### Clone and Start Example Project

Source: https://docs.cerbos.dev/cerbos/latest/recipes/query-plan-adapters/sqlalchemy.html

Clone the example repository, navigate into the project directory, start the Cerbos service, install dependencies, and run the demo.

```bash
git clone git@github.com:cerbos/python-sqlalchemy-cerbos.git
cd python-sqlalchemy-cerbos
cd cerbos && ./start.sh && cd ..
pdm install
pdm run demo
```

--------------------------------

### Clone the Repository

Source: https://docs.cerbos.dev/cerbos/latest/recipes/authentication/auth0

Clone the example application repository to get started.

```bash
git clone git@github.com:cerbos/express-auth0-cerbos.git
```

--------------------------------

### Run REPL using Binary

Source: https://docs.cerbos.dev/cerbos/latest/cli/cerbos.html

Starts the Cerbos REPL utility directly from the command line using the installed binary.

```sh
./cerbos repl
```

--------------------------------

### Install Prisma Adapter

Source: https://docs.cerbos.dev/cerbos/latest/recipes/query-plan-adapters/prisma.html

Install the Prisma adapter package using npm.

```bash
npm install @cerbos/orm-prisma
```

--------------------------------

### Clone the example repository

Source: https://docs.cerbos.dev/cerbos/latest/recipes/authentication/fusionauth

Clone the repository containing the Express.js and FusionAuth integration example.

```bash
git clone git@github.com:cerbos/express-fusionauth-cerbos.git
```

--------------------------------

### Neovim LSP Configuration for YAML Language Server

Source: https://docs.cerbos.dev/cerbos/latest/policies/authoring_tips.html

Example configuration for Neovim using lazy.nvim and mason.nvim to install and set up the YAML language server for Cerbos policies. Each schema URL is mapped to the glob of files it should validate.
```lua
-- lazy.nvim plugin spec: install yamlls via mason and register the Cerbos JSON schemas
return {
  {
    "neovim/nvim-lspconfig",
    dependencies = {
      { "williamboman/mason.nvim" },
      {
        "williamboman/mason-lspconfig.nvim",
        opts = { ensure_installed = { "yamlls" } },
      },
    },
    opts = {
      servers = {
        yamlls = {
          settings = {
            yaml = {
              -- Lua table keys that are URLs must be written in bracket form
              schemas = {
                ["https://api.cerbos.dev/latest/cerbos/policy/v1/Policy.schema.json"] = "/cerbos/*",
                ["https://api.cerbos.dev/latest/cerbos/policy/v1/TestSuite.schema.json"] = "/cerbos/**/*_test.yaml",
                ["https://api.cerbos.dev/latest/cerbos/policy/v1/TestFixture/Resources.schema.json"] = "/cerbos/**/testdata/resources.yaml",
                ["https://api.cerbos.dev/latest/cerbos/policy/v1/TestFixture/Principals.schema.json"] = "/cerbos/**/testdata/principals.yaml",
                ["https://api.cerbos.dev/latest/cerbos/policy/v1/TestFixture/AuxData.schema.json"] = "/cerbos/**/testdata/auxdata.yaml",
              },
            },
          },
        },
      },
    },
  },
}
```

--------------------------------

### Cerbos Server Startup Log

Source: https://docs.cerbos.dev/cerbos/latest/tutorial/03_calling-cerbos.html

This is an example of the log output you should see when the Cerbos server starts successfully, indicating that the policies were loaded and the gRPC and HTTP services are running.
```sh
2024-12-28T13:55:57.043+0600	INFO	cerbos.server	maxprocs: Leaving GOMAXPROCS=8: CPU quota undefined
2024-12-28T13:55:57.044+0600	INFO	cerbos.server	Loading configuration from .cerbos.yaml
2024-12-28T13:55:57.045+0600	WARN	cerbos.otel	Disabling OTLP traces because neither OTEL_EXPORTER_OTLP_ENDPOINT nor OTEL_EXPORTER_OTLP_TRACES_ENDPOINT is defined
2024-12-28T13:55:57.046+0600	INFO	cerbos.disk.store	Initializing disk store from /Users/username/tutorial/policies
2024-12-28T13:55:57.048+0600	INFO	cerbos.index	Found 3 executable policies
2024-12-28T13:55:57.048+0600	INFO	cerbos.telemetry	Telemetry disabled
2024-12-28T13:55:57.048+0600	INFO	cerbos.grpc	Starting gRPC server at :3593
2024-12-28T13:55:57.050+0600	INFO	cerbos.http	Starting HTTP server at :3592
```

