Resource definition
| This documentation is for a previous version of Cerbos. Choose 0.39.0 from the version picker at the top right or navigate to https://docs.cerbos.dev for the latest version. |
| The policies for this section can be found on GitHub. |
Authentication roles
To begin with Cerbos needs to know about the basic roles which are provided by your authentication provider. In the case of Cerbforce, Auth0 provides a role of either ADMIN or USER for all profiles. This is important when starting to define access to resources below - for now just make a note of them.
Resources
The best place to start with defining policies is listing out all the resources and their actions that exist in the system. A resource is an entity type that users are authorized to access.
In the case of Cerbforce some of the resources and actions are as follows:
| Resource | Actions |
|---|---|
User |
|
Company |
|
Contact |
|
With this as a start, you can begin creating your first Cerbos policy - a resource policy.
Resource policies
Taking the user resource as an example, the most basic resource policy can be defined like below:
apiVersion: api.cerbos.dev/v1
resourcePolicy:
version: "default"
resource: "user"
rules:
- actions:
- create
- read
effect: EFFECT_ALLOW
roles:
- user
- actions:
- create
- read
- update
- delete
effect: EFFECT_ALLOW
roles:
- adminThe structure of a resource policy requires a name to be set on the resource key and then a list of rules is defined. A rule defines a list of actions on the resource, the effect of the rule (EFFECT_ALLOW or EFFECT_DENY) and then fields to state who this applies to - in this simple case a list of roles which is checked for in the roles of the user making the request.
In this case, a request made for a principal with a role of user is granted only create and read actions whilst an admin role can also perform update, delete actions.
The full documentation for resource policies can be found here.
Wildcard action
To simplify things further, admins might need to be able to do every action. We can use a special * wildcard action to specify this succinctly:
---
apiVersion: api.cerbos.dev/v1
resourcePolicy:
version: "default"
resource: "user"
rules:
- actions:
- create
- read
- update
effect: EFFECT_ALLOW
roles:
- user
- actions:
- "*"
effect: EFFECT_ALLOW
roles:
- adminThe contact and company resources have a similar structure at this stage and can be modeled as so:
---
apiVersion: api.cerbos.dev/v1
resourcePolicy:
version: "default"
resource: "contact"
rules:
- actions:
- create
- read
- update
effect: EFFECT_ALLOW
roles:
- user
- actions:
- "*"
effect: EFFECT_ALLOW
roles:
- admin---
apiVersion: api.cerbos.dev/v1
resourcePolicy:
version: "default"
resource: "company"
rules:
- actions:
- create
- read
- update
effect: EFFECT_ALLOW
roles:
- user
- actions:
- "*"
effect: EFFECT_ALLOW
roles:
- adminValidating policies
Now with the initial policies in place, you can run Cerbos in compile mode which validates the content of the policy files to ensure they are correct.
If you are running Cerbos in a container then mount the folder containing your policies and run the compile command pointing to the folder of your policies.
# Using Container
docker run --rm --name cerbos -t \
-v /tutorial:/tutorial \
ghcr.io/cerbos/cerbos:latest compile /tutorial/policies
# Using Binary
./cerbos compile /tutorial/policiesIf the policies are valid then the process exits with no errors. If there is an issue, the error message points you to where you need to look and the specific problem to fix.