File-based Audit Log, Wildcards, and Ruby SDK - Cerbos v0.17 Release

Published by Alex Olivier on June 06, 2022
The latest release of Cerbos, v0.17, includes a new file-based audit logging backend, wildcard role support, and a new Ruby SDK.

We have been working closely with users of Cerbos at Utility Warehouse, 9fin, Salesroom, Refine, and Doorfeed on this release and can’t wait to hear more about what you would like to see in future versions. Join the conversation in the Cerbos Slack community.

File-based Audit Log

This release introduces a new file-based audit logging backend for structured logs that log aggregators can ingest.

Having the audit trails from all Cerbos instances aggregated in a log management system provides system and security operators fine-grained visibility into all the resources secured by Cerbos. The collected audit data can help monitor live trends, create alerts for exceptional or suspicious patterns, and investigate past incidents.

Wildcard Roles

Resource policies and derived role definitions now support the special * operator in the roles and parentRoles fields, where it matches any role.

Previously, in order for a derived role or a policy rule to activate, at least one of the principal’s roles had to match the set of roles enumerated in the rule. With this change, derived roles or policy rules can be defined to effectively ignore the principal’s role. One of the ways in which this feature can be used is to model capability-based access rules based on grants defined in a JWT.
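A sketch of the capability-based pattern described above, written for this article as an added example rather than taken from the Cerbos release or documentation. It reuses the "document" resource kind from the Ruby call on this page; the capabilities claim and its value are hypothetical, and it assumes the JWT is passed to Cerbos as auxiliary data and that the PDP is configured to verify it.

```yaml
# Added example: resource policy for the "document" kind.
# The "capabilities" claim name and the "document:edit" value are hypothetical.
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  resource: "document"
  rules:
    # Role-gated rule, the pre-v0.17 behaviour: the rule only activates
    # when at least one of the principal's roles appears in this list.
    - actions: ["view"]
      effect: EFFECT_ALLOW
      roles: ["USER"]

    # Wildcard rule: "*" matches any role, so the principal's roles no
    # longer narrow who this rule applies to. The condition is the only
    # gate, which is why it checks that the claim exists before reading it.
    # The asterisk must be quoted; a bare * is YAML alias syntax.
    - actions: ["edit"]
      effect: EFFECT_ALLOW
      roles: ["*"]
      condition:
        match:
          expr: >-
            has(request.aux_data.jwt.capabilities) &&
            "document:edit" in request.aux_data.jwt.capabilities
```

Because the wildcard removes the role check, a rule like the second one should always carry a condition; without one it would allow the action for every principal.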

Ruby SDK

Continuing on from the last release, a new Ruby SDK is now available.

The Cerbos SDKs make calling and interacting with Cerbos a much more streamlined experience and provide native methods for constructing calls out to check authorization in your codebase.

require "cerbos"

# Connect to a local Cerbos PDP over plaintext gRPC
client = Cerbos::Client.new("localhost:3593", tls: false)

decision = client.check_resource(
  principal: {
    id: "user@example.com",
    roles: ["USER"],
  },
  resource: {
    kind: "document",
    id: "1",
    attributes: {
      owner: "author@example.com"
    }
  },
  actions: ["view", "edit"]
)

decision.allow?("view") # => true
decision.allow?("edit") # => false

As with everything else with Cerbos, all SDKs are open-source and can be found on our GitHub account. Next up is a .NET SDK which will be released in the coming weeks.

You can find the full release notes here and if you have any questions join the Cerbos Slack community.
