Resource policies define rules for actions that can be performed on a given resource.
`basicResource.yaml` defines a resource policy for the kind `basicResource`, with `create`, `read`, `update` and `delete` actions. This policy expects a principal to have either the `ADMIN` or `USER` role.

A `basicResource` is expected to have two attributes, `ownerId` and `isPublished`, which are used in the policy to make decisions about which actions should be permitted.
Attribute schemas are optional JSON schemas that the Cerbos PDP uses at request time to validate that the incoming request carries all the data required to make a correct authorization decision. The server configuration can be set to either emit a warning or reject the request if the input doesn't conform to these schemas. `_schemas/principal.json` defines a schema for the principals, while `_schemas/basicResource.json` defines a schema for the `basicResource` objects.
`basicResource_test.yaml` defines a test suite and related test data that checks that the permissions are implemented as expected.

`.cerbos.yaml` is used to configure a Cerbos PDP server container to load the policies from disk.

`.cerbos-hub.yaml` is used to configure a Cerbos Hub workspace to compile policy bundles from commits matching the configured labels, to be deployed to connected Cerbos PDP instances.
A straightforward way to run Cerbos is via a container, an example of which is shown below. See the documentation for other ways to install and run Cerbos locally.
Verify that the policies are correct by using the `compile` command.

```sh
docker run --rm -it \
  -v $(pwd):/basic-crud \
  ghcr.io/cerbos/cerbos:latest \
  compile --verbose /basic-crud
```
Launch a PDP server by running the `server` command.

```sh
docker run --rm --name cerbos \
  -v $(pwd):/basic-crud \
  -p 3592:3592 \
  -p 3593:3593 \
  ghcr.io/cerbos/cerbos:latest \
  server --config=/basic-crud/.cerbos.yaml
```
The API documentation can then be found at http://localhost:3592.
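As an added example (not part of this repository), the following client builds a `CheckResources` request for a `basicResource` against the PDP started above, pre-checks the request shape the page describes (roles limited to `ADMIN`/`USER`, `ownerId` string and `isPublished` boolean) before sending, and treats any effect other than `EFFECT_ALLOW` as a denial. The pre-check is an assumption derived from the attribute description above, not the contents of the repository's `_schemas` files; principal and resource ids are constructed sample values.

```python
import json
import urllib.request

PDP_URL = "http://localhost:3592/api/check/resources"  # REST port exposed by the container above
KNOWN_ROLES = {"ADMIN", "USER"}                          # roles the basicResource policy expects
ACTIONS = ["create", "read", "update", "delete"]


def validate_resource_attr(attr):
    """Client-side mirror of the described schema: ownerId (string) and isPublished (bool)."""
    problems = []
    if not isinstance(attr.get("ownerId"), str):
        problems.append("ownerId must be a string")
    if not isinstance(attr.get("isPublished"), bool):
        problems.append("isPublished must be a boolean")
    return problems


def build_request(principal_id, roles, resource_id, attr, request_id="req-1"):
    """Assemble a CheckResources body; fail early on input the PDP schema would reject."""
    unknown = set(roles) - KNOWN_ROLES
    if unknown:
        raise ValueError(f"unexpected roles: {sorted(unknown)}")
    problems = validate_resource_attr(attr)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "requestId": request_id,
        "principal": {"id": principal_id, "roles": sorted(roles)},
        "resources": [{
            "actions": ACTIONS,
            "resource": {"kind": "basicResource", "id": resource_id, "attr": attr},
        }],
    }


def allowed_actions(response):
    """Collect actions the PDP allowed; missing or non-ALLOW effects count as denied."""
    allowed = set()
    for result in response.get("results", []):
        for action, effect in result.get("actions", {}).items():
            if effect == "EFFECT_ALLOW":
                allowed.add(action)
    return allowed


def check(request):
    """POST the request to the running PDP and return the decoded JSON response."""
    body = json.dumps(request).encode()
    req = urllib.request.Request(PDP_URL, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample: a USER asking about a resource they own that is not yet published.
    req = build_request("alice", ["USER"], "doc-42", {"ownerId": "alice", "isPublished": False})
    print(sorted(allowed_actions(check(req))))
```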