Cerbos v0.9.0

In the biggest release yet, Cerbos is now faster and much better integrated with the wider service and cloud ecosystems.

Highlights

New Decision Engine

Written from the ground up to handle the specialised use cases Cerbos is designed for, the brand new policy decision engine is significantly faster and more efficient than the previous version. This new engine is fully backward compatible with all existing policies while being much faster: during benchmarking we have seen speed-ups of up to 17x in some cases. With this new engine we are much better placed to handle even the most demanding use cases and build exciting new features in the future.

Native JWT Support

Many applications these days make use of JSON Web Tokens (JWT) for carrying signed authentication claims between services. Now with native support for JWT, the Cerbos PDP is able to verify the tokens and use the claims directly when evaluating policies. This is a great way to ensure attributes about the principal are accurate and verified while reducing the burden on developers to correctly extract and transmit the claims over to Cerbos. See 0.9.0@cerbos:configuration:auxdata.adoc for more information.

Cloud Storage

The new blob storage driver supports reading policies from cloud blob stores such as AWS S3, Google Cloud Storage, or any S3-compatible storage implementation like Minio. This enables you to host your policy repository on highly available, versioned and encrypted storage services offered by major cloud providers and run Cerbos on serverless environments like AWS Lambda, Google Cloud Functions, Google Cloud Run or Knative. See Blob driver for more information.

Hierarchies

Hierarchical relationships are a common occurrence in software development. Whether you use directory services like Active Directory/LDAP or whether your data model naturally imposes hierarchical relationships on objects, Cerbos policy rules can be written to deal with tree-like data using the new hierarchy functions introduced in this release. See the hierarchy function documentation for more details.

GitHub Actions

Validating and testing policies in your GitHub workflows is now much easier using the official Cerbos Actions. See Validating and testing policies in CI environments for details on how to integrate them into your workflow.

Changelog

Bug Fixes

  • Create blob store work dir when it does not exist (#385)

  • Rename cors.enabled config key to cors.disabled (#334)

Features

  • Add JWT aux data support to Go SDK (#377)

  • Implement storage driver for cloud object stores. (#347)

  • JWT auxiliary data source (#371)

  • Switch to new policy engine (#354)

Enhancements

  • Add sorting option to the list policies method options (#320)

  • Hierarchy function improvements (#342)

  • BREAKING Rename globals to variables (#346)

  • re-use compiled global expressions (#336)

Documentation

  • Document how to obtain protobuf definitions (#338)

  • Document how to use GitHub Actions (#387)

  • Document the policy LIST endpoint (#378)

  • Offer minimal configuration and full configuration in documentation (#358)

  • Update README (#384)

Chores

  • Add stargazers badge to readme (#348)

  • Bump github.com/alecthomas/chroma from 0.9.2 to 0.9.4 (#369)

  • Bump github.com/aws/aws-sdk-go from 1.40.34 to 1.41.6 (#382)

  • Bump github.com/containerd/containerd from 1.5.5 to 1.5.7 (#345)

  • Bump github.com/dgraph-io/badger/v3 (#350)

  • Bump github.com/doug-martin/goqu/v9 from 9.16.0 to 9.17.0 (#349)

  • Bump github.com/doug-martin/goqu/v9 from 9.16.0 to 9.17.0 (#362)

  • Bump github.com/doug-martin/goqu/v9 from 9.17.0 to 9.18.0 (#370)

  • Bump github.com/fergusstrange/embedded-postgres from 1.10.0 to 1.11.0 (#340)

  • Bump github.com/google/cel-go from 0.8.0 to 0.9.0 (#380)

  • Bump github.com/google/gops from 0.3.20 to 0.3.21 (#351)

  • Bump github.com/google/gops from 0.3.20 to 0.3.21 (#364)

  • Bump github.com/jwalton/gchalk from 1.1.0 to 1.1.1 (#353)

  • Bump github.com/jwalton/gchalk from 1.1.0 to 1.2.1 (#363)

  • Bump github.com/minio/minio-go/v7 from 7.0.14 to 7.0.15 (#381)

  • Bump github.com/open-policy-agent/opa from 0.32.1 to 0.33.0 (#339)

  • Bump github.com/open-policy-agent/opa from 0.33.0 to 0.33.1 (#352)

  • Bump helm.sh/helm/v3 from 3.7.0 to 3.7.1 (#365)

  • Bump version to 0.9.0

  • Configure Dependabot to update tools (#360)

  • Configure semantic commit checker (#372)

  • Fix version in snapshot builds (#386)

  • Move CEL code to conditions package (#335)

  • Refactor test framework to use templating (#375)

  • Remove scratchDir from storage configuration options (#367)

  • Update container repository to GHCR (#383)

  • Update goreleaser configuration (#359)