Create a client for interacting with an embedded Cerbos policy decision point (PDP), using a specified Loader to load the embedded PDP bundle.
Bundle download URLs are available in the "Embedded" section of the "Decision points" page of your Cerbos Hub workspace.
Fetch an embedded PDP bundle via HTTP in a supported browser or Node.js, and automatically update the bundle when newer versions become available:
const loader = new AutoUpdatingLoader("https://lite.cerbos.cloud/bundle?workspace=...&label=...");
const cerbos = new Embedded(loader);
Create a client for interacting with an embedded Cerbos policy decision point (PDP), using the default Loader to load the embedded PDP bundle.
This is equivalent to new Embedded(new Loader(source, options)).
Bundle download URLs are available in the "Embedded" section of the "Decision points" page of your Cerbos Hub workspace.
Fetch an embedded PDP bundle via HTTP in a supported browser or Node.js:
const cerbos = new Embedded("https://lite.cerbos.cloud/bundle?workspace=...&label=...");
Readonly loader: The Loader used to load the embedded policy decision point bundle.
Add policies, or update existing policies.
Optional options: RequestOptions
Requires
- the client to be configured with Options.adminCredentials,
- the Cerbos policy decision point server to be configured with the admin API enabled, and
- a dynamic storage backend.
Create a policy in code:
await cerbos.addOrUpdatePolicies({
  policies: [{
    resourcePolicy: {
      resource: "document",
      version: "1",
      rules: [{
        actions: ["*"],
        effect: Effect.ALLOW,
        roles: ["ADMIN"],
      }],
    },
  }],
});
Load a policy from a YAML or JSON file with readPolicy:
import { readPolicy } from "@cerbos/files";
await cerbos.addOrUpdatePolicies({
  policies: [await readPolicy("path/to/policy.yaml")],
});
Load policies and schemas from a directory with readDirectory:
import { readDirectory } from "@cerbos/files";
const { policies, schemas } = await readDirectory("path/to/directory");
await cerbos.addOrUpdateSchemas({ schemas });
await cerbos.addOrUpdatePolicies({ policies });
Add schemas to be used for validating principal or resource attributes, or update existing schemas.
Optional options: RequestOptions
Requires
- the client to be configured with Options.adminCredentials,
- the Cerbos policy decision point server to be configured with the admin API enabled, and
- a dynamic storage backend.
Create a schema in code:
await cerbos.addOrUpdateSchemas({
  schemas: [{
    id: "document.json",
    definition: {
      type: "object",
      properties: {
        owner: { type: "string" }
      }
    },
  }],
});
Load a schema from a JSON file with readSchema:
import { readSchema } from "@cerbos/files";
await cerbos.addOrUpdateSchemas({
  schemas: [await readSchema("_schemas/path/to/schema.json")],
});
Load policies and schemas from a directory with readDirectory:
import { readDirectory } from "@cerbos/files";
const { policies, schemas } = await readDirectory("path/to/directory");
await cerbos.addOrUpdateSchemas({ schemas });
await cerbos.addOrUpdatePolicies({ policies });
Checks the health of services provided by the policy decision point server.
Optional request: HealthCheckRequest
Optional options: RequestOptions
Check a principal's permissions on a resource.
Optional options: RequestOptions
Check a principal's permissions on a set of resources.
Optional options: RequestOptions
const decision = await cerbos.checkResources({
  principal: {
    id: "user@example.com",
    roles: ["USER"],
    attr: { tier: "PREMIUM" },
  },
  resources: [
    {
      resource: {
        kind: "document",
        id: "1",
        attr: { owner: "user@example.com" },
      },
      actions: ["view", "edit"],
    },
    {
      resource: {
        kind: "image",
        id: "1",
        attr: { owner: "user@example.com" },
      },
      actions: ["delete"],
    },
  ],
});
decision.isAllowed({
  resource: { kind: "document", id: "1" },
  action: "view",
}); // => true
Delete a schema.
Optional options: RequestOptions
Requires
- the client to be configured with Options.adminCredentials,
- the Cerbos policy decision point (PDP) server to be configured with the admin API enabled, and
- a dynamic storage backend.
The way this method handles failure depends on the version of the connected PDP server.
When the server is running Cerbos v0.25 or later, it returns true if the schema was deleted and false if the schema was not found.
With earlier versions of Cerbos, it throws an error if the schema was not found, and returns successfully if the schema was deleted; the returned value should be ignored.
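The version-dependent result handling described above can be hidden behind one wrapper so callers always get a boolean. This is an added example, not code from the Cerbos SDK: it reads the PDP version through the client's serverInfo() method, and `deleteSchemaNormalized`, `isNotFound` and `fakeClient` are hypothetical names, with the fake client constructed so the code runs offline.

```javascript
// Added example (not SDK code): uniform deleteSchema() result across PDP versions.

// Extract [major, minor] from strings such as "0.25.1" or "v0.34.0".
function parseMajorMinor(version) {
  const m = /^v?(\d+)\.(\d+)/.exec(String(version));
  return m ? [Number(m[1]), Number(m[2])] : null;
}

function isAtLeast(version, major, minor) {
  const v = parseMajorMinor(version);
  if (!v) throw new Error(`unrecognised PDP version: ${version}`); // fail closed
  return v[0] > major || (v[0] === major && v[1] >= minor);
}

// Resolves to true if the schema was deleted and false if it was not found.
// isNotFound is a hypothetical caller-supplied predicate that recognises the
// "schema not found" error thrown by servers older than v0.25.
async function deleteSchemaNormalized(client, id, isNotFound) {
  const { version } = await client.serverInfo();
  if (isAtLeast(version, 0, 25)) {
    return (await client.deleteSchema(id)) === true;
  }
  try {
    await client.deleteSchema(id); // pre-v0.25: ignore the returned value
    return true;
  } catch (err) {
    if (isNotFound(err)) return false;
    throw err; // auth or network failures must not be reported as "not found"
  }
}

// Constructed stand-in for a connected client so the example runs offline.
function fakeClient(version, ids) {
  const store = new Set(ids);
  return {
    serverInfo: async () => ({ version }),
    deleteSchema: async (id) => {
      const existed = store.delete(id);
      if (isAtLeast(version, 0, 25)) return existed;
      if (!existed) throw Object.assign(new Error("not found"), { notFound: true });
      return false; // constructed misleading value, to show why it is ignored
    },
  };
}
```

Errors that the predicate does not recognise are rethrown, so a credentials or connectivity failure is never mistaken for a missing schema.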
Delete multiple schemas.
Optional options: RequestOptions
Requires
- the client to be configured with Options.adminCredentials,
- the Cerbos policy decision point (PDP) server to be configured with the admin API enabled, and
- a dynamic storage backend.
The way this method handles failure depends on the version of the connected PDP server. When the server is running Cerbos v0.25 or later, it returns a DeleteSchemasResponse that includes the number of schemas that were deleted. With earlier versions of Cerbos, it throws an error if no schemas were found, and returns successfully if at least one schema was deleted; the returned value should be ignored.
Disable multiple policies.
Optional options: RequestOptions
Requires
- the client to be configured with Options.adminCredentials,
- the Cerbos policy decision point server to be at least v0.25 and configured with the admin API enabled, and
- a dynamic storage backend.
Disable a policy.
Optional options: RequestOptions
Requires
- the client to be configured with Options.adminCredentials,
- the Cerbos policy decision point server to be at least v0.25 and configured with the admin API enabled, and
- a dynamic storage backend.
Enable multiple policies.
Optional options: RequestOptions
Requires
- the client to be configured with Options.adminCredentials,
- the Cerbos policy decision point server to be at least v0.26 and configured with the admin API enabled, and
- a dynamic storage backend.
Enable a policy.
Optional options: RequestOptions
Requires
- the client to be configured with Options.adminCredentials,
- the Cerbos policy decision point server to be at least v0.26 and configured with the admin API enabled, and
- a dynamic storage backend.
Fetch an access log entry by call ID from the policy decision point server's audit log.
Optional options: RequestOptions
Requires
- the client to be configured with Options.adminCredentials; and
- the Cerbos policy decision point server to be configured with
  - the admin API enabled,
  - the local audit logging backend, and
  - access logs enabled.
Fetch a decision log entry by call ID from the policy decision point server's audit log.
Optional options: RequestOptions
Requires
- the client to be configured with Options.adminCredentials; and
- the Cerbos policy decision point server to be at least v0.18 and configured with
  - the admin API enabled,
  - the local audit logging backend, and
  - decision logs enabled.
Fetch multiple policies by ID.
Optional options: RequestOptions
Requires
- the client to be configured with Options.adminCredentials, and
- the Cerbos policy decision point server to be configured with the admin API enabled.
Fetch a policy by ID.
Optional options: RequestOptions
Requires
- the client to be configured with Options.adminCredentials, and
- the Cerbos policy decision point server to be configured with the admin API enabled.
Fetch a schema by ID.
Optional options: RequestOptions
Requires
- the client to be configured with Options.adminCredentials, and
- the Cerbos policy decision point server to be configured with the admin API enabled.
Fetch multiple schemas by ID.
Optional options: RequestOptions
Requires
- the client to be configured with Options.adminCredentials, and
- the Cerbos policy decision point server to be configured with the admin API enabled.
Inspect policies in the store.
Optional request: InspectPoliciesRequest
Optional options: RequestOptions
Requires
- the client to be configured with Options.adminCredentials; and
- the Cerbos policy decision point server to be at least v0.35 and configured with the admin API enabled.
Check if a principal is allowed to perform an action on a resource.
Optional options: RequestOptions
List access log entries from the policy decision point server's audit log.
Optional options: RequestOptions
Requires
- the client to be configured with Options.adminCredentials; and
- the Cerbos policy decision point server to be configured with
  - the admin API enabled,
  - the local audit logging backend, and
  - access logs enabled.
List decision log entries from the policy decision point server's audit log.
Optional options: RequestOptions
Requires
- the client to be configured with Options.adminCredentials; and
- the Cerbos policy decision point server to be configured with
  - the admin API enabled,
  - the local audit logging backend, and
  - decision logs enabled.
List policies.
Optional request: ListPoliciesRequest
Optional options: RequestOptions
Requires
- the client to be configured with Options.adminCredentials, and
- the Cerbos policy decision point server to be configured with the admin API enabled.
List schemas.
Optional options: RequestOptions
Requires
- the client to be configured with Options.adminCredentials, and
- the Cerbos policy decision point server to be configured with the admin API enabled.
Produce a query plan that can be used to obtain a list of resources on which a principal is allowed to perform a particular action.
Optional options: RequestOptions
Reload the store.
Optional options: RequestOptions
Requires
- the client to be configured with Options.adminCredentials,
- the Cerbos policy decision point server to be configured with the admin API, and
- a reloadable storage backend.
Retrieve information about the Cerbos policy decision point server.
Optional options: RequestOptions
Create a client instance with a pre-specified principal.
A client for interacting with an embedded Cerbos policy decision point (PDP).
Remarks
Embedded PDP bundles are WebAssembly modules downloaded from Cerbos Hub. Bundle download URLs are available in the "Embedded" section of the "Decision points" page of your Cerbos Hub workspace.
See the parent class for available methods.