Scripts · 18 April 2026 · 1 min read

Cerbos — Scalable Policy-Based Authorization Engine

Cerbos is an open-source authorization engine that decouples access control from application code, letting teams define permissions as versioned, testable YAML or JSON policies.

Introduction

Cerbos runs as a sidecar or standalone service that evaluates authorization policies without requiring a database or persistent state. Policies are written as YAML files, stored alongside your code, and evaluated locally by the Cerbos engine. This makes access control logic auditable, testable, and decoupled from application code.

What Cerbos Does

  • Evaluates resource-level permissions using YAML or JSON policy definitions
  • Supports RBAC, ABAC, and conditional rules with derived roles
  • Runs as a stateless sidecar that loads policies from the local filesystem, Git, or a storage backend
  • Provides gRPC and HTTP APIs with client SDKs for Go, Java, Python, Ruby, JavaScript, and more
  • Includes a built-in test framework for validating policies before deployment

Architecture Overview

Cerbos runs as a single Go binary that loads policy files at startup or watches for changes via a policy loader. When an application sends a check request, Cerbos matches the principal's roles and the resource kind against the policy set, evaluates any conditions using CEL expressions, and returns an allow or deny decision for each requested action. No external database is needed.

Self-Hosting & Configuration

  • Deploy as a Docker container, Kubernetes sidecar, or standalone binary
  • Store policies on the local filesystem, in a Git repository, or on S3-compatible storage
  • Configure via a YAML file specifying the policy store, server ports, and audit logging
  • Enable audit logging to capture all authorization decisions for compliance
  • Use the Cerbos Playground to prototype and test policies in the browser

Key Features

  • Stateless architecture with no database dependency for fast, predictable performance
  • Policy-as-code with Git-based version control and CI/CD integration
  • Built-in test runner that validates policies against expected outcomes
  • CEL-based condition expressions for context-aware rules
  • Derived roles that dynamically assign roles based on resource attributes
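The following is an added, constructed example (not taken from the Cerbos project docs) showing how the pieces listed above fit together: a derived role computed from a resource attribute, a resource policy that uses it plus a CEL condition, and a test suite the built-in runner checks. The resource kind `expense_report`, the `owner` attribute and the principals `alice` and `bob` are assumptions; save each document as its own file under the indicated paths.

```yaml
# derived_roles/common_roles.yaml (constructed example)
apiVersion: api.cerbos.dev/v1
derivedRoles:
  name: common_roles
  definitions:
    # "owner" is computed per request: a plain "user" becomes owner
    # only when the resource's owner attribute equals the principal id
    - name: owner
      parentRoles: ["user"]
      condition:
        match:
          expr: request.resource.attr.owner == request.principal.id
---
# resource_policies/expense_report.yaml
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  resource: "expense_report"
  importDerivedRoles:
    - common_roles
  rules:
    - actions: ["view", "edit"]
      effect: EFFECT_ALLOW
      derivedRoles: ["owner"]
    # managers may approve, but never their own report (separation of duties);
    # anything not matched by a rule is denied by default
    - actions: ["approve"]
      effect: EFFECT_ALLOW
      roles: ["manager"]
      condition:
        match:
          expr: request.resource.attr.owner != request.principal.id
---
# tests/expense_report_test.yaml, run with: cerbos compile --tests=tests .
name: ExpenseReportTestSuite
principals:
  alice: { id: alice, roles: ["user"] }
  bob: { id: bob, roles: ["manager"] }
resources:
  alices_report: { kind: expense_report, id: r1, attr: { owner: alice } }
tests:
  - name: owner and manager decisions
    input:
      principals: ["alice", "bob"]
      resources: ["alices_report"]
      actions: ["view", "edit", "approve"]
    expected:
      - principal: alice
        resource: alices_report
        actions: { view: EFFECT_ALLOW, edit: EFFECT_ALLOW, approve: EFFECT_DENY }
      - principal: bob
        resource: alices_report
        actions: { view: EFFECT_DENY, edit: EFFECT_DENY, approve: EFFECT_ALLOW }
```

Running the test suite in CI fails the build if a policy edit silently widens access, for example if the separation-of-duties condition on `approve` were removed.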

Comparison with Similar Tools

  • OPA/Rego — General-purpose policy engine; Cerbos is purpose-built for resource authorization with a simpler DSL
  • SpiceDB — Relationship-based authorization database; Cerbos uses policy files without a datastore
  • Casbin — In-process library; Cerbos is a networked service with multi-language SDKs
  • Permify — Zanzibar-inspired graph model; Cerbos uses attribute and role-based policies

FAQ

Q: Does Cerbos need a database? A: No. Policies are loaded from files, Git, or blob storage. Cerbos is fully stateless.

Q: Can Cerbos handle high throughput? A: Yes. Because policies are evaluated in-memory without database calls, latency is sub-millisecond at thousands of requests per second.

Q: How do I test policy changes before deploying? A: Cerbos includes a cerbos compile command and a test framework that validates policies against fixtures.

Q: Is Cerbos free? A: The core engine is open source under Apache 2.0. Cerbos Hub offers managed policy distribution and analytics.

