Cerbos v0.39.0
Highlights
This release introduces a new, experimental policy type for defining access matrices for roles. Role policies enable policy authors to further refine the permissions by defining a set of resources and actions that a principal with a particular role is allowed to perform on them. Any action not explicitly allowed by the set of role policies that apply to a given principal are automatically denied. Everything else falls through to the familiar Cerbos policy evaluation flow to determine whether they are actually allowed or not. Please note that role policies are not fully production ready yet. More updates — including query planner support — will be added in upcoming Cerbos releases.
The blob storage driver has been re-worked to handle store updates more efficiently and robustly. If a user accidentally pushes an invalid set of files to the remote storage bucket, the PDPs will continue to use the last-known good version of the policy repository until the remote storage bucket is fixed. When the blob driver is configured with a persistent work directory, PDPs will now only download changed policy files, reducing the overall network usage while making the PDP start faster as well. New metrics have been added to report on refresh errors and the timestamp of the last successful refresh.
Thanks to a community contribution from @jinrenjie, the Cerbos API explorer now uses the correct protocol when behind a TLS-terminating proxy.
Thanks to another community discovery, a performance issue affecting schema validation has been rectified. Users with schema validation enabled on their PDPs should see much improved response times after installing this update.
The Cerbos server and the cerbosctl utility can now be installed on Nix environments using the flake available at https://github.com/cerbos/cerbos-flake.
Go developers are now able to run Cerbos in-process using the new cerbos.Serve function. This is useful for cases where running an external process is impossible or for running tests without using the Docker helpers provided by the Cerbos Go SDK.
Changelog
Enhancements
-
Add more trace spans to engine (#2324)
-
Atomic refreshes for blob storage (#2263)
-
Change how blob storage creates work directories and add metric for the last store refresh (#2284)
-
Display attributes in the cerbosctl inspect policies command (#2301)
-
Get/put cerbosctl role policy support (#2274)
-
Improvements to atomic refreshes for blob storage (#2283)
-
Keep cached files under base64 encoded directory for blob storage (#2292)
-
Remove eager log initialisation from schema validation (#2287)
Chores
-
Add AWS Marketplace (#2267)
-
Bump github.com/docker/docker from 27.1.0+incompatible to 27.1.1+incompatible in /tools (#2277)
-
Bump github.com/opencontainers/runc from 1.1.13 to 1.1.14 (#2306)
-
Bump version to 0.39.0
-
Clear disk space for cache workflow (#2268)
-
Clear disk space for upload workflow (#2269)
-
Clear disk space for vulnerability check (#2271)
-
Clear disk space on PR run (#2266)
-
Fix confdocs not being able to parse examples consisting of an array (#2308)
-
Reference payment via AWS Marketplace (#2322)
-
Remove Otel Host metrics (#2264)
-
Remove deprecated linters and fix linter errors (#2290)
-
Set SQL Server image pull policy for E2E tests (#2304)
-
Trust SQL Server certificate (#2307)
-
Update bufbuild/buf-setup-action action to v1.37.0 (#2286)
-
Update bufbuild/buf-setup-action action to v1.38.0 (#2296)
-
Update bufbuild/buf-setup-action action to v1.39.0 (#2302)
-
Update bufbuild/buf-setup-action action to v1.41.0 (#2311)
-
Update bufbuild/buf-setup-action action to v1.42.0 (#2320)
-
Update github actions deps (#2275)
-
Update go deps (#2276)
-
Update go deps (#2285)
-
Update go deps (#2295)
-
Update go deps (#2303)
-
Update go deps (#2310)
-
Update go deps (#2319)
-
Update go deps (#2326)
-
Update module github.com/alecthomas/kong to v1 (#2313)
-
Update node.js deps (#2312)
-
Update pnpm to v9.11.0 (#2327)
-
Update sqlite3 example to use proper in-memory DSN (#2317)
-
Upgrade to Go 1.23 (#2288)