First-class schema support for attributes - Cerbos v0.11 Release

Published by Alex Olivier on December 20, 2021

The latest version of Cerbos has been released, with a focus on a streamlined experience when making check calls.

With the v0.11 release, a schema can optionally be defined for the attributes of a principal and of each of the different resources in your system. With schemas, request-time checks can be enabled to ensure that all the properties required to make a policy decision have been provided in the call, leading to fewer unexpected denied results during development due to missing attributes.

For developers, the schema provides a level of confidence that the requests being made to the Cerbos instance are correctly formatted and populated. The Cerbos response will include any schema validation errors encountered while processing the request. When strict schema enforcement is enabled, requests that fail validation will be implicitly denied, thus providing peace of mind that decisions are made using correct data points. You can find more about how to define a schema in the documentation.

Policy authors - be it product, security or other teams - can define a set of attributes upfront for use in the policy logic. This means that condition logic can safely assume that an attribute exists and is of the correct type. This leads to more streamlined and succinct business logic, rather than having to handle edge cases around existence and types in expressions.
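To make the difference between reporting validation errors and strict enforcement concrete, here is a simplified model added for illustration. It is not Cerbos code or its API: the schema subset, the `warn` and `strict` mode names, the toy policy rule and the sample attributes are all assumptions.

```python
# Added illustration: simplified model of request-time attribute validation.
# Not Cerbos code; schema subset, mode names and sample data are assumptions.

TYPES = {"string": str, "number": (int, float), "boolean": bool, "array": list}

# Constructed schema for a hypothetical "leave_request" resource.
RESOURCE_SCHEMA = {
    "required": ["owner", "status"],
    "properties": {
        "owner": {"type": "string"},
        "status": {"type": "string"},
        "days": {"type": "number"},
    },
}

def validate(attrs, schema):
    """Return a list of validation errors (empty when attrs conform)."""
    errors = [f"missing required attribute: {name}"
              for name in schema.get("required", []) if name not in attrs]
    for name, value in attrs.items():
        spec = schema.get("properties", {}).get(name)
        if spec is None:
            continue  # attributes outside the schema are allowed in this model
        ok = isinstance(value, TYPES[spec["type"]])
        # bool is a subclass of int in Python, so reject it for "number"
        if spec["type"] == "number" and isinstance(value, bool):
            ok = False
        if not ok:
            errors.append(f"{name}: expected {spec['type']}")
    return errors

def policy(principal_id, attrs):
    """Toy rule: a principal may edit their own pending request."""
    return attrs.get("owner") == principal_id and attrs.get("status") == "PENDING"

def check(principal_id, attrs, mode):
    """'warn' reports errors and still evaluates; 'strict' denies on any error."""
    errors = validate(attrs, RESOURCE_SCHEMA)
    if errors and mode == "strict":
        return {"allow": False, "validation_errors": errors}
    return {"allow": policy(principal_id, attrs), "validation_errors": errors}
```

In this model, a request carrying `"days": "three"` is still allowed in `warn` mode with the error reported alongside the decision, while `strict` mode fails closed and denies it.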

In addition to schema support, the v0.11 release includes initial support for OpenTelemetry to provide end-to-end distributed tracing of requests when calling out to a Cerbos PDP instance.

You can find the full release notes here, and if you have any questions, join our Slack community.
