In our latest release, Cerbos PDP v0.35.1, we focus on refining the robustness of our policy decision platform with essential bug fixes and introducing new capabilities that provide deeper insights into policy configurations. This release continues our commitment to enhancing the developer experience and the security of applications using Cerbos. Let's delve into the specifics of what v0.35.1 brings to the table.
In policies, expressions like <principal-attr-map>[<resource-attr>].<field-name> <op> <const>
has been optimised for better evaluation efficiency.
With v0.35.1, when a principal attribute is a map based on a resource attribute such as P.attr.workspaces[R.attr.workspaceId].role == "OWNER"
, the Query Plan generator will the plan to be a simple equality check between the key of match item in the map and the resource workspaceId attribute. This saves having to iterate through all the options in the plan at the application level. All existing query plan adapters are ready to support this optimization.
We've also improved how the compile cache handles absent candidates when using lenient scope search, ensuring that policy evaluations remain accurate and current and fixing a caching bug introduced with lenient scopes.
A highlight of this release is the introduction of a new work-in-progress Admin API endpoint that lays the foundation for advanced policy management capabilities. Still in its nascent stages, this endpoint allows inspecting policies within the repository and listing their attributes, such as the actions they cover, a needed dataset when constructing policies programmatically, or exposing details to end users.
To illustrate, here's how you interact with the new Admin API to list actions covered by each policy:
`GET /admin/policies/inspect`
{
"results": {
"cerbos.principal.terry_tibbs.vdefault": {
"actions": [
"create",
"reject"
]
},
"cerbos.resource.account.vdefault": {
"actions": [
"*",
"create"
]
},
"cerbos.resource.equipment_request.vdefault/acme": {
"actions": [
"approve",
"create",
"view:public"
]
}
}
}
One of the new features included in this release is the addition of a --client flag to the cerbosctl version command, which greatly simplifies version checks. This enhancement allows users to verify the version of cerbosctl without needing to provide credentials or establish a connection to a PDP server.
In our journey to enhance the observability and traceability within Cerbos, we've updated our OpenTelemetry (OTEL) HTTP semantic conventions to the stable release version convention, thanks to contributions from the community, particularly by Aayush. This update ensures alignment with the latest practices in observability, providing clearer, more standardized telemetry data for monitoring Cerbos deployments, making sure tracing and metrics instrumentations use the correct attributes in traces, and dropping the correct noisy attributes from metrics.
You can read more about the OTEL HTTP semantic conventions changes here: https://opentelemetry.io/blog/2023/http-conventions-declared-stable/
While the OTEL enhancements are more under the hood, they significantly improve how developers can monitor and trace Cerbos operations, ensuring you have the necessary insights for effective observability strategies.
Complementing the technical enhancements, we've expanded our documentation to include practical guides and updates:
We've introduced a comprehensive guide to deploying Cerbos on Fly.io, making it easier for users to get Cerbos running on this popular platform.
Visit https://docs.cerbos.dev/cerbos/latest/deployment/cloud-platforms#%5Ffly%5Fio for a step-by-step guide
We will keep improving the platform's reliability and usability with your support. Introducing the Admin API endpoint is the beginning of providing more granular insights into policy configurations and management. With community support, we can launch more amazing features.
As always, we're eager to hear from the community. Your feedback is invaluable as we evolve Cerbos to meet your policy management needs. Check out the full changelog on our GitHub repository for a detailed view of all the updates in v0.35.1. If you have any questions, join our Slack community.
We’re looking forward to your feedback and contributions!
Book a free Policy Workshop to discuss your requirements and get your first policy written by the Cerbos team
Join thousands of developers | Features and updates | 1x per month | No spam, just goodies.