This release contains a number of fixes and enhancements.
Disk Storage
The on-disk storage backend has been fully integrated with the OPA server, and can now be enabled via configuration:

```yaml
storage:
  disk:
    directory: /var/opa   # put data here
    auto_create: true     # create directory if it doesn't exist
    partitions:           # partitioning is important for data storage,
    - /users/*            # please see the documentation
```
It is intended to enable the use of OPA in scenarios where the data needed for policy evaluation exceeds the available memory.
The on-disk contents will persist among restarts, but should not be used as a single source of truth: there are no backup mechanisms, and certain data partitioning changes will require a start-over. These are things that may get improved in the future.
For all the details, please refer to the configuration and the detailed Disk Storage section of the documentation.
Tooling, SDK, and Runtime
- Server: Add warning when `input` attribute is missing in `POST /v1/data` API (#4386) authored by @aflmp
- SDK: Support partial evaluation (#4240), authored by @kroekle; with a fix to avoid using different state (authored by @Iceber)
- Runtime: Suppress payloads in debug logs for handlers that compress responses (`/metrics` and `/debug/pprof`) (authored by @christian1607)
- `opa test`: Add file path to failing tests to make debugging failing tests easier (#4457), authored by @liamg
- `opa fmt`: avoid whitespace mixed with tabs on `with` statements (#4376) reported by @tiwood
- Coverage reporting: Remove duplicates from coverage report (#4393) reported by @gianna7wu
- Plugins: Fix broken retry logic in decision logs plugin (#4486) reported by @iamatwork
- Plugins: Update regular polling fallback mechanism for downloader
- Plugins: Support for adding custom parameters and headers for OAuth2 Client Credentials Token request (authored by @srlk)
- Plugins: Log message on unexpected bundle content type (#4278)
- Plugins: Mask Authorization header value in debug logs (#4495)
- Docker images: Use GID 1000 in `-rootless` images (#4380); also warn when using UID/GID 0.
- Runtime: change processed file event log level to info
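The two debug-log items above (suppressing payloads for compressing handlers, and masking the Authorization header value) both address the same risk: a server's verbose logging becoming a side channel for credentials. The following Go snippet is an added illustration of that masking pattern, written for this page; it is not OPA's own implementation, and the `sensitiveHeaders` list, `MaskHeaders` and `FormatRequestForLog` names are assumptions made for the example. It copies the header map before redacting, so the log view can never alter what the server actually forwards.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// sensitiveHeaders lists request headers whose values must never reach debug
// logs. This list is constructed for the example, not taken from OPA.
var sensitiveHeaders = map[string]bool{
	"Authorization":       true,
	"Proxy-Authorization": true,
	"Cookie":              true,
}

const redacted = "REDACTED"

// MaskHeaders returns a copy of h in which every sensitive header value is
// replaced by the REDACTED marker. The input map is left untouched, so masking
// a request for logging cannot change what is forwarded or evaluated.
func MaskHeaders(h http.Header) http.Header {
	out := make(http.Header, len(h))
	for name, values := range h {
		if sensitiveHeaders[http.CanonicalHeaderKey(name)] {
			out[name] = []string{redacted}
			continue
		}
		out[name] = append([]string(nil), values...)
	}
	return out
}

// FormatRequestForLog renders method, path and the masked headers as one
// debug-log line. Header names are sorted so the output is deterministic.
func FormatRequestForLog(r *http.Request) string {
	masked := MaskHeaders(r.Header)
	names := make([]string, 0, len(masked))
	for name := range masked {
		names = append(names, name)
	}
	sort.Strings(names)

	var b strings.Builder
	fmt.Fprintf(&b, "%s %s", r.Method, r.URL.Path)
	for _, name := range names {
		fmt.Fprintf(&b, " %s=%s", http.CanonicalHeaderKey(name), strings.Join(masked[name], ","))
	}
	return b.String()
}

func main() {
	// Constructed sample request resembling a data API call with a bearer token.
	req, err := http.NewRequest(http.MethodPost, "http://localhost:8181/v1/data", strings.NewReader(`{"input":{}}`))
	if err != nil {
		panic(err)
	}
	req.Header.Set("Authorization", "Bearer constructed-example-token")
	req.Header.Set("Content-Type", "application/json")
	fmt.Println(FormatRequestForLog(req))
}
```

The check worth keeping in a test suite is the negative one: assert that the literal token string never appears in the formatted line, rather than only asserting that the REDACTED marker does.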
Rego and Topdown
- Type checker: Skip pattern JSON Schema attribute compilation (#4426): These are not supported, but could have caused the parsing of a JSON Schema document to fail.
- Topdown: Copy without modifying expr, fixing a bug that could occur when running multiple partial evaluation requests concurrently.
- Compiler strict mode: Raise error on unused imports (#4354) authored by @damienjburks
- AST: Fix print call rewriting in else rules (#4489)
- Compiler: Improve error message on missing `with` target (#4431) reported by @gabrielfern
- Parser: hint about 'every' future keyword import
Documentation and Website
- AWS CloudFormation Hook: New tutorial
- Community: Stretch background so it covers on larger screens (#4402) authored by @msorens
- Build: Make local dev and PR preview not build everything (#4379)
- Philosophy: Grammar fixes (authored by @ajonesiii)
- README: Add note about Hugo version mismatch errors (authored by @ogazitt)
- Integrations: Add GraphQL-Graphene (authored by @dolevf), Emissary-Ingress (authored by @tayyabjamadar), rekor-sidekick,
- Integrations CI: ensure referenced software is listed, and logo file names match; allow SVG logos
- Envoy: Update policy primer with new control headers
- Envoy: Update bob_token and alice_token in tutorial (authored by @rokkiter)
- Envoy: Include new configurable gRPC msg sizes (authored by @emaincourt)
- Annotations: add missing title to index (authored by @itaysk)
Miscellaneous
- Various dependency bumps, notably:
- OpenTelemetry-go: 1.4.1 -> 1.6.1
- Wasmtime-go: 0.34.0 -> 0.35.0
- Binaries and Docker images are now built using Go 1.18; CI runs build/test for Ubuntu and macOS with Go 1.16 and 1.17.
- CI: remove go-fuzz, use native go 1.18 fuzzer