Cerbos set out early in 2021, not to reinvent the wheel, but to make authorization a clearer and simpler part of your application. A lot of complicated logic typically goes into implementing authorization permissions in an application. We sat down with our own Alex Olivier to go over what Cerbos is, and why it should be the go-to for authorization.
Typically a team of engineers has to write a lot of if/else and switch statements to handle what users can do after they have been authenticated. This pulls them away from other parts of the application and takes a lot of time, sometimes three months or more. Cerbos makes all of this simple: your application asks an API one question, “Can this user do this action on this resource? Yes or no.” The answer is defined in your policies, and you can run, update, or change those policies independently of your code base.
Cerbos is an open source access control system that can handle all of your complicated business logic through simple configuration. It allows you to plug it into your existing stack as a decoupled service.
Why you should use Cerbos
Cerbos is completely open-source and is easy to get up and running. You are also able to self-host it, and while this may seem like one more thing you have to run, there is a reason for it.
Authentication is generally checked only once, and the result can be cached for a session. Authorization, by contrast, is checked constantly: the application has to keep making requests, and the answers change as users move around within the application.
Self-hosting Cerbos lets you operate more efficiently, because your application does not have to wait on a third-party service to be up in order to make these checks on the fly. Cerbos is self-hosted for performance reasons: response times are within milliseconds.
Cerbos is also a decoupled authorization platform whose rules are defined in human-readable policies. With Cerbos, you don’t have to learn a new language: you write the policies in easy-to-understand YAML files. This allows other members of a team, such as product managers or members of a security team, to read them.
Cerbos works in tandem with authentication
There are usually three main parts to building out the path from authentication to authorization. It starts with your user login. Tied to that login is some sort of profile stating who this user is and what group, team, or organization they are in. Finally, you authorize what they can do based on the information provided in the previous two steps.
The primary use case for Cerbos is basic application permissions. It allows you to easily set what users are allowed to do in certain situations. However, authorization needs vary, and Cerbos covers those as well.
It lets you ask, and decide, whether users have access to a certain product feature, whether they are on the right package to do x, y, z, or even whether they are within a usage limit. These conditions are set in Cerbos policies.
It is completely stateless and works with cloud services and multiple languages
Cerbos is completely stateless and is distributed as binaries and containers, so it can run in the cloud. You can run it straight on a VM with the binary, in a Kubernetes cluster, or even in ECS. It runs wherever you can execute a container or a binary on a server.
There is also a plethora of SDKs built to work with different languages. These cover all the common languages and can run on either the server side or the client side. Cerbos can also be called directly as a simple API.
Migrating to using Cerbos for authorization
Cerbos allows you to replace the existing complicated logic of a current application incrementally. There is no need to do a massive migration all at once. The best way to do this is resource by resource.
Let’s take a look at how that might look for an HR system. You have things like vacation requests, employees, and payroll. All you have to do is work through each resource one policy at a time, gradually replacing your if/else statements with policies defined in Cerbos.
Creating policies for roles is as simple as stating what users with those roles can do and access. As the application changes you can simply add or update policies, instead of having to write new logic every time something needs to change.
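The two passages above (conditions on attributes such as package or usage limits, and the resource-by-resource migration of an HR system away from if/else) can be made concrete with a small added example. This is constructed illustration code, not Cerbos's policy format, SDK, or engine: the `Principal`, `Resource`, `rule`, `check` and `migration_mismatches` names and the policy dict are assumptions made for this example. It shows the "before" for a `vacation_request` resource as hand-written branches, the same rules expressed as data with role, action, effect and an attribute condition, a default-deny evaluator that answers "can this principal do this action on this resource?", and a parity check you can run while both paths coexist during a migration.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Principal:
    id: str
    roles: set
    attr: dict = field(default_factory=dict)


@dataclass
class Resource:
    kind: str
    id: str
    attr: dict = field(default_factory=dict)


# --- Before: permissions buried in application code -------------------------
def can_before(user: Principal, req: Resource, action: str) -> bool:
    """Hand-written if/else for the HR 'vacation_request' resource.
    Every new role, action or condition adds another branch, and the
    application has to be redeployed to change any of it."""
    if action == "approve" and req.attr.get("owner") == user.id:
        return False  # nobody approves their own request
    if "admin" in user.roles and action in ("view", "approve"):
        return True
    if ("manager" in user.roles
            and req.attr.get("department") is not None
            and req.attr.get("department") == user.attr.get("department")
            and action in ("view", "approve")):
        return True
    if ("employee" in user.roles
            and req.attr.get("owner") == user.id
            and action in ("view", "cancel")):
        return True
    return False


# --- After: the same rules as data, evaluated by one generic check ----------
Condition = Callable[[Principal, Resource], bool]


def rule(actions, roles, effect="allow", condition: Optional[Condition] = None):
    return {"actions": set(actions), "roles": set(roles),
            "effect": effect, "condition": condition}


# Constructed policy for one resource kind (a stand-in for a policy file, so
# the example runs offline). Conditions are plain callables here.
POLICIES = {
    "vacation_request": [
        rule(["view", "approve"], ["admin"]),
        rule(["view", "approve"], ["manager"],
             condition=lambda p, r: r.attr.get("department") is not None
             and r.attr.get("department") == p.attr.get("department")),
        rule(["view", "cancel"], ["employee"],
             condition=lambda p, r: r.attr.get("owner") == p.id),
        # An explicit deny that wins over every allow above.
        rule(["approve"], ["*"], effect="deny",
             condition=lambda p, r: r.attr.get("owner") == p.id),
    ],
}


def check(policies: dict, principal: Principal, resource: Resource, action: str) -> bool:
    """Answer "can this principal do this action on this resource?".
    Default deny: no matching rule -> False. A matching deny short-circuits."""
    allowed = False
    for r in policies.get(resource.kind, []):
        if action not in r["actions"]:
            continue
        if "*" not in r["roles"] and not (r["roles"] & principal.roles):
            continue
        if r["condition"] is not None and not r["condition"](principal, resource):
            continue
        if r["effect"] == "deny":
            return False
        allowed = True
    return allowed


def can_after(user: Principal, req: Resource, action: str) -> bool:
    """The application call site after migration: one question, no branches."""
    return check(POLICIES, user, req, action)


def migration_mismatches(users, resources, actions):
    """Run the old and new checks side by side while migrating one resource;
    an empty list means the policy reproduces the old behaviour exactly."""
    return [(u.id, r.id, a) for u in users for r in resources for a in actions
            if can_before(u, r, a) != can_after(u, r, a)]
```

The points worth noticing are that unknown resource kinds and unmatched rules fall through to deny, that a missing `department` attribute never satisfies the manager condition, and that the parity function is what lets you swap one resource at a time with evidence rather than hope.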
Cerbos is open source
Since Cerbos is open source, the team is always looking for feedback and suggestions to keep everything up to date. Everything is on GitHub, and they welcome users opening PRs or contributing in other ways; some users have already contributed PRs around telemetry. There is always a need for clear documentation as well.
There is also a Slack community that anyone can join from the website. You can expect coverage from the Cerbos team around the clock, because the team is completely remote and spread worldwide, so there is usually someone around.
Try the playground
Cerbos wants users to experiment with everything it has to offer, which is why the team created a playground early on. You can find it at play.cerbos.dev.
It is an environment where you can define all your policies along with example principals and resources, and get live feedback. It does this by running against a real Cerbos instance.
This lets you see real-world results for the inputs you give it. It also tells you whether your policies are in the right format or are missing any attributes you may need. You can write tests for all of this in the playground as well.
Cerbos has also added some example starter demos so you can familiarize yourself with everything and get started quickly. These generate the code snippets for you, so you can see exactly how everything works.
When the team set out to build this authorization platform, they tried to make everything straightforward and as simple to use as possible. Cerbos is open source and has an active Slack community that anyone can join. Try it for building out the authorization logic in your next application.
Book a free Policy Workshop to discuss your requirements and get your first policy written by the Cerbos team