Cerbos v0.22.0

Highlights

The query planner is now smarter and able to produce simpler, optimized plans for some commonly seen filter patterns. For example, checking for membership in a single-item list can be converted to a comparison operation, and checking for membership in an empty list can be reduced to simply returning false. This should help you build better database queries for listing resources filtered using access control logic.
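The two rewrites described above, as an added Go sketch that is not Cerbos code and does not use the Cerbos plan schema. The Expr type, the column allow-list and the ? placeholder style are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Expr is a toy filter node (hypothetical, not the Cerbos plan schema); Op is "in", "eq" or "false".
type Expr struct {
	Op     string
	Field  string
	Values []any
}

// Simplify applies the two rewrites described in the release notes.
func Simplify(e Expr) Expr {
	if e.Op == "in" && len(e.Values) == 0 {
		return Expr{Op: "false"} // x in [] can never match
	}
	if e.Op == "in" && len(e.Values) == 1 {
		return Expr{Op: "eq", Field: e.Field, Values: e.Values} // x in [v] is x == v
	}
	return e
}

// ToSQL renders a parameterised WHERE fragment: fields pass the cols allow-list, values become bind args.
func ToSQL(e Expr, cols map[string]string) (string, []any, error) {
	if e.Op == "false" {
		return "FALSE", nil, nil
	}
	col, ok := cols[e.Field]
	if !ok {
		return "", nil, fmt.Errorf("unmapped field %q", e.Field)
	}
	switch e.Op {
	case "eq":
		return col + " = ?", e.Values, nil
	case "in":
		marks := strings.TrimSuffix(strings.Repeat("?, ", len(e.Values)), ", ")
		return col + " IN (" + marks + ")", e.Values, nil
	}
	return "", nil, fmt.Errorf("unsupported operator %q", e.Op)
}

func main() {
	cols := map[string]string{"request.resource.attr.owner": "owner"} // constructed mapping
	sql, args, _ := ToSQL(Simplify(Expr{Op: "in", Field: "request.resource.attr.owner", Values: []any{"alice"}}), cols)
	fmt.Println(sql, args)
}
```

The empty-list case matters on the database side as well: PostgreSQL and MySQL reject an empty IN () list, so a filter reduced to false is easier to translate safely.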

There are several more improvements and fixes to the query planner in this release:

  • Query plan requests are now validated using schemas if they are available. This should help catch invalid requests and schema drifts early.

  • All the custom CEL functions provided by Cerbos are now supported for query plan generation.

  • A few more edge cases and bugs found by production users have been addressed.

The Cerbos engine now coordinates all parallel requests to changed policies while they’re being compiled. This should help reduce latency spikes on busy servers during policy recompilation.

To aid with debugging, if the Cerbos process receives a USR1 signal, it will now temporarily switch the log level to debug for 10 minutes.

Validation rules for scopes have been relaxed. Scope components no longer need to be at least two characters long.

Changelog

Bug Fixes

  • Derived role condition is optional (#1301)

  • Handle other data types while optimizing IN expression (#1334)

  • Handling of null value by the query planner (#1317)

  • Missing setters in policy builders (#1325)

  • Treat non-boolean expression results as false (#1256)

  • Update hasIntersection function to support partial eval (#1278)

  • Validate required fields in PlanResourcesRequest (#1262)

Features

  • Optimise a query plan of a membership test in a single-item list (#1299)

  • Optimise query plan for index into struct (#1327)

  • Temporary log level change with USR1 signal (#1255)

  • Update list functions to support partial eval (#1281)

Enhancements

  • Group compile requests (#1235)

  • Relax validation rule for scopes (#1254)

Documentation

  • Add tip about using cerbosctl to load policies (#1332)

  • Added Engineering section with post on single process usage (#1264)

  • Fix formatting of table in tutorial (#1329)

  • Fix usage of CEL matches operator (#1245)

  • Make optionality of Scoped Policies more explicit (#1251)

  • README key concepts (#1274)

  • Updated the user logos on the readme (#1321)

  • Updating the logos (#1313)

Chores

  • Allow configuring a custom nodePort in helm chart values (#1250)

  • Bump amannn/action-semantic-pull-request from 4.5.0 to 4.6.0 (#1239)

  • Bump amannn/action-semantic-pull-request from 4.6.0 to 5.0.2 (#1283)

  • Bump github.com/denisenkom/go-mssqldb from 0.12.2 to 0.12.3 (#1285)

  • Bump github.com/dgraph-io/badger/v3 from 3.2103.2 to 3.2103.3 (#1291)

  • Bump github.com/envoyproxy/protoc-gen-validate from 0.6.8 to 0.6.13 (#1270)

  • Bump github.com/envoyproxy/protoc-gen-validate from 0.6.8 to 0.6.13 in /hack/tools/protoc-gen-jsonschema (#1273)

  • Bump github.com/envoyproxy/protoc-gen-validate from 0.6.8 to 0.6.13 in /tools (#1271)

  • Bump github.com/fergusstrange/embedded-postgres from 1.17.0 to 1.18.0 (#1241)

  • Bump github.com/fergusstrange/embedded-postgres from 1.18.0 to 1.19.0 (#1267)

  • Bump github.com/goreleaser/goreleaser from 1.11.4 to 1.11.5 in /tools (#1272)

  • Bump github.com/minio/minio-go/v7 from 7.0.37 to 7.0.38 (#1244)

  • Bump github.com/minio/minio-go/v7 from 7.0.38 to 7.0.39 (#1258)

  • Bump github.com/minio/minio-go/v7 from 7.0.39 to 7.0.40 (#1266)

  • Bump github.com/minio/minio-go/v7 from 7.0.40 to 7.0.41 (#1295)

  • Bump github.com/pterm/pterm from 0.12.46 to 0.12.48 (#1260)

  • Bump github.com/pterm/pterm from 0.12.48 to 0.12.49 (#1269)

  • Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp from 0.35.0 to 0.36.0 (#1242)

  • Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp from 0.36.0 to 0.36.1 (#1259)

  • Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp from 0.36.1 to 0.36.3 (#1294)

  • Bump go.opentelemetry.io/contrib/propagators/autoprop from 0.35.0 to 0.36.0 (#1243)

  • Bump go.opentelemetry.io/contrib/propagators/autoprop from 0.36.0 to 0.36.1 (#1257)

  • Bump go.opentelemetry.io/contrib/propagators/autoprop from 0.36.1 to 0.36.3 (#1293)

  • Bump go.opentelemetry.io/contrib/propagators/b3 from 1.10.0 to 1.11.0 (#1288)

  • Bump go.opentelemetry.io/otel from 1.10.0 to 1.11.0 (#1286)

  • Bump go.opentelemetry.io/otel/bridge/opencensus from 0.32.1 to 0.32.3 (#1290)

  • Bump go.opentelemetry.io/otel/exporters/jaeger from 1.10.0 to 1.11.0 (#1287)

  • Bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc from 1.10.0 to 1.11.0 (#1292)

  • Bump gocloud.dev from 0.26.0 to 0.27.0 (#1261)

  • Bump google-github-actions/setup-gcloud from 0.6.0 to 0.6.2 (#1284)

  • Bump google.golang.org/grpc from 1.49.0 to 1.50.0 (#1268)

  • Bump google.golang.org/grpc from 1.50.0 to 1.50.1 (#1298)

  • Bump helm.sh/helm/v3 from 3.10.0 to 3.10.1 (#1296)

  • Bump helm.sh/helm/v3 from 3.9.4 to 3.10.0 (#1240)

  • Bump helm/kind-action from 1.3.0 to 1.4.0 (#1238)

  • Bump modernc.org/sqlite from 1.19.1 to 1.19.2 (#1297)

  • Bump version to 0.22.0

  • Configure Renovate (#1302)

  • Confirm hierarchy funcs support partial eval (#1282)

  • Re-generate mocks (#1324)

  • Remove single commit validation (#1316)

  • Run Go vulnerability check periodically (#1236)

  • Set output via environment file rather than stdout (#1277)

  • Stable string representation for query filter (#1307)

  • Update alpine base image from 3.15 to 3.16 (#1248)

  • Update azure/setup-helm action to v3.4 (#1322)

  • Update github actions deps (#1314)

  • Update go deps (#1304)

  • Update go deps (#1315)

  • Update go deps (#1323)

  • Update go.opentelemetry.io/otel/bridge/opencensus to 0.32.1 (#1237)

  • Update module github.com/google/go-licenses to v1 (#1305)

  • Update voxmedia/github-action-slack-notify-build action to v2 (#1306)

  • Use latest Go version in builds (#1275)