Resource policies define rules for actions that can be performed on a given resource.
basicResource.yaml defines a resource policy for the kind basicResource, with create, read, update and delete actions. This policy expects a principal to have either the ADMIN or USER role.
A basicResource is expected to have two attributes, ownerId and isPublished, which are used in the policy to make decisions about which actions should be permitted.
Attribute schemas are optional JSON schemas that are used by the Cerbos PDP at request time to validate the incoming request having all the required data to make a correct authorization decision. The server configuration can be set to either give a warning or reject the request if the input doesn't conform to these schemas.
\_schemas/principal.json defines a schema for the principals, while \_schemas/basicResource.json defines a schema for the basicResource objects.
basicResource_test.yaml defines a test suite and related test data that checks that the permissions are implemented as expected.
.cerbos.yaml is used to configure a Cerbos PDP server container to load the policies from disk.
.cerbos-hub.yaml is used to configure a Cerbos Hub workspace to compile policy bundles from commits matching the configured labels, to be deployed to connected Cerbos PDP instances.
A straightforward way to run Cerbos is via a container, an example of which is shown below. See the documentation for other ways to install and run Cerbos locally.
Verify that the policies are correct by using the compile command.
docker run --rm -it \
-v $(pwd):/basic-crud \
ghcr.io/cerbos/cerbos:latest \
compile --verbose /basic-crud
Launch a PDP server by running the server command.
docker run --rm --name cerbos \
-v $(pwd):/basic-crud \
-p 3592:3592 \
-p 3593:3593 \
ghcr.io/cerbos/cerbos:latest \
server --config=/basic-crud/.cerbos.yaml
The API documentation can then be found at http://localhost:3592.