API reference

Cerbos (latest)


CerbosService

Cerbos Policy Decision Point

Check (Deprecated)

[Deprecated: Use CheckResources API instead] Check whether a principal has permissions to perform the given actions on a set of resource instances.

Request Body schema: application/json
required

PDP Request

requestId
string

Optional application-specific ID useful for correlating logs for analysis.

actions
required
Array of strings non-empty unique

List of actions being performed on the set of resources.

principal
required
object (enginev1Principal)

A person or application attempting to perform the actions on the set of resources.

resource
required
object (v1ResourceSet)

Set of resources to check

includeMeta
boolean

Opt to receive request processing metadata in the response.

auxData
object (cerbosrequestv1AuxData)

Structured auxiliary data useful for evaluating the request

Responses

Response Schema: application/json
requestId
string

Request ID provided in the request.

resourceInstances
object

Results for each resource instance, keyed by the ID supplied in the request

meta
object (v1CheckResourceSetResponseMeta)

Metadata about request evaluation.

Request samples

Content type
application/json
{
  "actions": [ ... ],
  "principal": { ... },
  "resource": { ... }
}

Response samples

Content type
application/json
{
  "requestId": "c2db17b8-4f9f-4fb1-acfd-9162a02be42b",
  "resourceInstances": { ... },
  "meta": { ... }
}

Check resources

Check a principal's permissions to a batch of heterogeneous resources and actions.

Request Body schema: application/json
required

Check resources request

requestId
string

Optional application-specific ID useful for correlating logs for analysis.

includeMeta
boolean

Add request processing metadata to the response.

principal
required
object (enginev1Principal)

A person or application attempting to perform the actions on the set of resources.

resources
required
Array of objects (CheckResourcesRequestResourceEntry) non-empty unique

List of resources and actions.

auxData
object (cerbosrequestv1AuxData)

Structured auxiliary data useful for evaluating the request

Responses

Response Schema: application/json
requestId
string

Request ID provided in the request.

results
Array of objects (CheckResourcesResponseResultEntry)

Result for each resource

cerbosCallId
string

Audit log call ID associated with this request

Request samples

Content type
application/json
{
  "principal": { ... },
  "resources": [ ... ]
}

Response samples

Content type
application/json
{
  "requestId": "c2db17b8-4f9f-4fb1-acfd-9162a02be42b",
  "results": [ ... ],
  "cerbosCallId": "string"
}

Check resource batch (Deprecated)

[Deprecated: Use CheckResources API instead] Check a principal's permissions to a batch of heterogeneous resources and actions.

Request Body schema: application/json
required

PDP Request

requestId
string

Optional application-specific ID useful for correlating logs for analysis.

principal
required
object (enginev1Principal)

A person or application attempting to perform the actions on the set of resources.

resources
required
Array of objects (CheckResourceBatchRequestBatchEntry) non-empty unique

List of resources and actions.

auxData
object (cerbosrequestv1AuxData)

Structured auxiliary data useful for evaluating the request

Responses

Response Schema: application/json
requestId
string

Request ID provided in the request.

results
Array of objects (v1CheckResourceBatchResponseActionEffectMap)

Result for each resource

Request samples

Content type
application/json
{
  "principal": { ... },
  "resources": [ ... ]
}

Response samples

Content type
application/json
{
  "requestId": "c2db17b8-4f9f-4fb1-acfd-9162a02be42b",
  "results": [ ... ]
}

Plan resources

Produce a query plan with the conditions that must be satisfied to access a set of instances of a resource.

Request Body schema: application/json
required

PDP Resources Query Plan Request

requestId
string

Optional application-specific ID useful for correlating logs for analysis.

action
string

Action to be applied to each resource in the list.

actions
Array of strings unique

List of actions to generate the query plan for. Mutually exclusive with the singular action field. Must contain at least one action and all actions must be unique.

principal
required
object (enginev1Principal)

A person or application attempting to perform the actions on the set of resources.

resource
required
object (v1PlanResourcesInputResource)

auxData
object (cerbosrequestv1AuxData)

Structured auxiliary data useful for evaluating the request

includeMeta
boolean

Opt to receive request processing metadata in the response.

Responses

Response Schema: application/json
requestId
string

Request ID provided in the request.

action
string
actions
Array of strings

Actions

resourceKind
string

Resource kind.

policyVersion
string

The policy version.

filter
object (v1PlanResourcesFilter)

meta
object (v1PlanResourcesResponseMeta)

Metadata about request evaluation.

validationErrors
Array of objects (v1ValidationError)

List of validation errors (if schema validation is enabled)

cerbosCallId
string

Audit log call ID associated with this request

Request samples

Content type
application/json
{
  "principal": { ... },
  "resource": { ... }
}

Response samples

Content type
application/json
{
  "requestId": "c2db17b8-4f9f-4fb1-acfd-9162a02be42b",
  "action": "string",
  "actions": [ ... ],
  "resourceKind": "album:object",
  "policyVersion": "default",
  "filter": { ... },
  "meta": { ... },
  "validationErrors": [ ... ],
  "cerbosCallId": "string"
}

Get server information

Get information about the server, e.g. the server version.

