Cerbos v0.38.1

Highlights

The hub storage driver can now be configured to connect to any private playground hosted on Cerbos Hub. This allows individuals and teams to use the IDE-like functionality of the playgrounds to quickly build authorization prototypes and test them end-to-end without worrying about deploying infrastructure first.

The policy version and scope of the resource and principal are now available for use in policy conditions through request.resource.policyVersion, request.resource.scope, request.principal.policyVersion and request.principal.scope.
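As an added illustration (not from the release notes or the Cerbos project itself) of how these new fields can be used in a condition, the resource policy below grants the view action only when the principal and resource were evaluated in the same scope, which is one way to stop a principal from one tenant acting on another tenant's records. The resource kind, scope, role and action names are constructed for this example.

```yaml
# Constructed example: apiVersion/resourcePolicy structure follows the standard Cerbos
# policy format; resource kind, scope and role names are placeholders.
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  scope: "acme"
  resource: "salary_record"
  rules:
    - actions: ["view"]
      effect: EFFECT_ALLOW
      roles: ["manager"]
      condition:
        match:
          all:
            of:
              # Principal and resource must have been submitted with the same scope
              # (e.g. both "acme.hr"), so a manager in "acme.sales" is denied.
              - expr: request.principal.scope == request.resource.scope
              # Only allow when the resource is being checked against the
              # policy version this rule was written for.
              - expr: request.resource.policyVersion == "default"
```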

The cerbos compile command now produces better error messages to help track down issues with missing scope policies.

In addition to signing the Cerbos release binaries and containers using Sigstore infrastructure, the release process now produces SBOMs to help trace the provenance of each Cerbos release.

The response from the InspectPolicies Admin API endpoint now includes the principal and resource attributes referenced by the inspected policies. Note that this is currently an API-only update; the SDK and cerbosctl updates needed to interact with it will follow soon.

The official Cerbos Helm chart now includes a values.schema.json file to help discover any configuration problems.

The documentation now includes a static version of the Cerbos OpenAPI specification. For the interactive version, launch a Cerbos PDP and navigate to http://localhost:3592.

Changelog

Bug Fixes

  • Handle empty decision entries during sync (#2222)

  • Reduce memory usage in badger stream for hub audit backend (#2243)

  • Replace badger stream with prefixed key-only scan (#2247)

Features

  • Allow Hub storage driver to connect to playgrounds (#2176)

Enhancements

  • Access to scope and policy version from conditions (#2237)

  • Generate SBOMs for release artifacts (#2217)

  • Helm values schema (#2230)

  • List referenced attributes in InspectPolicies (#2224)

  • More details for missing scope errors (#2194)

Documentation

  • Add OpenAPI documentation (#2190)

  • Helm instructions for configuring Hub (#2232)

Chores

  • Add ECR to release destinations (#2199)

  • Add PolicyWrapper protobuf (#2206)

  • Add details to audit sync errors (#2211)

  • Add identity components to policy wrapper (#2221)

  • Add missing continue to ignore non-string keys in JWT claims (#2238)

  • Annotate deprecated fields in audit log entry (#2236)

  • Bump github.com/docker/docker from 25.0.5+incompatible to 26.1.4+incompatible (#2242)

  • Bump github.com/docker/docker from 27.0.0+incompatible to 27.1.0+incompatible in /tools (#2241)

  • Bump github.com/hashicorp/go-retryablehttp from 0.7.5 to 0.7.7 in /tools (#2198)

  • Bump google.golang.org/grpc from 1.64.0 to 1.64.1 in /tools (#2213)

  • Bump version to 0.38.0

  • Clear disk space in Snapshots workflow (#2205)

  • Clear disk space in Test workflow (#2207)

  • Enable PR check for feature branches (#2193)

  • Expose plan.Resources from private package (#2234)

  • Generate Connect RPC stubs (#2216)

  • Migrate to just (#2214)

  • Remove callback from local audit log (#2248)

  • Set image tag for redocly/cli (#2231)

  • Share Hub base client (#2215)

  • Skip publishing snapshots to ECR (#2220)

  • Trace logs for log sync (#2212)

  • Tune Badger settings (#2244)

  • Update amannn/action-semantic-pull-request action to v5.5.3 (#2200)

  • Update bufbuild/buf-setup-action action to v1.34.0 (#2197)

  • Update bufbuild/buf-setup-action action to v1.35.1 (#2239)

  • Update dawidd6/action-download-artifact action to v4 (#2203)

  • Update dawidd6/action-download-artifact action to v6 (#2228)

  • Update go deps (#2196)

  • Update go deps (#2201)

  • Update go deps (#2209)

  • Update go deps (#2219)

  • Update go deps (#2225)

  • Update go deps (#2240)

  • Update go deps (#2251)

  • Update golangci/golangci-lint-action action to v6.1.0 (#2252)

  • Update node.js deps (#2202)

  • Update node.js deps (#2218)

  • Update node.js deps (#2226)

  • Update pnpm to v9.5.0 (#2210)

  • Update to go1.22.5 (#2204)

  • Wrap credential validation error (#2235)