The Admin API does not have a DELETE Policy endpoint. How do we clean up policies in the data store when they are no longer needed?
07/14/2023, 7:33 AM
At the moment we only support disabling policies. They can't be permanently deleted from the database using the API.
Others have asked for this as well, so it's on our radar.
07/14/2023, 4:09 PM
Thanks. I think this would be one of the biggest hurdles for us before fully committing to using Cerbos.
We have potentially an unbounded number of Principal Policies that can be defined, and having the ability to clean them up when they are no longer needed could help performance.
@Charith (Cerbos) is there anything we should be aware of if we went directly to the DB to delete policies? How would that affect the running Cerbos instances, caching, etc.?
07/14/2023, 4:30 PM
When deleting policies you have to be careful not to delete a policy that has dependents or you'll end up with an invalid store. That's one of the reasons why we haven't introduced hard deletion. Storage is pretty cheap and the tables are indexed so unless you have many millions of records, I'd be surprised to see any performance impact.
Since you're using principal policies, they are relatively safe to delete because they don't have dependencies. Once you have deleted records, you could call the store reload Admin API endpoint to refresh the cache. But, you don't have to do it. Those cached entries will eventually expire and get dropped from the cache anyway.