jimmy mc
07/13/2023, 4:55 AM
Andrew Haines (Cerbos)
http.send built-in function). The stateless approach means that policy decision performance is much more predictable and means you retain control of important things like freshness of data.
Both OPA and Cerbos allow you to write tests for your policies. Last time I used OPA, though, it was extremely difficult to debug failing tests - you could see what had failed, but not why (disclaimer: this was about a year ago so might have improved since then 🤷🏼‍♂️). Cerbos's --verbose test output prints a full execution trace so that you can see which policies and rules were used to make the decision, which can help a lot when you're trying to understand an unexpected test failure.
Cerbos has a couple of unique features that are really helpful for certain use cases: scoped policies (which are perfect for multi-tenant systems where different tenants have different authorization rules) and the query planner (which helps you to answer the question "which resources can this principal perform this action on?", as opposed to the usual check request "can this principal perform this action on this resource?").
Hope that helps 🙂
jimmy mc
07/14/2023, 1:53 AM
Francois Le Pape
08/03/2023, 1:10 PM