Cerbos v0.36.0

Highlights

To reduce the overhead of writing large audit log entries to slow sinks (files and stdout, for example), Cerbos now writes audit logs in the background. If you send very large batch requests containing a lot of data to Cerbos, this should help improve the response times.

A community contribution from @rcrowe makes the Kafka audit backend use system CA certificates if none are provided explicitly in configuration. It also addresses a case where asynchronous Kafka writes start blocking when the downstream brokers are down.

The new cerbosctl inspect command provides command-line access to the inspect Admin API endpoint introduced in the previous release. Currently it supports listing actions covered by each policy. More policy inspection options are planned for future releases.

Cerbos Hub integration

Early adopters of the Cerbos Hub audit log collection feature can now filter out audit log entries locally before they are sent to Hub.

For consistency, the bundle storage driver has been renamed to hub. To migrate, change storage.driver: bundle to storage.driver: hub and rename any configuration values starting with storage.bundle to storage.hub.

Embedded PDP users can use the cerbosctl hub epdp list-candidates command to scan a policy repo and list the set of policies that would be included in a Cerbos Embedded PDP bundle.

Changelog

Bug Fixes

  • Default expectation to EFFECT_DENY for unspecified actions in tests (#2116)

  • Eagerly establish gRPC connection to avoid initial delay (#2105)

  • Handle folded strings and indented newlines in YAML correctly (#2128)

  • Ignore context cancellation when writing audit log entries (#2113)

  • Include implicit EFFECT_DENY in test failure details (#2117)

  • Kafka TLS using system CA (#2120)

  • Stop blocking Kafka audit publishing when an outage occurs (#2122)

Features

  • Add cerbosctl hub epdp list-candidates command (#2078)

  • Add cerbosctl inspect policies command (#2101)

Enhancements

  • Add audit log filtering to Hub backend (#2073)

  • Apply perf patch to YAML parser (#2132)

  • Write audit logs asynchronously (#2104)

Documentation

  • Add documentation for Dagger Cerbos module (#2106)

  • Document Hub features (#2133)

  • Document how to verify cosign signatures (#2094)

Chores

  • Add 0.35.1 release notes (#2090)

  • Bump github.com/docker/docker from 26.0.0+incompatible to 26.0.2+incompatible in /tools (#2108)

  • Bump github.com/sigstore/cosign/v2 from 2.2.1 to 2.2.4 in /tools (#2097)

  • Bump golang.org/x/net from 0.21.0 to 0.23.0 in /api/genpb (#2110)

  • Bump version to 0.36.0

  • Check results of npm package tests (#2098)

  • Fix E2E tests combining the host address with extra colon (#2114)

  • Handle panics during parsing (#2129)

  • Remove deprecated audit log fields from filter (#2121)

  • Remove unmaintained Netlify action (#2093)

  • Remove usage of deprecated MySQL native authentication plugin (#2131)

  • Rename bundle driver to hub (#2130)

  • Test npm packages against pnpm v9 (#2102)

  • Update cloud-platforms.adoc (#2109)

  • Update github actions deps (#2125)

  • Update go deps (#2099)

  • Update go deps (#2111)

  • Update go deps (#2124)

  • Update go deps (#2139)

  • Update go deps (#2135)

  • Update go deps to v2 (major) (#2138)

  • Update golangci/golangci-lint-action action to v5 (#2127)

  • Update golangci/golangci-lint-action action to v5.3.0 (#2136)

  • Update node.js deps (#2100)

  • Update node.js deps (#2126)

  • Update node.js deps (#2137)

  • Update pnpm to v9.0.5 (#2112)

  • Update storage type for Jaeger chart (#2096)

  • Update to go1.22.3 (#2143)

  • Use latest Cerbos SDK (#2140)

  • Use new hub configuration for env var override (#2142)