Releases: open-policy-agent/opa
v0.10.6
This release migrates the OPA documentation over to Hugo (from
GitBook). Going forward the OPA documentation will be generated using
Hugo and hosted on Netlify (instead of GitHub Pages). The Hugo/Netlify
stack brings us inline with the goal for other CNCF projects and
provides nice features like "preview before merge".
This release includes a small but backwards incompatible change to the
http.send built-in. Previously, http.send would always decode
responses as JSON even if the Content-Type was unset or explicitly not
JSON. If you were previously relying on HTTP responses that did not
set the Content-Type correctly, you will need to update your policy to
pass "force_json_decode": true as in the http.send parameters.
Fixes
- Fix panic in mod operation (#1245)
- Fix eval tree enumeration to return errors (#1272)
- Fix http.send to handle non-JSON responses (#1258)
- Fix backticks in SSH example that were causing problems (#1260)
- Fix IAM examples to use regex instead of glob syntax (#1282)
Miscellaneous
- Add support to register custom stages in the compiler
- Add rootless Docker image stream
- Improve hash distribution on objects
- Reduce number of allocs in set membership implementation
- docs: Add homebrew install instruction to the Getting Started tutorial
- docs: Many improvements around := vs ==, best practices, cheatsheet, etc.
- cmd: Add --fail-defined flag to eval subcommand
- server: Fix patch path escaping
v0.10.5
- These release contians a small but backwards incompatible change to
the custom decision logger API. Custom decision loggers can now
return an error which will cause the OPA to fail-closed.
Fixes
- Fix substring built-in bounds checking (#1235)
- Add trailing newlines when pretty printing API responses
- Add default Go metrics to Prometheus
- Add pprof endpoint to HTTP server
v0.10.4
-
This release adds support for scoping bundles to specific roots
underdata. This allows bundles to be used in conjunction with
sidecars likekube-mgmtthat load local data and policy into
OPA. See the Bundles
page for more details. -
This release includes a small but backwards incompatible change to
the Decision Log event format. Instead of including the OPA version
as a top-level field, the OPA version is included in the labels. The
OPA version field was only added in v0.10.3 so this should not
impact many consumers.
Fixes
v0.10.3
-
This release includes support for authentication via client
certificates (thanks @srenatus!) For improvements to authentication
see #1163. -
This release includes a backwards incompatible change to the
plugin interface. Specifically, when plugins are registered, callers
must provide a factory that can validate configuration before
instantiating the plugin. This allows OPA to ensure that all
configuration is valid before activating changes. Since plugins were
undocumented prior to this release, this change should be low
impact. For details on plugin development see the new Plugins page
on the website. -
This release includes a backwards incompatible change to the HTTP
decision logger event type. Specifically, "null" inputs are now
handled correctly and decision logs for ad-hoc queries now populate
the "query" field in the event instead of the "path" field. If you
are using consuming decision log events in Go, please switch to the
decision logger framework documented here: https://github.com/open-policy-agent/opa/blob/master/docs/book/plugins.md.
Fixes
- Add OPA version to decision logs (#1089)
- Add query metrics to decision logs (#1033)
- Add health endpoint to HTTP server (#1086)
- Add line of failure in
opa test(#961) - Fix panic caused by assignment rewriting (#1125)
- Fix parser to avoid duplicate comments in AST (#426)
- Fix semantic check for function references (#1132)
- Fix query API to return 4xx on bad request (#1081)
- Fix incorrect early exit from ref resolver (#1110)
- Fix rewriting of assignment values (#1154)
- Fix resolution inside references (#1155)
- Fix '^' location of lines starting with tabs (#1129)
- docs: Update count function doc to mention strings (#1126) (#1122)
Miscellaneous
- Add tutorial for OPA/Ceph integration using Rook
- Add metrics timer for server handler
- Add support for custom backends in decision logger
- Fix find operation on sets for non-empty refs
- Fix bug in local declaration rewriting
- Fix discovery docs to show a realistic example
- Update decision log event to include error
- Update decision log events to model paths and queries
- Update server and decision logger to represent input properly
- Update server to include decision ID in error events
- Avoid zero values in http.Transport{} in REST client
WebAssembly
- wasm: Add support for composite terms (#1113)
- wasm: Add support for not keyword (#1112)
- wasm: Add == operator
- wasm: Add checks on single term and dot stmts
- wasm: Add support for boolean and null literals
- wasm: Add support for pattern matching on composites
- wasm: Fix planner for chained iteration
- wasm: Fix pretty printer writer usage
- wasm: Output filenames in testgen errors
- wasm: Refactor assignment for better typing
- wasm: Remove module dumping from build command
- wasm: Rename ir.LoopStmt to ir.ScanStmt
- wasm: Update tester to allow for missing cases
v0.10.2
Fixes
- Add manifest metadata to bundle data (#1079) (#1062)
- Add profile command to REPL (#838)
- Add decision ID note in API docs (#1061)
- Fix formatting of trailing comments in composites (#1060)
- Fix panic caused by input being set incorrectly (#1083)
- Fix partial eval to apply saved terms (#1074)
Miscellaneous
- Add Stringer implementation for expr values
- Add Stringer implementation on metrics object
- Add helper function to compile strings
- Add note to configuration reference about -c flag
- Add support for configuration discovery
- Add support for multiple tracers
- Add trace helper to rego package
- Add code coverage percentage
- Fix REPL to check number of assignment operands
- Fix bug in test runner rule name dedup
- Fix security link in REST API reference
- Fix formatting of empty sets
- Fix incorrect reporting of module parse time
- Fix out of range errors for eq/assign in compiler
- Fix parser to limit size of exponents
- Update compiler to iterate over modules in sort order
- Update OPA front page
- Mark diagnostics feature as deprecated
v0.10.1
v0.10.0
Major Features
-
Wasm compiler. This release adds initial/experimental support for
compiling Rego policies into Wasm executables. Wasm executables can be loaded
and executed in compatible Wasm runtimes like V8 (nodejs). You can try this
out by runningopa build. -
Data mocking. This release adds support for replacing/mocking the
data
document using thewithkeyword. In the past,withonly supported the
inputdocument. This made it tricky to test context-dependent policies. With
the newwithkeyword support, it's easier to write tests against contextual
policies. -
Negation Optimization. This release includes an optimization in partial
evaluation for dealing with negated statements (notkeyword). In the past,
OPA would generate a support rule for negated statements. This is harder for
clients to consume and not readily optimized. The optimization computes the
necessary cross-product of the negated query and inlines it into the caller.
