Cerbos v0.29.0
This release of Cerbos is packed with new features and enhancements to make policy authoring and operations easier.
Highlights
Now it’s possible to share variable definitions between multiple policies using the new ExportVariables policy type. You can define your variables in a dedicated file and import them into any of the other policies to reuse common values and expressions across your policy repo. Read more about how to use them at Variables.
A new globals object is available to policies at runtime to read environment-specific values defined in the configuration file of the Cerbos server. This is useful if you want your policies to consider certain values defined in the execution environment while evaluating the rules. See globals documentation for more information.
When evaluating scoped policies, the default behaviour of Cerbos is to fail if a policy file with the requested scope doesn’t exist. You can now relax this requirement through a configuration setting. When lenient scope search is enabled, if a policy file with the requested scope doesn’t exist in the policy repo, Cerbos will walk up through the scope chain until it finds a defined policy. Note that only leaf scopes can be missing. It’s still an error to have policies missing from the middle of the scope chain. See Scoped policies for details.
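The following Go sketch models the lenient scope search described above. It is an added example, not code from Cerbos; the names ResolveScope and parentScope are hypothetical, the policy set is constructed, and it assumes the chain must be unbroken up to the root (empty) scope.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var ErrNoPolicy = errors.New("no policy for requested scope")
var ErrBrokenChain = errors.New("policy missing from the middle of the scope chain")

// parentScope walks one step up: "acme.hr.uk" -> "acme.hr" -> "acme" -> "" (root).
func parentScope(s string) (string, bool) {
	if s == "" {
		return "", false // the root scope has no parent
	}
	if i := strings.LastIndex(s, "."); i >= 0 {
		return s[:i], true
	}
	return "", true
}

// ResolveScope returns the scope whose policy is evaluated first for a request.
func ResolveScope(defined map[string]bool, requested string, lenient bool) (string, error) {
	scope := requested
	for !defined[scope] {
		p, ok := parentScope(scope)
		if !lenient || !ok {
			return "", fmt.Errorf("%w: %q", ErrNoPolicy, requested)
		}
		scope = p // lenient mode: a missing leaf falls back to its parent
	}
	// Only leaf scopes may be missing: every ancestor of the match must exist.
	for s, ok := parentScope(scope); ok; s, ok = parentScope(s) {
		if !defined[s] {
			return "", fmt.Errorf("%w: %q", ErrBrokenChain, s)
		}
	}
	return scope, nil
}

func main() {
	defined := map[string]bool{"": true, "acme": true, "acme.hr": true} // constructed policy repo
	for _, lenient := range []bool{false, true} {
		got, err := ResolveScope(defined, "acme.hr.uk", lenient)
		fmt.Printf("lenient=%v scope=%q err=%v\n", lenient, got, err)
	}
}
```

With lenient search on, a request for an undefined leaf scope is decided by the nearest defined ancestor, so parent policies should be reviewed with that fallback in mind.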
The ListPolicies admin API endpoint now supports optional parameters to filter the result list by name, version and scope.
The Kafka audit log sink can now be configured with TLS certificates for client and server authentication. This is a community contribution from @shangardezi.
@mark-piper contributed a patch to fix an issue where the request ID was not being logged to the audit entry.
When working with JSON policy files, you can use the $schema key to help the editor find the JSON schema for policies and provide auto completion and other contextual editing features. See Policy authoring for details.
Changelog
Chores
- Add E2E test for lenient scopes (#1657)
- Add parentheses after the function name getSeconds (#1684)
- Bump github.com/lestrrat-go/jwx/v2 from 2.0.9 to 2.0.11 (#1643)
- Bump version to 0.29.0
- Disable cache of Go installation for GolangCI (#1662)
- Don’t use built-in caching in setup-go action (#1678)
- Downgrade telepresence (#1641)
- Run govulncheck without verbose flag (#1675)
- Update bufbuild/buf-setup-action action to v1.22.0 (#1665)
- Update bufbuild/buf-setup-action action to v1.23.1 (#1671)
- Update cloud-api to 0.1.4 (#1698)
- Update github actions deps (#1652)
- Update go deps (#1651)
- Update go deps (#1666)
- Update go deps (#1672)
- Update go deps (#1680)
- Update module github.com/jackc/pgx/v4 to v5 (#1653)