Configuration
If no configuration is provided via the --conf.path flag, Synapse starts on port 3594 and attempts to load Cerbos policies from a directory named policies in the current path. While the --conf.set flag can be used to override configuration values from the command line, it is recommended to use a configuration file for better readability.
Example configuration
The following snippet illustrates a typical configuration for Synapse.
server:
listenAddress: ":3594"
tls:
cert: /certs/tls.crt
key: /certs/tls.key
pdp:
inProcess:
storage:
driver: "disk"
disk:
directory: /policies
schema:
enforcement: warn
audit:
enabled: true
backend: file
file:
path: stderr
extensions:
dataDir: /tmp/data
cacheDir: /tmp/cache
dataSources:
litestreamds:
extension:
extensionURL: system://sqldb
configuration:
litestream:
replicationURL: s3://bucket/mydb.db
envoyExternalAuthz:
enabled: true
extension:
extensionURL: /extensions/envoy.wasm
proxyExtensions:
importantExtension:
extensionURL: /extensions/important.wasm?checksum=sha256:dcbbdeaf3d6ddd64ca8ec1026e7addb877a420fbc1be9a73d246839df8935b4a
priority: 1
required: true
configuration:
environment: staging
dataMount: /data
routeExtensions:
caddy:
extension:
extensionURL: /extensions/caddy.wasm
routes:
"/caddy/auth": ["POST"]Reference
The following section enumerates all possible configuration options for Synapse. Please note that some configuration sections are mutually exclusive with each other.
---
audit:
instanceAnnotations: {"instance": "eu-west-002"} # InstanceAnnotations are key-value pairs of static information about this instance that should be added to the Cerbos requests for audit purposes.
cache:
backend: "inmem" # Backend sets the cache implementation to use. Valid values are "inmem" or "redis".
inmem: # InMem configures the in-memory cache.
maxSize: 1024
redis: # Redis configures a Redis-backed cache.
connectionURL: redis://localhost:6379/0?dial_timeout=3&read_timeout=6s&max_retries=2
extensions:
cacheDir: ${XDG_CACHE_DIR} # CacheDir sets the directory to use for caching downloaded extensions and other artifacts.
dataDir: ${XDG_DATA_DIR} # DataDir sets the global directory under which the extensions can store their custom data.
dataSources:
example:
extension:
extensionURL: system://sqldb # DataSources are common functions usable by other extensions.
envoyExternalAuthz: # EnvoyExternalAuthz configures the Envoy external authorization endpoint.
enabled: false # Enabled sets whether the Envoy endpoint is enabled or not.
extension: # Extension defines a pluggable extension to use for handling Envoy requests. Mutually exclusive with mapping.
configuration: {} # Configuration holds any custom configuration values needed by the extension.
dataMount: /data # DataMount defines the virtual file system root for the extension.
disabled: false # Disabled prevents the extension from being loaded.
extensionURL: ${PWD}/extensions/ext.wasm?checksum=sha256:dcbbdeaf3d6ddd64ca8ec1026e7addb877a420fbc1be9a73d246839df8935b4a # Required. ExtensionURL defines the URL to obtain the extension from.
mapping: # Mapping uses declarative configuration to handle Envoy requests. Mutually exclusive with extension.
request: # Required. Request configures handling of requests sent to the adapter.
action: "request.method.lowerAscii()" # Required. Action is a CEL expression to extract the action from the incoming request.
auxData: # AuxData configures how to extract the auxiliary data from the incoming request.
jwt: # JWT configures how to extract the JWT from the incoming request.
keySetID: "'gateway'" # KeySetID is a CEL expression to extract the ID of the keyset to be used to verify the JWT from the incoming request.
token: "request.header['Authorization'].replace('Bearer ', '', 1)" # Required. Token is a CEL expression to extract the JWT from the incoming request.
principal: # Required. Principal configures how to extract the principal from the incoming request.
attr: "{'ip': request.header['X-Forwarded-For'].split(', ', 2)[0]}" # Attr is a CEL expression or map of CEL expressions to extract the principal's attributes from the incoming request.
id: "request.header['X-User-Id']" # Required. ID is a CEL expression to extract the principal's ID from the incoming request.
