Do I need to marry cerbos and my db like this in the general Cerbos Community #help

Join Slack

Do I need to marry cerbos and my db like this in t...

# help

Hrishikesh Barman

04/26/2025, 10:59 AM

Do I need to marry cerbos and my db like this in the general use of cerbos?

Dennis (Cerbos)

04/26/2025, 11:00 AM

Hi Hrishikesh, No, you don’t. We mention ORMs only as an example for a relatively advanced use case of the Plan API.

Hrishikesh Barman

04/26/2025, 11:02 AM

Thanks for the quick response!

If I request a single resource, of course this can work if I ask a second API on whether the request is allowed or not. But if I query a database for a list of items, to add access control I need to modify the database query. I can't just filter after the fact, it's too easy to cause pathological performance issues there e.g. if the user has only access to a very small subset of a large list of results. How does this work with a separate access control API that can't directly modify the database query?

https://news.ycombinator.com/item?id=30362395 (okay I understood the database usecase now) but I want to understand if this really is my usecase(having to filter at db query layer), what are my options now?

Hrishikesh Barman

04/26/2025, 11:03 AM

and here I could be using "anything" to access my DB really

Dennis (Cerbos)

04/26/2025, 11:04 AM

The Query Plan API is used in a relatively advanced use case. The API returns an abstract syntax tree (AST) of the relevant policy. Cerbos partially evaluates the policy because the principal is known, but the resource(s) are not, then returns the AST in the result. The AST looks like this:

Copy code

{
  "expression": {
    "operator": "eq",
    "operands": [
      {
        "variable": "request.resource.attr.status"
      },
      {
        "value": "PENDING_APPROVAL"
      }
    ]
  }
}

It’s straightforward to translate this particular AST to SQL. Unless you’re using an ORM for which we have an adapter, you must write a translation layer yourself.

Dennis (Cerbos)

04/26/2025, 11:06 AM

It is common (for Cerbos users) to write a custom adapter for a particular application and database.

Hrishikesh Barman

04/26/2025, 11:14 AM

Oh nice, I don't plan to use any ORM, but I do plan to use Kysely(pure query builder) and https://github.com/porsager/postgres. I'll try to write the translation layer, if it seems coherent enough would try to submit as an adapter for that. I was also wondering if we could put this into some common format and something like https://github.com/tobymao/sqlglot can do the conversion. Thanks a lot for clarifying!

Dennis (Cerbos)

04/26/2025, 11:19 AM

We will look into sqlglot. Looks great. Thanks for the suggestion!

I’ll try to write the translation layer, if it seems coherent enough would try to submit as an adapter for that.

Thank you!

2 Views

Open in Slack

Previous Next