Open Policy Agent (OPA) is an open source, general-purpose policy engine.
NOTES:
All published OPA images now run with a non-root uid/gid. The
uid:gid
is set to1000:1000
for all images. As a result there is no longer a need for the-rootless
image variant and hence it will be not be published as part of future releases. This change is in line with container security best practices. OPA can still be run with root privileges by explicitly setting the user, either with the--user
argument fordocker run
, or by specifying thesecurityContext
in the Kubernetes Pod specification.The minimum version of Go required to build the OPA module is 1.19
This release contains a mix of new features, bugfixes and a new builtin function.
default
keyword on functionsPreviously if a function was defined with a default
value, OPA would ignore it. Now the default
function is honored
if all functions with the same name are undefined. For example,
package example
default clamp_positive(_) := 0
clamp_positive(x) = x {
x > 0
}
$ opa eval -d example.rego 'data.example.clamp_positive(1)' -f pretty
1
$ opa eval -d example.rego 'data.example.clamp_positive(-1)' -f pretty
0
The value of a default
function follows the same conditions as that of a default
rule. In addition, a default
function satisfies the following properties:
NOTE:
default
functions used to be previously ignored. If existing policies containdefault
functions, ensure that they conform to the properties mentioned above. Otherwise, those policies will fail to evaluate.
Authored by @ashutosh-narkar.
crypto.parse_private_keys
returns zero or more private keys from the given encoded string containing DER certificate data.
If the input contains a list of one or more concatenated PEM blocks, then the built-in will output the parsed private keys
represented as objects.
See the documentation on the new built-in for all the details.
Authored by @volck.
discard
output format to opa eval
which discards the result while still showing the output of eval flags like --profile
(#6103) authored by @26tanishabanikWithRoots
compiler option that allows callers to set the roots to include in the output bundle manifest (#6088) authored by @kubajEcosystem:
Website:
CRLF
line terminations in the patch output (#6069) authored by @johanfyllingThis release focuses on bug fixes, but also includes some improvements to the SDK and commandline.
Note: This will be the last OPA release to support building with Golang 1.18. (Golang 1.21 is expected to be released in August. Keeping the support for 1.18 is blocking OPA from upgrading OpenTelemetry.)
lazyObj
when compared against other object type (6060) (authored by @johanfylling)fmt
panic in comprehension with comments (#5798) authored by @Trolloldem reported by @Djoustobject.union_n
where nested objects were mutated (#5975) authored by @qshu-splunkobject.subset
method failing to correctly compare array relationships (5968) authored by @DCRUNNNhttp.send
(#5997) authored by @ashutosh-narkartime.format
and time.parse_ns
(#5945) authored by @tjons--schema
flag to opa test
(#5923) authored by @renatoscpersistence_directory
config (#6042) authored by @blacksailstzdata
is not found on filesystem (6038) authored by @charlieegan3Store
implementation in SDK (5962) authored by @srenatus/v1/config
API result (6056) authored by @srenatusThis is a bug fix release addressing the following issues:
WWW-Authenticate
header of a 401 Unauthorized
response. Errors were returned when downloading a public image as it was assumed that authorization is not necessary for public repositories. This fix addresses this issue by challenging any 401 Unauthorized
responses by passing it to the docker.Authorizer (#5902) authored by @DerGutopa fmt
: Fix panic encountered while processing policies with comprehensions written on multiple lines with comments in these lines (#5798) authored by @TrolloldemThis release contains some enhancements, bugfixes, and a new builtin function.
opa eval
: Update OPA eval's --profile-sort
flag description to highlight the valid options to sort the profile results (#5924) authored by @ecbenezraopa fmt
: Fix cases in which invalid code was generated due to parentheses being improperly handled (#5537) authored by @Trolloldemloader
package that provide ability to register handlers for certain file extensions. This feature is currently EXPERIMENTAL (#5940) authored by @srenatuscrypto.x509.parse_keypair
: Returns a key pair from a pair of PEM or base64 encoded strings of data. See the documentation on the new built-in for all the details. (#5853) authored by @volck.io.jwt.decode_verify
: Fix issue where token verification succeeded in case where iss
constraint was required but JWT did not contain it (#5850) authored by @AleksanderBrzozowskihttp.send
: Add a new option to the http.send
input object which allows policy authors to specify a retry count for executing a HTTP request. Retries are performed with an exponential backoff delay (#5891) authored by @ashutosh-narkar_
matching only scalars in rule indexing for arrays (#5916) authored by @jaspervdjThis release contains some enhancements, bugfixes, and a new builtin function.
