Cerbos v0.12.0


We are excited to introduce the new experimental query planner API to address a common use case in access control scenarios: filtering a list to retain only those items that a particular user has access to. You can now send a principal, action and resource kind to /api/x/plan/resources and obtain a tree representation of conditions that must be satisfied in order for that principal to be allowed to perform the action on that resource kind. This API addresses a long-standing request from our users and the underlying algorithms and the representation format will be further refined in upcoming releases based on user feedback. See Resources Query Plan for details about the new API.

Another exciting change in this release is the freshly revamped cerbosctl utility. In addition to being able to list and filter policies, you can now also list the schemas stored on the PDP. We have streamlined the user experience to reflect the common CLI patterns provided by other, highly popular infrastructure management tools and thereby reduce the time required to become familiar with Cerbos. This is one of the rare cases where we felt that a breaking change was necessary to improve PDP resource usage and to make the user experience better. The cerbosctl list command has been replaced with cerbosctl get and the underlying Admin API endpoints have changed to provide policy listing and retrieval with much more predictable and constrained resource usage regardless of how many policies are stored in the policy repository. See Admin API documentation and Cerbosctl documentation for more details.

You can now use auxData in policy test suites to verify that the policies behave as you expect given various permutations of JWT data. When tests fail, you can inspect the evaluation graph of the request using the verbose flag to the test runner. See 0.12.0@policies:compile.adoc for details.

Schema validation can now be disabled for particular actions to support special cases such as resource creation where most of the necessary attributes might not be available to pass the validation step.

In addition to the headline features outlined above, a variety of security, usability, reliability and documentation improvements are included in this release as well. Those include: switching the container base image to scratch, stricter JSON parsing for REST endpoints, automated documentation generation for configuration from source code analysis and, a new end-to-end test suite to exercise all supported storage drivers.


Bug Fixes

  • Detect files with multiple policies (#522)


  • Enable switching off schema validation for certain actions (#562)

  • BREAKING Replace cerbosctl list with cerbosctl get (#536)

  • Resources query planner (#505)


  • Add auxData and traces to tests (#508)

  • Add query planner filter kind (#558)

  • Query planner returns detailed error (#555)

  • Query planner to accept known resource attributes (#540)

  • BREAKING Refactor policy Admin API endpoints (#516)

  • Simplify query plan logical operation expressions with a single operand (#561)

  • Strict JSON request parsing (#537)

  • Switch from Distroless to scratch (#531)


  • Document the query plan response (#559)

  • Generate full configuration overview from code (#507)

  • Upgrade to DocSearch v3 (#526)


  • Add CodeCov integration (#563)

  • Add end-to-end test suite (#544)

  • Add workflow to run E2E tests (#554)

  • Bump github.com/alecthomas/chroma from 0.9.4 to 0.10.0 (#568)

  • Bump github.com/aws/aws-sdk-go from 1.42.22 to 1.42.23 (#510)

  • Bump github.com/bojand/ghz from 0.96.0 to 0.105.0 in /tools (#546)

  • Bump github.com/envoyproxy/protoc-gen-validate from 0.6.2 to 0.6.3 (#566)

  • Bump github.com/fergusstrange/embedded-postgres from 1.12.0 to 1.13.0 (#565)

  • Bump github.com/fullstorydev/grpcurl in /tools (#549)

  • Bump github.com/goreleaser/goreleaser from 0.184.0 to 1.2.5 in /tools (#547)

  • Bump github.com/goreleaser/goreleaser in /tools (#569)

  • Bump github.com/grpc-ecosystem/grpc-gateway/v2 from 2.5.0 to 2.7.2 in /tools (#545)

  • Bump github.com/grpc-ecosystem/grpc-gateway/v2 from 2.7.1 to 2.7.2 (#518)

  • Bump github.com/lestrrat-go/jwx from 1.2.13 to 1.2.14 (#527)

  • Bump github.com/lestrrat-go/jwx from 1.2.14 to 1.2.15 (#552)

  • Bump github.com/lestrrat-go/jwx from 1.2.15 to 1.2.17 (#564)

  • Bump github.com/minio/minio-go/v7 from 7.0.18 to 7.0.20 (#525)

  • Bump github.com/minio/minio-go/v7 from 7.0.20 to 7.0.21 (#572)

  • Bump github.com/opencontainers/runc from 1.0.2 to 1.0.3 (#520)

  • Bump github.com/spf13/afero from 1.6.0 to 1.7.0 (#519)

  • Bump github.com/spf13/afero from 1.7.0 to 1.7.1 (#533)

  • Bump github.com/spf13/afero from 1.7.1 to 1.8.0 (#551)

  • Bump github.com/spf13/cobra from 1.2.1 to 1.3.0 (#512)

  • Bump github.com/tidwall/gjson from 1.12.1 to 1.13.0 (#567)

  • Bump go.uber.org/zap from 1.19.1 to 1.20.0 (#543)

  • Bump google.golang.org/grpc/cmd/protoc-gen-go-grpc from 1.1.0 to 1.2.0 in /tools (#548)

  • Bump modernc.org/sqlite from 1.14.2 to 1.14.3 (#515)

  • Bump modernc.org/sqlite from 1.14.3 to 1.14.4 (#550)

  • Bump version to 0.12.0

  • Disable patch version updates for AWS SDK (#511)

  • Enable more linters (#530)

  • Enable server tests in CI (#557)

  • Extend test templates and refactor admin service tests (#513)

  • Fix struct field alignment (#524)

  • Handle case when query plan filter is nil (#553)

  • Run E2E tests on schedule (#556)

  • Tests for AddOrUpdateSchema endpoint (#541)

  • Update copyright notice (#534)

  • Wait for server to be ready before tests (#574)

  • Tidy go.mod correctly (#529)


  • Fix list policies endpoint returning error message (#509)