Cerbos (latest)

Download OpenAPI specification:Download

CerbosService

Cerbos Policy Decision Point

Check Deprecated

[Deprecated: Use CheckResources API instead] Check whether a principal has permissions to perform the given actions on a set of resource instances.

Request Body schema: application/json
required

PDP Request

requestId
string

Optional application-specific ID useful for correlating logs for analysis.

actions
required
Array of strings non-empty unique

List of actions being performed on the set of resources.

required
object (enginev1Principal)

A person or application attempting to perform the actions on the set of resources.

required
object (v1ResourceSet)

Set of resources to check

includeMeta
boolean

Opt to receive request processing metadata in the response.

object (cerbosrequestv1AuxData)

Structured auxiliary data useful for evaluating the request

Responses

Request samples

Content type
application/json
{
  • "requestId": "c2db17b8-4f9f-4fb1-acfd-9162a02be42b",
  • "actions": [
    ],
  • "principal": {
    },
  • "resource": {
    },
  • "includeMeta": true,
  • "auxData": {
    }
}

Response samples

Content type
application/json
{
  • "requestId": "c2db17b8-4f9f-4fb1-acfd-9162a02be42b",
  • "resourceInstances": {
    },
  • "meta": {
    }
}

Check resources

Check a principal's permissions to a batch of heterogeneous resources and actions.

Request Body schema: application/json
required

Check resources request

requestId
string

Optional application-specific ID useful for correlating logs for analysis.

includeMeta
boolean

Add request processing metadata to the response.

required
object (enginev1Principal)

A person or application attempting to perform the actions on the set of resources.

required
Array of objects (CheckResourcesRequestResourceEntry) non-empty unique

List of resources and actions.

object (cerbosrequestv1AuxData)

Structured auxiliary data useful for evaluating the request

Responses

Request samples

Content type
application/json
{
  • "requestId": "c2db17b8-4f9f-4fb1-acfd-9162a02be42b",
  • "includeMeta": true,
  • "principal": {
    },
  • "resources": [
    ],
  • "auxData": {
    }
}

Response samples

Content type
application/json
{
  • "requestId": "c2db17b8-4f9f-4fb1-acfd-9162a02be42b",
  • "results": [
    ],
  • "cerbosCallId": "string"
}

Check resource batch Deprecated

[Deprecated: Use CheckResources API instead] Check a principal's permissions to a batch of heterogeneous resources and actions.

Request Body schema: application/json
required

PDP Request

requestId
string

Optional application-specific ID useful for correlating logs for analysis.

required
object (enginev1Principal)

A person or application attempting to perform the actions on the set of resources.

required
Array of objects (CheckResourceBatchRequestBatchEntry) non-empty unique

List of resources and actions.

object (cerbosrequestv1AuxData)

Structured auxiliary data useful for evaluating the request

Responses

Request samples

Content type
application/json
{
  • "requestId": "c2db17b8-4f9f-4fb1-acfd-9162a02be42b",
  • "principal": {
    },
  • "resources": [
    ],
  • "auxData": {
    }
}

Response samples

Content type
application/json
{
  • "requestId": "c2db17b8-4f9f-4fb1-acfd-9162a02be42b",
  • "results": [
    ]
}

Plan resources

Produce a query plan with conditions that must be satisfied for accessing a set of instances of a resource

Request Body schema: application/json
required

PDP Resources Query Plan Request

requestId
string

Optional application-specific ID useful for correlating logs for analysis.

action
required
string

Action to be applied to each resource in the list.

required
object (enginev1Principal)

A person or application attempting to perform the actions on the set of resources.

required
object (v1PlanResourcesInputResource)
object (cerbosrequestv1AuxData)

Structured auxiliary data useful for evaluating the request

includeMeta
boolean

Opt to receive request processing metadata in the response.

Responses

Request samples

Content type
application/json
{
  • "requestId": "c2db17b8-4f9f-4fb1-acfd-9162a02be42b",
  • "action": "view:public",
  • "principal": {
    },
  • "resource": {
    },
  • "auxData": {
    },
  • "includeMeta": true
}

Response samples

Content type
application/json
{
  • "requestId": "c2db17b8-4f9f-4fb1-acfd-9162a02be42b",
  • "action": "view:public",
  • "resourceKind": "album:object",
  • "policyVersion": "default",
  • "filter": {
    },
  • "meta": {
    },
  • "validationErrors": [
    ],
  • "cerbosCallId": "string"
}

Get server information

Get information about the server e.g. server version

Responses

Response samples

Content type
application/json
{
  • "version": "string",
  • "commit": "string",
  • "buildDate": "string"
}

CerbosAdminService

Cerbos administration service

List audit log entries

Authorizations:
BasicAuth
path Parameters
kind
required
string
Enum: "KIND_UNSPECIFIED" "KIND_ACCESS" "KIND_DECISION"

Kind of log entry

query Parameters
tail
integer <int64>

Last N entries.

