New tools for effortless policy creation and testing in Cerbos Hub

Published by Heidi Hokanson on October 08, 2024
New tools for effortless policy creation and testing in Cerbos Hub

We are introducing new features in the Cerbos Hub Playground that aim to simplify how developers write, test, and iterate on authorization policies. These updates are designed to enhance the policy experimentation and testing experience, for longtime users and for those just getting started with Cerbos.

This release includes three additions:

  1. The RBAC policy generator
  2. The API request simulator
  3. Connect a local PDP

These new features were introduced to reduce the time and effort involved in writing and testing policies, addressing common frustrations developers face in their workflow. The goal is to streamline the entire process, allowing for more efficient and realistic policy testing without the need for repetitive manual tasks.

With these enhancements, developers can spend less time on setup and more time on meaningful experimentation and testing, leading to a more productive workflow.

Let’s explore each new feature individually.

1. RBAC policy generator

The RBAC policy generator, (or the RPG if you enjoy playing with acronyms) which was released to the public playground last year, is now part of Cerbos Hub. This feature allows users to create role-based access control (RBAC) policies using a simple, no-code wizard. Once you’re done defining your roles and permissions in the RPG it will populate your playground with the YAML code corresponding to your defined RBAC policies, and a test dataset you can use for troubleshooting and further experimentation.

This feature makes setting up and testing RBAC policies faster and more straightforward and frees developers from the curse of the blank page.

To use the R(BAC)PG, click New Playground in the Hub Playground’s main page and then click the RBAC Policy Generator option when prompted to choose a set up method.

Use the RBAC policy generator in the Cerbos Hub Playground

You’ll then be prompted to define your users, resource types, and actions, which will populate a checkbox grid you can use to assign permissions to roles.

RBAC policy generator – MULTIPLE ROLES added.png

Then click Generate Policy and you’ll see that the Playground automatically populates with policies written in YAML that reflect your selections in the wizard. It also comes ready with test data. You can then continue to manipulate and test your policies in the playground using the normal interface.

2. API request simulator

The API request simulator, (APIRS? ARSim? This one’s not as fun, unfortunately) also previously released in the public playground, is now integrated into Cerbos Hub. This feature allows users to simulate API requests without running a local policy decision point (PDP) and view the output of the Check Resources and Query Plan Resources APIs for any combination of user and resource.

This feature bridges the gap between written documentation and practical use by showing actual responses from the PDP, helping developers understand and verify how their policies behave in different scenarios. You can see the details of how the PDP evaluates policies, including the structure and data in the response. It’s useful for both understanding how Cerbos works and debugging policies based on real API outputs.

To use the API simulator, find the **Implement ** tab in the Hub Playground's right sidebar. Select from test fixtures already defined in your playground, (principal, resource, actions, etc.). You’ll be able to see exactly how the request and response are structured and observe the expected allow/deny response based on your policies.

check-resources.png

3. Connect a PDP to your Playground

The Playground PDP (PG PDP?) feature allows developers to establish a live connection between their development environment and the Hub Playground, eliminating the need to download files and reconfigure a Policy Decision Point (PDP) for each change. This setup lets developers test authorization policies in real-time, significantly reducing the manual steps previously required for policy testing and iteration.

Any changes you make in the playground are immediately reflected in your local PDP, providing a real-time feedback loop for integration testing.

To connect a PDP to your playground, go to the Implement tab in your right hand sidebar, and click Connect a PDP. You will be guided with detailed instructions within the UI. And you can view our demo to see how it’s done.

Step 2.png

Important note:

The live-connected PDP is intended for development and testing purposes only. For production environments, you should use Cerbos Hub's managed CI/CD pipeline by setting up a workspace connected to your policy repository. In production, you can also leverage Cerbos Hub's audit logs feature to store and analyze all authorization decisions made by your PDPs, offering greater visibility and control over policy enforcement.


We invite you to explore these new features and share your feedback with us on Slack!

Book a free Policy Workshop to discuss your requirements and get your first policy written by the Cerbos team