Create a client for interacting with the Cerbos policy decision point (PDP) server over gRPC.
Cerbos PDP server address ("host", "host:port", or "unix:/path/to/socket").
Additional client settings.
Connect via TCP with no encryption:
const cerbos = new GRPC("localhost:3593", { tls: false });
Connect via a Unix socket with no encryption:
const cerbos = new GRPC("unix:/var/run/cerbos.grpc.sock", { tls: false });
Connect to the hosted demo PDP to experiment in the playground:
const cerbos = new GRPC("demo-pdp.cerbos.cloud", { tls: true, playgroundInstance: "gE623b0180QlsG5a4QIN6UOZ6f3iSFW2" });
Add policies, or update existing policies.
Optionaloptions: RequestOptionsRequires
the client to be configured with Options.adminCredentials,
the Cerbos policy decision point server to be configured with the admin API enabled, and
a dynamic storage backend.
Create a policy in code:
await cerbos.addOrUpdatePolicies({
policies: [{
resourcePolicy: {
resource: "document",
version: "1",
rules: [{
actions: ["*"],
effect: Effect.ALLOW,
roles: ["ADMIN"],
}],
},
}],
});
Load a policy from a YAML or JSON file with readPolicy:
import { readPolicy } from "@cerbos/files";
await cerbos.addOrUpdatePolicies({
policies: [await readPolicy("path/to/policy.yaml")],
});
Load policies and schemas from a directory with readDirectory:
import { readDirectory } from "@cerbos/files";
const { policies, schemas } = await readDirectory("path/to/directory");
await cerbos.addOrUpdateSchemas({ schemas });
await cerbos.addOrUpdatePolicies({ policies });
Add schemas to be used for validating principal or resource attributes, or update existing schemas.
Optionaloptions: RequestOptionsRequires
the client to be configured with Options.adminCredentials,
the Cerbos policy decision point server to be configured with the admin API enabled, and
a dynamic storage backend.
Create a schema in code:
await cerbos.addOrUpdateSchemas({
schemas: [{
id: "document.json",
definition: {
type: "object",
properties: {
owner: { type: "string" }
}
},
}],
});
Load a schema from a JSON file with readSchema:
import { readSchema } from "@cerbos/files";
await cerbos.addOrUpdateSchemas({
schemas: [await readSchema("_schemas/path/to/schema.json")],
});
Load policies and schemas from a directory with readDirectory:
import { readDirectory } from "@cerbos/files";
const { policies, schemas } = await readDirectory("path/to/directory");
await cerbos.addOrUpdateSchemas({ schemas });
await cerbos.addOrUpdatePolicies({ policies });
Checks the health of services provided by the policy decision point server.
Optionalrequest: HealthCheckRequestOptionaloptions: RequestOptionsCheck a principal's permissions on a resource.
Optionaloptions: RequestOptionsCheck a principal's permissions on a set of resources.
Optionaloptions: RequestOptionsconst decision = await cerbos.checkResources({
principal: {
id: "user@example.com",
roles: ["USER"],
attr: { tier: "PREMIUM" },
},
resources: [
{
resource: {
kind: "document",
id: "1",
attr: { owner: "user@example.com" },
},
actions: ["view", "edit"],
},
{
resource: {
kind: "image",
id: "1",
attr: { owner: "user@example.com" },
},
actions: ["delete"],
},
],
});
decision.isAllowed({
resource: { kind: "document", id: "1" },
action: "view",
}); // => true
Delete a schema.
Optionaloptions: RequestOptionsRequires
the client to be configured with Options.adminCredentials,
the Cerbos policy decision point (PDP) server to be configured with the admin API enabled, and
a dynamic storage backend.
The way this method handles failure depends on the version of the connected PDP server.
When the server is running Cerbos v0.25 or later, it returns true if the schema was deleted and false if the schema was not found.
With earlier versions of Cerbos, it throws an error if the schema was not found, and returns successfully if the schema was deleted; the returned value should be ignored.
Delete multiple schemas.
Optionaloptions: RequestOptionsRequires
the client to be configured with Options.adminCredentials,
the Cerbos policy decision point (PDP) server to be configured with the admin API enabled, and
a dynamic storage backend.
