This release contains a number of fixes and enhancements.
Early Exit Optimization
This release adds an early exit optimization to the evaluator. With this optimization, the evaluator stops evaluating rules when an answer has been found and subsequent evaluation would not yield any new answers. The optimization is automatically applied to complete rules and functions that meet specific requirements. For more information see the Early Exit in Rule Evaluation section in the docs. #2092
Built-in Functions
- The
net.lookup_ip_addrfunction was added to allow policies to resolve hostnames to IPv4/IPv6 addresses (#3993) - The
http.sendfunction has been improved to close TCP connections quickly after receiving the HTTP response and avoid creating HTTP clients unnecessarily when a cached response exists (#4015). This change reduces the number of open file descriptors required in high-throughput environments and prevents OPA from encountering ulimit errors.
Rego
print()calls in the head of rules no longer cause runtime errors (#3967)- Type errors for calls to undefined functions no longer contain rewritten variable names (#4031)
- The
rego.SkipPartialNamespaceoption now correctly sets the flag on the partial evaluation queries (previously it would always set the value totrue) (#3996) authored by @thomascoquet - The internal set implementation has been updated to insert elements in sorted order rather than lazily sorting during comparisons.
- Fixed
importalias parsing bug identified by fuzzer (#3988)
WebAssembly
- The Golang SDK will now issue a
grow()call if theinputdocument exceeds the available memory space. - The
malloc()implementation will now callopa_abortif thegrow()call fails.
Server
- The decision logger adapts upload chunk sizes based on previous outputs. This allows the decision loggger to encode significantly more decisions into each upload chunk, thereby reducing heap usage for buffered decisions. For more information on the adapative chunking behaviour, see the Decision Logs page in the docs.
- The decision logger can be configured to send records to a custom plugin as well as an HTTP endpoint at the same time (#4013)
print()calls from thesystem.authzpolicy are now included in the logs (#4048)- OPA can use an Azure Managed Identities Token to authenticate with control plane services (#3916) authored by @Scowluga.
- The logging configuration will be correctly applied to service clients so that DEBUG logs are surfaced (#4071)
Tooling
- The
opa fmtcommand will not generate a line-break when there are generated variables in a function call (#4018) reported by @torsrex - The
opa inspectcommand no longer prints a blank namespace when a data.json file is included at the root (#4022) - The
opa buildcommand will output debug messages if an optimized entrypoint is discarded.
Website and Documentation
- The website has been updated to build with Hugo 0.88.1 (#3787)
- The version picker in the documentation is now scrollable (#3955) authored by @orweis
- The description of the
urlquerybuilt-in functions have been clarified (#1592) reported by @klarose - The decision logger documentation has been improved to cover controls for large-scale environments (#3976)
- The "strict built-in errors" mode is now covered in the docs along with built-in function error behaviour (#3686)
- The OAuth2 and OIDC examples around key rotation and caching have been improved
CI
- Issues and PRs that have not seen activity in 30 days will be automatically marked as "inactive"
- The
Makefilecan now produce Docker images for other architectures. We do not yet publish binaries or images for non-amd64 architectures however if you want to build OPA yourself, theMakefiledoes not prohibit it.
Backwards Compatibility
- The diagnostics buffer in the OPA server has been completely removed as part of the deprecation and removal of the diagnostic feature (#1052)