This leads to simpler partial evaluation results that are readily optimized,
translated into other query languages (e.g., SQL and Elasticsearch),
or compiled into Wasm.
Fixes
- Add builtin to verify and decode JWT (#884)
- Add GoDoc sample for using rego.Tracer (#1002)
- Add built-in function to get runtime info (#420)
- Add support for YAML encoded input values (#290)
- Add support for client certificates (#684)
- Add support for non-zero exit code in eval subcommand (#981)
- Fix == rewriting on embedded terms (#995)
- Fix copy propagation panic in comprehensions (#1012)
- Implement regex.find_n (#1001) (#747)
- Improve with modifier target error (#343)
- Iterate over smaller set when intersecting (#531)
- Only write one trailing newline at end of file (#1032)
- Redirect HTTP requests with trailing slashes (#972)
- Update bundle reader to allow relative data.json (#1019)
- Expose version information via REST API (#277)
Miscellaneous
- Add default decision configuration
- Add extra helpers to loader result
- Add indentation to trace in failure output
- Add router option to the HTTP server
- Add support for headers in http.send (thanks @repenno)
- Deprecating --insecure-addr flag (thanks @repenno)
- Add POST v1/query API for large inputs (thanks @rite2nikhil)
- Remove heap allocations from AST set with open addressing
- Replace siphash with xxhash in AST
- Output traces on failures in verbose mode (thanks @srenatus)
- Rewrite duplicate test rule names (thanks @srenatus)
v0.9.2
Miscellaneous Fixes
- Add option to enable http redirects (#921)
- Add copy propagation to support rules (#911)
- Add support for inlining negated expressions in partial evaluation
- Add deps subcommand to analyze base and virtual document dependencies
- Add partial evaluation support to eval subcommand
- Add
net.cidr_overlapbuilt-in function (thanks @aeneasr) - Add
regex.template_matchbuilt-in function (thanks @aeneasr) - Add external security audit information (thanks @caniszczyk)
- Add initial support for plugin loading (thanks @vrnmthr)
- Fix copy propagator type assertion panic (#912)
- Fix panic in parser error detail construction (#948)
- Fix with value rewriting for call terms (#916)
- Fix coverage flag for test command (thanks @johscheuer)
- Fix compile operation timing in REPL
- Fix to indent 4 spaces instead of a tab (thanks @superbrothers)
- Fix REPL output in policy guide (thanks @ttripp)
- Multiple fixes in the Kubernetes admission controller tutorial (thanks @johscheuer)
- Improve formatting of empty ast.Body (#909)
- Improve Kubernetes admission control policy loading explanation (thanks @rite2nikhil)
- Update http.send test to work without internet access (#945)
- Update test runner to set Fail to true (#954)
Security Audit Fixes
v0.9.1
Fixes
- Add io.jwt.verify_es256 and io.jwt.verify_ps256 built-in functions (@optnfast)
- Add array.concat built-in function (#851)
- Add support for command line bundle loading (#870)
- Add regex split built-in function
- Fix incorrect AST node in Index events (#859)
- Fix terraform tutorial type check errors (#888)
- Fix CONTRIBUTING.md to include sign-off step (@optnfast)
- Improve save set performance (#860)
v0.9.0
Major Features
This release adds two major features to OPA itself.
-
Query Profiler: the
opa evalsubcommand now supports a--profileroption
to help policy authors understand the performance profile of their policies.
Give it a shot and let us know if you find it helpful or if you find cases
that could be improved! -
Compile API: OPA now exposes Partial Evaluation with first-class interfaces.
In prior releases, Partial Evaluation was only used for optimizations
purposes. As of v0.9, callers can use Partial Evaluation via HTTP or Golang to
obtain conditional decisions that can be evaluated on the client-side.
Fixes
- Add ADOPTERS.md file (#691)
- Add time.weekday builtin (#789)
- Fix REPL output for multiple bool exprs (#850)
- Remove support rule if default value is not needed (#820)
Miscellaneous
Here is a shortlist of notable miscellaenous improvements.
- Add any/all built-in functions (thanks @vrnmthr)
- Add built-in function to parse Rego modules
- Add copy propagation optimization to partial evaluation output
- Add docs for exercising policies with test framework
- Add extra output formats to eval subcommand
- Add support for providing input to eval via stdin
- Improve parser error readability
- Improve rule index to support unknown values
- Rewrite == with = in compiler
- Update build to enable CGO
...along with 30+ other fixes and improvements.