Releases: permitio/opal

v0.7.5

13 Mar 17:49
686e32a

What's Changed

Fixes

  • Data Fetching: Introduce custom retry configuration for fetching data sources by @thilak009 in #502
  • Merge updates from permit's internal OPAL version by @roekatz in #546
    • Concurrent (thus faster) handling of updates (both policy & data) in client and server
    • Offline Mode: Support having the backup file on a shared volume used by multiple opal-client replicas (Fix file writing race).
    • Restart OPA when panic is detected
    • Upgrade fastapi_websocket_pubsub (v0.3.7) & permit-broadcaster (v0.2.5) for improved stability & performance.
    • Scopes: bug fixes & improved performance (redis access, better repo locks, better git object caching, repo sharding for handling lots of scopes).
    • Fix parsing update callbacks configuration
  • ApiPolicySource: Log errors when retrying failed bundle updates by @roekatz in #500

Build & Dependencies

  • Upgrade to Debian bookworm
  • Install netcat and jq in the common stage by @fortum-vaanavil in #499
  • remove unused rookout by @asafc in #525
  • Use redis-py to replace asyncio-redis by @calmzhu in #498
  • Update cryptography dependency by @orishavit in #520
  • [Snyk] Security upgrade setuptools from 39.0.1 to 65.5.1 by @obsd in #547
  • [Snyk] Security upgrade fastapi from 0.103.2 to 0.109.1 by @RazcoDev in #543
  • [Snyk] Security upgrade aiohttp from 3.8.6 to 3.9.2 by @asafc in #541
  • [Snyk] Upgrade sass from 1.54.9 to 1.69.5 by @obsd in #522

Docs

New Contributors

Full Changelog: 0.7.4...0.7.5

v0.7.4

14 Sep 19:06
8c5c2c2

What's Changed

New Features

  • Add support for PATCH as save_method in data updates. by @thilak009 in #483

Bugfixes

Docs

New Contributors

Full Changelog: 0.7.3...0.7.4

v0.7.3

27 Jun 11:40
3afcd1a

What's Changed

  • Webhook: Fix not listening on webhook notifications when broadcaster isn't configured. by @roekatz in #480 - Thanks Jack Geek from our Slack community for reporting!
  • Fix multi arch support in docker build and push workflow. by @roekatz in #479

Full Changelog: 0.7.2...0.7.3

v0.7.2

20 Jun 16:40
d11bb2d

What's Changed

New Features

  • Support OPA TLS authentication. by @oskar-christensson in #457
  • Support disabling policy updates in OPAL client (data-only mode). by @thilak009 in #470
  • Support S3 buckets as bundle servers (aka api policy source) by @orweis in #472 & @cbat98 in #473
  • Upgraded broadcaster version to 0.2.3 (Includes new support for Kafka SSL by @david-hamilton-bah in permitio/broadcaster#5)
  • Policy store data updates: Support only pushing nested keys instead of overriding entire root path (e.g. /v1/data on OPA) by @orishavit in #448

Fixes

  • Fix memory leaks (Leaking tasks on publishing updates & executing webhook trigger) by @roekatz in #475 & #476

Docs & Examples

New Contributors

  • @oskar-christensson made their first contribution in #457
  • @thilak009 made their first contribution in #470
  • @cbat98 made their first contribution in #473

Full Changelog: 0.7.0...0.7.2

v0.7.0

10 May 19:13
60796be

What's Changed

Supporting a new policy engine: Cedar Agent

Cedar Agent provides the ability to run Cedar as a standalone agent (Similar to how one would use OPA) which can then be powered by OPAL. OPAL manages the policies loaded into Cedar through git, same as for OPA, and can push data updates in real time from external data sources.
Example OPAL configuration for Cedar can be found here.

The Cedar policy language offers better readability, better performance for policy evaluation and is analyzable via automatic reasoning.

  • Add a Cedar policy engine plugin by @shaulk in #461
  • Shaul/per 5343 update cedar agent in opal by @shaulk in #463

Small fixes and improvements

  • Add platforms to build-push-action with amd64 and arm64 by @vivedo in #427
  • [Snyk] Security upgrade setuptools from 39.0.1 to 65.5.1 by @RazcoDev in #323
  • [Snyk] Security upgrade setuptools from 39.0.1 to 65.5.1 by @asafc in #324
  • Bump json5 from 2.2.1 to 2.2.3 in /documentation by @dependabot in #354
  • Bump webpack from 5.74.0 to 5.76.1 in /documentation by @dependabot in #410
  • Upgrade GitHub Action by @cclauss in #417
  • Docs: Add periodic_update_interval to data-sources.mdx by @roekatz in #458
  • Oded/small docs fixes by @obsd in #283
  • sort and add more questions by @orweis in #459
  • Merge pull request #347 from permitio/improve-cli-windows-support by @orweis in #349
  • Tests: Mark test_external_http_get flaky for retries by @roekatz in #460
  • bump version: 0.7.0 by @asafc in #462

New Contributors

Full Changelog: 0.6.1...0.7.0

v0.6.1

01 May 17:36
cfe2d07

What's Changed

Bug Fixes

  • Fix exception thrown on webhook for API policy source by @urspraveen2001 in #438
  • Fix restoring OPA from a local backup on offline mode by @roekatz in #450
  • Fix clients can't reconnect when broadcaster disconnects if statistics are enabled by @roekatz in #453