--------------------------------

### Start Cerbos Server with Configuration

Source: https://docs.cerbos.dev/cerbos/latest/cli/cerbos.html

Starts the Cerbos server using a specified configuration file.

```bash
cerbos server --config=/path/to/.cerbos.yaml
```

--------------------------------

### Start Cerbos Server with Dagger (SQLite)

Source: https://docs.cerbos.dev/cerbos/latest/policies/compile.html

Start a Cerbos server using Dagger, configured to use an in-memory SQLite policy repository. This setup enables the admin API.

```bash
dagger -m github.com/cerbos/dagger-cerbos call server --config=storage.driver=sqlite3,storage.sqlite3.dsn=:memory:,server.adminAPI.enabled=true up
```

--------------------------------

### Start FastAPI dev server

Source: https://docs.cerbos.dev/cerbos/latest/recipes/authentication/aws-cognito

Start the FastAPI development server using the provided script.

```bash
./pw demo
```

--------------------------------

### Get Cerbos Go SDK

Source: https://docs.cerbos.dev/cerbos/latest/api

Install the Cerbos Go SDK, which uses the gRPC API, by fetching the generated protobuf code.
```sh
go get github.com/cerbos/cerbos/api/genpb
```

--------------------------------

### Install Mongoose Adapter

Source: https://docs.cerbos.dev/cerbos/latest/recipes/query-plan-adapters/mongoose.html

Install the Mongoose adapter package using npm.

```bash
npm install @cerbos/orm-mongoose
```

--------------------------------

### Start Express Server

Source: https://docs.cerbos.dev/cerbos/latest/recipes/authentication/auth0

Start the Express.js server to run the application.

```bash
node index.js
```

--------------------------------

### Install Dependencies

Source: https://docs.cerbos.dev/cerbos/latest/recipes/query-plan-adapters/prisma.html

Installs the packages needed for Express, the Cerbos gRPC client, Prisma Client, and the Cerbos ORM adapter for Prisma.

```bash
npm i express @cerbos/grpc @prisma/client @cerbos/orm-prisma && npm i --save-dev @types/express ts-node
```

--------------------------------

### Install Dagger Cerbos Module

Source: https://docs.cerbos.dev/cerbos/latest/policies/compile.html

Install the Dagger Cerbos module to use its functions for policy compilation and server management. This is a one-time setup.

```bash
dagger install github.com/cerbos/dagger-cerbos
```

--------------------------------

### Install Cerbos with Homebrew

Source: https://docs.cerbos.dev/cerbos/latest/installation/binary.html

Install the Cerbos binaries using the Homebrew package manager by tapping the official Cerbos repository and installing the package.

```bash
brew tap cerbos/tap
brew install cerbos
```

