Cerbos PDP v0.34.0: Enhanced usability and security

Published by Rohit Ghumare on February 25, 2024

Cerbos has always been at the forefront of providing robust, flexible, and easy-to-use solutions for authorization and policy decision-making. With the release of Cerbos PDP v0.34.0, we've taken significant strides in enhancing the usability of our software and bolstering security measures to ensure your applications remain secure and compliant with the latest standards.

Enhanced Diagnostic and Error Messages

One of the key highlights of this release is the substantial improvement in the diagnostics and error messaging system. Understanding that precise and clear error messages are crucial for efficient debugging and policy management, we've reworked the internals of Cerbos to provide better error descriptions, precise locations, and contextual information. This improvement is particularly beneficial for developers and policy authors, as it significantly reduces the time and effort required to identify and rectify policy syntax issues.

The policy parser has also been upgraded to detect standard policy authoring mistakes, providing warnings and suggestions to users. This feature directly responds to frequently asked questions and common challenges our user community faces, further emphasizing our commitment to making policy authoring as intuitive as possible.

Community Contributions and Security Enhancements

We are thrilled to highlight the contribution of Cerbos community member @psolarcz, who has played a pivotal role in enhancing the security of Cerbos release artifacts. Thanks to their contribution, all Cerbos release artifacts are now signed, allowing users to verify their integrity using Sigstore tools. This addition complements the existing security measures and provides an added layer of trust, letting you confirm that the artifacts you use are authentic and have not been tampered with.

Changelog Overview

Bug Fixes

Record HTTP Remote Address: We've addressed an issue where the HTTP remote address was not correctly recorded as the peer address for HTTP requests, enhancing the accuracy of request logging and monitoring.

Features

Diagnostic Error Messages: Better diagnostic error messages for policy issues make it much easier to understand and resolve policy-related errors.

Before v0.34.0:

Compilation errors might not have provided enough context, leaving you to comb through your policies to find the issue.

Error: Policy compilation failed.

After v0.34.0:

The compilation errors are more descriptive, offering insights into what went wrong and where.

Error: Policy compilation failed due to unresolved reference in "leave_request_policy.yaml" at line 22: 'employeeType' attribute not defined in the schema.

This detailed error message directs you exactly where the problem lies, saving time and effort in debugging.

Enhancements

Compilation Errors: The error messages provided during policy compilation have been improved, offering clearer guidance and reducing troubleshooting time.

Before v0.34.0:

Suppose you had a syntax error in your policy. The error message might have been vague, making it difficult to pinpoint the issue.

Error: Invalid policy syntax.

After v0.34.0:

With the improved error messaging, the system now provides detailed feedback, including the exact location and nature of the syntax error.

Error: Invalid policy syntax in "resource_policy.yaml" at line 14, column 5: Unexpected token '}'. Expected 'action' definition or policy closing tag.

This precise error message helps you quickly navigate to the problematic part of your policy file and correct the syntax error.

REPL Load Errors: Detailed load errors are now available in the REPL, providing more insights during interactive sessions.

Before v0.34.0:

The error might have been generic, requiring further investigation to understand the issue.

Error: Failed to load policies.

After v0.34.0:

The REPL now provides detailed error messages, including file names and specific issues.

Error: Failed to load "contract_review_policy.yaml": Missing required attribute 'reviewLevel' in condition block at line 33.

This level of detail in the error message makes it easier to identify and correct issues on the fly within the REPL environment.

Signed Release Artifacts: All release artifacts are now signed, enhancing the security and integrity of Cerbos distributions.

With the introduction of signed release artifacts, users can now verify the integrity and authenticity of Cerbos releases. This is particularly important for ensuring the security of the artifacts you download and deploy. To verify a Cerbos release artifact, you would use tools like cosign from Sigstore. An example command to verify a signed Cerbos release artifact might look like this:

cosign verify --key https://www.cerbos.dev/cosign.pub cerbos/cerbos:v0.34.0

This command would check the digital signature of the Cerbos v0.34.0 release artifact against the public key provided by Cerbos, ensuring that the artifact hasn't been tampered with and is from a trusted source.
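As an added example (not code from the Cerbos post or project), the following POSIX shell script wraps that verification step so a deployment pipeline fails closed: an image is only handed on to the deploy stage when cosign reports a valid signature, and a missing cosign binary is treated as a failure rather than a skipped check. The key URL is the one quoted above; the function name verify_cerbos_image, the CERBOS_KEY_URL variable and the --run entry point are assumptions of this example. It assumes cosign v2, whose flag is --key (v1 builds accepted -key).

```shell
#!/bin/sh
# Added example, not from the Cerbos post or project: gate a deployment on
# a successful cosign signature check so the pipeline fails closed.
set -eu

# Public key URL as quoted in the post; override with CERBOS_KEY_URL if needed.
CERBOS_KEY_URL="${CERBOS_KEY_URL:-https://www.cerbos.dev/cosign.pub}"

# verify_cerbos_image IMAGE_REF
#   Prints IMAGE_REF on stdout and returns 0 only when cosign reports a valid
#   signature for it against CERBOS_KEY_URL. Returns 2 if cosign is absent
#   (a missing tool must not count as "verified") and 1 if verification fails.
#   The function name is an assumption of this example.
verify_cerbos_image() {
  image="$1"
  if ! command -v cosign >/dev/null 2>&1; then
    echo "cosign not found in PATH; refusing to treat $image as verified" >&2
    return 2
  fi
  # cosign v2 syntax is --key (v1 accepted -key). A non-zero exit means no
  # signature on the artifact validated against this key.
  if ! cosign_out=$(cosign verify --key "$CERBOS_KEY_URL" "$image" 2>&1); then
    echo "signature verification FAILED for $image" >&2
    echo "$cosign_out" >&2
    return 1
  fi
  echo "$image"
}

# Example usage: ./verify.sh --run cerbos/cerbos:v0.34.0
if [ "${1:-}" = "--run" ]; then
  verified=$(verify_cerbos_image "${2:-cerbos/cerbos:v0.34.0}")
  echo "verified, safe to deploy: $verified"
fi
```

Note that cerbos/cerbos:v0.34.0 is a mutable tag: once cosign has verified the signature, deploy the image by the digest cosign reports for it rather than by the tag, so the artifact you run is the exact one whose signature was checked.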

Documentation and Chores

The documentation has been updated to reflect the latest changes, and numerous internal improvements have been made to ensure the stability and reliability of Cerbos, including updates to dependencies, testing enhancements, and workflow optimizations.

Embracing the Future

This release is a testament to our ongoing commitment to making policy management as straightforward and secure as possible. We're excited about the improvements in Cerbos PDP v0.34.0 and are eager to see how these enhancements will empower our users to build more secure and efficient applications.

You can find the full release notes for v0.34 on docs.cerbos.dev. We extend our gratitude to the Cerbos community for their invaluable contributions and feedback, which have been instrumental in shaping this release. We look forward to your continued engagement and support as we work together to advance the state of authorization and policy decision-making.

Stay tuned for more updates, and as always, we encourage you to reach out with your feedback, questions, and contributions. Together, we are improving authorization and policy management, one release at a time.
