This is a quick release to fix a bug with derived role imports where only the last imported role set was available during policy execution.
There are a few ergonomics improvements bundled with this release as well.
- Hierarchy functions
An extension to CEL that makes working with hierarchy representations in policy conditions easier. You can now write policy rules that inspect attributes describing the positions where your resources and principals belong to in a hierarchy. See hierarchy documentation for details.
- Globals in conditions
You can define common CEL expressions in the new
globalssection of a policy and refer to them in conditions. This enables code reuse and easier updates to business logic with reduced opportunities for making mistakes. Please note that this feature is still unstable and will be stabilised in a future release.
- Name policy rules
When authoring policies, you can name individual policy rules using the optional
namefield. This aids the Cerbos engine to produce better error messages and also helps you improve your own documentation and communication efforts by being able to identify and refer to individual rules by name.
- Filter policy list
When listing policies using the Admin API or the
cerbosctlutility, you can filter the list based on values of policy fields.
- Intermingle tests with policies
Policy test files no longer need to be in a separate directory from the policy definitions. If you prefer to keep the tests closer to the policy they are testing, it is now possible to do so.
Preserve all imported derived roles during execution (#330)
Document how to obtain gRPC stubs (#326)