Audit log filtering, database improvements and Helm updates - Cerbos v0.24 Release

Published by Alex Olivier on January 09, 2023
image

The latest release of Cerbos - v0.24 - includes updates to audit logging filters, database connection improvements and more options when deploying via Helm.

We have been working closely with users of Cerbos such as Blockchain.com, Utility Warehouse, 9fin, Salesroom, and Doorfeed on this release and can’t wait to hear more on what you would like to see in future releases - join our Slack community to join the conversation.

Cerbos v0.24 Release

More control over audit logging

Cerbos audit log decision entries now include request metadata. Previously, request metadata was only logged with access log entries. Which metadata gets logged is determined by the includeMetadataKeys and excludeMetadataKeys settings. The behaviour of these settings has changed slightly and users are advised to test the Cerbos deployment with the new version to ensure that the audit logs are still produced in the way they expect. The new behaviour is as follows:

  • If both includeMetadataKeys and excludeMetadataKeys are empty, no metadata will be logged
  • If only includeMetadataKeys is defined, only those metadata keys will be logged
  • If only excludeMetadataKeys is defined, all metadata keys not in the exclusion list will be logged
  • If both includeMetadataKeys and excludeMetadataKeys are defined, only included keys will be logged as long as they're not in the exclusion list.

A new setting named decisionLogFilters has been introduced to allow users to reduce the amount of audit log entries generated. With these filter settings, it's now possible to do the following:

  • Ignore CheckResources calls where none of the actions were denied
  • Ignore all PlanResources calls
  • Ignore PlanResources calls that produce ALWAYS_ALLOW plans

See the audit documentation for more information.

Database connectivity improvement

If a database store is configured as the policy repository and if the database is unavailable at the time Cerbos starts, Cerbos now attempts to reconnect to the database a few times before giving up. Previously, Cerbos exited immediately if the database was unavailable.

Helm deployment enhancements

It's now possible to add custom annotations to the Deployment and Service resources created by the Cerbos Helm chart. This is useful for integrating with Kubernetes operators and utilities that work with annotated resources.

If you have cert-manager installed in your cluster, the Cerbos Helm chart can be configured to automatically request a certificate from one of the issuers. This gets rid of the manual step required to create a Certificate resource for Cerbos before the chart is deployed.

Other improvements and fixes

The Cerbos engine used to operate on the assumption that a resource policy always existed as a fallback for principal policies. This led to certain requests that referenced non-existent resources from being completely denied even when a principal policy existed to provide decisions for some actions. This limitation has been removed in this release.

Policy testing framework gains the ability to detect tests that exercise the same combination of (principal, resource, action) more than once. Previously this led to confusing outputs when the duplicate tests produced conflicting results.

You can find the full release notes here and if you have any questions join our Slack community.

Book a free Policy Workshop to discuss your requirements and get your first policy written by the Cerbos team