The Cerbos Admin API

The Admin API is an optional component of the Cerbos PDP that must be enabled by setting server.adminAPI.enabled to true in the configuration. (See Admin API configuration for details.)

Authentication is mandatory for the Admin API. Currently only basic authentication with a single admin user is supported. If no credentials are configured, the default username and password are cerbos and cerbosAdmin respectively.

Always change the default credentials and enable TLS for the endpoint when enabling the Admin API. See Server configuration for more information.

Add/update policies [/admin/policy]

This endpoint requires a mutable storage driver such as sqlite3 to be configured.
Request
{
  "policies": [ (1)
    {
      "apiVersion": "api.cerbos.dev/v1",
      "principalPolicy": {
        "principal": "donald_duck",
        "version": "20210210",
        "rules": [
          {
            "resource": "leave_request",
            "actions": [
              {
                "action": "*",
                "condition": {
                  "match": {
                    "expr": "request.resource.attr.dev_record == true"
                  }
                },
                "effect": "EFFECT_ALLOW"
              }
            ]
          },
          {
            "resource": "salary_record",
            "actions": [
              {
                "action": "*",
                "effect": "EFFECT_DENY"
              }
            ]
          }
        ]
      }
    }
  ]
}
1 List of policy definitions
Response
{"success":{}}

List Policies [/admin/policy/list]

This endpoint is still under development and should be considered unstable.

Issue a GET request to the endpoint to list the policies available in the store.

curl -k -u cerbos:cerbosAdmin \
    'https://localhost:3592/admin/policy/list?pretty'

If you want to filter the list by specific fields in the policies, use the POST method. Filters can do exact or wildcard matches on policy fields, which are referenced using JSONPath syntax.

Show resource policies for resources containing the word "album"
curl -k -u cerbos:cerbosAdmin \
    'https://localhost:3592/admin/policy/list?pretty'\
    -d '{"filters": [{"type": "MATCH_TYPE_WILDCARD", "fieldPath": "$.resourcePolicy.resource", "value":"album"}]}'
Show any policies with the version field set to "staging"
curl -k -u cerbos:cerbosAdmin \
    'https://localhost:3592/admin/policy/list?pretty'\
    -d '{"filters": [{"type": "MATCH_TYPE_EXACT", "fieldPath": "$.*.version", "value":"staging"}]}'

List Audit Log Entries [/admin/auditlog/list]

When audit logging is enabled you can view the audit log entries using this API endpoint.

There are two kinds of audit logs:

KIND_ACCESS

Captured Cerbos API access logs. These records are only available if accessLogsEnabled is set to true in the configuration.

KIND_DECISION

Decision logs captured by the engine. These records are only available if decisionLogsEnabled is set to true in the configuration.

Supported filters are:

tail

View the last N entries

between

View entries captured between two timestamps. The time range is specified by providing two ISO-8601 timestamps using the between.start and between.end query parameters.

since

View entries captured since N hours/minutes/seconds ago

lookup

View a specific entry by call ID

View last 5 decision log entries
curl -k -u cerbos:cerbosAdmin \
    'https://localhost:3592/admin/auditlog/list/KIND_DECISION?tail=5'
View decision logs from 2 hours ago up to now
curl -k -u cerbos:cerbosAdmin \
    'https://localhost:3592/admin/auditlog/list/KIND_DECISION?since=2h'
View access log entries between midnight 2021-07-01 and midnight 2021-07-02
curl -k -u cerbos:cerbosAdmin \
    'https://localhost:3592/admin/auditlog/list/KIND_ACCESS?between.start=2021-07-01T00:00:00Z&between.end=2021-07-02T00:00:00Z'
View specific access log entry
curl -k -u cerbos:cerbosAdmin \
    'https://localhost:3592/admin/auditlog/list/KIND_ACCESS?lookup=01F9VS1N77S83MTSBBX44GYSJ6'