Releases: open-policy-agent/opa
v0.13.5
v0.13.4
v0.13.3
v0.13.2
This release updates OPA to use the latest stable Golang release (1.12.8) that includes important fixes in the net/http package. See this golang-nuts group message for details.
v0.13.0
Multiple Bundles
This release adds support for downloading multiple bundles to OPA using the new bundles key in the configuration. APIs that include bundle information have been updated to support multiple bundles:
- Status API messages include the status and revision of each bundle.
- Decision Log API messages include the revision of each bundle.
- Data API responses include the revision of each bundle in the provenance field if requested.
- Health API waits for all bundles to activate if requested.
These changes are backwards compatible. If you are using the existing bundle key in the configuration, you will not see any changes in the APIs listed above. We recommend that you switch to the new bundles key and update consumers of the above APIs to support multiple bundles. For more information on bundles see this page in the OPA documentation.
Console Decision Logger
This release adds support for emitting decision logs to stdout. This
is useful for shipping decision logs directly to existing logging
backends.
You can enable console decision logging on the command line:
opa run --server --set decision_logs.console=true
Console decision logging can be enabled alongside normal and custom
decision logging.
Fixes
- ast: Report safety errors on line where expression starts (#1497)
- ast: Update rule index to support glob.match (#1496)
- bundle: Add support for loading YAML files from bundles (#1471)
- bundle: Cache compiler on storage context (#1515)
- cmd: Fix double print of rego errors (#1518)
- docs: Add section on how to express "FOR ALL" in Rego (#1307)
- docs: Fix mention of reference head var (#1477)
- docs: Remove cast_xyz functions from docs (#1405)
- server: Pass transaction in decision log event (#1543)
- storage: Add safety checks to in-memory store (#1594)
- topdown: Fix corrupt object panic caused by copy propagation (#1177)
- topdown: Fix virtual cache to allow composite key terms (#1197)
Miscellaneous
- OPA sets the User-Agent header in requests made to services.
- openpolicyagent/opa:edge Docker images are available now. The edge tag refers to the tip of master.
- OPA supports signing and encoding of JWTs. See Token Signing for details.
- Prometheus metrics include cancelled HTTP requests.
- Compiler exposes optional unsafe built-in function check.
- Discovery query can be configured now. See Discovery Configuration for details.
- Optimized rewriteDynamics stage in compiler to reduce allocations.
- OPA subcommands support "fails" explanation now. The "fails" explanation is similar to the "notes" explanation except that it prints Fail events instead of Note events. This is useful for, among other things, debugging test failures.
- Partial evaluation can disable inlining on specific virtual documents. If set correctly this can improve partial evaluation performance significantly because OPA can avoid computing cross-products. rego.Rego#PrepareForEval now times partial evaluation properly.
- The diagnostics feature deprecated in v0.10.1 has been removed.
v0.12.2
v0.12.1
v0.12.0
This release includes two new features and an important bug fix.
Decision Log Masking
This release includes an important feature for protecting sensitive information in decision logs: masking. With the new decision log masking feature you can configure OPA to remove sensitive information from the input and result fields of decision log events. See the Decision Log documentation for details.
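A masking policy, as an added example that is not part of the release notes: OPA evaluates rules in the system.log package against each decision log event before upload, and every path produced by the mask rule is erased from that event. The field names under input and result, and the "auth/" path prefix used in the conditional rule, are constructed for illustration.

```rego
package system.log

# Added example: decision log masking policy (not from the release notes).
# Each value of 'mask' is a path into the decision log event; OPA removes
# that field before the event is uploaded. The paths below are constructed.

# Always strip credentials that callers submit in the input document.
mask["/input/password"]
mask["/input/request/headers/authorization"]

# Conditional masking: inside this policy, 'input' is the decision log
# event itself, so event metadata such as the queried path can be used
# to decide what to remove. Here the result's token is dropped only for
# decisions made under the (constructed) "auth/" policy path.
mask["/result/token"] {
    startswith(input.path, "auth/")
}
```

Load this policy alongside the policies OPA serves; the masked event still records the decision id, revision and timing, so the log stays useful for auditing without exposing the secret values.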
AWS Signing for Bundle Downloads
This release adds support for signing bundle download requests using an AWS signing scheme. This feature allows you to configure OPA to download bundles directly from S3. See the Configuration documentation for details.
Fixes
- server: Fix deadlock caused by leaked write transaction (#1478)
Miscellaneous
- server: Add request headers to authorization input (#1456)
- rego: Add time zone support to time/date built-in functions
- eval: Add --instrument flag for profiling evaluation via command line
v0.11.0
Compatibility Notes
This release includes a few small but backward incompatible changes:
- The compiler will reject functions that redeclare arguments. A search of public .rego files on GitHub only returned one result which was contained in the OPA documentation. For example:

```rego
f(x) {
    x := 1  # bad: redeclaration of 'x'
    x == 1  # ok
}
```

- Errors returned by built-in calls are no longer coded as eval_internal_error. Instead they are returned as eval_builtin_error. This change is made so callers can differentiate between actual internal errors and built-in errors that are the result of bad inputs from the policy.
- The ast.QueryCompiler#WithInput function and ast.QueryContext#Input field have been removed because they were unused and had no effect.
- The ast.Compiler and ast.QueryCompiler functions to register extra changes now require a stage and metric name.
Major Features
This release includes a few notable features and improvements:
- The some keyword allows you to declare local variables to avoid namespacing issues. See the Some Keyword section in the documentation for more detail.
- The opa test, eval, REPL, and HTTP API have been extended with a new explanation mode for filtering tracing notes. This makes it easier to see the output of trace(msg) calls from your policy.
- The WebAssembly (Wasm) compiler has been extended to include support for compiling rules into Wasm. Previously the compiler relied on partial evaluation to inline all rules. In some cases this is not possible due to limitations on Rego queries. In coming releases, the Wasm support will be extended to cover the entire language.
- The rego package has been extended to support prepared queries. Prepared queries cache the parsed and compiled query ASTs for re-use across multiple Eval calls. For small policies the speedup can be significant. See the GoDoc for details.
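The namespacing problem that the some keyword solves, together with the argument-redeclaration rule from the Compatibility Notes above and a trace(msg) call for the new "notes" explanation, as an added example that is not part of the release notes. The package name, the servers data and the rule named i are constructed for illustration.

```rego
package example

# Added example (not from the release notes); all data below is constructed.
servers := [
    {"name": "web", "ports": ["http", "https"]},
    {"name": "db",  "ports": ["mysql"]},
]

# A package-level rule that happens to be called i. Without 'some', a bare
# i inside another rule body would refer to this document, so servers[i]
# would silently evaluate servers[0] only instead of iterating.
i := 0

# 'some i' declares i local to this rule, so the reference below iterates
# over every index regardless of the rule named i in this package.
public_servers[name] {
    some i
    servers[i].ports[_] == "https"
    name := servers[i].name
}

# trace(msg) output is shown by 'opa eval --explain notes' (v0.11+); the
# new mode filters the full trace down to these Note events.
has_public(name) {
    public_servers[name]
    trace(sprintf("%s exposes https", [name]))
}

# Rejected by the v0.11 compiler: the argument x is redeclared with :=.
# bad(x) { x := 1 }
```

Evaluating data.example.public_servers yields {"web"}; drop the some declaration and the same rule returns {"web"} only by accident, because servers[i] then means servers[0], which is why the keyword matters for policies that grow into larger packages.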
Fixes
- Add Kubernetes admission control debugging tips (#1039)
- Add docs on health check API endpoint (#1086)
- Add hardened configuration example to security page (#1172)
- Add support for with keyword stacking (#802)
- Fix type inferencing on object keys (#1361)
- Fix simple Kubernetes deployment example (#874)
- Fix bug in data mocking that resulted in wrong iteration behavior (#1261)
- Fix bug in set deep copy that caused panic (#1406)
- Fix bug in REPL that prevented rules from being declared (#1104)
Miscellaneous
- docs: Better documentation for providing the input document over HTTP (#1293)
- docs: Add note about HTTP_PROXY friends (#1410)
- Add CLI config overrides and ENV injection
- Add additional compiler metrics for each stage
- Add an “edge” release to the docs
- Add param to include bundle activation in /health response
- Add provenance query output
- Add support for graceful shutdown of OPA server
- Improve discovery feature documentation
- Make json logs the default and add json-pretty
- Raise error when loading empty module in bundle
- Return eval_builtin_error instead of eval_internal_error
- Rewrite == to = in queries passed to the compile API
- docs: Update bundle docs with caching info
- Update logrus to 1.4.0
- server: Add early exit on PUT /v1/policies
- topdown: Fix set unification partial eval bug
- topdown: Omit rule body from enter/redo events
v0.10.7
This release publishes the Hugo-based documentation to GitHub Pages 🎉
Fixes
- Add array.slice built-in function (#1243)
- Add net.cidr_contains and net.cidr_intersects built-ins (#1289). This change deprecates the old net.cidr_overlap built-in function. The latter will be supported for backwards compatibility but new policies should refer to net.cidr_contains.
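The two new CIDR built-ins side by side, as an added example that is not part of the release notes: net.cidr_contains answers the containment question that policies previously expressed with the deprecated net.cidr_overlap, while net.cidr_intersects answers the distinct question of whether two ranges overlap at all. The package name, the internal_cidrs set and the input fields are constructed for illustration.

```rego
package network

# Added example (not from the release notes); the ranges are constructed.
internal_cidrs := {"10.0.0.0/8", "192.168.0.0/16"}

# Containment: true when the client address falls inside any internal range.
# This is the replacement for the deprecated net.cidr_overlap call.
from_internal {
    net.cidr_contains(internal_cidrs[_], input.client_ip)
}

# Intersection: true when a requested subnet overlaps an existing range at
# all, e.g. to reject an allocation that would collide with one already in
# use. A partial overlap is enough; containment is not required.
requested_collides {
    net.cidr_intersects(internal_cidrs[_], input.requested_cidr)
}

# Combined decision: allow a new allocation only from an internal client and
# only when it does not collide with existing ranges.
default allow = false

allow {
    from_internal
    not requested_collides
}
```

With input {"client_ip": "10.1.2.3", "requested_cidr": "172.16.0.0/12"} allow is true; with "requested_cidr": "192.168.10.0/24" the intersects check fires and allow stays false even though the client is internal.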
Miscellaneous
- Bump kube-mgmt container version to 0.8 in tutorial
- Remove unnecessary resizing allocs from AST set and object
- Add Kubernetes Admission Control guide