Cerbos v0.13.0

This release requires existing MySQL or Postgres users to perform a migration step before upgrading. More information can be found in the migration documentation.

Highlights

This release introduces the concept of scoped policies to address the common use case of modelling hierarchical relationships. The new scope field of resource and principal policies allows you to define a dot-separated string describing their position in the hierarchy. At runtime, based on the scope defined by the API request, the Cerbos engine moves upwards through the set of policies in the hierarchy until one of them produces a decision. With this feature you can define a base set of access policies that can then be overridden for particular departments, tenants or any other unit of access control that makes sense for your application.
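A simplified model of the upward scope walk described above, as an added example that is not Cerbos's own code or engine logic. The sample scopes, the actions and the default-deny fallback when no scope has a matching rule are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Effect is the decision a policy produces for an action.
type Effect string

const (
	Allow Effect = "ALLOW"
	Deny  Effect = "DENY"
)

// policies maps scope -> action -> effect. Constructed sample data;
// the empty scope "" stands for the base (unscoped) policy.
var policies = map[string]map[string]Effect{
	"":           {"view": Allow, "delete": Deny},
	"acme":       {"approve": Allow},
	"acme.hr":    {"delete": Allow},
	"acme.hr.uk": {"approve": Deny},
}

// scopeChain returns the requested scope followed by each ancestor, ending at "".
func scopeChain(scope string) []string {
	var chain []string
	for parts := strings.Split(scope, "."); scope != "" && len(parts) > 0; parts = parts[:len(parts)-1] {
		chain = append(chain, strings.Join(parts, "."))
	}
	return append(chain, "")
}

// Decide walks from the most specific scope upwards; the first scope with a
// rule for the action decides. Assumption: deny when nothing matches.
func Decide(scope, action string) (Effect, string) {
	for _, s := range scopeChain(scope) {
		if eff, ok := policies[s][action]; ok {
			return eff, s
		}
	}
	return Deny, "(default)"
}

func main() {
	for _, a := range []string{"view", "delete", "approve", "export"} {
		eff, from := Decide("acme.hr.uk", a)
		fmt.Printf("%-8s %-5s decided at scope %q\n", a, eff, from)
	}
}
```

In the sample data, acme.hr replaces the base policy's DENY on delete with ALLOW, which is why overrides in child scopes deserve the same review as the base policies.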

Another new feature in this release is the introduction of the cerbos run command. This command can be used as a test runner or even as a quick way to try out Cerbos. It launches a Cerbos instance in the background (loading any policies found in the policies directory) and then runs the user-provided command. Two environment variables named CERBOS_HTTP and CERBOS_GRPC are injected into the environment of the child process so that it can discover the Cerbos PDP. When the child process exits, the Cerbos instance is automatically shut down as well. For more information, see the cerbos run documentation.

This release also adds support for using Microsoft SQL Server as a storage backend.

Changelog

Bug Fixes

  • Dangling quotes in helmfiles (#576)

  • cerbosctl get subcommands retrieve unmatching policy types (#594)

Features

  • Add --sort-by flag to cerbosctl get subcommands (#606)

  • Add SQL Server support (#575)

  • Add cerbos run command (#625)

  • Scoped policies (#660)

Enhancements

  • Add query plan API to Playground (#607)

  • Allow aux_data to be accessed as auxData (#623)

Documentation

  • Add Okta & FusionAuth tutorials (#609)

  • Add links to guide (#611)

  • Add service model explanation (#587)

  • Update CLI docs (#591)

Chores

  • Add golden files for compile results (#596)

  • Bump EndBug/add-and-commit from 7 to 8.0.1 (#578)

  • Bump EndBug/add-and-commit from 8.0.1 to 8.0.2 (#628)

  • Bump amannn/action-semantic-pull-request from 3 to 4.1.0 (#615)

  • Bump amannn/action-semantic-pull-request from 4.1.0 to 4.2.0 (#627)

  • Bump azure/setup-helm from 1 to 2.0 (#598)

  • Bump bufbuild/buf-push-action from 1.0.0 to 1.0.1 (#649)

  • Bump bufbuild/buf-setup-action from 0.7.0 to 1.0.0 (#648)

  • Bump github.com/alecthomas/kong from 0.4.0 to 0.4.1 (#664)

  • Bump github.com/aws/aws-sdk-go from 1.42.23 to 1.43.2 (#651)

  • Bump github.com/bojand/ghz in /tools (#605)

  • Bump github.com/bojand/ghz in /tools (#620)

  • Bump github.com/bufbuild/buf from 0.56.0 to 1.0.0 in /tools (#656)

  • Bump github.com/denisenkom/go-mssqldb from 0.11.0 to 0.12.0 (#583)

  • Bump github.com/fergusstrange/embedded-postgres from 1.13.0 to 1.14.0 (#618)

  • Bump github.com/fullstorydev/grpcurl in /tools (#635)

  • Bump github.com/golangci/golangci-lint in /tools (#657)

  • Bump github.com/google/go-cmp from 0.5.6 to 0.5.7 (#580)

  • Bump github.com/goreleaser/goreleaser from 1.4.1 to 1.5.0 (#634)

  • Bump github.com/goreleaser/goreleaser in /tools (#603)

  • Bump github.com/grpc-ecosystem/grpc-gateway/v2 from 2.7.2 to 2.7.3 (#582)

  • Bump github.com/grpc-ecosystem/grpc-gateway/v2 in /tools (#584)

  • Bump github.com/jackc/pgtype from 1.9.1 to 1.10.0 (#630)

  • Bump github.com/jackc/pgx/v4 from 4.14.1 to 4.15.0 (#633)

  • Bump github.com/lestrrat-go/jwx from 1.2.17 to 1.2.18 (#585)

  • Bump github.com/minio/minio-go/v7 from 7.0.21 to 7.0.22 (#654)

  • Bump github.com/prometheus/client_golang from 1.11.0 to 1.12.0 (#581)

  • Bump github.com/prometheus/client_golang from 1.12.0 to 1.12.1 (#599)

  • Bump github.com/spf13/afero from 1.8.0 to 1.8.1 (#616)

  • Bump github.com/tidwall/gjson from 1.13.0 to 1.14.0 (#619)

  • Bump github.com/vektra/mockery/v2 from 2.9.4 to 2.10.0 in /tools (#604)

  • Bump go.elastic.co/ecszap from 1.0.0 to 1.0.1 (#652)

  • Bump go.opentelemetry.io/otel/bridge/opencensus from 0.26.0 to 0.27.0 (#638)

  • Bump go.opentelemetry.io/otel/bridge/opencensus from 0.27.0 to 0.27.1 (#655)

  • Bump go.opentelemetry.io/otel/exporters/jaeger from 1.3.0 to 1.4.0 (#632)

  • Bump go.opentelemetry.io/otel/exporters/jaeger from 1.4.0 to 1.4.1 (#662)

  • Bump go.opentelemetry.io/otel/sdk from 1.3.0 to 1.4.0 (#631)

  • Bump go.opentelemetry.io/otel/sdk from 1.4.0 to 1.4.1 (#653)

  • Bump go.uber.org/zap from 1.20.0 to 1.21.0 (#629)

  • Bump golang.org/x/tools from 0.1.8 to 0.1.9 (#602)

  • Bump google-github-actions/setup-gcloud from 0.3 to 0.4.0 (#577)

  • Bump google-github-actions/setup-gcloud from 0.4.0 to 0.5.0 (#614)

  • Bump google-github-actions/setup-gcloud from 0.5.0 to 0.5.1 (#650)

  • Bump google.golang.org/grpc from 1.43.0 to 1.44.0 (#600)

  • Bump helm.sh/helm/v3 from 3.7.2 to 3.8.0 (#601)

  • Bump modernc.org/sqlite from 1.14.4 to 1.14.5 (#579)

  • Bump modernc.org/sqlite from 1.14.5 to 1.14.6 (#617)

  • Bump version to 0.13.0

  • Disable gci and run linters (#658)

  • Fix lint issues (#588)

  • Increase Telepresence timeout for E2E tests (#613)

  • Make log level flag case insensitive (#639)

  • Replace conventional commit check (#612)

  • Update Antora and Goreleaser config (#590)

  • Update Postgres E2E deploy script (#621)

  • Update generated code (#610)

  • Update to xxhash v2 and add policy hash functions (#597)

Other

  • Add MS SQL E2E test (#586)

  • Load testing script (#640)