Hi, I would highly appreciate any assistance with ...
# help
t
Hi, I would highly appreciate any assistance with the Cerbos integration. I’m not receiving a success response even when the user is authorized. I’ve encountered issues with this sample repository, which resulted in failed E2E tests, and attempts to test with Postman also didn't work. It’s possible I’ve overlooked something, and I’ve spent considerable time debugging without resolution. Your help would be greatly appreciated.
a
Hey - when you run the tests how are you running Cerbos?
In one terminal I'm running
npm run cerbos:start
then in another
npm run test:e2e
And getting
  ~/projects/cerbos/repos/nestjs-cerbos   main ❯ npm run test:e2e

> project@0.0.1 test:e2e
> jest --config ./test/jest-e2e.json

 PASS  test/app.e2e-spec.ts
  AppController (e2e)
    / (GET)
      ✓ Succesfully return content (57 ms)
    /document/1 - Admin
      ✓ Return 403 (forbitten), when accessed with incorrect header (23 ms)
      ✓ Return 403 (forbitten), when accessed with role of "user". (5 ms)
      ✓ Return 200 (success), when accessed with role of "admin". (5 ms)

Test Suites: 1 passed, 1 total
Tests:       4 passed, 4 total
Snapshots:   0 total
Time:        0.952 s, estimated 2 s
Ran all test suites.
t
Sorry for the confusion earlier; I had an incorrect Docker configuration. Thank you for your help. I’m currently cloning another repository and am encountering issues with the tests. Could you assist me with this?
a
Hey, thanks for flagging. That has been fixed now (chai issue with cjs/esm)
t
Thanks!
Hey sorry to interrupt again.
import { HTTP } from '@cerbos/http';
Currently I use this library to check authorization in the FE. Do you have any idea about this error?
Uncaught (in promise) _NotOK: gRPC error 2 (UNKNOWN): Request failed: NetworkError when attempting to fetch resource.
a
Hey, could you share the code which sets up the HTTP SDK?
t
I ran this React demo repo locally and tuned this Cerbos setup file; however, I had a problem with the contact page
the PDP Docker instance is running well in my Docker..
obraz.png
a
Hey do you see any outbound requests in the network panel trying to call http://localhost:3592?
I can't replicate that error on my machine
t
obraz.png
a
Ah CORS. Is your application running on localhost also? What command are you using to start Cerbos?
t
cerbos:
        image: ghcr.io/cerbos/cerbos:latest
        container_name: cerbos
        ports:
        - "3592:3592"
        - "3593:3593"
        volumes:
        - ./../../cerbos:/policies
        restart: unless-stopped
I use Docker to run Cerbos, and yes, I run my application on localhost
a
I've created a quick docker-compose for that sample project as per below:
services:
  app:
    build: .
    container_name: app
    ports:
      - "3000:3000"
  cerbos:
    image: ghcr.io/cerbos/cerbos:latest
    container_name: cerbos
    ports:
      - "3592:3592"
      - "3593:3593"
    volumes:
      - ./cerbos:/policies
    restart: unless-stopped
I'm not getting any errors, which would suggest there is something else happening in the request pipeline in the environment you are running. Is there anything like a load balancer or such in between which could be modifying the headers?
t
Thanks for the investigation. I will try to debug in my local environment
a
Could you check which version of Cerbos you are running by going to http://localhost:3592/api/server_info
t
0.38.1
I used this command to run Cerbos
docker run --rm --name cerbos -v $(pwd)/cerbos/policies:/policies -p 3592:3592 -p 3593:3593 ghcr.io/cerbos/cerbos:latest
and I still get the same error. I suspect it depends on the browser (currently I am using Mozilla)
it has strict-origin-when-cross-origin, that's why it failed..
owh.. you also have the same referrer policy
a
yes
t
docker run --rm --name cerbos -d -v $(pwd)/cerbos:/policies -p 1592:1592 -p 1593:1593 ghcr.io/cerbos/cerbos:0.19.0
I still get the same error with this version 0.19.0
Mozilla/5.0 (X11; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0 this is my user agent
i also get the error with chrome..
a
docker run --rm --name cerbos -d -v $(pwd)/cerbos:/policies -p 1592:1592 -p 1593:1593 ghcr.io/cerbos/cerbos:0.19.0 this command has the wrong port number and also stick with 0.38.1
t
yes you are right, now I don't have the error in Chrome anymore..
but in mozilla, i still have the error because there is no access-control-allow-origin header
is it possible to control the header with http/cerbos library?
a
not with the library, but in the Cerbos server configuration
t
Thanks for the info!
docker run --rm --name cerbos -d -v $(pwd):/cerbos-dev -p 3592:3592 ghcr.io/cerbos/cerbos:0.38.1 server --config=/cerbos-dev/cerbos/.cerbos.yaml
Hey, my Mozilla browser still gets this error after I set up the Cerbos server config and run this docker command
could you help to check if my server config is correct?
server:
  httpListenAddr: ":3592"

