Cerbos: Authorization-as-a-Service
“Cerbos is an authorization solution, which helps developers easily implement and manage fine-grained access control.”
Introduction
Software development in this modern era is more about thinking of unique solutions to greater problems. Gone are the times when one had to think about the syntax or the implementation of code in any one programming language. This shift has come about because higher-level technologies now provide abstract functions through libraries, which saves developers from re-writing logic that someone else has already written. We only need to tweak it to make it useful for our purposes.
But this isn’t true of writing role-based authorization logic. Building an authorization module, especially a role-based one, generally requires a good amount of time: building roles, setting up the permissions for each role, and writing the logic that restricts anyone who lacks a specific permission across the application.
This in turn keeps developers from quickly wrapping up the authorization module, which almost 90% of the time will be the first module to be developed in the project (of course, that’s not the case in every project).
Cerbos has picked up this problem statement and built a product that will be a game-changer when it comes to building a role-based authorization system for your project.
What is Cerbos?
Cerbos makes fine-grained access controls easy to implement and manage, making authorization more secure and more adaptable to changing requirements, while saving months of developer time.
Cerbos works as an independent authorization system: it runs as a separate service that solely handles authorization for your application.
The main idea behind using Cerbos as an authorization service is that roles and responsibilities are implemented in the form of a policy. Defining a policy is nothing more than writing a simple YAML configuration file that states the rules for a particular role and gives that role access to a particular module.
Imagine writing code with multiple nested if-else statements to manage the roles and their corresponding permissions for each module. It would be tiring work for a developer.
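A sketch of what such a policy file can look like, added here as an illustration and not taken from the original article or from the Cerbos project's samples. The `expense` resource, the `employee` and `manager` roles, and the `owner` and `status` attributes are hypothetical.

```yaml
# Added illustration: resource kind, roles and attributes are hypothetical.
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  resource: "expense"
  rules:
    # Any employee may file a new expense.
    - actions: ["create"]
      effect: EFFECT_ALLOW
      roles: ["employee"]

    # Employees may read and update only the expenses they own.
    - actions: ["read", "update"]
      effect: EFFECT_ALLOW
      roles: ["employee"]
      condition:
        match:
          expr: request.resource.attr.owner == request.principal.id

    # Managers may read every expense.
    - actions: ["read"]
      effect: EFFECT_ALLOW
      roles: ["manager"]

    # Managers may approve pending expenses, but never their own.
    - actions: ["approve"]
      effect: EFFECT_ALLOW
      roles: ["manager"]
      condition:
        match:
          all:
            of:
              - expr: request.resource.attr.status == "PENDING"
              - expr: request.resource.attr.owner != request.principal.id

    # Once approved, an expense is frozen for everyone.
    - actions: ["update", "delete"]
      effect: EFFECT_DENY
      roles: ["employee", "manager"]
      condition:
        match:
          expr: request.resource.attr.status == "APPROVED"
```

Cerbos denies any action that no rule allows, and a matching `EFFECT_DENY` rule wins over any allow, so the last rule blocks edits to an approved expense even for its owner.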
Why use Cerbos?
We have already discussed the main reason for using Cerbos, which is to get rid of writing a whole lot of conditional code for managing the roles and their corresponding permissions, but it is not the only thing about using an externalized policy-based authorization system.
Let’s discuss some other advantages that developers can take by using Cerbos.
As the policies for all the roles in our system are kept separate from the application code, it is easy and efficient to manage the roles and change their permissions when necessary.
Cerbos is independent of the authentication technique: whether you use JWT tokens, Auth0 or something else, the Cerbos authorization service can read data from it.
Cerbos authorization services can be deployed on any system, such as cloud providers, serverless architectures, Kubernetes environments, etc.
Cerbos’s authorization services can be integrated via SDKs with any of the programming stack/languages, such as .NET, JavaScript, Python, Java, Ruby, Rust and many others.
Cerbos PDP
Cerbos PDP is the authorization as a service module developed by Cerbos.
Cerbos PDP can be integrated into our existing codebase either through its API or by spinning up the Docker image of Cerbos PDP and connecting it to our codebase.
As you can see in the diagram, your policy repository is the place where you define all your policy YAML configuration files. It can be either a Git repo or any database where you have seeded your YAML files.
Identity providers are basically your authentication techniques, such as JWT, Okta or Auth0. The Cerbos system can communicate with any of these external systems and bring in the necessary data from them to carry out the authorization process.
Policy updates take effect instantly, without re-deploying or restarting the server or re-compiling the application. This ensures a faster fix for unauthorized events caused by giving the wrong access to a particular role.
You can learn more about Cerbos PDP and its implementation in different technologies here
Cerbos Hub
Cerbos Hub is a cloud-hosted solution for large-scale applications, which have loads of roles and permissions present in the system.
Cerbos Hub is just like a large-scale project, with its own pipelines to test or deploy newer policies or to listen for updates to policies. These are generally triggered by changing some policies or adding newer policies to the authorization service.
These pipelines encapsulate Cerbos PDP services and add some more functionality before deploying newer policies into running PDPs.
As per the diagram, before updating the policies in the PDPs, Cerbos Hub validates the policy, runs some tests around it and also combines those policies into Embedded Policy Bundles as CDN, so that these can be used in other similar systems as well.
Everything remains the same as Cerbos PDP except that Cerbos instances now receive optimized policy bundles from Cerbos Hub instead of polling a policy repository and compiling new policies locally as they change.
Cerbos Hub handles the validation, testing, compilation and deployment of policy updates to all connected Cerbos policy decision points. Embedded bundles are published as part of the CI process as well and clients are able to retrieve the latest builds via a special URL.
Learn more about Cerbos Hub and its implementation here.
Cerbos Playground
If you are feeling odd about using this newer system for authorization as a service, the Cerbos team has also developed a playground, in which you can play around with making roles, defining the policy for those roles and accessing particular resources for each role.
This playground will help you learn more about Cerbos and its implementation without worrying about “how do I set it up on my local machine?”
With Cerbos Playground, you can do multiple things, such as:
Making users of specific roles
Writing policies for the role (Very Important and Core Feature)
Testing your policies against the roles and the authorized resources.
Giving access to the resources to a particular role.
You can access the Cerbos Playground from here.
All of this will make you more familiar with the Cerbos system, so that you are able to write your own policies and give specific access to specific roles.
You can also learn about how to write policies in Cerbos from here.
Conclusion
So, folks, we have come to the end of this article.
We have discussed an awesome externalized authorization system named Cerbos.
Here are all the necessary links that you need to get started using this awesome product.
Cerbos PDP → 🔗 https://docs.cerbos.dev/cerbos/latest/
Cerbos Hub → 🔗 https://docs.cerbos.dev/cerbos-hub/
Cerbos Playground → 🔗 https://play.cerbos.dev/new
If you have any queries or comments about this article, please reach out to me at dharmjoshi01@gmail.com.