Cerbos v0.33.0

Highlights

Producing user-defined output from policy evaluation is now more expressive and includes the option when.conditionNotMet to produce output when the condition of a rule is not satisfied as well. This simplifies crafting policies for certain scenarios where it’s useful to know that some criteria was not met. As a part of this update, the structure of the output block has changed to make it clearer and easier to understand. Old policies will continue to work but we recommend updating your policies to use the new output syntax as follows.

Old syntax New syntax

Old syntax	New syntax
`- actions: ['view'] effect: EFFECT_ALLOW roles: ["user"] condition: match: expr: request.resource.attr.public == true output: expr: > "%s allowed to view".format([request.principal.id])`	`- actions: ['view'] effect: EFFECT_ALLOW roles: ["user"] condition: match: expr: request.resource.attr.public == true output: when: ruleActivated: > "%s allowed to view".format([request.principal.id])`

- actions: ['view']
  effect: EFFECT_ALLOW
  roles: ["user"]
  condition:
  match:
    expr: request.resource.attr.public == true
  output:
    expr: >
      "%s allowed to view".format([request.principal.id])

- actions: ['view']
  effect: EFFECT_ALLOW
  roles: ["user"]
  condition:
    match:
      expr: request.resource.attr.public == true
  output:
    when:
      ruleActivated: >
        "%s allowed to view".format([request.principal.id])

This release contains audit log improvements to provide more comprehensive visibility over policy revisions used for access decisions and ways to easily join application logs to Cerbos audit logs.

Audit log entries now contain store-specific metadata about the policies used to make the decision. For example, if the git store is used, the git commit hash of the policy used by the Cerbos engine is recorded in the audit log. This information can then be used to match access control decisions to the revision history of the policy repository during a security investigation.

The API response now include the unique call ID generated by Cerbos to create the audit log entry for that request. Applications can record this ID in their own logs to enable cross-referencing Cerbos audit logs with application logs.

As announced earlier, this release removes the deprecated client package and drops support for configuring distributed traces using the tracing configuration block. The official Go SDK is available at https://github.com/cerbos/cerbos-sdk-go and is largely a drop-in replacement with a few package renames. For the new way of configuring traces, refer to the migration instructions.

Changelog

Bug Fixes

Don’t forward connection-specific headers via gRPC-Gateway (#1938)
Query planner doesn’t use stable time (#1949)
Query planner must (pre)evaluate expressions with resource kind (#1921)
Restore User-Agent header aliasing (#1941)

Features

Add audit call ID to API responses (#1911)
Produce output if condition fails (#1932)
Record policy source attributes in audit log (#1889)

Enhancements

Add Admin API update timestamp to policy (#1903)
Add podLabels to the chart (#1912)
Configurable database connection retries (#1926)
BREAKING Drop support for tracing configuration block (#1898)
Pass all HTTP headers through unmodified from gRPC-Gateway (#1934)
BREAKING Remove deprecated client package (#1904)

Documentation

Add policy variable examples (#1940)
Fix image URLs (#1943)
Fix incorrect policy rule in tutorial (#1930)
Remove older versions (#1942)

Chores

Add 0.32.0 release notes (#1894)
Bump github.com/cloudflare/circl from 1.3.3 to 1.3.7 (#1935)
Bump github.com/cloudflare/circl from 1.3.5 to 1.3.7 in /tools (#1936)
Bump github.com/go-git/go-git/v5 from 5.7.0 to 5.11.0 in /tools (#1925)
Bump golang.org/x/crypto from 0.15.0 to 0.17.0 in /tools (#1916)
Bump version to 0.33.0
Downgrade github.com/chigopher/pathlib (#1924)
Ignore source attributes in cerbosctl tests (#1908)
Readme update (#1937)
Revert "docs: Fix image URLs (#1943)
Tag API module during release (#1909)
Tidy dependencies (#1899)
Tidy dependencies (#1907)
Update actions/setup-go action to v5 (#1906)
Update buf modules (#1902)
Update copyright header (#1931)
Update github actions deps to v3 (major) (#1915)
Update github actions deps to v4 (major) (#1923)
Update go deps (#1896)
Update go deps (#1905)
Update go deps (#1914)
Update go deps (#1922)
Update go deps (#1928)
Update go deps (#1933)
Update go deps (#1950)
Update google-github-actions/auth action to v2 (#1897)
Update google-github-actions/setup-gcloud action to v2 (#1929)
Update module golang.org/x/crypto to v0.17.0 [security] (#1917)
YAML to Protobuf parser (#1939)