Quickstart
Create a directory to store the policies.
mkdir -p cerbos-quickstart/policies
Now start the Cerbos server. We are using the container image in this guide but you can follow along using the binary as well. See installation instructions for more information.
docker run --rm --name cerbos -d -v $(pwd)/cerbos-quickstart/policies:/policies -p 3592:3592 ghcr.io/cerbos/cerbos:0.18.0
Time to try out a simple request.
If you prefer to use Postman, Insomnia or any other software that supports OpenAPI, you can follow this guide along on those tools by downloading the OpenAPI definitions from http://localhost:3592/schema/swagger.json. You can also use the built-in API browser by pointing your browser to http://localhost:3592.
cat <<EOF | curl --silent "http://localhost:3592/api/check/resources?pretty" -d @-
{
  "requestId": "quickstart",
  "principal": {
    "id": "bugs_bunny",
    "roles": [
      "user"
    ],
    "attr": {
      "beta_tester": true
    }
  },
  "resources": [
    {
      "actions": [
        "view:public",
        "comment"
      ],
      "resource": {
        "kind": "album:object",
        "id": "BUGS001",
        "attr": {
          "owner": "bugs_bunny",
          "public": false,
          "flagged": false
        }
      }
    },
    {
      "actions": [
        "view:public",
        "comment"
      ],
      "resource": {
        "kind": "album:object",
        "id": "DAFFY002",
        "attr": {
          "owner": "daffy_duck",
          "public": true,
          "flagged": false
        }
      }
    }
  ]
}
EOF
In this example, the bugs_bunny principal is trying to perform two actions (view:public and comment) on two album:object resources. The resource instance with the ID BUGS001 belongs to bugs_bunny and is private (the public attribute is false). The other resource instance with the ID DAFFY002 belongs to daffy_duck and is public.
This is the response from the server:
{
  "requestId": "quickstart",
  "results": [
    {
      "resource": {
        "id": "BUGS001",
        "kind": "album:object"
      },
      "actions": {
        "comment": "EFFECT_DENY",
        "view:public": "EFFECT_DENY"
      }
    },
    {
      "resource": {
        "id": "DAFFY002",
        "kind": "album:object"
      },
      "actions": {
        "comment": "EFFECT_DENY",
        "view:public": "EFFECT_DENY"
      }
    }
  ]
}
Bugs Bunny is not allowed to view or comment on any of the album resources — even the ones that belong to him. This is because currently there are no policies defined for the album:object resource.
Now create a derived roles definition that assigns the owner dynamic role to a user if the owner attribute of the resource they’re trying to access is equal to their ID.
cat > cerbos-quickstart/policies/derived_roles_common.yaml <<EOF
---
apiVersion: "api.cerbos.dev/v1"
derivedRoles:
  name: common_roles
  definitions:
    - name: owner
      parentRoles: ["user"]
      condition:
        match:
          expr: request.resource.attr.owner == request.principal.id
EOF
Also create a resource policy that gives owners full access to their own albums.
cat > cerbos-quickstart/policies/resource_album.yaml <<EOF
---
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  importDerivedRoles:
    - common_roles
  resource: "album:object"
  rules:
    - actions: ['*']
      effect: EFFECT_ALLOW
      derivedRoles:
        - owner
EOF
Try the request again. This time bugs_bunny should be allowed access to his own album but denied access to the album owned by daffy_duck.
Request
cat <<EOF | curl --silent "http://localhost:3592/api/check/resources?pretty" -d @-
{
  "requestId": "quickstart",
  "principal": {
    "id": "bugs_bunny",
    "roles": [
      "user"
    ],
    "attr": {
      "beta_tester": true
    }
  },
  "resources": [
    {
      "actions": [
        "view:public",
        "comment"
      ],
      "resource": {
        "kind": "album:object",
        "id": "BUGS001",
        "attr": {
          "owner": "bugs_bunny",
          "public": false,
          "flagged": false
        }
      }
    },
    {
      "actions": [
        "view:public",
        "comment"
      ],
      "resource": {
        "kind": "album:object",
        "id": "DAFFY002",
        "attr": {
          "owner": "daffy_duck",
          "public": true,
          "flagged": false
        }
      }
    }
  ]
}
EOF
{
  "requestId": "quickstart",
  "results": [
    {
      "resource": {
        "id": "BUGS001",
        "kind": "album:object"
      },
      "actions": {
        "comment": "EFFECT_ALLOW",
        "view:public": "EFFECT_ALLOW"
      }
    },
    {
      "resource": {
        "id": "DAFFY002",
        "kind": "album:object"
      },
      "actions": {
        "comment": "EFFECT_DENY",
        "view:public": "EFFECT_DENY"
      }
    }
  ]
}
Now add a rule to the policy to allow users to view public albums.
cat > cerbos-quickstart/policies/resource_album.yaml <<EOF
---
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  importDerivedRoles:
    - common_roles
  resource: "album:object"
  rules:
    - actions: ['*']
      effect: EFFECT_ALLOW
      derivedRoles:
        - owner
    - actions: ['view:public']
      effect: EFFECT_ALLOW
      roles:
        - user
      condition:
        match:
          expr: request.resource.attr.public == true
EOF
If you try the request again, bugs_bunny now has view:public access to the album owned by daffy_duck but not comment access. Can you figure out how to update the policy to give him comment access as well?
Request and response
cat <<EOF | curl --silent "http://localhost:3592/api/check/resources?pretty" -d @-
{
  "requestId": "quickstart",
  "principal": {
    "id": "bugs_bunny",
    "roles": [
      "user"
    ],
    "attr": {
      "beta_tester": true
    }
  },
  "resources": [
    {
      "actions": [
        "view:public",
        "comment"
      ],
      "resource": {
        "kind": "album:object",
        "id": "BUGS001",
        "attr": {
          "owner": "bugs_bunny",
          "public": false,
          "flagged": false
        }
      }
    },
    {
      "actions": [
        "view:public",
        "comment"
      ],
      "resource": {
        "kind": "album:object",
        "id": "DAFFY002",
        "attr": {
          "owner": "daffy_duck",
          "public": true,
          "flagged": false
        }
      }
    }
  ]
}
EOF
{
  "requestId": "quickstart",
  "results": [
    {
      "resource": {
        "id": "BUGS001",
        "kind": "album:object"
      },
      "actions": {
        "comment": "EFFECT_ALLOW",
        "view:public": "EFFECT_ALLOW"
      }
    },
    {
      "resource": {
        "id": "DAFFY002",
        "kind": "album:object"
      },
      "actions": {
        "comment": "EFFECT_DENY",
        "view:public": "EFFECT_ALLOW"
      }
    }
  ]
}
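As an added example that is not part of the Cerbos quickstart, here is a small Python client that builds the same CheckResources request with urllib and reads the results fail-closed: only an explicit EFFECT_ALLOW counts, so an action or resource missing from the response is treated as denied. The embedded sample response is the final one shown above (a constructed copy, so the decision logic runs offline); check_resources() assumes the container started earlier in this guide is listening on port 3592.

```python
import json
import urllib.request

CERBOS_URL = "http://localhost:3592/api/check/resources"  # endpoint used by the quickstart


def build_check_request(request_id, principal_id, roles, principal_attr, resources):
    """Build a CheckResources payload in the shape the quickstart sends with curl.
    resources: iterable of (kind, id, attr, actions) tuples."""
    return {
        "requestId": request_id,
        "principal": {"id": principal_id, "roles": list(roles), "attr": dict(principal_attr)},
        "resources": [
            {"actions": list(actions), "resource": {"kind": kind, "id": rid, "attr": dict(attr)}}
            for kind, rid, attr, actions in resources
        ],
    }


def decisions(response):
    """Map (resource id, action) -> True only for EFFECT_ALLOW. EFFECT_DENY, an action
    that is absent, or a resource that is absent all stay False: callers fail closed."""
    table = {}
    for result in response.get("results", []):
        rid = result["resource"]["id"]
        for action, effect in result.get("actions", {}).items():
            table[(rid, action)] = effect == "EFFECT_ALLOW"
    return table


def is_allowed(response, resource_id, action):
    return decisions(response).get((resource_id, action), False)


def check_resources(payload, url=CERBOS_URL):
    """POST the payload to a running PDP (the container from this guide) and decode it."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


# Constructed offline sample: a copy of the final response shown in the quickstart.
SAMPLE_RESPONSE = {"requestId": "quickstart", "results": [
    {"resource": {"id": "BUGS001", "kind": "album:object"},
     "actions": {"comment": "EFFECT_ALLOW", "view:public": "EFFECT_ALLOW"}},
    {"resource": {"id": "DAFFY002", "kind": "album:object"},
     "actions": {"comment": "EFFECT_DENY", "view:public": "EFFECT_ALLOW"}}]}

if __name__ == "__main__":
    payload = build_check_request("quickstart", "bugs_bunny", ["user"], {"beta_tester": True},
        [("album:object", "DAFFY002", {"owner": "daffy_duck", "public": True, "flagged": False},
          ["view:public", "comment"])])
    print(json.dumps(payload, indent=2))  # replace SAMPLE_RESPONSE with check_resources(payload) when the PDP is up
    for rid, action in [("BUGS001", "comment"), ("DAFFY002", "view:public"), ("DAFFY002", "comment")]:
        print(rid, action, "ALLOW" if is_allowed(SAMPLE_RESPONSE, rid, action) else "DENY")
```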
Once you are done experimenting, the Cerbos server can be stopped with the following command:
docker kill cerbos