The way this method handles failure depends on the version of the connected PDP server. When the server is running Cerbos v0.25 or later, it returns a DeleteSchemasResponse that includes the number of schemas that were deleted. With earlier versions of Cerbos, it throws an error if no schemas were found, and returns successfully if at least one schema was deleted; the returned value should be ignored.
Disable multiple policies.
Optionaloptions: RequestOptionsRequires
the client to be configured with Options.adminCredentials,
the Cerbos policy decision point server to be at least v0.25 and configured with the admin API enabled, and
a dynamic storage backend.
Disable a policy.
Optionaloptions: RequestOptionsRequires
the client to be configured with Options.adminCredentials,
the Cerbos policy decision point server to be at least v0.25 and configured with the admin API enabled, and
a dynamic storage backend.
Enable multiple policies.
Optionaloptions: RequestOptionsRequires
the client to be configured with Options.adminCredentials,
the Cerbos policy decision point server to be at least v0.26 and configured with the admin API enabled, and
a dynamic storage backend.
Enable a policy.
Optionaloptions: RequestOptionsRequires
the client to be configured with Options.adminCredentials,
the Cerbos policy decision point server to be at least v0.26 and configured with the admin API enabled, and
a dynamic storage backend.
Fetch an access log entry by call ID from the policy decision point server's audit log.
Optionaloptions: RequestOptionsRequires
the client to be configured with Options.adminCredentials; and
the Cerbos policy decision point server to be configured with
the admin API enabled
the local audit logging backend, and
access logs enabled.
Fetch a decision log entry by call ID from the policy decision point server's audit log.
Optionaloptions: RequestOptionsRequires
the client to be configured with Options.adminCredentials; and
the Cerbos policy decision point server to be at least v0.18 and configured with
the admin API enabled
the local audit logging backend, and
decision logs enabled.
Fetch multiple policies by ID.
Optionaloptions: RequestOptionsRequires
the client to be configured with Options.adminCredentials, and
the Cerbos policy decision point server to be configured with the admin API enabled.
Fetch a policy by ID.
Optionaloptions: RequestOptionsRequires
the client to be configured with Options.adminCredentials, and
the Cerbos policy decision point server to be configured with the admin API enabled.
Fetch a schema by ID.
Optionaloptions: RequestOptionsRequires
the client to be configured with Options.adminCredentials, and
the Cerbos policy decision point server to be configured with the admin API enabled.
Fetch multiple schemas by ID.
Optionaloptions: RequestOptionsRequires
the client to be configured with Options.adminCredentials, and
the Cerbos policy decision point server to be configured with the admin API enabled.
Inspect policies in the store.
Optionalrequest: InspectPoliciesRequestOptionaloptions: RequestOptionsRequires
the client to be configured with Options.adminCredentials; and
the Cerbos policy decision point server to be at least v0.35 and configured with the admin API enabled.
Check if a principal is allowed to perform an action on a resource.
Optionaloptions: RequestOptionsList access log entries from the policy decision point server's audit log.
Optionaloptions: RequestOptionsRequires
the client to be configured with Options.adminCredentials; and
the Cerbos policy decision point server to be configured with
the admin API enabled
the local audit logging backend, and
access logs enabled.
List decision log entries from the policy decision point server's audit log.
Optionaloptions: RequestOptionsRequires
the client to be configured with Options.adminCredentials; and
the Cerbos policy decision point server to be configured with
the admin API enabled
the local audit logging backend, and
decision logs enabled.
List policies.
Optionalrequest: ListPoliciesRequestOptionaloptions: RequestOptionsRequires
the client to be configured with Options.adminCredentials, and
the Cerbos policy decision point server to be configured with the admin API enabled.
List schemas.
Optionaloptions: RequestOptionsRequires
the client to be configured with Options.adminCredentials, and
the Cerbos policy decision point server to be configured with the admin API enabled.
Produce a query plan that can be used to obtain a list of resources on which a principal is allowed to perform a particular action.
Optionaloptions: RequestOptionsReload the store.
Optionaloptions: RequestOptionsRequires
the client to be configured with Options.adminCredentials,
the Cerbos policy decision point server to be configured with the admin API, and
a reloadable storage backend.
Retrieve information about the Cerbos policy decision point server.
Optionaloptions: RequestOptionsCreate a client instance with a pre-specified principal.
A client for interacting with the Cerbos policy decision point server over gRPC.
Remarks
Not supported in browsers.
See the parent class for available methods.