Upgrading to Cerbos 0.14.0

This release introduces matrix tests for policy tests, and existing test files require minor changes to be compatible with the new test runner.

input section
  • resource field has been replaced with a list field named resources that must contain one or more resources to use as input to the test.

  • A new list field named principals has been added to define the list of principals to be used as input to the test.

  • requestID field has been removed.

expected section
  • resource is a new, required field that must be populated to indicate which resource is being referred to in the expectation.

  • Only resource and principal combinations that are expected to produce an ALLOW result need to be defined in the expected section. If no pair is defined, it is assumed to produce a DENY result.

The example below illustrates how to convert an existing test to the new format.

Before Cerbos 0.14.0:

---
name: AlbumObjectTestSuite
resources:
  alicia_private_album:
    kind: "album:object"
    attr:
      owner: "alicia"
      id: "XX125"
      public: false
      flagged: false

principals:
  alicia:
    id: "alicia"
    roles: ["user"]

  bradley:
    id: "bradley"
    roles: ["user"]

  maria:
    id: "maria"
    roles: ["moderator", "user"]

tests:
  - name: View album
    input:
      actions: ["view"]
      resource: alicia_private_album
    expected:
      - principal: alicia
        actions:
          view: EFFECT_ALLOW

      - principal: bradley
        actions:
          view: EFFECT_DENY

      - principal: maria
        actions:
          view: EFFECT_DENY

After Cerbos 0.14.0:

---
name: AlbumObjectTestSuite
resources:
  alicia_private_album:
    kind: "album:object"
    attr:
      owner: "alicia"
      id: "XX125"
      public: false
      flagged: false

principals:
  alicia:
    id: "alicia"
    roles: ["user"]

  bradley:
    id: "bradley"
    roles: ["user"]

  maria:
    id: "maria"
    roles: ["moderator", "user"]

tests:
  - name: View album
    input:
      actions: ["view"]
      principals: ["alicia", "bradley", "maria"]
      resources: ["alicia_private_album"]
    expected:
      - principal: alicia
        resource: alicia_private_album
        actions:
          view: EFFECT_ALLOW
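
The conversion rules above can be applied mechanically. The following is an added example, not code from Cerbos or from the original page: migrate_test is a hypothetical helper that works on a test entry already parsed from YAML into a Python dict. It assumes the old test exercised exactly the principals named in its expected section, and it keeps the denied principals in the input so those pairs are still run and checked against the implicit DENY.

```python
import copy

# Constructed sample: the page's "before" test entry, already parsed from YAML,
# with a requestID added to show its removal.
OLD_TEST = {
    "name": "View album",
    "input": {"requestID": "test", "actions": ["view"],
              "resource": "alicia_private_album"},
    "expected": [
        {"principal": "alicia", "actions": {"view": "EFFECT_ALLOW"}},
        {"principal": "bradley", "actions": {"view": "EFFECT_DENY"}},
        {"principal": "maria", "actions": {"view": "EFFECT_DENY"}},
    ],
}


def migrate_test(test, prune_deny=True):
    """Convert one pre-0.14.0 test entry to the 0.14.0 layout (hypothetical helper)."""
    new = copy.deepcopy(test)
    inp = new["input"]
    inp.pop("requestID", None)        # requestID has been removed
    resource = inp.pop("resource")    # the single resource becomes a list
    inp["resources"] = [resource]
    # Assumption: the old test exercised exactly the principals in `expected`.
    # Keep all of them, denied ones included, so the matrix still runs those
    # pairs and checks them against the implicit DENY.
    inp["principals"] = list(dict.fromkeys(e["principal"] for e in test["expected"]))
    expected = []
    for e in test["expected"]:
        all_deny = all(v == "EFFECT_DENY" for v in e["actions"].values())
        if prune_deny and all_deny:
            continue                  # undefined pairs are assumed to DENY
        expected.append({
            "principal": e["principal"],
            "resource": resource,     # required in the new expected section
            "actions": dict(e["actions"]),
        })
    new["expected"] = expected
    return new


if __name__ == "__main__":
    import json
    print(json.dumps(migrate_test(OLD_TEST), indent=2))
```

Passing prune_deny=False keeps the explicit EFFECT_DENY expectations (with the resource field added) instead of relying on the default.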