Skip to content

A template repo for storing Cerbos policies

Notifications You must be signed in to change notification settings

cerbos/example-cerbos-policy-repository

Repository files navigation

Getting started with basic CRUD policies

What's in this repository?

Policies

Resource policies define rules for actions that can be performed on a given resource.

basicResource.yaml defines a resource policy for the kind basicResource, with create, read, update and delete actions. This policy expects a principal to have either the ADMIN or USER role.

A basicResource is expected to have two attributes, ownerId and isPublished, which are used in the policy to make decisions about which actions should be permitted.

Attribute schemas

Attribute schemas are optional JSON schemas that are used by the Cerbos PDP at request time to validate the incoming request having all the required data to make a correct authorization decision. The server configuration can be set to either give a warning or reject the request if the input doesn't conform to these schemas.

\_schemas/principal.json defines a schema for the principals, while \_schemas/basicResource.json defines a schema for the basicResource objects.

Tests

basicResource_test.yaml defines a test suite and related test data that checks that the permissions are implemented as expected.

Cerbos Policy Decision Point (PDP) configuration

.cerbos.yaml is used to configure a Cerbos PDP server container to load the policies from disk.

Cerbos Hub configuration

.cerbos-hub.yaml is used to configure a Cerbos Hub workspace to compile policy bundles from commits matching the configured labels, to be deployed to connected Cerbos PDP instances.

Running locally

A straightforward way to run Cerbos is via a container, an example of which is shown below. See the documentation for other ways to install and run Cerbos locally.

Compile and test

Verify that the policies are correct by using the compile command.

docker run --rm -it \
  -v $(pwd):/basic-crud \
  ghcr.io/cerbos/cerbos:latest \
  compile --verbose /basic-crud

PDP server

Launch a PDP server by running the server command.

docker run --rm --name cerbos \
 -v $(pwd):/basic-crud \
 -p 3592:3592 \
 -p 3593:3593 \
 ghcr.io/cerbos/cerbos:latest \
 server --config=/basic-crud/.cerbos.yaml

The API documentation can then be found at http://localhost:3592.