github open-policy-agent/opa v0.26.0

3 years ago

This release contains a number of enhancements and bug fixes.

Built-in Functions

  • This release includes a number of built-in function improvements for Wasm compiled policies. The following built-in functions have been implemented natively and no longer need to be supplied by SDKs: graph.reachable, json.filter, json.remove, object.get, object.remove, and object.union.

  • This release fixes several bugs in the Wasm implementation of certain regex built-in functions (#2962), format_int (#2923) and round (#2999).

  • This release adds ceil and floor built-in functions. Previously these could be implemented in Rego using round; however, the new functions are more convenient.

Enhancements

  • OPA has been extended to support OAuth2 JWT Bearer Grant Type and OAuth2 Client Credential JWT authentication options for communicating with control plane services. This change allows OPA to use services that rely on Ping Identity as well as GCP service accounts for authentication. OPA has also been extended to support custom authentication plugins (thanks @gshively11).

  • OPA plugins can now enter a "WARN" state to indicate they are operating in a degraded capacity (thanks @gshively11).

  • The opa bench command can now benchmark partial evaluation queries. The options to enable partial evaluation are shared with opa eval. See opa bench --help for details.

  • Wasm compiled policies now contain source locations that are included in runtime error messages (such as object key conflicts). In addition, Wasm compiled policies only export the minimal set of APIs described on the WebAssembly#exports page.

Fixes

  • ast: Fix parsing of numbers to reject leading zeroes (#2947) authored by @LCartwright.
  • bundle: Fix loader to only verify bundle keys if configured to do so (#3028).
  • cmd: Fix build to avoid packaging policy.wasm twice (#3007).
  • cmd: Fix pretty-printed PE output to hide spurious blank lines.
  • server: Fix false-positive in bundle root check that would prevent data updates in some cases (#2868).
  • server: Fix query cache to respect ?instrument option (#3000).
  • server: Fix server to support discovery on inter-query cache configuration.
  • topdown: Fix PE to avoid generating expressions that do not type check (#3012).
  • wasm: Fix planner to avoid generating a conflict error in some cases (#2926).
  • wasm: Fix planner to generate correct virtual document iteration instructions (#3065).
  • wasm, topdown: Fix with keyword handling to ensure last statement wins (#3010).
  • wasm: Fix planner to handle assignment conflicts correctly when else keyword is used (#3031).

Documentation

  • Add new section on integrating policies with OAuth2 and OIDC.
  • Update Kubernetes admission control tutorial to work as non-root user.
  • Fix link to signing documentation (#3027) authored by @princespaghetti.

Backwards Compatibility

  • Previously, OPA deduplicated sets and objects in all cases except when iterating over or referring directly to values generated by partial rules. This inconsistency would only be noticed when running ad-hoc queries, or within policies when aggregating the results of array comprehensions (e.g., count([1 | p[x]]) could observe duplicates in p). This release removes the inconsistency by deduplicating sets and objects in all cases (#429). This was the second oldest open issue on the project.
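
The pattern described above, as an added Rego example (not taken from the OPA release notes or the OPA code base). The package name, rule names and input shape are assumptions made for illustration, and the syntax is the pre-1.0 Rego in use at the time of this release. It shows the kind of policy worth re-checking after the upgrade: a threshold decision built on an array comprehension over a partial set rule.

```rego
package example.approvals

# Constructed sample input (hypothetical shape):
#   {"approvals": [{"user": "alice"}, {"user": "alice"}]}

# Partial set rule: one element per approving user.
# With the sample input, "alice" is generated twice, once for each
# of her entries in input.approvals.
approvers[user] {
    user := input.approvals[_].user
}

# Aggregates over the partial rule inside an array comprehension,
# the same shape as count([1 | p[x]]) in the release note.
# Before v0.26.0 the iteration could observe a generated value more
# than once; from v0.26.0 the set is deduplicated in all cases.
approval_count = n {
    n := count([1 | approvers[_]])
}

# Two-person rule built on that count. Its outcome depends on whether
# duplicates are visible to the comprehension, so a policy like this
# should be re-tested when moving across the v0.26.0 boundary.
quorum {
    approval_count >= 2
}
```

With the constructed input, v0.26.0 and later see a single approver, so quorum is undefined. Policies whose tests pinned a count that included duplicates will see the value change after the upgrade.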

Deprecations

  • OPA now logs warnings when it receives legacy bundle config sections instead of the bundles section introduced in v0.13.0.
