Matrix Testing, Time Conditions and more - Cerbos v0.14 Release

Published by Alex Olivier on March 08, 2022
image

This release includes many improvements that enhance policy authoring and testing along with updates that make deployment, management, and monitoring of Cerbos easier.

Matrix Tests

Being confident that your policies correctly implement your business requirements is key in order to begin evolving rules overtime. Cerbos already allows a test suite to be defined but this release adds a new capabiltiy - Matrix Tests.

You can now define a set of principals, resources, and actions in a test case and the test runner automatically runs tests against all combinations of principal, resource, and action tuples to help you catch those edge cases that may not have been thought about.

This is one of the rare cases where a breaking change was necessary to make the developer experience better. Existing test suites must be updated to work with this version of Cerbos. See upgrade documentation for more information.

Time-based Policy Conditions

One of the many powerful ways you can define policies is to make decisions based on time - for example allow a user access to a feature for a certain number of days with the end date defined as an attribute of the prinicpal.

This release includes a new now function which returns the current timestamp and thus can be used to work out if the date has passed or not and return the correct ALLOW/DENY result.

An example of what this would look like in a resource policy - where the actions are different features - could look something like this:

- actions: ['featureA']
  effect: EFFECT_ALLOW
  roles:
    - USER 
  condition:
    match:
      expr: now() < timestamp(P.attr.trialEnd)

These very dynamic policies are only possible in Attribute-based Access Control (ABAC) systems and the stateless nature of Cerbos means that these decisions are distributed and performant regardless of how you deploy your application. You can find out more about conditions in the docs.

Add/Update Policies via cerbosctl put

The cerbosctl management tool now supports adding or updating policies and schemas to a running Cerbos instance using the new put subcommand. The Admin API must be enabled on the Cerbos instance and it must be configured to use one of the database storage backends such as Postgres or MySQL in order for this command to work. For more information see cerbosctl put documentation.

Docker healthcheck and cache size control

Along with these big updates, we have added support for the Docker healthcheck directive as well as giving you more granular control over the cache sizes for when Cerbos is being run in Kubernetes or other orchestration system that imposes memory resource limits.

You can find the full release notes here and if you have any questions join our Slack community.

Book a free Policy Workshop to discuss your requirements and get your first policy written by the Cerbos team