Cerbos PDP v0.35.1: Enhancements, fixes, and a new admin API

Published by Rohit Ghumare on April 10, 2024

In our latest release, Cerbos PDP v0.35.1, we focus on refining the robustness of our policy decision platform with essential bug fixes and introducing new capabilities that provide deeper insights into policy configurations. This release continues our commitment to enhancing the developer experience and the security of applications using Cerbos. Let's delve into the specifics of what v0.35.1 brings to the table.

Enhancements

Simplified Expression Handling in Query Plans

In policies, the evaluation of expressions like <principal-attr-map>[<resource-attr>].<field-name> <op> <const> has been optimised for better efficiency.

With v0.35.1, when a principal attribute is a map keyed by a resource attribute, as in P.attr.workspaces[R.attr.workspaceId].role == "OWNER", the Query Plan generator will simplify the plan to a simple equality check between the key of the matching item in the map and the resource workspaceId attribute. This saves having to iterate through all the options in the plan at the application level. All existing query plan adapters are ready to support this optimization.
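The following sketch is an added illustration of the idea, not Cerbos code or its plan format: it partially evaluates the workspaces expression against a known principal map and renders the result as a parameterised SQL filter. The function names, the plan dictionary shape, the `documents` table and the handling of zero or several matching keys are assumptions of the sketch, and it goes beyond the single-match case described above.

```python
import sqlite3

def simplify(principal_map, field, const, resource_attr):
    """Partially evaluate P.attr.<map>[R.attr.<resource_attr>].<field> == <const>.

    The principal's map is known at planning time; only the resource attribute
    used as the key is unknown, so the condition reduces to a test on that key.
    """
    keys = sorted(k for k, entry in principal_map.items() if entry.get(field) == const)
    variable = f"R.attr.{resource_attr}"
    if not keys:            # sketch's choice: no entry satisfies the condition
        return {"kind": "ALWAYS_DENIED"}
    if len(keys) == 1:      # the case described above: one equality check
        return {"kind": "CONDITIONAL", "operator": "eq",
                "variable": variable, "value": keys[0]}
    # sketch's choice when several keys match
    return {"kind": "CONDITIONAL", "operator": "in",
            "variable": variable, "value": keys}

def to_sql(plan, columns):
    """Render a plan as a parameterised WHERE fragment; values are never inlined."""
    if plan["kind"] == "ALWAYS_DENIED":
        return "1 = 0", []
    column = columns[plan["variable"]]  # allow-list: unknown variables raise KeyError
    if plan["operator"] == "eq":
        return f"{column} = ?", [plan["value"]]
    marks = ", ".join("?" for _ in plan["value"])
    return f"{column} IN ({marks})", list(plan["value"])

def visible_documents(workspaces):
    """Apply the filter to constructed rows in an in-memory SQLite table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE documents (id INTEGER, workspace_id TEXT)")
    db.executemany("INSERT INTO documents VALUES (?, ?)",
                   [(1, "ws-1"), (2, "ws-2"), (3, "ws-3")])  # constructed sample rows
    plan = simplify(workspaces, "role", "OWNER", "workspaceId")
    where, params = to_sql(plan, {"R.attr.workspaceId": "workspace_id"})
    rows = db.execute(f"SELECT id FROM documents WHERE {where} ORDER BY id", params)
    return [row[0] for row in rows]
```

Because the principal's map is resolved before the query is built, the database only ever sees a comparison on `workspace_id` with bound parameters.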

Lenient scoped policy handling

We've also improved how the compile cache handles absent candidates when using lenient scope search, ensuring that policy evaluations remain accurate and current and fixing a caching bug introduced with lenient scopes.

Admin API Policy Introspection

A highlight of this release is the introduction of a new work-in-progress Admin API endpoint that lays the foundation for advanced policy management capabilities. Still in its nascent stages, this endpoint allows inspecting policies within the repository and listing their attributes, such as the actions they cover. This is the dataset you need when constructing policies programmatically or exposing policy details to end users.

To illustrate, here's how you interact with the new Admin API to list actions covered by each policy:

`GET /admin/policies/inspect`

```json
{
    "results": {
        "cerbos.principal.terry_tibbs.vdefault": {
            "actions": [
                "create",
                "reject"
            ]
        },
        "cerbos.resource.account.vdefault": {
            "actions": [
                "*",
                "create"
            ]
        },
        "cerbos.resource.equipment_request.vdefault/acme": {
            "actions": [
                "approve",
                "create",
                "view:public"
            ]
        }
    }
}
```
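As an added example (not part of the Cerbos project), the script below reviews an inspect response for least-privilege purposes: it splits each policy ID into its parts, reports policies whose action list contains the catch-all `*`, and answers which policies cover a given action. The ID layout is an assumption inferred from the sample keys above, and the function names are hypothetical.

```python
import json
import re

# Response body from the page, embedded so the example runs offline.
SAMPLE = json.loads("""
{"results": {
  "cerbos.principal.terry_tibbs.vdefault": {"actions": ["create", "reject"]},
  "cerbos.resource.account.vdefault": {"actions": ["*", "create"]},
  "cerbos.resource.equipment_request.vdefault/acme":
      {"actions": ["approve", "create", "view:public"]}
}}
""")

# Assumed ID layout, inferred from the sample keys only:
#   cerbos.<kind>.<name>.v<version>[/<scope>]
POLICY_ID = re.compile(
    r"^cerbos\.(?P<kind>[a-z_]+)\.(?P<name>[^/]+)\.v(?P<version>[^./]+)"
    r"(?:/(?P<scope>.+))?$"
)

def parse_policy_id(policy_id):
    """Split an inspect key into kind, name, version and scope ("" if unscoped)."""
    match = POLICY_ID.match(policy_id)
    if match is None:
        raise ValueError(f"unrecognised policy id: {policy_id!r}")
    parts = match.groupdict()
    parts["scope"] = parts["scope"] or ""
    return parts

def wildcard_policies(response):
    """Policies whose action list contains "*", with the literals listed beside it."""
    report = {}
    for policy_id, details in response.get("results", {}).items():
        actions = details.get("actions", [])
        if "*" in actions:
            report[policy_id] = sorted(a for a in actions if a != "*")
    return report

def policies_covering(response, action):
    """Policy IDs that name `action` literally or through the catch-all "*"."""
    return sorted(
        policy_id
        for policy_id, details in response.get("results", {}).items()
        if action in details.get("actions", []) or "*" in details.get("actions", [])
    )
```

Only exact names and the bare `*` are matched here; partial wildcard patterns are not expanded.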

Enhanced Usability with cerbosctl Improvements

One of the new features included in this release is the addition of a --client flag to the cerbosctl version command, which greatly simplifies version checks. This enhancement allows users to verify the version of cerbosctl without needing to provide credentials or establish a connection to a PDP server.

Advancements in Observability with OTEL

As part of our work to improve observability and traceability within Cerbos, we've updated our OpenTelemetry (OTEL) HTTP semantic conventions to the stable release version, thanks to contributions from the community, particularly by Aayush. This update aligns Cerbos with the latest practices in observability and provides clearer, more standardized telemetry data for monitoring Cerbos deployments: tracing and metrics instrumentation now use the correct attributes in traces, and the correct noisy attributes are dropped from metrics.

You can read more about the OTEL HTTP semantic conventions changes here: https://opentelemetry.io/blog/2023/http-conventions-declared-stable/

While the OTEL enhancements are more under the hood, they significantly improve how developers can monitor and trace Cerbos operations, ensuring you have the necessary insights for effective observability strategies.

Documentation and Guides

Complementing the technical enhancements, we've expanded our documentation to include practical guides and updates:

Deploying Cerbos on Fly.io

We've introduced a comprehensive guide to deploying Cerbos on Fly.io, making it easier for users to get Cerbos running on this popular platform.

Visit https://docs.cerbos.dev/cerbos/latest/deployment/cloud-platforms#_fly_io for a step-by-step guide.

Looking Ahead

We will keep improving the platform's reliability and usability with your support. Introducing the Admin API endpoint is the beginning of providing more granular insights into policy configurations and management. With community support, we can launch more amazing features.

As always, we're eager to hear from the community. Your feedback is invaluable as we evolve Cerbos to meet your policy management needs. Check out the full changelog on our GitHub repository for a detailed view of all the updates in v0.35.1. If you have any questions, join our Slack community.

We’re looking forward to your feedback and contributions!