Responses

Response Schema: application/json
version
string
commit
string
buildDate
string

Response samples

Content type
application/json
{
  "version": "string",
  "commit": "string",
  "buildDate": "string"
}

CerbosAdminService

Cerbos administration service

List audit log entries

path Parameters
kind
required
string
Enum: "KIND_UNSPECIFIED" "KIND_ACCESS" "KIND_DECISION"

Kind of log entry

query Parameters
tail
integer <int64>

Last N entries.

between.start
required
string <date-time>

Start date in ISO 8601 format.

between.end
required
string <date-time>

End date in ISO 8601 format.

since
string

Entries since N hours/minutes ago

lookup
string ^[0123456789ABCDEFGHJKMNPQRSTVWXYZ]{26}$

By Call ID

Responses

Response Schema: application/json
result
object (v1ListAuditLogEntriesResponse)

Audit log stream.

error
object (googlerpcStatus)

Response samples

Content type
application/json
{
  "result": { ... },
  "error": { ... }
}

List policies

query Parameters
includeDisabled
boolean

Include disabled policies

nameRegexp
string

Filter policies by name with regexp

scopeRegexp
string

Filter policies by scope with regexp

versionRegexp
string

Filter policies by version with regexp

policyId
Array of strings

For blob, disk, git stores use file name (.yaml). For mysql, postgres, sqlite3 use id (..) of the policy

Responses

Response Schema: application/json
policyIds
Array of strings

Response samples

Content type
application/json
{
  "policyIds": [ ... ]
}

Inspect policies

query Parameters
includeDisabled
boolean

Include disabled policies

nameRegexp
string

Filter policies by name with regexp

scopeRegexp
string

Filter policies by scope with regexp

versionRegexp
string

Filter policies by version with regexp

policyId
Array of strings

For blob, disk, git stores use file name (.yaml). For mysql, postgres, sqlite3 use id (..) of the policy

Responses

Response Schema: application/json
results
object

Response samples

Content type
application/json
{
  "results": { ... }
}

Get policy

query Parameters
id
required
Array of strings

For blob, disk, git stores use file name (.yaml). For mysql, postgres, sqlite3 use id (..) of the policy

Responses

Response Schema: application/json
policies
Array of objects (v1Policy)

Response samples

Content type
application/json
{
  "policies": [ ... ]
}

Disable policy

query Parameters
id
required
Array of strings

Unique identifier for the policy

Responses

Response Schema: application/json
disabledPolicies
integer <int64>

Response samples

Content type
application/json
{
  "disabledPolicies": 0
}

Add or update policies

Request Body schema: application/json
required

Add/update policy request

policies
required
Array of objects (v1Policy) [ 1 .. 100 ] items

List of policies.

Responses

Response Schema: application/json
success
object

Request samples

Content type
application/json
{
  "policies": [ ... ]
}

Response samples

Content type
application/json
{
  "success": { }
}

Add or update policies

Request Body schema: application/json
required

Add/update policy request

policies
required
Array of objects (v1Policy) [ 1 .. 100 ] items

List of policies.

Responses

Response Schema: application/json
success
object

Request samples

Content type
application/json
{
  "policies": [ ... ]
}

Response samples

Content type
application/json
{
  "success": { }
}

Disable policy

query Parameters
id
required
Array of strings

Unique identifier for the policy

Responses

Response Schema: application/json
disabledPolicies
integer <int64>

Response samples

Content type
application/json
{
  "disabledPolicies": 0
}

Disable policy

Request Body schema: application/json
required

Disable policy request

id
required
Array of strings

Unique identifier for the policy

Responses

Response Schema: application/json
disabledPolicies
integer <int64>

Request samples

Content type
application/json
{
  "id": "principal.sarah.vdefault"
}

Response samples

Content type
application/json
{
  "disabledPolicies": 0
}

Enable policy

query Parameters
id
required
Array of strings

Unique identifier for the policy

Responses

Response Schema: application/json
enabledPolicies
integer <int64>

Response samples

Content type
application/json
{
  "enabledPolicies": 0
}

Enable policy

Request Body schema: application/json
required

Enable policy request

id
required
Array of strings

Unique identifier for the policy

Responses

Response Schema: application/json
enabledPolicies
integer <int64>

Request samples

Content type
application/json
{
  "id": "principal.sarah.vdefault"
}

Response samples

Content type
application/json
{
  "enabledPolicies": 0
}

Get schema

query Parameters
id
required
Array of strings

Unique identifier for the schema

Responses

Response Schema: application/json
schemas
Array of objects (schemav1Schema)

Response samples

Content type
application/json
{
  "schemas": [ ... ]
}

Delete schema

query Parameters
id
required
Array of strings

Unique identifier for the schema

Responses

Response Schema: application/json
deletedSchemas
integer <int64>

Response samples

Content type
application/json
{
  "deletedSchemas": 0
}

Add or update schema

Request Body schema: application/json
required

Add/update schema request

schemas
required
Array of objects (schemav1Schema) [ 1 .. 100 ] items

List of schemas.

Responses

Response Schema: application/json
object (v1AddOrUpdateSchemaResponse)

Add/update schema response

Request samples

Content type
application/json
{
  "schemas": [ ... ]
}

Response samples

Content type
application/json
{ }

Add or update schema

Request Body schema: application/json
required

Add/update schema request

schemas
required
Array of objects (schemav1Schema) [ 1 .. 100 ] items

List of schemas.

Responses

Response Schema: application/json
object (v1AddOrUpdateSchemaResponse)

Add/update schema response

Request samples

Content type
application/json
{
  "schemas": [ ... ]
}

Response samples

Content type
application/json
{ }

List schemas

Responses

Response Schema: application/json
schemaIds
Array of strings

Response samples

Content type
application/json
{
  "schemaIds": [ ... ]
}

Reload store

query Parameters
wait
boolean

Wait until the reloading process finishes

Responses

Response Schema: application/json
object (v1ReloadStoreResponse)

Reload store response

Response samples

Content type
application/json
{ }