Ability to delete policies #1663

Open
1 task done
roman-supy-io opened this issue Jun 22, 2023 · 2 comments

Comments

@roman-supy-io

Is there an existing issue for this?

  • I have searched the existing issues

Feature description

Right now there is no ability to delete policies.
This is fine with a static Git-based policy driver, but with dynamic policy storage like Postgres it becomes an issue.

The use case is, if we create policies dynamically, as per Custom Role and Scope, we can store a ref to it in our DB.
When the scope gets removed, the policies need to be cleaned up as well.

Currently it's only possible as a workaround by directly removing them from the DB by scope and resource,
which feels awkward.

What would the ideal solution look like to you?

Please provide the ability to remove the policy(es), as in:

  1. cerbosClient.deletePolicy(<id>)
  2. cerbosClient.deletePolicies({ ids: <ids> })

Anything else?

Thank you :)

@charithe
Contributor

Hi, we haven't yet introduced a hard delete API endpoint for two reasons:

  • Keep a history of policy changes (Cerbos was originally designed exclusively for GitOps).
  • It's quite easy to make the policy repository invalid by deleting a policy (e.g. deleting the middle scope of a scope chain)

You can use the DisablePolicy endpoint to disable a policy and it has the same effect as deleting one except for the fact that you can recover it quite easily with EnablePolicy.

Is your main concern the storage used by disabled policies?
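
The scope-chain concern raised in the comment above, as an added example (not Cerbos code and not written by either participant): a pre-check that refuses to remove or disable a scoped policy while policies in descendant scopes still depend on it. The store layout, the function names, and the convention that scopes are dot-separated with `""` as the root are assumptions made for this example.

```javascript
// Constructed sample store: resource policies identified by resource kind and scope.
// Assumption: scopes are dot-separated and "" is the root (unscoped) policy.
const samplePolicies = [
  { resource: "invoice", scope: "" },
  { resource: "invoice", scope: "acme" },
  { resource: "invoice", scope: "acme.hr" },
  { resource: "invoice", scope: "acme.hr.uk" },
  { resource: "report", scope: "" },
];

// Every ancestor scope of "a.b.c", nearest first: ["a.b", "a", ""].
function ancestorScopes(scope) {
  if (scope === "") return [];
  const parts = scope.split(".");
  const out = [];
  for (let i = parts.length - 1; i >= 0; i--) out.push(parts.slice(0, i).join("."));
  return out;
}

// Policies whose scope chain would have a gap if `target` were removed.
function orphanedBy(policies, target) {
  return policies.filter(
    (p) =>
      p.resource === target.resource &&
      p.scope !== target.scope &&
      ancestorScopes(p.scope).includes(target.scope)
  );
}

// Split a removal request into safe targets and targets that would break a chain.
// The batch is treated as removed together, so a leaf-to-root batch passes.
function planRemoval(policies, targets) {
  const key = (p) => `${p.resource}\u0000${p.scope}`;
  const removing = new Set(targets.map(key));
  const remaining = policies.filter((p) => !removing.has(key(p)));
  const safe = [];
  const blocked = [];
  for (const t of targets) {
    const orphans = orphanedBy(remaining, t);
    if (orphans.length === 0) safe.push(t);
    else blocked.push({ target: t, orphans });
  }
  return { safe, blocked };
}
```

Only the `safe` targets would be passed on to whatever disable or cleanup call the storage driver offers; `blocked` entries list the descendant policies that must go first.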

@roman-supy-io
Author

Hi @charithe,
no, the main concern is to not have the data that's not (and will never be again) used.
