Releases: open-policy-agent/opa
v0.9.1
Fixes
- Add io.jwt.verify_es256 and io.jwt.verify_ps256 built-in functions (@optnfast)
- Add array.concat built-in function (#851)
- Add support for command line bundle loading (#870)
- Add regex split built-in function
- Fix incorrect AST node in Index events (#859)
- Fix terraform tutorial type check errors (#888)
- Fix CONTRIBUTING.md to include sign-off step (@optnfast)
- Improve save set performance (#860)
v0.9.0
Major Features
This release adds two major features to OPA itself.
-
Query Profiler: the
opa evalsubcommand now supports a--profileroption
to help policy authors understand the performance profile of their policies.
Give it a shot and let us know if you find it helpful or if you find cases
that could be improved! -
Compile API: OPA now exposes Partial Evaluation with first-class interfaces.
In prior releases, Partial Evaluation was only used for optimizations
purposes. As of v0.9, callers can use Partial Evaluation via HTTP or Golang to
obtain conditional decisions that can be evaluated on the client-side.
Fixes
- Add ADOPTERS.md file (#691)
- Add time.weekday builtin (#789)
- Fix REPL output for multiple bool exprs (#850)
- Remove support rule if default value is not needed (#820)
Miscellaneous
Here is a shortlist of notable miscellaenous improvements.
- Add any/all built-in functions (thanks @vrnmthr)
- Add built-in function to parse Rego modules
- Add copy propagation optimization to partial evaluation output
- Add docs for exercising policies with test framework
- Add extra output formats to eval subcommand
- Add support for providing input to eval via stdin
- Improve parser error readability
- Improve rule index to support unknown values
- Rewrite == with = in compiler
- Update build to enable CGO
...along with 30+ other fixes and improvements.
v0.8.2
Fixes
- Fix virtual document cache invalidation (#736)
- Fix partial cache invalidation for data changes (#589)
- Fix query to path conversion in decision logger (#783)
- Fix handling of pointers to structs (#722, thanks @srenatus)
- Improve sprintf number handling (#748)
- Reduce memory overhead of decision logs (#705)
- Set bundle status in case of HTTP 304 (#794)
Miscellaneous
- Add docs on best practices around identity
- Add built-in function to verify JWTs signed with HS246 (thanks @hbouvier)
- Add built-in function to URL encode objects (thanks @vrnmthr)
- Add query parameters to authorization policy input (#786)
- Add support for listening on a UNIX domain socket (#692, thanks @JAORMX)
- Add trace event for rule index lookups (#716)
- Add support for multiple listeners in server (thanks @JAORMX)
- Remove decision log buffer size limit by default
- Update codebase with various go-fmt/ineffassign/mispell fixes (thanks @srenatus)
- Update REPL command to set unknowns
- Update subcommands to support loader filter (#782)
- Update evaluator to cache storage reads
- Update object to keep track of groundness
v0.8.1
Fixes
Miscellaneous
- Add Kafka authorization tutorial
- Add URL query encoding built-ins
- Add runtime API to register plugins
- Update eval subcommand to support multiple files or directories (thanks @devenney)
- Update Terraform tutorial for OPA v0.8
- Fix bug in topdown query ID generation
v0.8.0
Major Features
This release includes a few major features that improve OPA's management
capabilities.
-
Bundles: OPA can be configured to download bundles of policy and data from
remote HTTP servers. This allows administrators to configure OPA to pull down
all of the policy and data required at the enforcement point. When OPA boots
it will download the bundle and active it. OPA will periodically check in with
the server to download new revisions of the bundle. -
Status: OPA can be configured to report its status to remote HTTP servers. The
status includes a description of the active bundle. This allows administrators
to monitor the status of OPA in a central place. -
Decision Logs: OPA can be configured to report decision logs to remote HTTP
servers. This allows administrators to audit and debug decisions in a central
place.
File Loading Convention
The command line file loading convention has been changed slightly. If you were
previously loading files with opa run * you should use opa run . now. OPA
will not namespace data under top-level directory names anymore. The problem
with the old approach was that data layout was dependent on the root directory
name. For example opa run /some/path1 and opa run /some/path2 would yield
different results even if both paths contained identical data.
Tracing Improvements
Thanks to @jyoverma for adding a trace built-in function that allows policy
authors to include notes in the trace. For example, authors can now embed
trace calls in their policies. When OPA encounters a trace call it will
include a "note" in the trace. Callers can filter the trace results to show only
notes. This helps diagnose incorrect decisions in large policies. For example:
package example
allow {
input.method = allows_methods[_]
trace(sprintf("input method is %v", [input.method]))
}
allowed_methods = ["GET", "HEAD"]
Fixes
- Add RS256 JWT signature verification built-in function (#421)
- Add X.509 certificate parsing built-in function (#635)
- Fix substring built-in bounds checking (#465)
- Generate support rules for negated expressions (#623)
- Ignore some built-in calls during partial eval (#622)
- Plug comprehensions in partial eval results (#656)
- Report safety errors for generated vars (#661)
- Update partial eval to check call args recursively (#621)
Other Notable Changes
- Add base64 encoding built-in functions
- Add JSON format to test and check subcommands
- Add coverage package and update test subcommand to report coverage
- Add eval subcommand to run queries from the command line (deprecates opa run --eval)
- Add parse subcommand to parse Rego modules and print AST
- Add reminder/reminder (%) operator
- Update rule index to support ==
- Update to Go 1.10
- Various fixes to fmt subcommand and format package
- Fix input and data loading to roundtrip values. Allows loading of []string, []int, etc.
As well as many other smaller improvements, refactoring, and fixes.
v0.7.1
v0.7.0
Major Features
-
Nested expressions: now you can write expressions like
(temp_f - 32)*5/9! -
Assignment/comparison operators: now you can write
x := <expression>to
declare local variables andx == ywhen you strictly want to compare two
values (and not bind any variables like with=). -
Prometheus support: now you can hook up Prometheus to OPA and collect
performance metrics on the different APIs. (thanks @rlguarino)
New Built-in Functions
This release adds and improves a bunch of built-in functions. See the Language Reference for details.
- Add globs_match built-in function (thanks @yashtewari)
- Add HTTP request built-in function
- Add time.clock and time.date built-in functions
- Add n-way set union and intersection built-in functions
- Improve walk built-in function performance for partially ground paths
Fixes
- Fix REPL assignment support (#615)
- Fix panic due to nil term value (#601)
- Fix safety check bug for call args (#625)
- Update Kubernetes Admission Control tutorial (#567)
- Update release script to build for Windows (#573)
Miscellaneous
- Add support for DELETE method in Data API (#609) (thanks @repenno)
- Add basic query performance instrumentation
- Add documentation covering how OPA compares to other systems
- Remove use of unsafe.Pointer for string hashing
v0.6.0
This release adds initial support for partial evaluation. Partial evaluation
allows callers to mark certain inputs as unknown and then evaluate queries to
produce new queries which can be evaluated once inputs become known.
Features
- Add initial implementation of partial evaluation
- Add sort built-in function (#465)
- Add built-in function to check value types