a full set of tools for all the access control purposes that Ory has?
    Chandu P
    Charith (Cerbos)
    2 replies