policyVersion: "'default'" # PolicyVersion is a CEL expression to extract the principal's policy version from the incoming request.
roles: "['anonymous']" # Required. Roles is a CEL expression or list of CEL expressions to extract the principal's roles from the incoming request.
scope: "request.header['X-Tenant-Id']" # Scope is a CEL expression to extract the principal's scope from the incoming request.
requestID: "request.header['X-Request-Id']" # RequestID is a CEL expression to extract the request ID from the incoming request.
resource: # Required. Resource configures how to extract the resource from the incoming request.
attr: "request.body.json" # Attr is a CEL expression or map of CEL expressions to extract the resource's attributes from the incoming request.
id: "request.body.json.id" # Required. ID is a CEL expression to extract the resource's ID from the incoming request.
kind: "'route'" # Required. Kind is a CEL expression to extract the resource's kind from the incoming request.
policyVersion: "'default'" # PolicyVersion is a CEL expression to extract the resource's policy version from the incoming request.
scope: "request.header['X-Tenant-Id']" # Scope is a CEL expression to extract the resource's scope from the incoming request.
response: "{'status': {'code': check.allow ? google.rpc.Code.OK : google.rpc.Code.PERMISSION_DENIED}}" # Response is a CEL expression returning a envoy.service.auth.v3.CheckResponse
proxyExtensions:
example:
extensionURL: /extensions/foo.wasm # ProxyExtensions configure interceptor chains for Cerbos Check/Plan requests.
routeExtensions:
example:
extensionURL: /extensions/foo.wasm # RouteExtensions configure arbitrary HTTP handlers for providing external authorization capabilities via Cerbos policies.
workDir: ${TMPDIR} # WorkDir sets the directory for creating sockets and other temporary files.
pdp:
external: # External configures the server to connect to PDP(s) running elsewhere.
grpcAddress: cerbos:3593
httpAddress: cerbos:3592
tls:
authority: cerbos.example.com # Authority overrides the TLS authority for the connection.
caCert: /path/to/ca.crt # CACert sets the path to a CA certificate file to use for validating the certificates.
disabled: false # Disabled switches off TLS and attempts to connect to the PDP using a plaintext connection. Not recommended for production use.
insecure: false # Insecure switches off verification of issuer and host of TLS certificates. Not recommended for production use.
timeout: 5s
inProcess:
storage:
driver: disk # InProcess configures a Cerbos PDP that runs on the same process as this server.
workDir: /tmp/tainaron # WorkDir is the directory to use for creating sockets and other files required to run the PDP.
server:
cors:
allowedHeaders: ['content-type'] # AllowedHeaders is the contents of the allowed-headers header.
allowedOrigins: ['*'] # AllowedOrigins is the contents of the allowed-origins header.
disabled: false # Disabled sets whether CORS is disabled.
maxAge: 10s # MaxAge is the max age of the CORS preflight check.
debugAddress: 127.0.0.1:6666
disableDocs: false
listenAddress: :3594
tls:
caCert: /path/to/ca.crt # CACert is the path to the optional CA certificate for verifying client requests.
cert: /path/to/tls.crt # Cert is the path to the TLS certificate file.
key: /path/to/tls.key # Key is the path to the TLS private key file.
tailscale:
authKey: ${TS_AUTHKEY} # AuthKey to use to register the service. Defaults to environment variable TS_AUTHKEY.
disabled: false # Disabled prevents the Tailscale service from being launched even if TS_AUTHKEY is defined in the environment.
hostName: cerbos-001 # HostName overrides the host name of this instance on the tailnet. Defaults to system host name.
serviceName: svc:cerbos-synapse # ServiceName sets the name of the Tailscale service. Defaults to cerbos-synapse.
servicePort: 443 # ServicePort sets the port of the Tailscale service. Defaults to 443.
timeouts:
idle: 300s # Idle sets the server idle timeout.
read: 60s # Read sets server read timeout.
readHeader: 30s # ReadHeader sets server read header timeout.
shutdown: 30s # Shutdown sets the time to wait for the server to gracefully shutdown.
write: 30s # Write sets server write timeout.
udsFileMode: 0o766