In the biggest release yet Cerbos is now faster, more secure, and integrated with the wider ecosystem.
Written from the ground up to handle the specialized use cases Cerbos is designed for, the brand new policy decision engine is significantly faster and more efficient than the previous version.
This new engine is fully backward compatible with all existing policies while being much faster: during benchmarking we have seen speed-ups of up to 17x in some cases. With this new engine, the core is ready for even the most demanding use cases and lays the groundwork for exciting new features in the future.
Organizations always exist with a hierarchy - be it departments, offices, or regions - and being able to grant access based upon these structures is commonplace. With this release, Cerbos policies can now use a number of hierarchical functions in conditions to determine relationships such as a parent, child, ancestor, sibling, and more.
It is now possible to have policies that grant access to whole departments or regions that exist in your identity provider rather than having to explicitly give access to each node in the tree. See the hierarchy function documentation for more details.
Many applications these days make use of JSON Web Tokens (JWT) for carrying signed authentication claims between services. Now with native support for JWT, the Cerbos PDP is able to verify the tokens and use the claims directly when evaluating policies. This is a great way to ensure attributes about the principal are accurate and verified while reducing the burden on developers to correctly extract and transmit the claims over to Cerbos. See AuxData block for more information.
The new blob storage driver supports reading policies from cloud blob stores such as AWS S3, Google Cloud Storage, or any S3-compatible storage implementation like Minio. This enables you to host your policy repository on highly available, versioned, and encrypted storage services offered by major cloud providers and run Cerbos on serverless environments like AWS Lambda, Google Cloud Functions, Google Cloud Run, or Knative. See Blob driver for more information.
Rock-solid testing is built into the core of Cerbos and with this release, a number of GitHub Actions have been added to make integration of Cerbos with your GitHub workflow much easier. You can set up your repo to run the validation on every commit and require all policy tests to pass before merging in a change to your policy repo. See Validating and testing policies in CI environments for details on how to integrate them into your workflow.
As always you can find the full release notes here.
Book a free Policy Workshop to discuss your requirements and get your first policy written by the Cerbos team