README
¶
Painless access control for your software
Cerbos helps you super-charge your authorization implementation by writing context-aware access control policies for your application resources. Author access rules using an intuitive YAML configuration language, use your Git-ops infrastructure to test and deploy them and, make simple API requests to the Cerbos PDP to evaluate the policies and make dynamic access decisions.
- Try online with the Cerbos playground
- Explore demo repositories
- Read the documentation
- Subscribe to the newsletter
- Join the community on Slack
- Install Cerbos
- Get the client SDKs
- Contribute
Used by
Cerbos is popular among large and small organizations:
|
|
|
|
|
|
|
|
Using Cerbos? Open a PR to add your company.
How it works
Example
Derived roles: Dynamically assign new roles to users based on contextual data.
---
apiVersion: "api.cerbos.dev/v1"
derivedRoles:
name: common_roles
definitions:
- name: owner
parentRoles: ["user"]
condition:
match:
expr: request.resource.attr.owner == request.principal.id
- name: abuse_moderator
parentRoles: ["moderator"]
condition:
match:
expr: request.resource.attr.flagged == true
Resource policy: Write access rules for a resource.
---
apiVersion: api.cerbos.dev/v1
resourcePolicy:
importDerivedRoles:
- common_roles
resource: "album:object"
version: "default"
rules:
- actions: ['*']
effect: EFFECT_ALLOW
derivedRoles:
- owner
- actions: ['view', 'flag']
effect: EFFECT_ALLOW
roles:
- user
condition:
match:
expr: request.resource.attr.public == true
- actions: ['view', 'delete']
effect: EFFECT_ALLOW
derivedRoles:
- abuse_moderator
API request
cat <<EOF | curl --silent "http://localhost:3592/api/check/resources?pretty" -d @-
{
"requestId": "test01",
"includeMeta": true,
"principal": {
"id": "alicia",
"roles": [
"user"
]
},
"resources": [
{
"actions": [
"view"
],
"resource": {
"id": "XX125",
"kind": "album:object",
"attr": {
"owner": "alicia",
"public": false,
"flagged": false
}
}
}
]
}
EOF
API response
{
"requestId": "test01",
"results": [
{
"resource": {
"id": "XX125",
"kind": "album:object",
"policyVersion": "default"
},
"actions": {
"view": "EFFECT_ALLOW"
},
"meta": {
"actions": {
"view": {
"matchedPolicy": "resource.album_object.vdefault"
}
},
"effectiveDerivedRoles": [
"owner"
]
}
}
]
}
Telemetry
We collect anonymous usage data to help us improve the product. You can opt out by setting the CERBOS_NO_TELEMETRY=1 environment variable. For more information about what data we collect and other ways to opt out, see the telemetry documentation.
Stargazers
Directories
¶
| Path | Synopsis |
|---|---|
|
api
|
|
|
genpb/cerbos/svc/v1
Package svcv1 is a reverse proxy.
|
Package svcv1 is a reverse proxy. |
|
genpb
Module
|
|
|
Package client provides a client implementation to interact with a Cerbos instance and check access policies.
|
Package client provides a client implementation to interact with a Cerbos instance and check access policies. |
|
testutil
Package testutil provides testing utilities such as functions to start a Cerbos server and tear it down.
|
Package testutil provides testing utilities such as functions to start a Cerbos server and tear it down. |
|
cmd
|
|
|
docs
|
|
|
hack
|
|
|
tools/generate-npm-packages
Module
|
|
|
tools/protoc-gen-jsonschema
Module
|
|
|
tools/testsplit
Module
|
|
|
internal
|
|
|
private
|
|