This release contains a number of fixes, two new builtins, a few new features, and several performance improvements.
Security Fixes
This release includes the security fixes present in the recent v0.43.1 release, which mitigate CVE-2022-36085 in OPA itself, and CVE-2022-27664 and CVE-2022-32190 in our Go build tooling.
See the Release Notes for v0.43.1 for more details.
Set Element Addition Optimization
Rego Set element addition operations did not scale linearly (#4999) in the past, and like the Object type before v0.43.0, experienced noticeable reallocation/memory movement overheads once the Set grew past 120k-150k elements in size.
This release introduces different handling of Set internals during element addition operations to avoid pathological reallocation behavior, and allows linear performance scaling up into the 500k key range and beyond.
Set union Built-in Optimization
The Set union builtin allows applying the union operation to a set of sets.
However, as discovered in #4979, its implementation generated unnecessary intermediate copies, which resulted in poor performance; in many cases, worse than writing the equivalent operation in pure Rego.
This release improves the union builtin's implementation, such that only the final result set is ever modified, reducing memory allocations and GC pressure. The union builtin is now about 15-30% faster than the equivalent operation in pure Rego.
New Built-in Functions: strings.any_prefix_match and strings.any_suffix_match
This release introduces two new builtins, optimized for bulk matching of string prefixes and suffixes: strings.any_prefix_match, and strings.any_suffix_match. It works with sets and arrays of strings, allowing efficient matching of collections of prefixes or suffixes against a target string.
See the built-in functions docs for all the details
This implementation fixes #4994 and was authored by @cube2222.
Tooling, SDK, and Runtime
- Logger: Allow configuration of the timestamp format (#2413)
- loader: Add support for fs.FS (authored by @ear7h)
Bundles
This release includes several bugfixes and improvements around bundle building:
- cmd: Add optimize flag to OPA eval command to allow building optimized bundles
- cmd/build+compile: Allow opt-out of dependents gathering to allow compilation of more bundles into WASM (#5035)
- opa build -t wasm|plan: Fail on unmatched entrypoints (#3957)
- opa build: Fix bundle mode to work with ignore flag
- bundle/status: Include bundle size in status information
- bundle: Remove raw bytes check for lazy bundle loading mode
Storage Fixes
This release has performance improvements and bugfixes for the disk storage system:
- storage/disk: Improve handling of in-flight transactions during truncate operations (#4900)
- storage/inmem: Allow disabling
util.Roundtripon Write for improved performance (#4708) - storage: Improve multi-bundle data with overlapping roots is handled (#4998) reported by @sirpi
- storage: Fix issue with policyID in Truncate calls (#4958) authored by @martinjoha reported by @martinjoha
Rego
- eval+rego: Support caching output of non-deterministic builtins. (#1514)
AST and Topdown
The AST and Topdown module received a number of important bugfixes in this release:
- ast/term: Fix multiple-reader race condition for Sets/Objects
- ast/compile: Respect unsafeBuiltinMap for 'with' replacements
- ast: Add capacity to array initialization when size is known (authored by @mstrYoda)
- topdown/object: Fix unchecked error case in
object.union_nbuiltin (#5073) - topdown/reachable: Fix missing operand type checks. (#4951)
- topdown/units_parse: Avoid extra decimal places for integers
- topdown/type+wasm: Fix inconsistent
is_typereturn values. (#4943) - builtins: Fix inconsistent error messages in
units.parse* - Add query parameter in canonical request of AWS Sigv4 signature to avoid 403 errors from AWS (authored by @sinhaaks)
Test Suite
- Add error type to
units.*builtin test assertions - test/e2e/certrefresh: Add
file.Sync()to eliminate test failures due to slow disk writes - topdown/exported_tests: Remove Golang 1.16 x509 exception
- cmd/bench: Fix port collision in utility function used for E2E testing
Documentation
- SECURITY: Migrate policy to web site, update content (#4272) reported by @adoliver
- Add deprecated flag to all deprecated builtins (#5072)
- builtins: Update description of
format_intto say it rounds down - docs/policy-reference: Update Rego EBNF grammar (authored by @shaded-enmity)
- docs/builtins: Fix typo in
semver.compare(#5012) reported by @tetsuya28 - docs: Fix AWS Signature section in Configuration (authored by @pauly4it)
- docs: Update port and bundle folder for GraphQL tutorial
- docs: Document that function overloading is unsupported
- docs: Fixing related_resources annotations example (#4982) reported by @humbertoc-silva
- docs: Fixing typo in metadata (#5018) authored by @cimin0 reported by @cimin0
Website + Ecosystem
-
Update links to opa-kafka-plugin
-
Add OCI documentation (authored by @carabasdaniel)
-
Add article on using OPA for data filtering in Kafka
-
Ecosystem: Add some links to Rönd (authored by @ugho16)
-
Add community integration for Fiber (authored by @mstrYoda)
-
Add Spacelift Integration (authored by @theseanodell)
-
Fix broken link for Minio OPA integration (authored by @unautre)
-
Ecosystem Additions:
Miscellaneous
-
Dockerfile: Append root "/" to $PATH (#5003) authored by @matusf reported by @matusf
-
Add VNG Cloud to adopters (authored by @vinhph0906)
-
Dependency bumps, notably:
- build: bump golang: 1.19 -> 1.19.1
- build: use go 1.19, drop go 1.16
- build(deps): bump aquasecurity/trivy-action from 0.6.1 -> 0.7.1
- build(deps): bump github.com/agnivade/levenshtein from 1.0.1 -> 1.1.1
- build(deps): bump github.com/containerd/containerd from 1.6.6 -> 1.6.8
- build(deps): bump github.com/go-ini/ini from 1.66.6 -> 1.67.0
- build(deps): bump github.com/prometheus/client_golang
- build(deps): bump google.golang.org/grpc from 1.48.0 -> 1.49.0
- build(deps): bump tj-actions/changed-files from 28.0.0 -> 29.0.3
-
Dependency removals:
- internal: Vendor gqlparser library (#5065) reported by @vikstrous2