# help
m
Hi, I'm trying to configure Cerbos and I'm getting the following error when trying to add a policy: "Configured store is not mutable". This is my configuration file:
```yaml
server:
  grpcListenAddr: "unix:/opt/cerbos.grpc"
  httpListenAddr: "unix:/opt/cerbos.http"
  udsFileMode: 0o766
  adminAPI:
    enabled: true
    adminCredentials:
      username: cerbos
      passwordHash: {password}

engine:
  defaultPolicyVersion: "default"

auxData:
  jwt:
    keySets:
      - id: cognito_IDP
        remote:
          # Cognito publishes its JWKS at /<user-pool-id>/.well-known/jwks.json
          # (no "#" in the path; a fragment is never sent to the server)
          url: https://cognito-idp.${AWS_DEFAULT_REGION}.amazonaws.com/${COGNITO_USER_POOL_ID}/.well-known/jwks.json

storage:
  driver: "blob"
  blob:
    bucket: s3://${BUCKET_S3}?region=${AWS_DEFAULT_REGION}
    prefix: policies
    workDir: ${HOME}/tmp/cerbos/work
    updatePollInterval: 15s
    downloadTimeout: 30s
    requestTimeout: 10s
```
Does anyone have any idea what the problem could be? The user used in the test is an administrator on AWS.
o
Hi @Matheus Cabral, Only mutable stores (such as database stores) support adding policies by Admin API or cerbosctl. If you’d like to add new policies to your immutable store, you need to do it manually.
m
Are all blobs considered immutable storage?
o
Yes
m
Is it possible for this to be developed in Cerbos PDP? It doesn't seem like a very complicated feature and I could try to collaborate on it. After all, it seems that Cerbos would only need to write/overwrite to S3, or would it be more complicated?
I wouldn't like to have to deal with the logic of folder paths (scope) and have to construct all the files; this would be a responsibility of Cerbos PDP in the structure I thought of.
o
There are a couple of basic rules but other than that you can put the policies and schemas as you like. Directory structure doesn’t affect the policy `scope`s, or anything really. See policy repository layout section in the best practises for more details.
m
Thank you very much. I'll make the change to use the database while I look into a change to be able to save to S3 directly.
c
Hey. All stores that have a file system structure are immutable in Cerbos and we expect the users to manage those themselves (ideally using a CI pipeline). There are a bunch of implementation details that make it quite complicated to support writable disk stores, hence why we don't do it. As Oguzhan mentioned above, we recommend using a database store if you want to be able to use the Admin API to add policies. Cerbos supports SQLite if you prefer something lightweight and you can use tools like Litestream to keep the database backed up to S3 as well.
m
Hmm, I see. I hadn't thought about using this solution with backup, and I understood what you said about CI. My challenge is that I need to make this run in any environment in the simplest way possible to be instantiated. I have already configured all the main policy logic (derived roles, resource policies, etc.) using a middleware in front of Cerbos, and I still need to configure this storage part; I think I will go with SQLite.