--------------------------------

### Full Cerbos Configuration Example

Source: https://docs.cerbos.dev/cerbos/latest/configuration

A comprehensive example of a Cerbos configuration file, demonstrating settings for temporary directories, remote bundle sources, and various storage drivers.

```yaml
tempDir: ${TEMP}  # TempDir is the directory to use for temporary files.
remote:  # Remote holds configuration for remote bundle source. Takes precedence over local if both are defined.
  bundleLabel: latest  # Required. BundleLabel to fetch from the server.
  cacheDir: ${XDG_CACHE_DIR}  # CacheDir is the directory to use for caching downloaded bundles.
  disableAutoUpdate: false  # DisableAutoUpdate sets whether new bundles should be automatically downloaded and applied.
  tempDir: ${TEMP}  # TempDir is the directory to use for temporary files.
mysql:  # This section is required only if storage.driver is mysql.
  connPool:
    maxLifeTime: 60m
    maxIdleTime: 45s
    maxOpen: 4
    maxIdle: 1
  connRetry:
    maxAttempts: 3
    initialInterval: 0.5s
    maxInterval: 60s
  dsn: "user:password@tcp(localhost:3306)/db?interpolateParams=true"  # Required. DSN is the data source connection string.
  serverPubKey:
    mykey: testdata/server_public_key.pem
  skipSchemaCheck: false  # SkipSchemaCheck skips checking for required database tables on startup.
  tls:
    mytls:
      cert: /path/to/certificate
      key: /path/to/private_key
      caCert: /path/to/CA_certificate
overlay:  # This section is required only if storage.driver is overlay.
  baseDriver: blob  # Required. BaseDriver is the default storage driver
  fallbackDriver: disk  # Required. FallbackDriver is the secondary or fallback storage driver
  fallbackErrorThreshold: 5  # FallbackErrorThreshold is the max number of errors we allow within the fallbackErrorWindow period
  fallbackErrorWindow: 5m  # FallbackErrorWindow is the cyclic period within which we aggregate failures
postgres:  # This section is required only if storage.driver is postgres.
  connPool:
    maxLifeTime: 60m
    maxIdleTime: 45s
    maxOpen: 4
    maxIdle: 1
  connRetry:
    maxAttempts: 3
    initialInterval: 0.5s
    maxInterval: 60s
  skipSchemaCheck: false  # SkipSchemaCheck skips checking for required database tables on startup.
  url: "postgres://user:password@localhost:port/db"  # Required. URL is the Postgres connection URL. See https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
sqlite3:  # This section is required only if storage.driver is sqlite3.
  dsn: ":memory:?_fk=true"  # Required. Data source name
telemetry:
  disabled: false  # Disabled sets whether telemetry collection is disabled or not.
  reportInterval: 1h  # ReportInterval is the interval between telemetry pings.
  stateDir: ${HOME}/.config/cerbos  # StateDir is used to persist state to avoid repeatedly sending the data over and over again.
```

--------------------------------

### PlanResources Request Example

Source: https://docs.cerbos.dev/cerbos/latest/recipes/filtering-resources.html

This is an example of a PlanResources request. It specifies the principal, the resource kind, and the action for which to generate a query plan.

```json
{
  "requestId": "filter-example",
  "action": "view",
  "principal": {
    "id": "alice",
    "roles": ["user"],
    "attr": {
      "department": "engineering"
    }
  },
  "resource": {
    "kind": "document",
    "policyVersion": "default"
  }
}
```

--------------------------------

### Install Python dependencies

Source: https://docs.cerbos.dev/cerbos/latest/recipes/authentication/aws-cognito

Install the necessary Python dependencies for the application from the project root directory.

```bash
# from project root
./pw install
```