between.start
required
string <date-time>

Start date in ISO 8601 format.

between.end
required
string <date-time>

End date in ISO 8601 format.

since
string

Entries since N hours/minutes ago

lookup
string^[0123456789ABCDEFGHJKMNPQRSTVWXYZ]{26}$

By Call ID

Responses

Response samples

Content type
application/json
{
  • "result": {
    },
  • "error": {
    }
}

List policies

Authorizations:
BasicAuth
query Parameters
includeDisabled
boolean

Include disabled policies

nameRegexp
string

Filter policies by name with regexp

scopeRegexp
string

Filter policies by scope with regexp

versionRegexp
string

Filter policies by version with regexp

policyId
Array of strings

For blob, disk, git stores use file name (.yaml). For mysql, postgres, sqlite3 use id (..) of the policy

Responses

Response samples

Content type
application/json
{
  • "policyIds": [
    ]
}

Inspect policies

Authorizations:
BasicAuth
query Parameters
includeDisabled
boolean

Include disabled policies

nameRegexp
string

Filter policies by name with regexp

scopeRegexp
string

Filter policies by scope with regexp

versionRegexp
string

Filter policies by version with regexp

policyId
Array of strings

For blob, disk, git stores use file name (.yaml). For mysql, postgres, sqlite3 use id (..) of the policy

Responses

Response samples

Content type
application/json
{
  • "results": {
    }
}

Get policy

Authorizations:
BasicAuth
query Parameters
id
required
Array of strings

For blob, disk, git stores use file name (.yaml). For mysql, postgres, sqlite3 use id (..) of the policy

Responses

Response samples

Content type
application/json
{
  • "policies": [
    ]
}

Disable policy

Authorizations:
BasicAuth
query Parameters
id
required
Array of strings

Unique identifier for the policy

Responses

Response samples

Content type
application/json
{
  • "disabledPolicies": 0
}

Add or update policies

Authorizations:
BasicAuth
Request Body schema: application/json
required

Add/update policy request

required
Array of objects (v1Policy) [ 1 .. 100 ] items

List of policies.

Responses

Request samples

Content type
application/json
{
  • "policies": [
    ]
}

Response samples

Content type
application/json
{
  • "success": { }
}

Add or update policies

Authorizations:
BasicAuth
Request Body schema: application/json
required

Add/update policy request

required
Array of objects (v1Policy) [ 1 .. 100 ] items

List of policies.

Responses

Request samples

Content type
application/json
{
  • "policies": [
    ]
}

Response samples

Content type
application/json
{
  • "success": { }
}

Disable policy

Authorizations:
BasicAuth
query Parameters
id
required
Array of strings

Unique identifier for the policy

Responses

Response samples

Content type
application/json
{
  • "disabledPolicies": 0
}

Disable policy

Authorizations:
BasicAuth
Request Body schema: application/json
required

Disable policy request

id
required
Array of strings

Unique identifier for the policy

Responses

Request samples

Content type
application/json
{
  • "id": "principal.sarah.vdefault"
}

Response samples

Content type
application/json
{
  • "disabledPolicies": 0
}

Enable policy

Authorizations:
BasicAuth
query Parameters
id
required
Array of strings

Unique identifier for the policy

Responses

Response samples

Content type
application/json
{
  • "enabledPolicies": 0
}

Enable policy

Authorizations:
BasicAuth
Request Body schema: application/json
required

Enable policy request

id
required
Array of strings

Unique identifier for the policy

Responses

Request samples

Content type
application/json
{
  • "id": "principal.sarah.vdefault"
}

Response samples

Content type
application/json
{
  • "enabledPolicies": 0
}

Get schema

Authorizations:
BasicAuth
query Parameters
id
required
Array of strings

Unique identifier for the schema

Responses

Response samples

Content type
application/json
{
  • "schemas": [
    ]
}

Delete schema

Authorizations:
BasicAuth
query Parameters
id
required
Array of strings

Unique identifier for the schema

Responses

Response samples

Content type
application/json
{
  • "deletedSchemas": 0
}

Add or update schema

Authorizations:
BasicAuth
Request Body schema: application/json
required

Add/update schema request

required
Array of objects (schemav1Schema) [ 1 .. 100 ] items

List of schemas.

Responses

Request samples

Content type
application/json
{
  • "schemas": [
    ]
}

Response samples

Content type
application/json
{ }

Add or update schema

Authorizations:
BasicAuth
Request Body schema: application/json
required

Add/update schema request

required
Array of objects (schemav1Schema) [ 1 .. 100 ] items

List of schemas.

Responses

Request samples

Content type
application/json
{
  • "schemas": [
    ]
}

Response samples

Content type
application/json
{ }

List schemas

Authorizations:
BasicAuth

Responses

Response samples

Content type
application/json
{
  • "schemaIds": [
    ]
}

Reload store

Authorizations:
BasicAuth
query Parameters
wait
boolean

Wait until the reloading process finishes

Responses

Response samples

Content type
application/json
{ }