I have what might be a silly question I have a bunch of thin Cerbos Community #help

I have what might be a silly question. I have a b...

Peter McClonski

02/01/2025, 5:51 PM

I have what might be a silly question. I have a bunch of things beyond AuthZ which would make sense to externalize to a policy engine. Things like policy-based data validation, where I’d be asking questions like, “Given this set of constraints, is this data element valid?“. It feels to me like the Cerbos PDP, while not specifically meant for this use case, has a policy engine that would serve the use case well. Has anyone ever tried anything like this?

Sam Lock (Cerbos)

02/01/2025, 6:27 PM

It certainly sounds reasonable! What might the constraints and the data element look like? The PDP is just a decision engine at its core, so providing you can pass the context in the expected form, it should be able to make decisions for you.

Peter McClonski

02/01/2025, 6:45 PM

Let’s say I have some datatype that, semantically, I call a Social Security Number. Under the hood, maybe it’s a String, whatever, but I treat it as its own Thing. I know that it follows exactly one of the following formats: XXX-XX-XXXX XXXXXXXXX Where each X must be a digit 0-9. The following would fail validation: • A12-34-5678 • 12-34-5678 • 1234567 • 123-456789 The following would pass validation: • 123-45-6789 • 123456789 Even better, I have a queryable / filterable entity (Pandas DF, Spark DF, whatever) that contains 0..* records which should align to the above format. I would like Cerbos to hand me back a query plan (another beautiful feature I love about you guys) which I can interpret to write a query which extracts only those records which are “valid”

Sam Lock (Cerbos)

02/01/2025, 8:35 PM

Hmm, OK. Focusing on this particular example, I think it could be achieved with regex rules within a resource policy that looked vaguely like:

Copy code

---
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  resource: social_security_no
  version: default
  rules:
    - actions:
        - validate
      roles: ["*"]
      effect: EFFECT_ALLOW
      condition:
        match:
          expr: R.id.matches("^[0-9]{3}-[0-9]{2}-[0-9]{4}$")

The query plan aspect I'm less sure about as I'm not sure what it would currently output, but I can have a tinker next week! I'd expect it to require mapping to some database specific

match

query or the like.

Sam Lock (Cerbos)

02/03/2025, 7:58 AM

Had a quick look, the query planner outputs the same

match

clause (for the simple case); here's the response:

Copy code

{
  "requestId": "test",
  "action": "validate",
  "resourceKind": "social_security_no",
  "policyVersion": "default",
  "filter": {
    "kind": "KIND_CONDITIONAL",
    "condition": {
      "expression": {
        "operator": "matches",
        "operands": [
          {
            "variable": "request.resource.id"
          },
          {
            "value": "^[0-9]{3}-[0-9]{2}-[0-9]{4}$"
          }
        ]
      }
    }
  },
  "cerbosCallId": "01JK5CYRDBAT29HVAKB86QKN4Z"
}

So, as originally thought, it's a matter of translating the

match

operator to the query language of your choice.

Peter McClonski

02/03/2025, 2:28 PM

Beautiful, I’ll probably experiment with this a little bit this week and report back!

👍 1

6 Views

Open in Slack

Previous Next