--------------------------------

### Full Cerbos Configuration Example

Source: https://docs.cerbos.dev/cerbos/latest/configuration

An example of a comprehensive Cerbos configuration file, showcasing the options for audit logging, masking of sensitive fields, and Kafka integration.

```yaml
---
audit:
  accessLogsEnabled: false  # AccessLogsEnabled defines whether access logging is enabled.
  backend: local  # Backend states which backend to use for Audits.
  decisionLogFilters:  # DecisionLogFilters define the filters to apply while producing decision logs.
    checkResources:  # CheckResources defines the filters that apply to CheckResources calls.
      ignoreAllowAll: false  # IgnoreAllowAll ignores responses that don't contain an EFFECT_DENY.
    planResources:  # PlanResources defines the filters that apply to PlanResources calls.
      ignoreAll: false  # IgnoreAll prevents any plan responses from being logged. Takes precedence over other filters.
      ignoreAlwaysAllow: false  # IgnoreAlwaysAllow ignores ALWAYS_ALLOWED plans.
  decisionLogsEnabled: false  # DecisionLogsEnabled defines whether logging of policy decisions is enabled.
  enabled: false  # Enabled defines whether audit logging is enabled.
  excludeMetadataKeys: ['authorization']  # ExcludeMetadataKeys defines which gRPC request metadata keys should be excluded from the audit logs. Takes precedence over includeMetadataKeys.
  includeMetadataKeys: ['content-type']  # IncludeMetadataKeys defines which gRPC request metadata keys should be included in the audit logs.
  file:
    additionalPaths: [stdout]  # AdditionalPaths to mirror the log output. Has performance implications. Use with caution.
    logRotation:  # LogRotation settings (optional).
      maxFileAgeDays: 10  # MaxFileAgeDays sets the maximum age in days of old log files before they are deleted.
      maxFileCount: 10  # MaxFileCount sets the maximum number of files to retain.
      maxFileSizeMB: 100  # MaxFileSizeMB sets the maximum size of individual log files in megabytes.
    path: /path/to/file.log  # Required. Path to the log file to use as output. The special values stdout and stderr can be used to write to stdout or stderr respectively.
  hub:
    advanced:
      bufferSize: 256
      flushInterval: 1s
      gcInterval: 60s
      maxBatchSize: 32
    mask:
      checkResources:
        - inputs[*].principal.attr.foo
        - inputs[*].auxData
        - outputs
      metadata: ['authorization']
      peer:
        - address
        - forwarded_for
      planResources: ['input.principal.attr.nestedMap.foo']
    pipeOutput:
      backend: file
      enabled: false
    retentionPeriod: 168h  # How long to keep records for
    storagePath: /path/to/dir  # Path to store the data
  kafka:
    ack: all  # Ack mode for producing messages. Valid values are "none", "leader" or "all" (default). Idempotency is disabled when mode is not "all".
    authentication:  # Authentication
      tls:
        caPath: /path/to/ca.crt  # Required. CAPath is the path to the CA certificate.
        certPath: /path/to/tls.cert  # CertPath is the path to the client certificate.
        insecureSkipVerify: true  # InsecureSkipVerify controls whether the server's certificate chain and host name are verified. Default is false.
        keyPath: /path/to/tls.key  # KeyPath is the path to the client key.
        reloadInterval: 5m  # ReloadInterval is the interval at which the TLS certificates are reloaded. The default is 0 (no reload).
    brokers: ['localhost:9092']  # Required. Brokers list to seed the Kafka client.
```

--------------------------------

### Start Cerbos Server with Dagger (Disk Driver)

Source: https://docs.cerbos.dev/cerbos/latest/policies/compile.html

Start a Cerbos server instance using Dagger, configured with the default disk driver for policies. The `--policy-dir` flag specifies the policy location.

```bash
dagger -m github.com/cerbos/dagger-cerbos call server --policy-dir=./cerbos up
```

--------------------------------

### Install cerbos-sqlalchemy

Source: https://docs.cerbos.dev/cerbos/latest/recipes/query-plan-adapters/sqlalchemy.html

Install the package using pip. Ensure you have Cerbos and SQLAlchemy installed.

```bash
pip install cerbos-sqlalchemy
```

--------------------------------

### Install Node.js Dependencies

Source: https://docs.cerbos.dev/cerbos/latest/recipes/authentication/auth0

Install the necessary Node.js dependencies for the Express application.

```bash
npm install
```

--------------------------------

### Start Cerbos Server with Docker

Source: https://docs.cerbos.dev/cerbos/latest/quickstart.html

Starts the Cerbos server in a Docker container, mounting a local directory for policies and exposing the HTTP (3592) and gRPC (3593) ports.

```bash
docker run --rm --name cerbos -d -v $(pwd)/cerbos-quickstart/policies:/policies -p 3592:3592 -p 3593:3593 ghcr.io/cerbos/cerbos:0.53.0
```

--------------------------------

### Install Cerbos with Post-Renderer

Source: https://docs.cerbos.dev/cerbos/latest/installation/helm.html

Install Cerbos using the Helm chart, applying custom patches defined by a post-renderer script.
```bash
helm install cerbos cerbos/cerbos --version=0.53.0 --post-renderer=./kustomize.sh
```

--------------------------------

### Install cerbosctl CLI

Source: https://docs.cerbos.dev/cerbos-hub/policy-stores-cli-npx.html

Installs the cerbosctl CLI tool globally using npm.

```bash
npm install -g cerbosctl
```

