audit:
accessLogsEnabled: false # AccessLogsEnabled defines whether access logging is enabled.
backend: local # Backend states which backend to use for Audits.
decisionLogFilters: # DecisionLogFilters define the filters to apply while producing decision logs.
checkResources: # CheckResources defines the filters that apply to CheckResources calls.
ignoreAllowAll: false # IgnoreAllowAll ignores responses that don’t contain an EFFECT_DENY.
planResources: # PlanResources defines the filters that apply to PlanResources calls.
ignoreAll: false # IgnoreAll prevents any plan responses from being logged. Takes precedence over other filters.
ignoreAlwaysAllow: false # IgnoreAlwaysAllow ignores ALWAYS_ALLOWED plans.
decisionLogsEnabled: false # DecisionLogsEnabled defines whether logging of policy decisions is enabled.
enabled: false # Enabled defines whether audit logging is enabled.
excludeMetadataKeys: ['authorization'] # ExcludeMetadataKeys defines which gRPC request metadata keys should be excluded from the audit logs. Takes precedence over includeMetadataKeys.
includeMetadataKeys: ['content-type'] # IncludeMetadataKeys defines which gRPC request metadata keys should be included in the audit logs.
file:
path: /path/to/file.log # Path to the log file to use as output. The special values stdout and stderr can be used to write to stdout or stderr respectively.
kafka:
ack: all # Ack mode for producing messages. Valid values are "none", "leader" or "all" (default). Idempotency is disabled when mode is not "all".
brokers: ['localhost:9092'] # Required. Brokers list to seed the Kafka client.
clientID: cerbos # ClientID reported in Kafka connections.
closeTimeout: 30s # CloseTimeout sets how long when closing the client to wait for any remaining messages to be flushed.
encoding: json # Encoding format. Valid values are "json" (default) or "protobuf".
maxBufferedRecords: 1000 # MaxBufferedRecords sets the maximum number of records the client should buffer in memory in async mode.
produceSync: false # ProduceSync forces the client to produce messages to Kafka synchronously. This can have a significant impact on performance.
produceTimeout: 5s # ProduceTimeout sets how long to attempt to publish a message before giving up.
topic: cerbos.audit.log # Required. Topic to write audit entries to.
local:
advanced:
bufferSize: 256
flushInterval: 1s
gcInterval: 60s
maxBatchSize: 32
retentionPeriod: 168h # How long to keep records for
storagePath: /path/to/dir # Path to store the data
auxData:
jwt: # JWT holds the configuration for JWTs used as an auxiliary data source for the engine.
cacheSize: 256 # CacheSize sets the number of verified tokens cached in memory. Set to negative value to disable caching.
disableVerification: false # DisableVerification disables JWT verification.
keySets: # KeySets is the list of keysets to be used to verify tokens.
-
id: ks1 # Required. ID is the unique reference to this keyset.
local: # Local defines a local keyset. Mutually exclusive with Remote.
data: base64encodedJWK # Data is the encoded JWK data for this keyset. Mutually exclusive with File.
file: /path/to/keys.jwk # File is the path to file containing JWK data. Mutually exclusive with Data.
pem: true # PEM indicates that the data is PEM encoded.
remote: # Remote defines a remote keyset. Mutually exclusive with Local.
refreshInterval: 1h # RefreshInterval is the refresh interval for the keyset.
url: https://domain.tld/.well-known/keys.jwks # Required. URL is the JWKS URL to fetch the keyset from.
compile:
cacheDuration: 60s # CacheDuration is the duration to cache an entry.
cacheSize: 1024 # CacheSize is the number of compiled policies to cache in memory.
engine:
defaultPolicyVersion: "default" # DefaultPolicyVersion defines what version to assume if the request does not specify one.
schema:
cacheSize: 1024 # CacheSize defines the number of schemas to cache in memory.
enforcement: reject # Enforcement defines level of the validations. Possible values are none, warn, reject.
server:
adminAPI: # AdminAPI defines the admin API configuration.
adminCredentials: # AdminCredentials defines the admin user credentials.
passwordHash: JDJ5JDEwJEdEOVFzZDE2VVhoVkR0N2VkUFBVM09nalc0QnNZaC9xc2E4bS9mcUJJcEZXenp5OUpjMi91Cgo= # PasswordHash is the base64-encoded bcrypt hash of the password to use for authentication.
username: cerbos # Username is the hardcoded username to use for authentication.
enabled: true # Enabled defines whether the admin API is enabled.
advanced: # Advanced server settings.
grpc: # GRPC server settings.
connectionTimeout: 60s # ConnectionTimeout sets the timeout for establishing a new connection.
maxConnectionAge: 600s # MaxConnectionAge sets the maximum age of a connection.
maxRecvMsgSizeBytes: 4194304 # MaxRecvMsgSizeBytes sets the maximum size of a single request message. Defaults to 4MiB. Affects performance and resource utilisation.
http: # HTTP server settings.
idleTimeout: 120s # IdleTimeout sets the keepalive timeout.
readHeaderTimeout: 15s # ReadHeaderTimeout sets the timeout for reading request headers.
readTimeout: 30s # ReadTimeout sets the timeout for reading a request.
writeTimeout: 30s # WriteTimeout sets the timeout for writing a response.
cors: # CORS defines the CORS configuration for the server.
allowedHeaders: ['content-type'] # AllowedHeaders is the contents of the allowed-headers header.
allowedOrigins: ['*'] # AllowedOrigins is the contents of the allowed-origins header.
disabled: false # Disabled sets whether CORS is disabled.
maxAge: 10s # MaxAge is the max age of the CORS preflight check.
grpcListenAddr: ":3593" # Required. GRPCListenAddr is the dedicated GRPC address.
httpListenAddr: ":3592" # Required. HTTPListenAddr is the dedicated HTTP address.
logRequestPayloads: false # LogRequestPayloads defines whether the request payloads should be logged.
metricsEnabled: true # MetricsEnabled defines whether the metrics endpoint is enabled.
playgroundEnabled: false # PlaygroundEnabled defines whether the playground API is enabled.
requestLimits: # RequestLimits defines the limits for requests.
maxActionsPerResource: 50 # MaxActionsPerResource sets the maximum number of actions that could be checked for a resource in a single request.
maxResourcesPerRequest: 50 # MaxResourcesPerBatch sets the maximum number of resources that could be sent in a single request.
tls: # TLS defines the TLS configuration for the server.
caCert: /path/to/CA_certificate # CACert is the path to the optional CA certificate for verifying client requests.
cert: /path/to/certificate # Cert is the path to the TLS certificate file.
key: /path/to/private_key # Key is the path to the TLS private key file.
udsFileMode: 0o766 # UDSFileMode sets the file mode of the unix domain sockets created by the server.
storage:
# This section is required. The field driver must be set to indicate which driver to use.
driver: "disk" # Required. Driver defines which storage driver to use.
blob:
# This section is required only if storage.driver is blob.
bucket: "s3://my-bucket-name?region=us-east-2" # Required. Bucket URL (Examples: s3://my-bucket?region=us-west-1 gs://my-bucket azblob://my-container).
downloadTimeout: 30s # DownloadTimeout specifies the timeout for downloading from cloud storage.
prefix: policies # Prefix specifies a subdirectory to download.
requestTimeout: 10s # RequestTimeout specifies the timeout for an HTTP request.
updatePollInterval: 15s # UpdatePollInterval specifies the interval to poll the cloud storage. Set to 0 to disable.
workDir: