
Jesum Yip

01/16/2023, 5:11 AM
i have the following in my cerbos config map. this means JWT verification is disabled.
doesn't seem to work because when i call the cerbos api, i get this
{"code":3, "message":"failed to extract auxData"}
in the pod's logs i can see:
cannot determine keyset to use for validating the JWT
i don't need jwt validation because that's already handled by my API gateway
btw i'm on cerbos v0.24

Dennis (Cerbos)

01/16/2023, 5:16 AM
If verification is disabled, the signature isn’t cryptographically verified, but Cerbos always checks if the token is not expired.

Jesum Yip

01/16/2023, 5:17 AM
the token is definitely not expired

Dennis (Cerbos)

01/16/2023, 5:19 AM
Sorry, I missed the error message “cannot determine keyset to use for validating the JWT”

Jesum Yip

01/16/2023, 5:20 AM
i expect cerbos to completely ignore verification, which means the issue of keysets do not even come up.
exp claim validation is fine - i can live with that
is my configMap wrongly written?
like this instead

Dennis (Cerbos)

01/16/2023, 5:24 AM
Looks good to me. Let me think for a minute.

Jesum Yip

01/16/2023, 5:25 AM
also, changing configmap doesn't cause cerbos deployment to restart. i have to restart it manually.
yes that did the trick @Dennis (Cerbos). my configMap was wrongly written
one last thing
how do i disable the generation of this?

Dennis (Cerbos)

01/16/2023, 5:32 AM
Do you mean the schema? I think it is embedded in the Cerbos binary.

Jesum Yip

01/16/2023, 5:32 AM
yes the schema web page
does it redirect to some url path ? i have istio in place and i can block that

Dennis (Cerbos)

01/16/2023, 5:36 AM
I don’t think we have a setting to turn this off. Let me look for a way to work around this. May I ask why do you want to disable this page?

Jesum Yip

01/16/2023, 5:36 AM
for security purposes
cerbos is exposed on the internet
i do not want people guessing and knowing that it's cerbos running behind that IP address
it's a minor issue, really, but would be nice if i could disable it.
not a very high priority ask.

Dennis (Cerbos)

01/16/2023, 5:39 AM
I see. Thanks for taking the time to explain it.

Jesum Yip

01/16/2023, 5:42 AM
i know how to block it with istio.
that schema page is generated when you visit cerbos at the / folder. i wrote an istio rule to block access to it and it works