At a Glance:
Cerbos is a self-hosted, open-source authorization layer that lets you define context-aware access rules in YAML policies, deployed via GitOps, and evaluated through highly available APIs for making dynamic access decisions.
Overview:
Cerbos is an open-source authorization layer that evolves with your application, providing a stateless Policy Decision Point (PDP) for evaluating access rules. It enables developers to define powerful, context-aware authorization policies for application resources using simple, structured YAML files, which are managed and deployed through existing GitOps infrastructure. The PDP runs as a separate process—as a Kubernetes service or sidecar, a systemd service, or an AWS Lambda function—and exposes two primary APIs: CheckResources to determine if a principal can access a resource, and PlanResources to query which resources of a given kind are accessible. This approach moves authorization logic out of application code, supporting both RBAC and ABAC patterns with dynamic, runtime context evaluation.
Key Decision Points:
Deployment model: Cerbos PDP is a stateless service designed to run as a separate process in Kubernetes (as a service or sidecar), directly as a systemd service, or as an AWS Lambda function, integrating into existing infrastructure.
Policy evaluation APIs: Authorization decisions are made by calling the CheckResources API for standard access checks and the PlanResources API to determine accessible resource sets, with responses usable via SDKs or query plan adapters.
Policy authoring and management: Policies are written as YAML files and stored on disk, in cloud object stores, git repos, or databases, enabling GitOps workflows; Cerbos Hub offers a cloud control plane for collaborative authoring, testing, and distributing updates to PDP fleets.
Access control models: Goes beyond simple RBAC by supporting attribute-based rules through conditions in resource policies, derived roles, and principal policies, all evaluated dynamically with contextual data at request time.
Client SDK and integration surface: Provides client SDKs for Go, Java, JavaScript, .NET, PHP, Python, Ruby, and Rust, and query plan adapters for Prisma and SQLAlchemy to convert PlanResources responses into query instances.
Core Features:
CheckResources API: A primary API endpoint that answers the question "Can this principal access this resource?" for making synchronous access decisions.
PlanResources API: Provides a way to ask "Which resources of kind X can this principal access?" returning a query plan for filtering accessible resources.
YAML-based policy definition: Access rules are defined per resource using a simple, structured YAML format, stored in git repos, cloud storage, or databases.
Dynamic conditional evaluation: Policies support conditions evaluated at runtime using contextual data, enabling attribute-based access control (ABAC) beyond static roles.
Query plan adapters: Available adapters for Prisma and SQLAlchemy that convert the SDK PlanResources responses into convenient database query instances.
Cerbos Hub integration: A cloud-hosted control plane offering collaborative playgrounds, CI/CD for policy distribution, and an Embedded PDP for browser or serverless/edge deployments.
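The YAML policy format, derived roles and runtime conditions described under Key Decision Points and Core Features, as an added worked example (written for this page, not taken from the Cerbos project or its documentation). The resource kind "expense", the attribute names ownerId and department, the role names and the principals are all assumptions chosen for illustration. The three documents are shown together for readability; in a real policy directory each lives in its own file as named in the comments, and the test suite is picked up by the Cerbos CLI from a file ending in _test.yaml.

```yaml
# --- policies/derived_roles/expense_roles.yaml (assumed path) ---
apiVersion: api.cerbos.dev/v1
derivedRoles:
  name: expense_roles
  definitions:
    # "owner" exists only at request time: the principal must hold the static
    # role "user" AND the resource's ownerId attribute must equal the principal id.
    - name: owner
      parentRoles: ["user"]
      condition:
        match:
          expr: request.resource.attr.ownerId == request.principal.id
---
# --- policies/resource_policies/expense.yaml (assumed path) ---
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  resource: "expense"
  importDerivedRoles:
    - expense_roles
  rules:
    # Plain RBAC: any user may create an expense.
    - actions: ["create"]
      effect: EFFECT_ALLOW
      roles: ["user"]
    # Derived role: owners may view and update their own expenses.
    - actions: ["view", "update"]
      effect: EFFECT_ALLOW
      derivedRoles: ["owner"]
    # Managers may view every expense ...
    - actions: ["view"]
      effect: EFFECT_ALLOW
      roles: ["manager"]
    # ... but may approve only expenses they do not own, and only within their
    # own department. Both sides of the request are inspected (ABAC).
    - actions: ["approve"]
      effect: EFFECT_ALLOW
      roles: ["manager"]
      condition:
        match:
          all:
            of:
              - expr: request.resource.attr.ownerId != request.principal.id
              - expr: request.resource.attr.department == request.principal.attr.department
---
# --- tests/expense_test.yaml (assumed path) ---
# Run with: cerbos compile --tests=tests policies
# Anything not explicitly allowed above is EFFECT_DENY (Cerbos denies by default).
name: ExpensePolicyTests
principals:
  alice:
    id: alice
    roles: ["user"]
    attr: { department: finance }
  bob:
    id: bob
    roles: ["user", "manager"]
    attr: { department: finance }
  carol:
    id: carol
    roles: ["user", "manager"]
    attr: { department: sales }
resources:
  alice_lunch:
    kind: expense
    id: exp-100
    attr: { ownerId: alice, department: finance }
  bob_travel:
    kind: expense
    id: exp-200
    attr: { ownerId: bob, department: finance }
tests:
  - name: owner and manager decisions
    input:
      principals: [alice, bob, carol]
      resources: [alice_lunch, bob_travel]
      actions: [view, approve]
    expected:
      - principal: alice
        resource: alice_lunch
        actions: { view: EFFECT_ALLOW, approve: EFFECT_DENY }   # owner, not manager
      - principal: alice
        resource: bob_travel
        actions: { view: EFFECT_DENY, approve: EFFECT_DENY }    # neither owner nor manager
      - principal: bob
        resource: alice_lunch
        actions: { view: EFFECT_ALLOW, approve: EFFECT_ALLOW }  # manager, same department
      - principal: bob
        resource: bob_travel
        actions: { view: EFFECT_ALLOW, approve: EFFECT_DENY }   # self-approval blocked
      - principal: carol
        resource: alice_lunch
        actions: { view: EFFECT_ALLOW, approve: EFFECT_DENY }   # manager, wrong department
```

The self-approval and cross-department rows are the cases worth keeping in the test suite: they are the ones a pure role check would get wrong, and the suite is what stops a later policy edit from silently widening them. Because the PDP evaluates the condition against whatever attributes the caller sends, the application must populate request.resource.attr and request.principal.attr from trusted sources (the database record and the authenticated session), not from user-supplied input.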
Use Cases:
Developers who need to decouple authorization logic from application code and manage access rules as version-controlled YAML policies deployed through GitOps.
Applications that require dynamic, context-aware access decisions where static RBAC is insufficient, using attributes evaluated at request time.
Environments using Kubernetes where Cerbos PDP can be deployed as a sidecar or service, or serverless setups using the AWS Lambda or Embedded PDP options.
Teams wanting a unified authorization layer that exposes CheckResources and PlanResources APIs callable via multiple language SDKs for consistent access control across services.
Open-Source Alternative Value:
As a self-hosted authorization layer under the Apache 2.0 license, Cerbos provides a transparent, stateless PDP that can be deployed within your own infrastructure using standard GitOps practices. Its YAML-based policy format makes authorization rules explicit, versionable, and reviewable in source control. The availability of both a CheckResources API for point-in-time access checks and a PlanResources API for generating filter queries addresses a functional gap in simpler authorization libraries. The project also offers a structured path for scalability through Cerbos Hub's collaborative and distribution tooling, while the core PDP remains fully runnable independently.