Cerbos v0.29.0

This release of Cerbos is packed with new features and enhancements to make policy authoring and operations easier.


Now it’s possible to share variable definitions between multiple policies using the new ExportVariables policy type. You can define your variables in a dedicated file and import them into any of the other policies to reuse common values and expressions across your policy repo. Read more about how to use them at Variables.

A new globals object is available to policies at runtime to read environment-specific values defined in the configuration file of the Cerbos server. This is useful if you want your policies to consider certain values defined in the execution environment while evaluating the rules. See globals documentation for more information.

When evaluating scoped policies, the default behaviour of Cerbos is to fail if a policy file with the requested scope doesn’t exist. You can now relax this requirement through a configuration setting. When lenient scope search is enabled, if a policy file with the requested scope doesn’t exist in the policy repo, Cerbos will walk up through the scope chain until it finds a defined policy. Note that only leaf scopes can be missing. It’s still an error to have policies missing from the middle of the scope chain. See Scoped policies for details.
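The lookup described above, modelled in Go as an added example (this is not code from the Cerbos project). It assumes scopes are dot-separated and that the chain ends at the unscoped root policy; `resolveScope`, `scopeChain` and the sample repo are hypothetical names constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var (
	ErrNoPolicy    = errors.New("no policy found for requested scope")
	ErrBrokenChain = errors.New("policy missing from the middle of the scope chain")
)

// scopeChain lists a scope and its ancestors, most specific first, ending with
// the unscoped root "" (assumed dot-separated): "a.b" -> ["a.b", "a", ""].
func scopeChain(scope string) []string {
	chain := []string{}
	for parts := strings.Split(scope, "."); scope != "" && len(parts) > 0; parts = parts[:len(parts)-1] {
		chain = append(chain, strings.Join(parts, "."))
	}
	return append(chain, "")
}

// resolveScope returns the scope whose policy is evaluated first. defined is
// the set of scopes that have a policy file (a constructed model of the repo).
func resolveScope(defined map[string]bool, requested string, lenient bool) (string, error) {
	chain := scopeChain(requested)
	start := 0
	for lenient && start < len(chain)-1 && !defined[chain[start]] {
		start++ // lenient: skip missing leaf scopes, walking towards the root
	}
	if !defined[chain[start]] {
		return "", fmt.Errorf("%w: %q", ErrNoPolicy, requested)
	}
	for _, s := range chain[start+1:] {
		if !defined[s] { // every ancestor of the match must still exist
			return "", fmt.Errorf("%w: %q", ErrBrokenChain, s)
		}
	}
	return chain[start], nil
}

func main() {
	repo := map[string]bool{"": true, "acme": true, "acme.hr": true} // constructed
	for _, lenient := range []bool{false, true} {
		got, err := resolveScope(repo, "acme.hr.uk", lenient)
		fmt.Printf("lenient=%v scope=%q err=%v\n", lenient, got, err)
	}
}
```

With lenient search on, a request for a scope that has no policy file is decided by the nearest ancestor's rules, so it is worth reviewing which parent policies would apply to scopes that have not been written yet.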

The ListPolicies admin API endpoint now supports optional parameters to filter the result list by name, version and scope.

The Kafka audit log sink can now be configured with TLS certificates for client and server authentication. This is a community contribution from @shangardezi.

@mark-piper contributed a patch to fix an issue where the request ID was not being logged to the audit entry.

When working with JSON policy files, you can use the $schema key to help the editor find the JSON schema for policies and provide autocompletion and other contextual editing features. See Policy authoring for details.


Bug Fixes

  • Fix overlay e2e test caused by troublesome bitnami postgres image (#1677)

  • Log request_id in the grpc "Handled request" log message (#1691)

  • Obtain write lock while reloading index (#1659)


  • Add tls support kafka (#1667)

  • Allow reuse of variable definitions between policies (#1646)

  • Allow top-level $schema field in JSON files (#1676)

  • Introduce environment-specific global variables (#1645)

  • Lenient scope search (#1655)

  • Quit REPL when Ctrl-D is pressed on an empty prompt (#1674)


  • Add ListPolicies filtering ability to cerbosctl get (#1649)

  • Add config checksum to pod annotations so that deployment restarts on config changes (#1693)

  • Add filtering in the ListPolicies RPC (#1642)

  • Add getters for principal and resource ID fields (#1660)


  • Add E2E test for lenient scopes (#1657)

  • Add parentheses after the function name getSeconds (#1684)

  • Bump github.com/lestrrat-go/jwx/v2 from 2.0.9 to 2.0.11 (#1643)

  • Bump version to 0.29.0

  • Disable cache of Go installation for GolangCI (#1662)

  • Don’t use built-in caching in setup-go action (#1678)

  • Downgrade telepresence (#1641)

  • Run govulncheck without verbose flag (#1675)

  • Update bufbuild/buf-setup-action action to v1.22.0 (#1665)

  • Update bufbuild/buf-setup-action action to v1.23.1 (#1671)

  • Update cloud-api to 0.1.4 (#1698)

  • Update github actions deps (#1652)

  • Update go deps (#1651)

  • Update go deps (#1666)

  • Update go deps (#1672)

  • Update go deps (#1680)

  • Update module github.com/jackc/pgx/v4 to v5 (#1653)