Cerbos v0.16.0

This release consolidates the different Check APIs into a simpler API, promotes the query plan API to stable status, and adds exciting new features to the REPL to make policy development easier and more interactive.

Highlights

This release introduces a new RPC (API entrypoint) named CheckResources (REST: /api/check/resources) for performing access checks. This supersedes the existing CheckResourceSet (REST: /api/check) and CheckResourceBatch (REST: /api/check_resource_batch) RPCs and simplifies the Cerbos API surface by removing the need to understand the subtle differences between the different calls. The old RPCs have been deprecated and are planned for removal in a future release of Cerbos.

Filtering and selecting a set of items from a datastore while making sure that the logged-in user has access to each element of the result set is a common problem in many applications. Given a user and the action they wish to perform on a resource category, the Cerbos query plan API produces a datastore-agnostic representation of the constraints that resource instances must satisfy in order to comply with the access rules defined in Cerbos policies. It was introduced as an unstable API in Cerbos 0.12.0 and in this release it is promoted to stable status. The new stable RPC is named PlanResources (REST: /api/plan/resources) and includes refinements to the representation format of complex expressions to make them simpler and easier to translate into programming language constructs. This is a breaking change for gRPC clients because the RPC has been renamed.
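As an added illustration of the "translate into programming language constructs" step (example code, not part of the Cerbos project or these release notes), the following Python walker turns a PlanResources response into a parameterized SQL WHERE clause. The response shape used here (a filter kind plus a nested expression/operator/operands tree with variable and value leaves), the column mapping and the sample response itself are assumptions; check them against the Cerbos documentation for your version.

```python
# Constructed sample PlanResources response (assumed shape, not taken from the Cerbos docs).
SAMPLE_PLAN = {
    "requestId": "example-1", "action": "view", "resourceKind": "document",
    "filter": {"kind": "KIND_CONDITIONAL", "condition": {"expression": {
        "operator": "and", "operands": [
            {"expression": {"operator": "eq", "operands": [
                {"variable": "request.resource.attr.owner"}, {"value": "alice"}]}},
            {"expression": {"operator": "in", "operands": [
                {"variable": "request.resource.attr.status"},
                {"value": ["draft", "published"]}]}}]}}}}

# Allow-list of policy attributes and their columns; anything else is rejected.
COLUMNS = {"request.resource.attr.owner": "owner",
           "request.resource.attr.status": "status"}
BINARY = {"eq": "=", "ne": "<>", "lt": "<", "le": "<=", "gt": ">", "ge": ">="}

def to_sql(node, params):
    # Literals become bound parameters (appended to params), never string concatenation.
    if "variable" in node:
        if node["variable"] not in COLUMNS:
            raise ValueError(f"unmapped attribute {node['variable']!r}")
        return COLUMNS[node["variable"]]
    if "value" in node:
        if isinstance(node["value"], list):
            params.extend(node["value"])
            return "(" + ", ".join("?" * len(node["value"])) + ")"
        params.append(node["value"])
        return "?"
    expr = node["expression"]
    op, ops = expr["operator"], expr["operands"]
    if op in ("and", "or"):
        return "(" + f" {op.upper()} ".join(to_sql(o, params) for o in ops) + ")"
    if op == "not":
        return f"(NOT {to_sql(ops[0], params)})"
    if op in BINARY or op == "in":
        sym = BINARY.get(op, "IN")
        return f"({to_sql(ops[0], params)} {sym} {to_sql(ops[1], params)})"
    raise ValueError(f"unsupported operator {op!r}")

def plan_to_where(plan):
    # Returns (where_clause, params). Unknown filter kinds fail closed.
    kind = plan["filter"]["kind"]
    if kind == "KIND_ALWAYS_ALLOWED":
        return "1=1", []
    if kind == "KIND_ALWAYS_DENIED":
        return "1=0", []
    if kind != "KIND_CONDITIONAL":
        raise ValueError(f"unknown filter kind {kind!r}")
    params = []
    return to_sql(plan["filter"]["condition"], params), params
```

For the sample plan this yields `((owner = ?) AND (status IN (?, ?)))` with parameters `["alice", "draft", "published"]`; attributes outside the allow-list and operators the walker does not understand raise instead of producing a broader query.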

The Cerbos REPL gains the ability to load policies and interactively evaluate the conditions defined in them. This empowers policy authors to debug, develop, and test complex conditions with rapid feedback and no context switching. The REPL prompt is now smarter as well: it can handle copy-pasting of large chunks of multi-line text without the need to explicitly escape newlines.

When no policies apply to a request, Cerbos produces a DENY response by default. This is now recorded in the engine traces so that policy tests can be debugged much more easily.

Changelog

Features

  • BREAKING Promote PlanResources API to stable (#872)

  • Simplify QueryPlanner AST for CEL comprehensions (#870)

  • Unified check API (#819)

Enhancements

  • Add trace for denial due to no matching policies (#858)

  • Auto-detect end of input in REPL (#859)

  • Execute policy conditions in the CEL REPL (#820)

  • Policy variables in the REPL (#853)

Documentation

  • Document Jaeger trace format (#871)

Chores

  • Add 0.15.1 release notes (#825)

  • Add CheckResources API to Playground (#821)

  • Bump actions/setup-go from 2 to 3 (#829)

  • Bump amannn/action-semantic-pull-request (#844)

  • Bump amannn/action-semantic-pull-request (#860)

  • Bump azure/setup-helm from 2.0 to 2.1 (#843)

  • Bump bufbuild/buf-setup-action from 1.3.0 to 1.3.1 (#808)

  • Bump bufbuild/buf-setup-action from 1.3.1 to 1.4.0 (#861)

  • Bump codecov/codecov-action from 2 to 3 (#830)

  • Bump github.com/alecthomas/participle/v2 (#834)

  • Bump github.com/bojand/ghz in /tools (#837)

  • Bump github.com/bufbuild/buf from 1.3.0 to 1.3.1 in /tools (#815)

  • Bump github.com/bufbuild/buf from 1.3.1 to 1.4.0 in /tools (#868)

  • Bump github.com/gdamore/tcell/v2 from 2.4.0 to 2.5.0 (#817)

  • Bump github.com/gdamore/tcell/v2 from 2.5.0 to 2.5.1 (#848)

  • Bump github.com/goreleaser/goreleaser in /tools (#851)

  • Bump github.com/goreleaser/goreleaser in /tools (#867)

  • Bump github.com/jackc/pgx/v4 from 4.15.0 to 4.16.0 (#862)

  • Bump github.com/jmoiron/sqlx from 1.3.4 to 1.3.5 (#854)

  • Bump github.com/lestrrat-go/jwx from 1.2.20 to 1.2.21 (#811)

  • Bump github.com/lestrrat-go/jwx from 1.2.21 to 1.2.22 (#831)

  • Bump github.com/lestrrat-go/jwx from 1.2.22 to 1.2.23 (#849)

  • Bump github.com/minio/minio-go/v7 from 7.0.23 to 7.0.24 (#847)

  • Bump github.com/planetscale/vtprotobuf from 0.2.0 to 0.3.0 in /tools (#850)

  • Bump github.com/pterm/pterm from 0.12.39 to 0.12.40 (#818)

  • Bump github.com/pterm/pterm from 0.12.40 to 0.12.41 (#845)

  • Bump github.com/tidwall/gjson from 1.14.0 to 1.14.1 (#864)

  • Bump github.com/vektra/mockery/v2 from 2.10.0 to 2.10.2 in /tools (#814)

  • Bump github.com/vektra/mockery/v2 from 2.10.2 to 2.10.4 in /tools (#838)

  • Bump github.com/vektra/mockery/v2 from 2.10.4 to 2.10.6 in /tools (#852)

  • Bump github.com/vektra/mockery/v2 from 2.10.6 to 2.12.0 in /tools (#869)

  • Bump go.opentelemetry.io/otel from 1.6.1 to 1.6.3 (#833)

  • Bump go.opentelemetry.io/otel/bridge/opencensus (#855)

  • Bump go.opentelemetry.io/otel/exporters/jaeger (#810)

  • Bump go.opentelemetry.io/otel/exporters/jaeger (#839)

  • Bump go.opentelemetry.io/otel/sdk from 1.6.0 to 1.6.1 (#809)

  • Bump go.uber.org/automaxprocs from 1.4.0 to 1.5.1 (#832)

  • Bump gocloud.dev from 0.24.0 to 0.25.0 (#816)

  • Bump google.golang.org/grpc from 1.45.0 to 1.46.0 (#865)

  • Bump gotest.tools/gotestsum from 1.7.0 to 1.8.0 in /tools (#836)

  • Bump helm.sh/helm/v3 from 3.8.1 to 3.8.2 (#846)

  • Bump modernc.org/sqlite from 1.15.3 to 1.15.4 (#813)

  • Bump modernc.org/sqlite from 1.15.4 to 1.16.0 (#835)

  • Bump modernc.org/sqlite from 1.16.0 to 1.17.0 (#863)

  • Bump version to 0.16.0

  • Group changelog items (#826)

  • Make playground test API response match validate and evaluate (#857)

  • Rename interface{} to any and use Go build info (#807)

  • Use the same format for GCS buckets (#806)

Other

  • Add the query planner tests (#873)