• Rasmus Dencker

    4 months ago
    Should I just pop all the 'scopes' into attr and do configure with expr instead?
    Rasmus Dencker
    Alex Olivier (Cerbos)
    +1
    31 replies
  • Rasmus Dencker

    3 months ago
    Does anyone have experience with Cerbos x Bazel?
    Rasmus Dencker
    Charith (Cerbos)
    12 replies
  • Rasmus Dencker

    3 months ago
    I'm writing a Go script which generates Cerbos yaml manifests. Instead of having to rewrite ResourcePolicy etc structs, can I hook in and use some struct from the Cerbos repo? I tried using github.com/cerbos/cerbos/api/genpb/cerbos/policy/v1 which aaaalmost works; it just yields a bunch of extra op nodes in the yaml:
  • Rasmus Dencker

    3 months ago
    Rasmus Dencker
    Dennis (Cerbos)
    3 replies
  • Harry Zinoviou

    3 months ago
    hi, I'm new to Cerbos, looking into using it as a sidecar container. I'm trying to understand what this log output means:
    {"log.level":"info","@timestamp":"2022-05-30T17:47:05.452Z","log.logger":"cerbos.server","message":"maxprocs: Leaving GOMAXPROCS=8: CPU quota undefined"}
    {"log.level":"info","@timestamp":"2022-05-30T17:47:05.452Z","log.logger":"cerbos.server","message":"Loading configuration from /config/config.yaml"}
    {"log.level":"debug","@timestamp":"2022-05-30T17:47:05.454Z","log.logger":"cerbos.index","message":"Index build failed","missing":null,"missing_scopes":null,"load_failures":null,"duplicates":[{"file":"account_resource.yaml","otherFile":"..2022_05_30_17_45_35.387152270/account_resource.yaml"},{"file":"quant_roles.yaml","otherFile":"..2022_05_30_17_45_35.387152270/quant_roles.yaml"},{"file":"team_resource.yaml","otherFile":"..2022_05_30_17_45_35.387152270/team_resource.yaml"},{"file":"user_resource.yaml","otherFile":"..2022_05_30_17_45_35.387152270/user_resource.yaml"}],"disabled":[]}
    {"log.level":"info","@timestamp":"2022-05-30T17:47:05.454Z","log.logger":"cerbos.server","message":"maxprocs: No GOMAXPROCS change to reset"}
    cerbos: error: failed to create store: failed to build index: missing imports=0, missing scopes=0, duplicate definitions=4, load failures=0
    Does that mean there is an issue with the content in the policy files? The files are defined in a configmap and then mounted to the container. I've also run a local compile with no errors.
    Harry Zinoviou
    oguzhan
    +1
    6 replies
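
Added example, not part of the thread and not Cerbos code: every otherFile in the log above sits under a ..<timestamp> directory, which is the naming Kubernetes uses for the hidden directories behind a ConfigMap volume. The Python below parses such log lines and separates pairs that are one file seen twice through a hidden directory from pairs of distinct files; the sample log and the helper names are constructed for illustration.

```python
import json
import re

# Kubernetes projects a ConfigMap volume through a hidden "..<timestamp>" directory
# and a "..data" symlink; the visible files are symlinks into that directory.
K8S_HIDDEN_DIR = re.compile(r"^\.\.(data|\d{4}_\d{2}_\d{2}_\d{2}_\d{2}_\d{2}\.\d+)$")


def is_projection_copy(file_a: str, file_b: str) -> bool:
    """True when both paths name the same file and one goes through a hidden volume directory."""
    parts_a, parts_b = file_a.split("/"), file_b.split("/")
    visible_a = [p for p in parts_a if not K8S_HIDDEN_DIR.match(p)]
    visible_b = [p for p in parts_b if not K8S_HIDDEN_DIR.match(p)]
    via_hidden = len(visible_a) != len(parts_a) or len(visible_b) != len(parts_b)
    return via_hidden and visible_a == visible_b


def classify_duplicates(log_lines):
    """Split duplicates from 'Index build failed' entries into mount artifacts and genuine clashes."""
    artifacts, genuine = [], []
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # the closing "cerbos: error: ..." line is plain text, not JSON
        if not isinstance(entry, dict) or entry.get("message") != "Index build failed":
            continue
        for dup in entry.get("duplicates") or []:
            pair = (dup["file"], dup["otherFile"])
            (artifacts if is_projection_copy(*pair) else genuine).append(pair)
    return artifacts, genuine


# Constructed sample shaped like the log in the post, with one genuine clash added.
SAMPLE_LOG = [
    '{"log.level":"info","log.logger":"cerbos.server","message":"Loading configuration from /config/config.yaml"}',
    '{"log.level":"debug","log.logger":"cerbos.index","message":"Index build failed","missing":null,'
    '"duplicates":[{"file":"account_resource.yaml",'
    '"otherFile":"..2022_05_30_17_45_35.387152270/account_resource.yaml"},'
    '{"file":"team_resource.yaml","otherFile":"copies/team_resource_old.yaml"}],"disabled":[]}',
    "cerbos: error: failed to create store: failed to build index: duplicate definitions=2",
]

if __name__ == "__main__":
    mount_artifacts, real_clashes = classify_duplicates(SAMPLE_LOG)
    print("same file seen through a hidden volume directory:", mount_artifacts)
    print("distinct files defining the same policy:", real_clashes)
```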
  • Rasmus Dencker

    3 months ago
    After enabling tracing I'm getting this error:
    {"log.level":"warn","@timestamp":"2022-06-02T16:23:26.596Z","log.logger":"cerbos.otel","message":"OpenTelemetry error","error":"starting span \"ExportMetrics\": unsupported sampler: 0x7df690"}
    - any clue?
    Rasmus Dencker
    Emre (Cerbos)
    +1
    10 replies
  • Rasmus Dencker

    3 months ago
    The OpenTelemetry spec accepts a list of propagators (OTEL_PROPAGATORS). AFAIK, it chooses the first valid propagator for incoming requests. Would that be feasible to implement in Cerbos? Right now I have to choose between tracecontext and b3. I prefer tracecontext, but some of the 3rd party services we use only support b3, so it'd be super cool if Cerbos had an auto option to detect the propagation headers from an incoming request
    Rasmus Dencker
    Charith (Cerbos)
    9 replies
  • Topi Hernández Mares

    3 months ago
    Hi! I'm trying to add tests to my python backend using the python sdk, but I'm getting the following error:
    def is_allowed(
            self,
            action: str,
            principal: Principal,
            resource: Resource,
            request_id: Optional[str] = None,
            aux_data: Optional[AuxData] = None,
        ) -> bool:
            """Check permission for a single action
        
            Args:
                action (str): action being performed
                principal (Principal): principal who is performing the action
                resource (Resource): resource on which the action is being performed
                request_id (None|str): request ID for the request (default None)
                aux_data (None|AuxData): auxiliary data for the request
            """
            resp = self.check_resources(
                principal=principal,
                resources=ResourceList().add(resource, {action}),
                request_id=request_id,
                aux_data=aux_data,
            )
        
    >       return resp.get_resource(resource.id).is_allowed(action)
    E       AttributeError: 'NoneType' object has no attribute 'is_allowed'
    I've been looking at the client code and I found that get_resource returns None when the request fails, but I don't know what is failing.
    Topi Hernández Mares
    Charith (Cerbos)
    12 replies
  • Topi Hernández Mares

    3 months ago
    Hi, me again. Is it possible to have Cerbos running on a CircleCI Job and load the policies?
    Topi Hernández Mares
    Charith (Cerbos)
    2 replies
  • Charith (Cerbos)

    3 months ago
    I haven't specifically tried it on CircleCI. But I imagine they support running containers or binaries as services. You can either use the Test containers integration in the SDK (take a look at the SDK tests) or use the cerbos run command to launch Cerbos, execute your tests and then shut down Cerbos. There's an example with test containers here: https://github.com/cerbos/cerbos-sdk-python Here's the documentation for cerbos run: https://docs.cerbos.dev/cerbos/latest/cli/cerbos.html#run