Cerbos v0.41.0

Highlights

Since the last release, a lot of behind-the-scenes work has gone into revamping the Cerbos engine to better support scope permissions and role policies. Scope permissions allow users to change how scoped policies are evaluated by Cerbos. The default behaviour of scoped policies for a given action is to stop at the first policy in the scope chain that produces a decision. However, if the scopePermissions field of a scoped resource or principal policy is set to SCOPE_PERMISSIONS_REQUIRE_PARENTAL_CONSENT_FOR_ALLOWS, any ALLOW decision produced by that policy requires another ALLOW decision from a policy higher up in the scope chain. Effectively, scope permissions is a way to restrict child scopes from being more permissive than their parents.

Role policies supplement resource policies by allowing policy authors to further narrow the set of permissions for a given role. Any action not explicitly allowed by a role policy is immediately denied. Any allowed actions must still be allowed by the relevant resource policies as well. Role policies are activated based on the set of roles sent as principal.roles in the Cerbos CheckResources request and can be used to implement custom roles within applications.

Time-based functions used in condition expressions such as getHours and getMinutes default to UTC unless the time zone is explicitly provided as an argument to the function. Before upgrading, it’s recommended to review your policies to make sure that time calculations use the correct time zone. Refer to timestamps documentation to identify the affected functions.

Query planner now correctly handles expressions that refer to the principal or resource scope.

Policy tests are now stricter and will fail if a test defines an output expectation for an action that doesn’t exist in the input actions list.

Cerbos now correctly detects the number of available CPUs in Amazon ECS deployments. This should help reduce CPU throttling of the Cerbos process and make it more responsive.

Changelog

Bug fixes

Add missing policy required for mutable e2e tests (#2502)
Correctly handle defaultPolicyVersion engine config (#2449)
Correctly handle partial rule table and event subscription (#2455)
Fall back to default policy version sooner in query planner (#2450)
Reload rule table when store contents change (#2452)
Return validation errors and effective policies in query planner responses (#2447)
Rule table reload should only purge (#2467)
Use correct filterDebug type in e2e query planner test (#2448)

Features

Replace labels with deployments in bundle API v2 (#2483)
Use scope value in the query plan (#2485)

Enhancements

Correctly set GOMAXPROCS on ECS (#2459)
Fail tests with unreachable output expectations (#2418)
Lazy rule table (#2460)
Rule table engine (#2442)
Support bundlev2 (#2395)
BREAKING Switch to ContextEval to evaluate CEL expressions (#2495)

Documentation

Correct examples for math functions (#2445)
Scope permissions (#2487)
Update 03_calling-cerbos.adoc of tutorial to use the updated /api/check/resources endpoint (#2429)
Update what-is-cerbos.adoc tenant →tenet (#2406)

Chores

Add 0.41.0 release notes
Add read function to private package (#2433)
Add tests for resource policy with REQUIRE_PARENTAL_CONSENT_FOR_ALLOWS (#2466)
Bump filippo.io/age from 1.2.0 to 1.2.1 (#2423)
Bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 in /tools (#2491)
Bump github.com/quic-go/quic-go from 0.48.1 to 0.48.2 in /tools (#2405)
Bump golang.org/x/crypto from 0.29.0 to 0.31.0 in /tools (#2414)
Bump version to 0.41.0
Decouple role policies from scope permissions (#2496)
Downgrade protovalidate to 0.9.1 (#2486)
Implicit denies are now attributed to role policies instead of scoped resources (#2500)
Initialise protovalidate lazily (#2482)
Make ephemeral engine configurable (#2446)
Protect against non leaf REQUIRE_PARENTAL_CONSENT scopes (#2493)
BREAKING REQUIRE_PARENTAL_CONSENT refinements for resource and principal policies (#2484)
Remove SQL Server dependencies (#2394)
Remove SQL Server driver (#2393)
Remove map of relations section from the best practises page (#2399)
Replace golang.org/x/exp/maps with stdlib maps (#2504)
BREAKING Role policy deny rows (#2475)
Small optimisation in rule table lazy load (#2461)
Specify service when checking health via HTTP (#2468)
Temporarily disable fail-on-error behaviour for Coveralls unit test coverable uploads in GitHub workflow (#2476)
Test against npm v11 and pnpm v10 (#2439)
Update Prisma guide to use v2.0 (#2501)
Update alecthomas/kong to v1.5.1 (#2404)
Update copyright header (#2434)
Update dawidd6/action-download-artifact action to v7 (#2417)
Update dependency node to v22.13.0 (#2444)
Update github actions deps (#2427)
Update github actions deps (#2464)
Update github.com/bufbuild/protovalidate-go to 0.8.0 (#2428)
Update github.com/go-git/go-git/v5 (#2437)
Update go deps (#2397)
Update go deps (#2407)
Update go deps (#2415)
Update go deps (#2431)
Update go deps (#2435)
Update go deps (#2443)
Update go deps (#2453)
Update go deps (#2457)
Update go deps (#2463)
Update go deps (#2472)
Update go deps (#2478)
Update go deps (#2488)
Update go deps (#2498)
Update golang.org/x/crypto to 0.35.0 (#2494)
Update golang.org/x/net to 0.33.0 (#2425)
Update golangci/golangci-lint-action action to v6.5.0 (#2479)
Update module golang.org/x/crypto to v0.31.0 [security] (#2413)
Update module golang.org/x/net to v0.33.0 [security] (#2424)
Update node.js deps (#2398)
Update node.js deps (#2408)
Update node.js deps (#2416)
Update node.js deps (#2426)
Update node.js deps (#2430)
Update node.js deps (#2499)
Update pnpm to v9.15.3 (#2436)
Update pnpm to v9.15.4 (#2454)
Update sigstore/cosign-installer action to v3.8.1 (#2489)
Upgrade CEL (#2412)
Upgrade to Go 1.24 (#2480)
Upgrade to go-yaml 1.15.6 (#2403)
Use global protovalidate Validator (#2497)
update dawidd6/action-download-artifact action to v8 (#2474)
update github actions deps (#2473)
update node.js deps (#2458)
update node.js deps (#2490)
update npm to v11 (#2471)
update pnpm to v10.2.1 (#2470)