This release includes a number of features, enhancements, and fixes. The default
branch for the Git repository has also been updated to main.
Schema Annotations
This release adds support for annotations. Annotations allow users to declare metadata on rules and packages. Currently, OPA supports one form of metadata: schema declarations. For example:
package example
# METADATA
# schemas:
# - input: schema.service
deny["service is missing required 'owner' label"] {
input.kind == "Service"
not input.metadata.labels.owner
}
# METADATA
# schemas:
# - input: schema.deployment
deny["deployment replica count too low for 'production' namespace"] {
input.kind == "Deployment"
input.metadata.namespace == "production"
object.get(input.spec, "replicas", 1) < 3
}Users can include schema annotations in their policies to tell OPA about the structure of external data loaded under input or data. By learning the schema of base documents, OPA can surface mistakes in the policy at authoring time (e.g., referring to a non-existent field in a JSON object or calling a built-in function with an invalid value.) For more information on the annotations and schema support see the Type Checking page in the documentation. In the future, annotations will be expanded to support other kinds of metadata and additional tooling will be added to leverage them.
Server
- The server now automatically sets GOMAXPROCS when running inside of a container that has cgroups applied. This helps the Go runtime avoid consuming too many CPU resources and being throttled by the kernel. (#3328)
- The server now logs an error if users enable the
tokenauthentication mode without a corresponding authorization policy. (#3380) authored by @kale-amruta - The server now supports a
GET /v1/configendpoint that returns OPA's active configuration. This API is useful if you need to debug the running configuration in an OPA configured via Discovery. (#2020) - The server now respects the
?prettyoption in the v0 API (#3332) authored by @clarshad - The Bundle plugin is more forgiving when it comes to Etag processing on HTTP 304 responses (#3361)
- The Decision Log plugin now supports a "Decision Per Second" rate limit configuration setting.
- The Status plugin can now be configured to use a custom reporter similar to the Decision Log plugin (e.g., so that Status messages can be sent to AWS Kinesis, etc.)
- The Status plugin now reports the number of decision logs that are dropped due to buffer limits.
- The service clients can authenticate with the Azure Identity OAuth2 implementation the client credentials JWT flow is used (#3372)
- Library users can now customize the logger used by the plugins by providing the
plugins.Loggeroption when creating the plugin manager.
Tooling
- The various OPA subcommands that accept schema files now accept a directory tree of schemas instead of only a single schema.
- The
opa refactor movesubcommand was added to support package renaming use cases (#3290) - The
opa checksubcommand now supports a-s/--schemaflag like theopa evalsubcommand.
Documentation
- The Management API docs have been restructured so that each API has a dedicated page. In addition, the Bundle API docs now include getting started steps for cloud-provider specific services (e.g., AWS, GCP, Azure, etc.)
Security
- OPA now supports PKCS8 encoded EC private keys for JWT verification (which includes service authentication, bundle verification, and verification built-in functions) (#3283). Authored by @andrehaland.
- The bundle signing and verification APIs have been updated to support custom signers/verififers (#3336). Authored by @gshively11.
Evaluation
- The
time.difffunction was added to support calculating differences between date/time values (#3348) authored by @andrehaland - The
units.parse_bytesfunction now supports floating-point values (#3297) authored by @andy-paine - The evaluator was fixed to use correct bindings when evaluating the full-extent of a partial rule set. This issue was causing unexpected undefined results and evaluation errors in some rare cases. (#3369 #3376)
- The evaluator was fixed to correctly generate package paths when namespacing is disabled partial evaluation. (#3302).
- The
http.sendfunction no longer errors out on invalid Expires headers. (#3284) - The inter-query cache now serializes elements on insertion thereby reducing memory usage significantly (because deserialized elements carry a ~20x cost.) (#3042)
- The rule indexer was fixed to correctly handle mapped and non-mapped values which could occur with
glob.matchusage (#3293)
WebAssembly
- The
opa evalsubcommand now correctly returns the set of all variable bindings and expression values when thewasmtarget is enabled. Previously it returned only set of variable bindings. (#3281) - The
glob.matchfunction now handles the default delimiter correctly. (#3294) - The
opa buildsubcommand no longer requires a capabilities file when thewasmtarget is enabled. If capabilities are not provided, OPA will use the capabilities for its own version. (#3270) - The
opa buildsubcommand now dumps the IR emitted by the planner when--debugis specified. - The
opa evalsubcommand no longer panics when a policy fails to type check and thewasmtarget is enabled. - The comparison functions can now return
falseinstead of either beingtrueorundefined. (#3271) - The internal wasm runtime will now correctly return
CancelErrto indicate cancellation errors (instead ofBuiltinErrwhich it returned previously.) - The internal wasm runtime now correctly handles non-halt built-in errors (#3320)
- The planner no longer generates unexpected scan statements when negation used over base documents under
data(#3279) and (#3305) - The planner now correctly discards out-of-scope variables when exiting comprehensions (#3325)
- The
regopackage no longer panics when thewasmtarget is enabled and undefined functions are encountered (#3251) - 🎈 The remaining exceptions in the e2e test framework for the internal wasm runtime have been resolved.
Build
- The
make imagetarget now uses the CI image for building the Go binary. This avoids platform-specific build issues by building the Go binary inside of Docker.