New Contributors

Full Changelog: 0.6.0...0.6.1

v0.6.0

21 Apr 08:02
001c8ae

What's Changed

New Features in Policy Store Control (Client)

  • Automatic resolution of ordering issues: Any failed policy store loading operation (file loading / deletion) would be re-attempted after completing other operations (instead of bailing out), thus eventually achieving the correct loading order via trial and error. by @roekatz in #425
    • Eliminates the need to explicitly define .manifest files in most cases (although having an explicit manifest might still be beneficial for performance).
    • Resolves the known issue of handling moved/renamed modules.
  • OAuth2 support for policy store authentication by @scarlier in #407
  • Add option to ignore specific policy files by @orweis in #414
    • Could be used to prevent opal-client from overriding policy files managed outside OPAL.
  • Optional offline mode, where policy store's data is restored from a local backup file on client startup (Thus being able to handle queries even when server connection can't be established) by @roekatz in #441

Server Multi Process Stability

Bug fixes in using opal-server with multiple workers (UVICORN_NUM_WORKERS) and/or multiple instances (e.g. pod replicas).

  • Fix leader worker sometimes not getting git webhook event (Bug in broadcaster subscription) by @roekatz in #398
  • Turn on BROADCAST_CONN_LOSS_BUGFIX_EXPERIMENT_ENABLED by default (Fixes silent connection losses to Postgres broadcaster) by @roekatz in #443
  • Bump fastapi_websocket_pubsub ver to 0.3.3 by @roekatz in #423

Health Checks

  • Make client's health check always available (without requiring persisting health status in OPA by setting OPAL_OPA_HEALTH_CHECK_POLICY_ENABLED) by @roekatz in #420
  • Expose new /ready endpoint - would return 200 OK if OPA was loaded from either server or backup (on newly available offline mode) at least once. by @roekatz in #441

Scopes Stability

Introduce quite a few refactors & changes in scopes we've been working on and testing internally lately. by @roekatz in #436.

  • Bug fixes related to using multiple Uvicorn workers and / or multiple instances (e.g. pod replicas).
  • Getting rid of Celery worker (a.k.a opal-server-worker) for periodically syncing scopes (Instead, using the leader process the same way it's used when scopes are disabled).
  • Bug fixes in detecting and notifying changes when multiple scopes use the same git repository (but possibly different branches).
  • Fix races in detecting and notifying changes during server setup time (cloning all scopes' repos).
  • Better logging when using scopes

Other Improvements & Fixes

  • Optionally allow to skip url matching in git webhook receiver by @asafc in #400
  • Rename OPAL_SERVER_PORT -> OPAL_SERVER_BIND_PORT to avoid a configuration parsing error when k8s sets this envar to "tcp://..." if there's a service named "opal-server" (for backward compatibility, the old envar is still used if it has a valid port integer value). by @roekatz in #442

Docs & Examples

New Contributors

Full Changelog: 0.5.0...0.6.0

v0.5.0

27 Feb 17:39
b8866bc

What's Changed

This release contains several small fixes and improvements.

New Feature: Bundle Ignore

Adds support for omitting files from the bundle produced by opal-server. Use the OPAL_BUNDLE_IGNORE environment variable to specify a comma-separated list of glob paths; a file matching any of them is not included in the policy bundle.

Bug fix: bitbucket webhook

Fixes #381: When sending a webhook from Bitbucket to the OPAL server with a secret configured, the response to the request is a 401, no secret was provided. This is unexpected as the configuration looks correct.

  • fix bug in parsing and make tests test secrets by @orweis in #384

Bug fix: config default casting

  • improve error logging, and fix default casting by @orweis in #371

Improve usability of topics in data updates

  1. Have the default topic (policy_data) as a default value for DataSourceEntry.topics - To prevent users who have left this empty before from experiencing breaking changes as a result of related bug fixes in 0.4.0. Also fixes #375: Uncaught server exception when posting data update without topics
  2. Warn in real time when a published entry doesn't have topics, or when the client processes a data update with no matching entries (this would cover what isn't covered by 1).
  3. Fix documentation about topics in data updates.

Included PRs:

  • Improve usability of topics in data updates by @roekatz in #389

CI Fixes

Documentation Fixes

New Contributors

Full Changelog: 0.4.0...0.5.0

v0.4.0

01 Feb 23:01
588871d

What's Changed

This release contains several small fixes and improvements.

Support custom OPA versions / variants

  • Extract OPA executable from opa docker image by @tibotix in #316
  • Add opa_image Dockerfile build argument by @tibotix in #322

Improved OPAL client healthcheck

  • OPAL client healthcheck returns the value of the OPA healthcheck policy, based on sync status by @orishavit in #332

Fixed: Hanging redis lock issue

  • This fix by @roekatz solves the issue of the Redis lock (around the policy git clone) hanging forever (preventing new workers from cloning the repo), probably because the app crashes with a segfault before releasing the lock. Link: #345

Fixed: Pulling policy from private repo only succeeds for newly cloned repos

More webhook formats supported

New configuration options

Small fixes and improvements

Documentation Fixes

New Contributors

Full Changelog: 0.3.1...0.4.0

v0.3.1

14 Oct 18:52

What's Changed

Minor bug fixes and improvements.

This release allows you to define periodic refetching on a data source, initiated by the server.
Simply define periodic_update_interval on the entry you want to periodically refetch.

New Contributors

Full Changelog: 0.3.0...0.3.1