Cerbos v0.11.0

Highlights

This release’s defining feature is support for defining schemas for the contextual data that is required to evaluate policies. From the outset, Cerbos was designed to be a stateless application that has no access to your important data. Client applications are responsible for sending all the data required to evaluate access policies with each request to the PDP. With the schema support introduced in this release, policy authors can define JSON schemas for the principal and resource attributes required by each policy. Using the full expressive power of JSON Schema draft 2020-12, the entire shape of the request can be defined, including enforcing strict data types and formats for fields and marking some fields as required.

Schema enforcement is disabled by default for backward compatibility. Once you have defined schemas and updated your policies to reference them, you can initially configure the Cerbos PDPs to warn when requests don’t conform to the schema. The warnings are returned in the response and logged to the audit logs as well. After you have fixed the warnings, set the enforcement level to reject and any invalid request will result in a DENY response. See 0.11.0@policies:schemas.adoc for more information.
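The rollout described above, as a constructed example that is not part of the release notes or the Cerbos repository: a JSON schema for a resource's attributes, a resource policy that references it, and the PDP configuration switched from warn to reject. The file paths, the `cerbos:///` reference scheme, the `schemas` block in the policy and the `schema.enforcement` configuration key are assumptions about the feature; confirm them against the schemas and configuration pages linked above.

```yaml
# Constructed example; not from the release notes or the Cerbos repo.
# Paths, the cerbos:/// reference scheme, the `schemas` policy block and the
# `schema.enforcement` key are assumptions about the feature described above.

# --- _schemas/expense_report.json : the shape of resource.attr the policy relies on ---
{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "type": "object",
  "properties": {
    "ownerId":   { "type": "string" },
    "amount":    { "type": "number", "minimum": 0 },
    "status":    { "type": "string", "enum": ["DRAFT", "SUBMITTED", "APPROVED"] },
    "createdAt": { "type": "string", "format": "date-time" }
  },
  "required": ["ownerId", "amount", "status"]
}
---
# --- expense_report.yaml : resource policy that opts in to the schema ---
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: default
  resource: expense_report
  schemas:
    resourceSchema:
      ref: cerbos:///expense_report.json
  rules:
    # The condition depends on ownerId being present and a string. The schema makes
    # that an explicit contract with the client instead of an implicit assumption.
    - actions: ["view", "edit"]
      effect: EFFECT_ALLOW
      roles: ["employee"]
      condition:
        match:
          expr: request.resource.attr.ownerId == request.principal.id
---
# --- .cerbos.yaml : PDP configuration, rolled out in two steps ---
# Step 1: warn only. Requests are still evaluated; validation failures are returned
# in the response and written to the audit log, so client bugs can be fixed first.
schema:
  enforcement: warn
# Step 2: once the audit log shows no more validation warnings, switch to reject so
# any request whose attributes do not conform to the schema results in DENY.
# schema:
#   enforcement: reject
```

The two-step rollout matters because a policy condition that reads a missing or mistyped attribute fails silently in the sense that it simply does not match; the warn phase surfaces those requests in the audit log before reject turns them into hard denials.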

This release also adds preliminary support for OpenTelemetry distributed traces in either W3C Trace Context or B3 formats. See 0.11.0@configuration:tracing.adoc for more information.

Changelog

Bug Fixes

  • Make auxData optional in the OpenAPI example (#476)

Features

  • Attribute validation using JSON schemas (#485)

  • Support for OpenTelemetry traces (#443)

Enhancements

  • Add schema support to playground (#496)

  • Log the number of policies found on startup (#488)

Documentation

  • Add schema example to photo-share tutorial (#490)

  • Add tutorials to documentation (#454)

  • Make the Admin API docs follow a consistent style (#486)

  • References variable for container image (#455)

Chores

  • Add docs publication workflow (#459)

  • Add latest tag and remove JFrog (#445)

  • Bump github.com/aws/aws-sdk-go from 1.42.15 to 1.42.19 (#471)

  • Bump github.com/aws/aws-sdk-go from 1.42.19 to 1.42.22 (#500)

  • Bump github.com/aws/aws-sdk-go from 1.42.4 to 1.42.7 (#447)

  • Bump github.com/aws/aws-sdk-go from 1.42.7 to 1.42.9 (#452)

  • Bump github.com/aws/aws-sdk-go from 1.42.9 to 1.42.15 (#466)

  • Bump github.com/fergusstrange/embedded-postgres from 1.11.0 to 1.12.0 (#450)

  • Bump github.com/grpc-ecosystem/grpc-gateway/v2 from 2.6.0 to 2.7.0 (#451)

  • Bump github.com/grpc-ecosystem/grpc-gateway/v2 from 2.7.0 to 2.7.1 (#472)

  • Bump github.com/jackc/pgx/v4 from 4.13.0 to 4.14.1 (#464)

  • Bump github.com/lestrrat-go/jwx from 1.2.11 to 1.2.12 (#475)

  • Bump github.com/lestrrat-go/jwx from 1.2.11 to 1.2.13 (#477)

  • Bump github.com/lestrrat-go/jwx from 1.2.9 to 1.2.11 (#446)

  • Bump github.com/minio/minio-go/v7 from 7.0.15 to 7.0.16 (#462)

  • Bump github.com/minio/minio-go/v7 from 7.0.16 to 7.0.18 (#498)

  • Bump github.com/opencontainers/image-spec from 1.0.1 to 1.0.2 (#449)

  • Bump github.com/opencontainers/runc from 1.0.2 to 1.0.3 (#479)

  • Bump github.com/ory/dockertest/v3 from 3.8.0 to 3.8.1 (#463)

  • Bump github.com/tidwall/gjson from 1.10.2 to 1.12.1 (#494)

  • Bump github.com/tidwall/sjson from 1.2.3 to 1.2.4 (#495)

  • Bump go.opentelemetry.io/otel/bridge/opencensus from 0.25.0 to 0.26.0 (#497)

  • Bump go.opentelemetry.io/otel/exporters/jaeger from 1.2.0 to 1.3.0 (#493)

  • Bump google-github-actions/setup-gcloud from 0.2.1 to 0.3 (#491)

  • Bump helm.sh/helm/v3 from 3.7.1 to 3.7.2 (#492)

  • Bump modernc.org/sqlite from 1.14.1 to 1.14.2 (#501)

  • Bump version to 0.11.0

  • Fix schema cache and blob store timeout (#502)

  • Only generate NOTICE during a release (#499)

  • Update docs branch list during release (#442)