Cerbos v0.31.0


This release introduces the runtime.effectiveDerivedRoles variable which can be used in policy condition expressions to inspect the set of activated derived roles in the current policy execution context. This feature makes it easier to write advanced policy rules without duplicating the logic used to define derived roles. Refer to documentation for more information.

Cerbos server now automatically detects when the TLS certificates change on disk and reloads them without requiring a service restart. This makes automated certificate rotation painless and encourages better security practices through short-lived certificates.

Lenient scope search can now be enabled for policy test suites either globally or on a per-test basis.

You can now configure Cerbos to not reject legacy JWTs that don’t have kid or alg claims. The default behaviour of Cerbos is to reject such tokens because they are considered insecure.

In light of the the recently discovered HTTP/2 rapid reset vulnerability affecting all public HTTP/2 implementations, Cerbos now includes a configuration option to limit the number of maximum concurrent streams per gRPC connection. The default is 1024 concurrent streams. You can set server.advanced.grpc.maxConcurrentStreams configuration to 0 to get back the previous behaviour of virtually unlimited concurrent streams.

The Cerbos Go SDK is now a separate Go module available at github.com/cerbos/cerbos-sdk-go. This makes the SDK leaner and more secure with fewer dependencies to manage. The client package available from github.com/cerbos/cerbos/client is now deprecated and will be removed in a future release. Migration in most cases would just require updating the import paths. Refer to the README at https://github.com/cerbos/cerbos-sdk-go or Go docs for more information.


Bug fixes

  • Correct link to resources test fixture schema (#1829)

  • Fix resource kind in test (#1813)


  • BREAKING Make runtime.effectiveDerivedRoles available in CEL expressions (#1778)

  • Reload certificates when they change on disk (#1841)


  • Add support for defining topology spread constraints (#1821)

  • Allow parsing JWTs with legacy keysets (#1823)

  • BREAKING Configure gRPC max concurrent streams (#1853)

  • Deprecate client package (#1815)

  • Lenient scope search in tests (#1838)

  • Migrate to protovalidate (#1800)

  • Separate Go module for API definitions (#1801)


  • Remove unstable warning from Admin API (#1835)

  • Update Neovim yamlls configuration section (#1824)


  • Add link to Laravel SDK (#1810)

  • Bump golang.org/x/net from 0.15.0 to 0.17.0 in /api/genpb (#1830)

  • Bump golang.org/x/net from 0.15.0 to 0.17.0 in /tools (#1831)

  • Bump golang.org/x/net from 0.16.0 to 0.17.0 (#1833)

  • Bump google.golang.org/grpc from 1.58.0 to 1.58.3 in /tools (#1848)

  • Bump version to 0.31.0

  • Drop replace directive for API module (#1802)

  • Remove coverage badge (#1811)

  • Rename Cerbos Cloud to Cerbos Hub (#1836)

  • Set go.mod version to 1.21 (#1809)

  • Set go.work version to 1.21 (#1817)

  • Update Buf modules (#1822)

  • Update actions/checkout action to v4 (#1806)

  • Update amannn/action-semantic-pull-request action to v5.3.0 (#1819)

  • Update bufbuild/buf-lint-action action to v1.1.0 (#1840)

  • Update bufbuild/buf-setup-action action to v1.27.0 (#1827)

  • Update bufbuild/buf-setup-action action to v1.27.1 (#1844)

  • Update github actions deps to v3 (major) (#1807)

  • Update go deps (#1805)

  • Update go deps (#1816)

  • Update go deps (#1818)

  • Update go deps (#1826)

  • Update go deps (#1839)

  • Update go deps (#1845)

  • Update go deps (#1852)

  • Update goreleaser/goreleaser-action action to v5 (#1808)