Cerbos Hub

Cerbos Hub simplifies the process of authoring authorization policies, testing changes, rolling out updates to production, and aggregating audit logs about authorization decisions. It is a scalable solution for developers who want to save time, streamline their workflows, and confidently roll out authorization updates, freeing you to focus on delivering great products to your customers.

Features

Collaborative policy editing

Cerbos Hub playgrounds provide private, collaborative, IDE-like development environments to help author and test policies with ease.

Managed build and release pipeline

Cerbos Hub automatically validates, tests, signs, and distributes every policy change, giving you a turnkey CI/CD pipeline without extra infrastructure.

Source agnostic policy stores

Populate policy stores from any source using any of the many integration methods available.

Coordinated rollout of policy changes

Cerbos Hub pushes new policy bundles to every connected PDP instance, ensuring fleet-wide consistency and eliminating manual polling or reload logic.

PDP monitoring

Cerbos Hub shows which policies each PDP is serving, the exact bundle version, and when the instance was last seen.

Audit log aggregation

With one line of configuration you can stream PDP decision logs to Cerbos Hub, filter sensitive fields locally, and retain searchable history without running a separate log stack.

How it works

Cerbos Hub is a cloud-hosted management control plane, while Cerbos instances and the data they process remain strictly inside your network perimeter. Switching to Cerbos Hub requires only a minor configuration change to your existing Cerbos deployment. After the switch, PDPs receive optimized policy bundles from Cerbos Hub instead of compiling policies locally.

How Cerbos Hub works

  1. Make a change to policies and submit it to a policy store through Git, a CI pipeline, an API call, a CLI upload, or a direct drag and drop in the browser.

  2. Cerbos Hub detects the update and starts a new build.

  3. Validate and compile the policies.

  4. Run all policy tests found in the store.

  5. Generate a compact encrypted policy bundle.

  6. Increment the deployment version and notify every PDP that is assigned to this deployment that a new bundle is available.

  7. PDP instances download the new bundle and start serving it immediately.

Optionally, configure Cerbos Hub as an audit backend for the PDPs. Logs are streamed securely, with sensitive data removed locally before leaving your network perimeter.