Upgraded user-defined output, audit log improvements, and more - Cerbos PDP v0.33

Published by Alex Olivier on February 13, 2024
Upgraded user-defined output, audit log improvements, and more - Cerbos PDP v0.33

The v0.33 release of Cerbos PDP is packed with new features including an upgraded user-defined output, audit log improvements, and more.

We have been working closely with Cerbos users like Utility Warehouse on this release. Utility Warehouse, per their own words, uses Cerbos as it allows their team to focus on business use cases and getting rid of technical debt, instead of wondering how to write a policy evaluation language. We can’t wait to hear more about what you would like to see in future releases - join our Slack community to join the conversation.

Upgraded user-defined output in policy evaluation

The user-defined output from a policy evaluation now has a when.conditionNotMet option that produces an output when a rule's condition is not satisfied. This improvement simplifies the crafting of policies for scenarios where it's important to know which criteria led to a denial. 

In addition, we improved the structure of the output block. It is now clearer and easier to understand, though old policies will still work.

Old syntax:

- actions: ['view']
  effect: EFFECT_ALLOW
  roles: ["user"]
  condition:
    match:
      expr: request.resource.attr.public == true
  output:
    expr: >
      "%s allowed to view".format([request.principal.id])

New Syntax:

- actions: ['view']
  effect: EFFECT_ALLOW
  roles: ["user"]
  condition:
    match:
      expr: request.resource.attr.public == true
  output:
    when:
      ruleActivated: >
        "%s allowed to view".format([request.principal.id])

Audit log improvements

Audit log entries now contain store-specific metadata about the policies used to make each decision. For example, if a git store is used, the audit log captures the git commit hash of the policy used by the Cerbos engine. This information can then be used during a security investigation to match access control decisions with the revision history of the policy repository.

Additionally, the API response now includes a unique call ID generated by Cerbos for each request, enabling applications to cross-reference Cerbos audit logs with application logs.

Breaking changes

This release removes the deprecated `client` package which has been superseded by github.com/cerbos/cerbos-sdk-go. Additionally, support for configuring traces using the tracing section of the config file has been dropped. For the new way of configuring traces, refer to the migration instructions.

You can find the full release notes for v0.33 on docs.cerbos.dev, and if you have any questions join our Slack community.

DOCUMENTATION

Book a free Policy Workshop to discuss your requirements and get your first policy written by the Cerbos team