A Developer's Take on Cerbos: The Smarter Way to Handle Authorization

Authentication combined with authorization forms the backbone of application security and secure access control, with authorization ensuring that users can only access what they are allowed to. For many developers, implementing authorization is complex and time-consuming.

Enter Cerbos: an open-source solution that takes the burden out of creating and managing authorization, so you can focus on implementing other features in your application.

Today, I'm going to share my Cerbos experience and why I believe it's a game changer for developers, whether you're a developer working on a side project, developing any kind of application, or managing a large business system.

What Is Authorization?

First, let’s start with the basics. Authorization is the process of determining what actions a user is allowed to perform and what resources they can access within an application.

Just look at it this way:

• Authentication is the “Who are you?” part (logging in, verifying identity).
• Authorization is the “What can you do?” part (access control).

In the real world, authorization might mean ensuring that:

• Users can only access their own data. For example, a customer can see their own invoices but not others'.
• Admins have the right level of control. For example, an admin can control user accounts but would not have access to their sensitive details.
• Guests and public users have restricted access. A guest can see a website's content but cannot make purchases without the necessary permissions.
• Roles and permissions align with duties within a team. For example, a project manager can change project details, but team members can only see the tasks assigned to them.

This sounds simple enough, but implementing it in your application or system is a different challenge, and here's why:

1. If you hardcode rules directly into your application, it will quickly become a complex web of if-else statements and conditions, which turns into having to do a lot of maintenance over time.

2. Businesses and their requirements evolve over time. New roles, permissions, and exceptions come up, and your system needs to keep up with these changes. Adapting to these changing requirements can introduce bugs or require you to rewrite the whole authorization code.

3. Building a custom authorization system from scratch takes months of effort, and that's before you even start testing and scaling it.

With these challenges in mind, you need a solution that makes the authorization process easy for your application, and in comes Cerbos.

What Is Cerbos, and How Does It Work?

Cerbos is a policy-based access control (PBAC) solution that simplifies the implementation and management of fine-grained application access control.

Compared to traditional role-based systems (RBAC), PBAC is more flexible. Cerbos, for example, doesn't restrict privileges to static roles but allows you to create rules that consider changing factors such as user attributes, resources, environment, etc.

Here’s how it works:

• Write and update policies: Cerbos policies are written in YAML, a clean, human-readable, and version-controllable format. You decide who can do what and under what conditions and update these policies anytime you want. For example:

resources:
  Orders:
    kind: Orders
    id: Orders:001
    attr:
      example: true

• Check permissions: Cerbos provides APIs for evaluating these policies. It is as easy as sending the user, resource, and action in a request:

if (await cerbos.isAllowed({ principal: user, resource, action: "edit" })) { // allowed }

• Make requests: The application makes a call to Cerbos' SDK, which returns information about the user and the resource requested.

• Get a response: Cerbos compares the request to current policies and returns an allow or deny response.

• Deploy anywhere: You can deploy Cerbos to fit your stack, whether you're running a monolithic architecture or a complex microservices setup. It supports multiple languages such as JavaScript, Python, Java, PHP, etc., which makes it versatile and developer-friendly.

• Real-time flexibility: Cerbos is not restricted to static policies. You can define dynamic conditions based on runtime data, such as allowing access only during certain hours or while a user's subscription is active.

What Makes Cerbos Stand Out?

Here’s what I love about Cerbos:

1. No more hardcoding rules

When you hardcode rules in your application, every small change means going back into your codebase, rewriting logic, and testing everything over again. With Cerbos, rules are externalized into policies. If you need to adjust permissions, just modify the YAML file; no need to redeploy.

2. Dynamic, context-aware policies

Defining roles like "system admin," "developer," etc. sometimes isn't enough; you'd want to grant personnel permission only when certain conditions, which evaluate the ownership of a resource, the time of access, or specific attributes of the user or resource, are met.