--------------------------------

### Install @cerbos/langchain-chromadb

Source: https://docs.cerbos.dev/cerbos/latest/recipes/query-plan-adapters/langchain-chromadb.html

Install the package using npm. Ensure the Cerbos and ChromaDB requirements are met.

```bash
npm install @cerbos/langchain-chromadb
```

--------------------------------

### cerbosctl Usage Example (Plaintext)

Source: https://docs.cerbos.dev/cerbos/latest/cli/cerbosctl.html

This example shows how to connect to a non-TLS server and launch the decisions viewer. The Admin API must be enabled on the Cerbos server, and credentials can be supplied via environment variables or command-line arguments.

```bash
cerbosctl --server=localhost:3593 --username=user --password=password --plaintext decisions
```

--------------------------------

### Install Cerbos using Helm Chart with PV Values

Source: https://docs.cerbos.dev/cerbos/latest/installation/helm.html

Command to install the Cerbos Helm chart with a specified version and a custom values file for mounted volume storage configuration.

```bash
helm install cerbos cerbos/cerbos --version=0.53.0 --values=pv-values.yaml
```

--------------------------------

### Install Cerbos from OCI Registry

Source: https://docs.cerbos.dev/cerbos/latest/installation/helm.html

Install the Cerbos Helm chart from an OCI registry, useful for environments where direct Helm repository access is restricted.
```bash
HELM_EXPERIMENTAL_OCI=1 helm install cerbos oci://ghcr.io/cerbos/helm-charts/cerbos --version=0.53.0
```

--------------------------------

### Install Cerbos using Helm Chart with Git Values

Source: https://docs.cerbos.dev/cerbos/latest/installation/helm.html

Command to install the Cerbos Helm chart with a specified version and a custom values file for Git storage configuration.

```bash
helm install cerbos cerbos/cerbos --version=0.53.0 --values=git-values.yaml
```

--------------------------------

### Start Cerbos Server with Admin API and SQLite

Source: https://docs.cerbos.dev/cerbos/latest/cli/cerbos.html

Starts the Cerbos server with the Admin API enabled and configured to use the SQLite storage driver with an in-memory data source. The `--set` flags override values from the configuration file.

```bash
cerbos server --config=/path/to/.cerbos.yaml --set=server.adminAPI.enabled=true --set=storage.driver=sqlite3 --set=storage.sqlite3.dsn=':memory:'
```

--------------------------------

### Create Project Structure and Initialize Go Module

Source: https://docs.cerbos.dev/synapse/latest/extensions/wasm-go-tutorial.html

Set up the project directory, initialize a Go module, and fetch the dependencies needed for the Synapse extension.

```bash
$ mkdir -p wasm-go-tutorial/policies wasm-go-tutorial/extensions wasm-go-tutorial/src
$ cd wasm-go-tutorial/src
$ go mod init example.com/synapse-extension
$ go get github.com/extism/go-pdk@latest
$ go get github.com/tidwall/sjson@latest
$ cd ..
```

--------------------------------

### Example Repository Structure for Subdirectory Sync

Source: https://docs.cerbos.dev/cerbos-hub/policy-stores-git-github.html

Illustrates a typical repository structure where policies are located in a subdirectory, demonstrating how to configure the sync path.
```text
my-repo/
├── src/
├── docs/
└── policies/
    └── cerbos/
        ├── resource_policies/
        └── derived_roles/
```

--------------------------------

### GitHub Actions Workflow for Cerbos Policy Check

Source: https://docs.cerbos.dev/cerbos/latest/policies/compile.html

An example GitHub Actions workflow that uses `cerbos-setup-action` to install Cerbos and `cerbos-compile-action` to compile and test policies on every pull request against `main`.

```yaml
---
name: PR Check
on:
  pull_request:
    branches:
      - main
jobs:
  cerbosCheck:
    name: Check Cerbos policies
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Setup Cerbos
        uses: cerbos/cerbos-setup-action@v1
        with:
          version: latest
      - name: Compile and test policies
        uses: cerbos/cerbos-compile-action@v1
        with:
          policyDir: policies
```

