Episode 010: 04-30-2024 Cerbos Deep Dive - GluuFederation/identerati-office-hours GitHub Wiki
Cerbos Deep Dive
- Host: Mike Schwartz, Founder/CEO Gluu
- Guest: Emre Baran, Co-Founder / CEO, Cerbos
- Co-Host: Brad Tumy, Founder Tumy Technology, Host Identity Heroes Podcast
Description
Cerbos is a new startup in the authorization space, positioned as an authz technology for developers, product and security teams who prefer YAML over Rego. Like other stateless PDPs that run as a sidecar, Cerbos is very fast. It also has an enterprise control plane which delivers business value for compliance and scale. In this discussion, we'll learn more about Cerbos: where it came from, what it's good at, what's unique about it, and where it's headed.
Takeaways
- Cerbos is focusing on developers, saving them time when writing new applications by avoiding yet another one-off internal authorization scaffolding.
- While other policy formats enable more complexity, Cerbos focuses on one use case which addresses a large swath of the requirements: subject - action - resource: allow | deny. So while other policy expression languages offer more flexibility, this constraint simplifies the life of developers, who don't need to learn another programming language.
- Although it can run on any platform (even as a WebAssembly component), Cerbos has a cloud-native design orientation. A typical deployment model for Cerbos is running as a sidecar next to the application that needs the authz decision.
- Cerbos avoids lazy loading, which leads to latency and cache-integrity issues. The policies, config and keys are fetched at startup; after that Cerbos is stateless and always returns a decision. This means that the application sends the data needed for policy input with each check, for example a JWT from an OpenID Connect or OAuth server, or other application-specific data.
- Cerbos has really cool t-shirts.
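The second and fourth takeaways describe the model in the abstract. The policy below, written here as an added illustration and not taken from the episode or from the Cerbos project's own documentation, shows what a subject - action - resource: allow | deny rule set looks like in Cerbos's YAML format for a hypothetical `expense` resource; the resource name, roles and attribute names (`ownerId`, `suspended`) are constructed, and the principal attributes are assumed to be copied by the application from the caller's JWT claims at check time.

```yaml
# Added example: a Cerbos resource policy for a hypothetical "expense" resource.
# Resource name, roles and attribute names are constructed for illustration.
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  resource: "expense"
  rules:
    # Subject (role) - action - resource: allow. Anything not matched below
    # is denied, so the policy is closed by default.
    - actions: ["view", "create"]
      effect: EFFECT_ALLOW
      roles: ["employee"]

    # Only the finance role may approve, and never its own expense.
    # request.principal.* is the subject data the application sends with each
    # check (for example the subject and claims of the caller's JWT);
    # request.resource.attr.* is the resource data it sends alongside.
    - actions: ["approve"]
      effect: EFFECT_ALLOW
      roles: ["finance"]
      condition:
        match:
          expr: request.resource.attr.ownerId != request.principal.id

    # An explicit deny overrides any allow: a suspended account can do nothing,
    # whatever roles it still carries.
    - actions: ["*"]
      effect: EFFECT_DENY
      roles: ["*"]
      condition:
        match:
          expr: request.principal.attr.suspended == true
```

Because the PDP holds the policy from startup and receives the principal and resource data in the request itself, every check produces an allow or deny decision without any lookup at evaluation time, which is the stateless property the fourth takeaway describes.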