storage:
  driver: "disk"
  disk:
    directory: /cerbos-dev/policies
    watchForChanges: true
cors:
  allowedOrigins:
    - http://localhost:3000
    - http://localhost:3001
    - http://localhost:3002
a
this is what you need
server:
  httpListenAddr: ":3592"
  cors:
    allowedOrigins:
      - "*"
    allowedHeaders:
      - "*"

storage:
  driver: "disk"
  disk:
    directory: /cerbos-dev/policies
    watchForChanges: true
If you are planning to call the PDP from the frontend in production, you should consider using Cerbos Hub's Embedded PDPs https://docs.cerbos.dev/cerbos-hub/decision-points-embedded
t
Thanks for the correct setup, finally I have no error with Firefox. May I know why it is recommended to use Cerbos Hub's Embedded PDP?
and if I only want to have localhost in allowedOrigins, how should I set it up?
a
server:
  httpListenAddr: ":3592"
  cors:
    allowedOrigins:
      - localhost:3000
    allowedHeaders:
      - "*"

storage:
  driver: "disk"
  disk:
    directory: /policies
    watchForChanges: true
May I know why it is recommended to use Cerbos Hub's Embedded PDP?
In the current setup you have to expose your PDP service to the internet and then do extra API calls to check permissions. With the embedded PDP the policies are evaluated directly in the browser.
t
if I use the embedded PDP, then I need to set up an account in Cerbos Hub and add the policy files into Cerbos Hub, right?
server:
  httpListenAddr: ":3592"
  cors:
    allowedOrigins:
      - localhost:3000
    allowedHeaders:
      - "*"

storage:
  driver: "disk"
  disk:
    directory: /cerbos-dev/policies
    watchForChanges: true
I changed the allowedOrigins as suggested, then I get the CORS error again with Firefox 👀
a
Sorry I missed the http off
server:
  httpListenAddr: ":3592"
  cors:
    allowedOrigins:
      - "http://localhost:3000"
    allowedHeaders:
      - "*"

storage:
  driver: "disk"
  disk:
    directory: /policies
    watchForChanges: true
t
hi @Alex Olivier (Cerbos) may I know what is the best way to run the Cerbos server in terms of response time? I used Docker to run the Cerbos server and the checking took around 800ms.
o
Hi @test-cerbos-nestjs, I’ve tried this locally with a dummy project. I think the problem is you are also timing the gRPC client creation which takes some time. Could you try to wrap const cerbosCheck = await cerbos.checkResource(cerbosRequest) with time functions instead. Ex:
console.time('cerbos.checkResource');
const cerbosCheck = await cerbos.checkResource(cerbosRequest);
console.timeEnd('cerbos.checkResource');
t
yea you are right but i think i should put the console.timeEnd after cerbosCheck.isAllowed
o
it depends on what you are measuring. in your case, the only time the sdk communicates with the cerbos server is when you call the cerbos.checkResources() function. All cerbosCheck.isAllowed(action) does is iterate over the response to find what is the result for the given action. (I wouldn’t expect it to be taking time at all, but still)
t
noted thanks!