[question] Are Cerbos better than OPA ? anyone ca...
# help
[question] Are Cerbos better than OPA ? anyone can give insight the pros/cons of cerbos over the OPA ? thanks
We'd like to think so 😉 Both OPA and Cerbos are typically deployed in a similar way - a policy decision point server that runs on your own infrastructure and can be deployed as a sidecar or centralised service. Cerbos can additionally be deployed as a serverless function (e.g. on AWS Lambda). Cerbos's policies are YAML with conditions written in CEL (Common Expression Language, a simple open-source language from Google, which is used in other projects including Kubernetes). OPA uses their own full-blown programming language, Rego. Our intent with the YAML format is that it is easier to learn and more opinionated, making it simpler to author policies. Rego is complex and allows you to return pretty much any value from a policy evaluation, whereas Cerbos explicitly requires the result to be either allow or deny (although you can add outputs if you need extra flexibility). Cerbos is stateless - you pass in all the data that is needed to evaluate the policy decision in the check request. OPA has multiple ways to load data and even allows you to fetch external data during policy evaluation (e.g. using their
built-in function). The stateless approach means that policy decision performance is much more predictable and means you retain control of important things like freshness of data. Both OPA and Cerbos allow you to write tests for your policies. Last time I used OPA, though, it was extremely difficult to debug failing tests - you could see what had failed, but not why (disclaimer: this was about a year ago so might have improved since then 🤷🏼‍♂️). Cerbos's
test output prints a full execution trace so that you can see which policies and rules were used to make the decision, which can help a lot when you're trying to understand an unexpected test failure. Cerbos has a couple of unique features that are really helpful for certain use cases: scoped policies (which are perfect for multi-tenant systems where different tenants have different authorization rules) and the query planner (which helps you to answer the question "which resources can this principal perform this action on?", as opposed to the usual check request "can this principal perform this action on this resource?"). Hope that helps 🙂
Sir, Thank you very much for your very clear answer. Now i have a reason to convince my dept team and select cerbos in our POC.
Super insightful 🙏 thanks