Unified API, Query Plan GA, Python and Rust SDKs - Cerbos v0.16 Release

The latest release of Cerbos, v0.16, includes a new unified API for checking permissions, promotion of the Query Plan to GA, and several updates to the REPL - also Cerbos Python and Rust SDKs have been released.

Unified API

Before this release, Cerbos had two different API endpoints that could be used depending on whether the list of resources to check were of the same kind or whether they were a mix of different kinds. This release introduces a new, unified API (RPC: CheckResources, REST: /api/check/resources) to simplify the Cerbos API surface and remove the need to understand the subtle differences between different calls.

The old RPCs and endpoints have been deprecated and are planned for removal in a future release of Cerbos but will continue to function normally for now. All the SDKs are now updated to support this new single entry point.

You can find the documentation for the new endpoint here.

Query Plan GA

Filtering and selecting a set of items from a data store while making sure that the logged-in user has access to each element in the resultset is a common problem in many applications. Given a user and the action they wish to perform on a resource category, the Cerbos Query Plan API produces a datastore-agnostic representation of constraints that must be satisfied by the resource instances to comply with access rules defined in Cerbos policies.

It was introduced as an experimental API in Cerbos 0.12.0 and this release, it is promoted to stable status. Over the intervening releases, the internals has become more intelligent at precomputing as many of the conditions as possible based on the policies and the inputs to ensure only the smallest set of conditions are returned to be passed into the data fetching layer.

You can read more about the Query Plan API in this blog post as well as the documentation for the endpoint.

REPL Updates

The Cerbos REPL gains the ability to load policies and interactively evaluate the conditions defined in them. This empowers policy authors to debug, develop, and test complex conditions with rapid feedback and no context switching. The REPL prompt is now smarter and can handle copy-pasting of large chunks of multi-line text without the need to explicitly escape newlines as well.

You can find the REPL documentation here.

Python and Rust SDKs

Expanding on the ecosystem of SDKs available for Cerbos, Python and Rust both now have an official Cerbos SDK.

These SDKs make calling and interacting with Cerbos a much more streamlined experience and provide native methods for constructing calls out to check authorization in your codebase. As with everything else with Cerbos, they are open-source and can be found on Github - Python SDK repo, Rust SDK repo.

In the coming weeks, a Ruby SDK will also be rolling out.

You can find the full release notes here and if you have any questions join our Slack community.