Resource policies define rules for actions that can be performed on a given resource.

basicResource.yaml defines a resource policy for basicResources, with create, read, update and delete actions. This policy expects a principal to have either the ADMIN or USER role.

A basicResource is expected to have two attributes, ownerId and isPublished, which are used in the policy to make decisions about which actions should be permitted.

Attribute schemas are optional JSON schemas that are used by the Cerbos PDP at request time to validate the incoming request having all the required data to make a correct authorization decision. The server configuration can be set to either give a warning or reject the request if the input doesn't conform to these schemas.

_schemas/principal.json defines a schema for the principals, while _schemas/basicResource.json defines a schema for the basicResources.

basicResource_test.yaml defines a test suite and related test data that checks that the permissions are implemented as expected.

.cerbos.yaml is used to configure a Cerbos PDP server container to load the policies from disk.

.cerbos-hub.yaml is used to configure a Cerbos Hub workspace to compile policy bundles from commits matching the configured labels, to be deployed to connected Cerbos PDP instances.

The simplest way to run Cerbos is using the container, which is shown below. See the documentation for other ways to install and run Cerbos locally.

Verify that the policies are correct by running

docker run --rm -it \
  -v $(pwd):/basic-crud \
  ghcr.io/cerbos/cerbos:latest \
  compile --verbose /basic-crud

Launch a PDP server by running

docker run --rm --name cerbos \
 -v $(pwd):/basic-crud \
 -p 3592:3592 \
 -p 3593:3593 \
 ghcr.io/cerbos/cerbos:latest \
 server --config=/basic-crud/.cerbos.yaml

The API documentation can then be found at http://localhost:3592.