An example could be allowing personnel to access certain information only when they're in a secure location, like within the organization, or restricting access when their logged in with a public WiFi.

For example, this policy allows customers to only view orders where customerId matches their userId.

For example:

match:
  expr: request.resource.attributes.customerId ==  request.principal.attributes.userId

This allows you to manage situations when permissions are based on the user's relationship with the resource rather than just their job.

For more details on context-aware policies in Cerbos, read this Understanding Context-Aware Permissions blog.

3. Centralized and transparent

Having a single place for all of your authorization rules makes it easier to manage, audit, and troubleshoot them. Plus, Cerbos is open-source, which means you can inspect and understand how decisions are made.

4. Built for developers by developers

Cerbos speaks our language, literally. It’s quick and easy to get started thanks to the available SDKs for various programming languages and integrations.

A Day in the Life of Using Cerbos

I’ll demonstrate all I’ve been saying about Cerbos with a practical example.

Let's say I’m building an online store application. My users include regular customers, managers, and administrators. Each of these roles has different permissions:

• Customers are end users who browse the store, place orders, and manage their accounts.
• Managers are the staff responsible for managing inventory and tracking order statuses.
• Admins are superusers with full control over the system, including user and inventory management.

Here’s how I’d handle this with Cerbos:

1. Define Policies

First, I’ll write policies that clearly outline who can do what. These policies will be stored in a YAML file, which I can version-control alongside my code. This allows me to easily track changes and collaborate with my team.

The principals.yaml file:

principals:
  admin:
    id: admin@yourapp.example.com
    roles:
      - admin
    attr:
      example: true

  customer:
    id: customer@yourapp.example.com
    roles:
      - customer
    attr:
      example: true

  manager:
    id: manager@yourapp.example.com
    roles:
      - manager
    attr:
      example: true

The resources.yaml file:

resources:
  Orders:
    kind: Orders
    id: Orders:001
    attr:
      example: true

  Products:
    kind: Products
    id: Products:001
    attr:
      example: true

  Users:
    kind: Users
    id: Users:001
    attr:
      example: true

Here’s how it looks on my Cerbos playground:

2. Integrate with My App

I'll then integrate Cerbos into my application by adding a few lines of code, configure it with this policy, and use the Cerbos API to check permissions.

For example, to check if a user can delete a product:

const { isAllowed } = await cerbos.check({
  resource: "products",
  action: "delete",
  principal: { role: "manager" },
});

if (isAllowed) {
  // Perform the delete action
} else {
  // Deny access
}

3. Version Control My Policies

Next, I’ll store the policy YAML file in my repository to track changes and ensure it is consistent across environments.

4. Adapt Over Time

As my platform grows and new roles and features are added, I will simply update the policies. There is no need to touch my application logic, which reduces the risk of breaking existing functionality.

Seamless right? I thought so too.

Cerbos Hub for Enterprises

I previously mentioned that Cerbos is an open-source solution; however, while the open-source version of Cerbos is enough for most use cases, business enterprises often require more.

This is when Cerbos Hub comes into play, and here are some of its features:

• Its centralized management allows you to manage policies for multiple apps, teams, and projects through a single interface.

• It allows you to find which policies are being used the most, identify potential bottlenecks, and receive insights into your access control system.

• In businesses where compliance is very important, the "audit trails" feature allows you to prove that your access controls are strong and reliable.

Final Thoughts

Cerbos helps simplify a difficult aspect of software development-authorization as it allows you to focus on what you do best. So even if you're building a simple app or a complex system, Cerbos makes authorization feel simple.

But don't just take my word for it. If you're not familiar with it, try Cerbos for yourself, and perhaps after experiencing its simplicity, you'll wonder why you haven't used it before.

To get started, run Cerbos from one of the many options available. But before that, you can try out the Cerbos’ playground—an interactive environment for creating and testing authorization policies in real-time—to see what it can actually do.

What do you think about Cerbos? If you’ve used it or have questions, drop a comment below.