--------------------------------

### Run Cerbos Binary with Configuration

Source: https://docs.cerbos.dev/cerbos/latest/tutorial/01_running-locally.html

Starts the Cerbos server using the release binary, referencing a specified configuration file.

```bash
./cerbos server --config=.cerbos.yaml
```

--------------------------------

### Get Contact Request

Source: https://docs.cerbos.dev/cerbos/latest/recipes/authentication/jwt

Example curl request to retrieve a specific contact by ID. Requires an `Authorization` header with a valid JWT bearer token. Allowed for the `user` and `admin` roles.

```bash
curl -X GET 'http://localhost:3000/contacts/abc123' \
  --header 'Authorization: Bearer '
```

--------------------------------

### Manage Cerbos with Nix flake

Source: https://docs.cerbos.dev/cerbos/latest/installation/binary.html

Commands to run the Cerbos server, the REPL, or cerbosctl using a Nix flake. Also includes how to start a Nix shell session with both binaries installed.
```bash
# Launch a Cerbos server
nix run github:cerbos/cerbos-flake#cerbos -- server --set=storage.disk.directory=/path/to/policy_directory
```

```bash
# Launch a REPL
nix run github:cerbos/cerbos-flake#cerbos -- repl
```

```bash
# Launch cerbosctl
nix run github:cerbos/cerbos-flake#cerbosctl
```

```bash
# Start a Nix shell session with cerbos and cerbosctl installed
nix shell github:cerbos/cerbos-flake
```

--------------------------------

### Compile Policies and Run Tests with Cerbos

Source: https://docs.cerbos.dev/cerbos/latest/tutorial/04_testing-policies.html

Use the Cerbos `compile` command to validate your policies and run the associated test suites. This example shows the command for both Docker and binary installations.

```bash
# Using Container
docker run --rm --name cerbos -t \
  -v /tutorial:/tutorial \
  -p 3592:3592 \
  ghcr.io/cerbos/cerbos:latest compile /tutorial/policies

# Using Binary
./cerbos compile /tutorial/policies
```

--------------------------------

### Download and Install cerbosctl CLI

Source: https://docs.cerbos.dev/cerbos-hub/policy-stores-cli-binary.html

Download the appropriate cerbosctl binary for your OS and architecture, extract it, make it executable, and move it to a directory on your PATH.

```bash
curl -L -o cerbosctl.tar.gz "https://github.com/cerbos/cerbos/releases/download/v0.45.1/"
tar xvf cerbosctl.tar.gz
chmod +x cerbosctl
mv cerbosctl /usr/local/bin/  # or somewhere on your PATH
```

--------------------------------

### Run Synapse with Docker

Source: https://docs.cerbos.dev/synapse/latest/extensions/wasm-go-tutorial.html

Starts a Synapse instance using Docker, mounting the configuration, policies, and extensions read-only. Exposes the server port and sets the log level to debug.
```bash
$ docker run --rm --name synapse-wasm-go -p 3594:3594 \
    -v $(pwd)/config.yaml:/config/config.yaml:ro \
    -v $(pwd)/policies:/policies:ro \
    -v $(pwd)/extensions:/extensions:ro \
    CERBOS_DISTRIBUTION_REPO/synapse/synapse:latest \
    server --conf.path=/config/config.yaml --log.level=debug
```

--------------------------------

### Install Cerbos with npm

Source: https://docs.cerbos.dev/cerbos/latest/installation/binary.html

Install Cerbos and cerbosctl as development dependencies in your JavaScript project using npm. Ensure optional dependencies are not omitted during installation, since the platform-specific binaries are shipped as optional dependencies.

```bash
npm install --save-dev cerbos cerbosctl
```

--------------------------------

### Install @cerbos/orm-convex

Source: https://docs.cerbos.dev/cerbos/latest/recipes/query-plan-adapters/convex.html

Install the Convex ORM adapter package using npm.

```bash
npm install @cerbos/orm-convex
```

