Cerbos v0.26.0

Highlights

We introduce a new bundle storage driver that connects your Cerbos instances to Cerbos Cloud, a cloud-hosted control plane and CI/CD pipeline for validating, testing and distributing optimized policy bundles to on-premises Cerbos instances. With Cerbos Cloud you remain in full control of your environment and data, while the toil of building and maintaining a GitOps and observability pipeline is delegated to the cloud. Head over to https://cerbos.dev/next to learn more and register your interest in the public beta.

A new audit log sink for Kafka has been contributed by Cerbos community member @rcrowe. With this driver, Cerbos audit logs can be written to a Kafka topic and fed into your data processing pipeline for further processing and storage. See the Kafka configuration docs for details. As part of this change, a new metric for monitoring audit publishing errors has also been introduced.

It is now possible to point the disk storage driver to a gzip, zip or tar archive containing Cerbos policies and schemas. This is particularly useful for deploying Cerbos to Kubernetes with your policy archive stored under a key in a ConfigMap or a Secret. See disk driver configuration for details.
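Deploying a policy archive this way end to end, as an added example that is not part of the release notes or the Cerbos project: the script packages a policy directory into a gzip'd tar file (only policy and schema files, so nothing else from the checkout leaks into the bundle), pins the archive's SHA-256 digest, and renders the Kubernetes Secret, ConfigMap and Pod that mount the archive for the disk driver. The config key names (storage.driver, disk.directory) follow the Cerbos disk-driver docs, and pointing the directory setting at the archive file rather than a directory is assumed to be how this release's archive support is configured; the annotation key, resource names and the sample policy are constructed for illustration.

```shell
#!/bin/sh
# Added example (not code from the Cerbos project or these release notes).
# Packages Cerbos policies into a tar.gz, pins its digest and renders the
# Kubernetes objects that hand the archive to the disk storage driver.
set -eu

# build_policy_archive DIR OUT: archive only *.yaml/*.yml/*.json under DIR,
# with paths relative to DIR and in sorted order (reproducible archive).
build_policy_archive() {
  _dir=$1 _out=$2
  _list=$(mktemp)   # absolute path, so tar -T resolves it after -C
  ( cd "$_dir" && find . -type f \( -name '*.yaml' -o -name '*.yml' -o -name '*.json' \) | sort ) > "$_list"
  tar -czf "$_out" -C "$_dir" -T "$_list"
  rm -f "$_list"
}

# archive_digest FILE: SHA-256 hex digest to pin alongside the deployed archive
archive_digest() { sha256sum "$1" | cut -d' ' -f1; }

# archive_entries FILE: regular files stored in the archive, without the ./ prefix
archive_entries() { tar -tzf "$1" | sed 's#^\./##' | grep -v '/$'; }

# render_manifests ARCHIVE MOUNT_PATH: Secret carrying the archive (digest in an
# annotation, key name is hypothetical), ConfigMap with the Cerbos config whose
# disk driver reads the mounted archive, and a Pod wiring both in read-only.
render_manifests() {
  _archive=$1 _mount=$2
  _name=$(basename "$_archive")
  _digest=$(archive_digest "$_archive")
  _b64=$(base64 < "$_archive" | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: cerbos-policies
  annotations:
    cerbos.example/archive-sha256: "$_digest"   # hypothetical annotation key
data:
  $_name: $_b64
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: cerbos-config
data:
  .cerbos.yaml: |
    storage:
      driver: disk
      disk:
        directory: $_mount/$_name   # assumption: archive path accepted here since 0.26.0
---
apiVersion: v1
kind: Pod
metadata:
  name: cerbos
spec:
  containers:
    - name: cerbos
      image: ghcr.io/cerbos/cerbos:0.26.0
      args: ["server", "--config=/config/.cerbos.yaml"]   # explicit, see the --config note below
      volumeMounts:
        - { name: policies, mountPath: $_mount, readOnly: true }
        - { name: config, mountPath: /config, readOnly: true }
  volumes:
    - name: policies
      secret: { secretName: cerbos-policies }
    - name: config
      configMap: { name: cerbos-config }
EOF
}

# Constructed sample input: one resource policy plus a stray file that must be excluded.
WORK=$(mktemp -d)
mkdir -p "$WORK/policies"
cat > "$WORK/policies/document.yaml" <<'EOF'
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: default
  resource: document
  rules:
    - actions: ["view"]
      effect: EFFECT_ALLOW
      roles: ["user"]
EOF
printf 'not a policy\n' > "$WORK/policies/README.txt"

build_policy_archive "$WORK/policies" "$WORK/policies.tar.gz"
echo "sha256: $(archive_digest "$WORK/policies.tar.gz")"
archive_entries "$WORK/policies.tar.gz"
render_manifests "$WORK/policies.tar.gz" /policies
rm -rf "$WORK"
```

Pipe the rendered output into `kubectl apply -f -` to deploy. Recording the digest next to the Secret lets you confirm later that the archive Cerbos is serving is the one your pipeline built, and passing --config explicitly avoids depending on the CERBOS_CONFIG default, which this release changes.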

This release includes a breaking change to how policy test results are reported. Previously, results were grouped by principal, which caused subtle issues and confused users who wanted to split principals into separate test cases. From this release, test results are grouped first by the name of the test case.

The Cerbos policy testing framework can now output test results in JUnit XML format, which lets you integrate Cerbos policy tests into most popular CI and test-reporting tools. Add --test-output=junit to the cerbos compile command to produce results in JUnit format.

The --config flag is now optional when starting a Cerbos server. If no configuration file is supplied via the --config flag or the CERBOS_CONFIG environment variable, the server starts with a default configuration that reads policies from a directory named policies in the current working directory. This is a breaking change for anyone who mounts a custom configuration file into the Cerbos container at /conf.default.yaml: the CERBOS_CONFIG environment variable no longer points to that path, so the mounted file is not read and the server comes up with the defaults instead. To keep the old behaviour, set CERBOS_CONFIG=/conf.default.yaml explicitly in the container's environment (or pass --config=/conf.default.yaml).

cerbosctl can now be used to enable disabled policies and delete schemas.

Changelog

Bug Fixes

  • Fix passing tests not being visible in JUnit test output (#1534)

  • Kafka async produce context cancellation (#1516)

  • Kafka async publish fails when the API request returns (#1510)

  • Prevent default config from being turned into a path (#1533)

Features

  • Add JUnit output format for test results (#1508)

  • Cerbos Cloud bundle store driver (#1530)

  • Kafka audit log (#1499)

Enhancements

  • Add includeDisabled to Admin API and schema deletion to cerbosctl (#1463)

  • Add principal, resource and action as properties of JUnit output (#1520)

  • Add support for reading archive files for the disk driver (#1473)

  • Audit error metric (#1513)

  • Enable auth on API explorer page (#1464)

  • Enable disabled policies (#1472)

  • BREAKING Group test results by test name (#1498)

  • BREAKING Make config flag optional (#1462)

  • Report audit close error (#1501)

Documentation

  • Add Kafka audit backend docs (#1506)

  • Add resource ID to test examples (#1488)

  • Document /api/server_info (#1469)

  • Document CEL string.format function (#1528)

  • Fix README snapshot.yml badge (#1497)

  • Fix name of test output format flag (#1481)

  • Fix typo in 04_testing-policies.adoc (#1477)

Chores

  • Add timeouts to workflows (#1505)

  • Bump github.com/docker/docker from 20.10.23+incompatible to 20.10.24+incompatible (#1517)

  • Bump github.com/docker/docker from 23.0.2+incompatible to 23.0.3+incompatible in /tools (#1518)

  • Bump github.com/opencontainers/runc from 1.1.2 to 1.1.5 (#1507)

  • Bump golang.org/x/net from 0.5.0 to 0.7.0 (#1465)

  • Bump golang.org/x/net from 0.5.0 to 0.7.0 in /tools (#1466)

  • Bump version to 0.26.0

  • Deprecate old policy disable endpoint (#1476)

  • Ignore stdout/stderr sync errors in audit log (#1515)

  • Increase snapshot build timeout (#1509)

  • Make Otel resource schemaless (#1487)

  • Publish unstable API to BSR (#1531)

  • Remove Playground from API explorer (#1467)

  • Remove api/x/plan/resources endpoint (#1471)

  • Update bufbuild/buf-setup-action action to v1.15.0 (#1484)

  • Update bufbuild/buf-setup-action action to v1.16.0 (#1512)

  • Update bufbuild/buf-setup-action action to v1.17.0 (#1522)

  • Update github actions deps (#1475)

  • Update github actions deps (#1494)

  • Update github actions deps to v4 (major) (#1495)

  • Update go deps (#1474)

  • Update go deps (#1483)

  • Update go deps (#1493)

  • Update go deps (#1502)

  • Update go deps (#1511)

  • Update go deps (#1521)

  • Update module github.com/dgraph-io/badger/v3 to v4 (#1503)