Policy testing flexibility, configurable concurrent streams, and more - Cerbos v0.31

The v0.31 release of Cerbos is packed with new features such as flexible policy testing, support for derived roles inspection, TLS certificate rotation automation, and more.

We have been working closely with users of Cerbos such as Envoy, Blockchain.com, Utility Warehouse, 9fin, and Salesroom on this release. We can’t wait to hear more about what you would like to see in future releases - join our Slack community to join the conversation.

Introducing runtime.effectiveDerivedRoles for Advanced Policy Management

The new runtime.effectiveDerivedRoles variable allows policy authors to inspect activated derived roles within the current policy execution context. That means you can now craft sophisticated policy rules without the redundancy of redefining derived role logic. For more details on how to leverage this feature, dive into our updated documentation.

Automated TLS Certificate Rotation

In our continuous effort to streamline security practices, Cerbos now offers automatic detection and reloading of TLS certificates. When your certificates are updated on disk, Cerbos will seamlessly reload them without the need for a service restart, facilitating automated certificate rotation and the use of short-lived certificates for enhanced security.

Flexibility in Policy Testing with Lenient Scope Search

Policy test suites just got more flexible. You can now enable lenient scope search globally or on an individual test basis. This way, you have broader control and ease when writing and managing your policy tests.

Legacy JWT Support

We understand the necessity to support legacy systems; therefore, Cerbos v0.31 introduces configurations that allow the use of JWTs without kid or alg claims while maintaining default secure behavior against such potentially insecure tokens.

Configurable concurrent streams

Following recent discoveries of vulnerabilities in all public HTTP/2 implementations, we've incorporated a configuration option to limit the number of concurrent streams per gRPC connection, with a default set to 1024. This addition provides an extra layer of protection while also giving you the option to revert to unlimited concurrent streams if required.

You can find the full release notes for v0.31 on docs.cerbos.dev, and if you have any questions join our Slack community.