--------------------------------

### Convex Query Plan Adapter Usage Example

Source: https://docs.cerbos.dev/cerbos/latest/recipes/query-plan-adapters/convex.html

Demonstrates how to use `queryPlanToConvex` to turn a Cerbos query plan into Convex filters and apply them to a database query. Includes handling for the different plan kinds (always denied, always allowed, conditional) and an optional post-filter applied in application code.
```typescript
import { queryPlanToConvex, PlanKind } from "@cerbos/orm-convex";

// Ask the PDP for the conditions under which this principal may "view" documents
const queryPlan = await cerbos.planResources({
  principal: { id: "user1", roles: ["USER"] },
  resource: { kind: "document" },
  action: "view",
});

// Translate the plan into a Convex filter (and, if needed, a post-filter)
const { kind, filter, postFilter } = queryPlanToConvex({
  queryPlan,
  mapper,
  allowPostFilter: true,
});

if (kind === PlanKind.ALWAYS_DENIED) return [];
if (kind === PlanKind.ALWAYS_ALLOWED && !postFilter) {
  return await ctx.db.query("documents").collect();
}

let query = ctx.db.query("documents");
if (filter) query = query.filter(filter);
let results = await query.collect();
if (postFilter) results = results.filter(postFilter);
return results;
```

--------------------------------

### Load Synapse Configuration from File

Source: https://docs.cerbos.dev/synapse/latest/extensions/testing.html

Instructs the test runner to start a Synapse instance using the configuration from the specified YAML file. Ensure the file is a valid Synapse configuration.

```starlark
test_suite = struct(
    synapse_config = testing.load_synapse_config("synapse.yaml"),
)
```

--------------------------------

### cerbosctl Usage Example

Source: https://docs.cerbos.dev/cerbos/latest/cli/cerbosctl.html

This example demonstrates connecting to a TLS-enabled server while skipping certificate verification and launching the decisions viewer. Ensure the Admin API is enabled on your Cerbos server and provide credentials via environment variables or command-line arguments.

```bash
cerbosctl --server=localhost:3593 --username=user --password=password --insecure decisions
```

--------------------------------

### Docker Healthcheck Example

Source: https://docs.cerbos.dev/cerbos/latest/cli/cerbos.html

Demonstrates how to run a Cerbos PDP container with a mounted configuration directory, passing the configuration path via the `CERBOS_CONFIG` environment variable.
```docker
docker run -i -t -p 3592:3592 -p 3593:3593 \
  -v /path/to/conf/dir:/config \
  -e CERBOS_CONFIG=/config/.cerbos.yaml \
  ghcr.io/cerbos/cerbos:0.53.0
```

--------------------------------

### Substring Extraction

Source: https://docs.cerbos.dev/cerbos/latest/policies/conditions.html

Extract a portion of a string, either from a starting index to the end, or between a start and end index (the end index is exclusive).

```cerbos
R.attr.department.substring(4) == "eting" && R.attr.department.substring(4, 6) == "et"
```

--------------------------------

### Start Cerbos Server

Source: https://docs.cerbos.dev/cerbos/latest/tutorial/03_calling-cerbos.html

Use these commands to launch the Cerbos server, either via Docker or directly using the binary. Ensure the configuration file is accessible.

```sh
# Using Container
docker run --rm --name cerbos -t \
  -v /tutorial:/tutorial \
  -p 3592:3592 ghcr.io/cerbos/cerbos:latest server --config=/tutorial/.cerbos.yaml

# Using Binary
./cerbos server --config=/tutorial/.cerbos.yaml
```

--------------------------------

### Initialize Prisma Database

Source: https://docs.cerbos.dev/cerbos/latest/recipes/query-plan-adapters/prisma.html

Initializes the database schema based on the Prisma schema definition.

```bash
npx prisma migrate dev --name init
```

--------------------------------

### Role-Led Policy Example

Source: https://docs.cerbos.dev/cerbos/latest/policies/best_practices.html

Focuses on a role and lists all actions that role can perform. Useful for systems with distinct roles and many actions.

```yaml
# These three actions can be performed by principals in the `JR_MANAGER` role
- actions:
    - "run"
    - "view"
    - "share"
  effect: EFFECT_ALLOW
  roles:
    - JR_MANAGER
```

