Cerbos v0.36.0 Release Highlights: Technical Enhancements and Developer Features

Published by Rohit Ghumare on May 15, 2024

Introduction

Cerbos v0.36.0 enhances the efficiency and functionality of policy-driven access controls. This version introduces asynchronous audit logging, refined Kafka backend handling, and new administrative commands, all designed to optimize performance and scalability.

Asynchronous Audit Logging

One of the key enhancements in v0.36.0 is the shift to asynchronous audit logging. The change reduces the overhead of writing large audit log entries, particularly to slow sinks (files and stdout, for example). It benefits PDPs handling large batch requests with high volumes of data, where response times could otherwise be affected by the additional load of logging. By moving logging to the background, Cerbos ensures that response times are not adversely affected.

Kafka Backend Improvements

A community contribution from @rcrowe has strengthened the Kafka backend in Cerbos. The system now defaults to using system CA certificates for TLS connections unless otherwise specified. The update also enhances error handling to prevent blocking writes during downstream outages.

New Features: cerbosctl commands

  • The cerbosctl inspect command is a new addition that provides command-line access to the inspect Admin API, a feature introduced in the previous release. This command allows users to list actions defined in each policy, offering greater visibility into policy configurations. More policy inspection options are planned for future releases.

Command-Line Usage:

$ cerbosctl inspect --policies

  • With the `cerbosctl hub epdp list-candidates` command, you can scan the policy folder and get a list of policy IDs and file paths for the policies that will be included in the Embedded PDP bundles. Keep an eye out for an upcoming update to Cerbos Hub for more details on this.


💡 To maintain consistency across its feature set, Cerbos has renamed the bundle storage driver to hub. This change is backward compatible, but future versions will require updating your configuration file from `storage.driver: bundle` to `storage.driver: hub`.

Documentation Update: Dagger Cerbos Module

The v0.36.0 release includes the addition of a Dagger Cerbos module. This module provides a compile function for compiling and testing Cerbos policy repositories and a server service for starting a Cerbos server, enhancing the development workflow.

To install the Dagger Cerbos module, run the following command:

$ dagger install github.com/cerbos/dagger-cerbos

You can find out more about this module on the Daggerverse page.
