github open-policy-agent/opa v1.9.0

16 hours ago

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

  • Compile API extensions ported from EOPA
  • Improved rule indexing

Compile Rego Queries Into SQL Filters (#7887)

Compile API extensions with support for SQL filter generation, previously exclusive to EOPA, have been ported into OPA.

Example

With OPA running with this policy, we'll compile the query data.filters.include into SQL filters:

package filters

# METADATA
# scope: document
# compile:
#   unknowns: [input.fruits]
include if input.fruits.name == input.favorite

Example Request

POST /v1/compile/filters/include HTTP/1.1
Content-Type: application/json
Accept: application/vnd.opa.sql.postgresql+json

{
  "input": {
    "favorite": "pineapple"
  }
}

Example Response

HTTP/1.1 200 OK
Content-Type: application/vnd.opa.sql.postgresql+json

{
  "result": {
    "query": "WHERE fruits.name = E'pineapple'"
  }
}

See the documentation for more details.

Authored by @srenatus and @philipaconrad
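
The request and response above from a Go caller's side, as an added example that is not OPA's own code or taken from its documentation. `NewCompileRequest`, `FilteredQuery`, the base URL and the `SELECT * FROM fruits` base query are names and values assumed for illustration, and rejecting any result without a `WHERE` clause is this example's fail-closed choice.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// NewCompileRequest builds the POST from the example above. opaURL is an
// assumption (your OPA address); path and media types are from the page.
func NewCompileRequest(opaURL, favorite string) (*http.Request, error) {
	body, err := json.Marshal(map[string]any{"input": map[string]string{"favorite": favorite}})
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequest(http.MethodPost, opaURL+"/v1/compile/filters/include", bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("Accept", "application/vnd.opa.sql.postgresql+json")
	return req, nil
}

// FilteredQuery appends the compiled filter to baseSQL. This example's own
// rule (an assumption, not OPA behaviour): a response without a WHERE clause
// is an error, so a malformed or empty result never runs the query unfiltered.
func FilteredQuery(baseSQL string, respBody []byte) (string, error) {
	var cr struct {
		Result struct {
			Query string `json:"query"`
		} `json:"result"`
	}
	if err := json.Unmarshal(respBody, &cr); err != nil {
		return "", fmt.Errorf("decode compile response: %w", err)
	}
	if !strings.HasPrefix(cr.Result.Query, "WHERE ") {
		return "", fmt.Errorf("no WHERE filter in response %q; refusing to query unfiltered", respBody)
	}
	return baseSQL + " " + cr.Result.Query, nil
}

func main() {
	// Constructed sample: the response body from the example above.
	sample := []byte(`{"result":{"query":"WHERE fruits.name = E'pineapple'"}}`)
	fmt.Println(FilteredQuery("SELECT * FROM fruits", sample))
}
```

The filter arrives as SQL text with the literal already inlined, so the caller appends it as-is and keeps its own user input out of the base query string.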

Improved Rule Indexing For "Naked" Refs (#7897)

OPA's rule indexer is a means by which OPA can optimize evaluation performance.
Briefly, the indexer can in some cases determine from the query input that a rule won't successfully evaluate, before the rule is evaluated.
The indexer previously only considered terms in certain compound expressions, ignoring single terms; e.g. an expression containing a sole "naked" ref. This has now changed!

Example

Given a policy with an allow rule containing two "naked" refs: input.foo and input.bar:

package example

allow if {
    input.foo
    input.bar
}

and the input document:

{
    "foo": 1
}

before this improvement, when evaluating the query data.example.allow, we get the trace log:

query:1           Enter data.example.allow = _
query:1           | Eval data.example.allow = _
query:1           | Index data.example.allow (matched 1 rule, early exit)
policy.rego:3     | Enter data.example.allow
policy.rego:5     | | Eval input.foo
policy.rego:6     | | Eval input.bar
policy.rego:6     | | Fail input.bar
policy.rego:5     | | Redo input.foo
query:1           | Fail data.example.allow = _

Here, we can see that the allow rule is evaluated, but fails on the input.bar expression, as it's referencing an undefined value.

With the improvement to the indexer, we instead get:

query:1     Enter data.example.allow = _
query:1     | Eval data.example.allow = _
query:1     | Index data.example.allow (matched 0 rules, early exit)
query:1     | Fail data.example.allow = _

Here, we can see that the allow rule was never evaluated, since the input doesn't meet the conditions established by the indexer; i.e. both input.foo and input.bar must have defined values.

Authored by @srenatus

Runtime, Tooling

  • cmd: Print eval errors to stderr (#6749) authored by @sspaink reported by @janorn
  • plugin/decision: Encoder immediately returns when event same size as limit (#7928) authored by @sspaink
  • plugin/decision: Refactor size buffer into its own type (#7884) authored by @sspaink
  • plugins/bundle: Return callback error for manually triggered bundle downloads through the SDK (#7869) authored by @sspaink reported by @victoraugustolls
  • runtime: Fix possible panic in opa run when loading bundles in watch-mode (--watch) (#7870) authored by @sspaink reported by @johanfylling

Compiler, Topdown and Rego

  • perf: Don't invoke future parser for Rego v1 (#7909) authored by @anderseknert
  • topdown: Add counter metric for http.send network requests (#7851) authored by @anivar
  • topdown: Update numbers.range_step built-in error message (#7882) authored by @charlieegan3

Docs, Website

Miscellaneous

  • Bump golangci-lint to v2.4.0 (#7878) authored by @sspaink
  • Community Guidelines: update email list (#7900) authored by @srenatus
  • ci: port binary tests to testscript (#7865) authored by @srenatus
  • dependabot: Updating e2e go deps together with core OPA deps (#7923) authored by @johanfylling
  • github_actions: Add working directory in arguments for Link Checker (#7883) authored by @sspaink
  • rego: Add comprehensive WASM performance benchmarks (#7841) authored by @anivar
  • Dependency updates; notably:
    • build: Bump go to 1.25.1
    • build(deps): Add github.com/huandu/go-sqlbuilder 1.37.0
    • build(deps): Bump github.com/lestrrat-go/jwx/v3 from 3.0.10 to 3.0.11
    • build(deps): Bump github.com/prometheus/client_golang from 1.23.0 to 1.23.2
    • build(deps): Bump golang.org/x/net from 0.43.0 to 0.44.0
    • build(deps): Bump golang.org/x/time from 0.12.0 to 0.13.0
    • build(deps): Bump google.golang.org/grpc from 1.75.0 to 1.75.1
    • build(deps): Bump google.golang.org/protobuf from 1.36.8 to 1.36.9
    • build(deps): bump go.opentelemetry.io deps from 1.37.0/0.62.0 to 1.38.0/0.63.0
