Cerbos: Why and what

Published by Emre Baran on March 17, 2024
Cerbos: Why and what

The concept of security has transitioned from a mere necessity to a strategic enabler, empowering developers to innovate with confidence. At the forefront of this transformation is Cerbos, a solution designed to redefine how permissions and access control are implemented within applications. 


Cerbos distinguishes itself by streamlining the integration of roles, permissions, and access control mechanisms, transforming what was traditionally a months-long endeavor into a matter of days. This efficiency is particularly evident in the context of monolithic systems, where implementing authorization, although straightforward, can quickly become cumbersome as the system expands. It's crucial to understand that authorization (AuthZ) is distinct from authentication (AuthN). While AuthN identifies and verifies a user, AuthZ determines their permissions within the system, a process that becomes increasingly complex as roles and permissions proliferate with organizational growth.

The challenge intensifies as systems transition to microservices, breaking the simplicity of monolithic authorization. In a zero-trust architecture, each microservice must independently verify a user's credentials and permissions, complicating updates to the authorization layer as it now spans across numerous services, potentially written in different programming languages. This fragmentation necessitates a more unified, scalable approach to authorization.

Enter Cerbos, a state-of-the-art, open-core authorization system designed to address these challenges head-on. Cerbos centralizes authorization decisions, making them accessible across various components of your stack, from backend and frontend to mobile and batch processing jobs. It achieves this through YAML policies powered by Google's Common Expression Language (CEL), enabling a clear, human-readable representation of complex authorization logic.

These YAML policies bring numerous advantages. They make authorization logic transparent, testable, and decoupled from the core application code, allowing for DevOps practices to be applied to policy management. Changes to policies can be made independently of the application code, facilitating easier updates and audits. Cerbos provides a simple API that returns straightforward allow or deny responses to authorization queries, insulating developers from future policy changes and ensuring that deployments remain safe and consistent with established tests.

Cerbos is designed to seamlessly integrate into your environment, running as a binary in various configurations like Kubernetes sidecar or service, on bare metal, or as an AWS Lambda function. Its stateless nature and independence from other services make it infinitely scalable, ready to operate as soon as policies are loaded. Cerbos prioritizes performance, offering SDKs in all major languages and ensuring rapid communication through GRPC and ProtoBuf, making authorization checks feel like local function calls.

The core of Cerbos is open-source and freely available under the Apache2 license, providing a robust set of tools including a unit test framework, policy compiler, and REPL, along with support for multiple storage backends. For those seeking enhanced policy management, Cerbos Hub offers a collaborative IDE for policy authoring, continuous testing, and synchronized deployment, ensuring that your authorization layer remains agile, secure, and aligned with your evolving needs.

Cerbos represents a paradigm shift in authorization, offering a solution that not only meets the technical demands of modern software architectures but also aligns with the agile methodologies that drive today's development practices. It's an indispensable tool for any tech stack, enabling developers and architects to implement robust, scalable, and maintainable authorization layers that empower rather than hinder innovation.


Book a free Policy Workshop to discuss your requirements and get your first policy written by the Cerbos team