--------------------------------

### Cerbos Response Example

Source: https://docs.cerbos.dev/cerbos/latest/quickstart.html

This is an example of a Cerbos server response for a `check_resources` request, detailing the decision for each action on each resource.
```json
{
  "requestId": "quickstart",
  "results": [
    {
      "resource": {
        "id": "BUGS001",
        "kind": "album:object"
      },
      "actions": {
        "comment": "EFFECT_DENY",
        "view:public": "EFFECT_DENY"
      }
    },
    {
      "resource": {
        "id": "DAFFY002",
        "kind": "album:object"
      },
      "actions": {
        "comment": "EFFECT_DENY",
        "view:public": "EFFECT_DENY"
      }
    }
  ]
}
```

--------------------------------

### Start Cerbos PDP

Source: https://docs.cerbos.dev/cerbos/latest/recipes/query-plan-adapters/prisma.html

Starts the Cerbos Policy Decision Point (PDP) server with policies mounted from the local directory.

```bash
docker run -i -t -p 3592:3592 \
  -v $(pwd)/cerbos/policies:/policies \
  ghcr.io/cerbos/cerbos:0.53.0 \
  server
```

--------------------------------

### Create Fly.io App

Source: https://docs.cerbos.dev/cerbos/latest/deployment/cloud-platforms.html

Use the flyctl CLI to create a new application on Fly.io.

```bash
flyctl apps create
```

--------------------------------

### JWT Payload Structure Example

Source: https://docs.cerbos.dev/cerbos/latest/recipes/authentication/jwt

The expected structure of a JWT payload for this example, including the user ID, name, issued-at timestamp, and roles.

```json
{
  sub: string,
  name: string,
  iat: number,
  roles: string[] // "user" and "admin" supported in this demo
}
```

--------------------------------

### Get Current Server Time

Source: https://docs.cerbos.dev/cerbos/latest/policies/conditions.html

Uses the `now()` function to get the current server time for comparisons. This is a Cerbos extension to CEL.

```cel
now() > timestamp(R.attr.lastAccessed)
```

--------------------------------

### Get Schema(s) using cURL

Source: https://docs.cerbos.dev/cerbos/latest/api/admin_api.html

Issue a GET request to retrieve schema definitions. Specify the schema IDs as repeated `id` query parameters.
```shell
curl -k -u cerbos:cerbosAdmin \
  'https://localhost:3592/admin/schema?id=principal.json&id=leave_request.json'
```

--------------------------------

### Test Expectation with Multiple Principals and Resources

Source: https://docs.cerbos.dev/cerbos/latest/releases/v0.40.0

This example demonstrates how to specify multiple principals and resources in a single test expectation, reducing verbosity compared to listing an individual expectation for each combination. The first block shows the verbose form; the second expresses the same expectations in one entry.

```yaml
- name: Multiple principals and resources
  input:
    principals:
      - bev
      - barb
    resources:
      - leave_request
      - cancelled_leave_request
    actions:
      - edit
      - view
    auxData: myJWT
  expected:
    - principal: bev
      resource: leave_request
      actions:
        edit: EFFECT_ALLOW
        view: EFFECT_ALLOW
    - principal: bev
      resource: cancelled_leave_request
      actions:
        edit: EFFECT_ALLOW
        view: EFFECT_ALLOW
    - principal: barb
      resource: leave_request
      actions:
        edit: EFFECT_ALLOW
        view: EFFECT_ALLOW
    - principal: barb
      resource: cancelled_leave_request
      actions:
        edit: EFFECT_ALLOW
        view: EFFECT_ALLOW
```

```yaml
- name: Multiple principals and resources
  input:
    principals:
      - bev
      - barb
    resources:
      - leave_request
      - cancelled_leave_request
    actions:
      - edit
      - view
  expected:
    - principals:
        - bev
        - barb
      resources:
        - leave_request
        - cancelled_leave_request
      actions:
        edit: EFFECT_ALLOW
        view: EFFECT_ALLOW
```