Previously OPA did not allow any updates to the labels provided in the boot configuration via the discovered (ie. service) config. This was done to avoid breaking the discovery configuration. But there are use cases where labels can serve as a convenient way to pass information that could be used in policies, status updates or decision logs. This change allows additional labels to be configured in the service config which are then made available during runtime.
See the Discovery documentation for more details.
Authored by @mjungsbluth.
crypto.hmac.equal
provides a convenient way to compare hashes generated by the MD5, SHA-1, SHA-256 and SHA-512 hashing algorithms.
Below is a real world example of how this built-in function can be utilized. Imagine our server is registered as a
GitHub webhook which subscribes to certain events on GitHub.com. Now we want to limit requests to those coming from GitHub.
One of the ways to do that is to first set up a secret token and validate the information. Once we create the token on GitHub,
we'll set up an environment variable that stores this token and makes it available to OPA via the opa.runtime
built-in.
In the case of GitHub webhooks the validation is done by comparing the hash signature received in the X-Hub-Signature-256
header and calculating a hash using the secret token and payload body. The check_signature
rule implements this logic.
package example
import input.attributes.request.http as http_request
allow {
http_request.method == "POST"
input.parsed_path = ["workflows", "github", "webhooks"]
check_signature
}
check_signature {
secret_key := opa.runtime().env.GITHUB_SECRET_KEY
hash_body := crypto.hmac.sha256(http_request.raw_body, secret_key)
expected_signature := concat("", ["sha256=", hash_body])
header_signature = http_request.headers["X-Hub-Signature-256"]
crypto.hmac.equal(header_signature, expected_signature)
}
See the documentation on the new built-in for all the details.
Authored by @sandokandias.
Previously the OCI Downloader had support for only three types of authentication methods, namely Client TLS Certificates
,
Basic Authentication
and Bearer Token
. This change adds support for other authentication methods such as AWS Signature,
GCP Metadata Token. See the documentation
for more details.
Authored by @DerGut.
The number of EVAL/REDO counts in the profile result are sometimes difficult to understand. This is mainly due to the fact that the compiler rewrites expressions and assigns the same location to each generated expression and the profiler keys the counters by the location. To provide more clarity, the profile output now includes the number of generated expressions for each given expression thereby helping to better understand the result and also how the evaluation works.
Here is an example of the updated profiler output with the new NUM GEN EXPR
column:
+----------+----------+----------+--------------+-------------+
| TIME | NUM EVAL | NUM REDO | NUM GEN EXPR | LOCATION |
+----------+----------+----------+--------------+-------------+
| 20.291µs | 3 | 3 | 3 | test.rego:7 |
| 1µs | 1 | 1 | 1 | test.rego:6 |
| 2.333µs | 1 | 1 | 1 | test.rego:5 |
| 6.333µs | 1 | 1 | 1 | test.rego:4 |
| 84.75µs | 1 | 1 | 1 | data |
+----------+----------+----------+--------------+-------------+
See the Profiling documentation for more details.
Authored by @ashutosh-narkar.
Ecosystem:
Website:
MISCELLANEOUS
section to improve content navigation (#4614) authored by @lakhanjindamThis release contains improvements to monitoring and an assortment of fixes and improvements.
Currently when OPA's HTTP server rejects requests per the authz policy, this is not accounted for via the management APIs. This change adds that count in the metric registry that is part of the Status API for more visibility.
(#3378) authored by @ashutosh-narkar.
Previously in 5732, we updated the decision log plugin to surface errors via the Status API. However, in that change certain events like encoder errors and log drops due to buffer size limits had no metrics associated with them. This change adds more metrics for these events so that they can be surfaced via the Status API.
(#5637) authored by @ashutosh-narkar.
This change updates the client debug log to include the full HTTP response in case of non-200 status codes. Recording the response in the logs can help to provide more information to debug error scenarios.
(#2961) authored by @ashutosh-narkar reported by @gshively11.
object.union_n
built-in function (authored by @Azanul)This is a bug fix release that addresses a regression in 0.50.1.
This regression impacts policies with rules that, as its else-value, assign a comprehension containing variables.
Such rules would cause the compilation of the policy to fail with a rego_unsafe_var_error
error.
E.g. the following policy would fail to compile with a policy.rego:5: rego_unsafe_var_error: var x is unsafe
error:
package example
p {
false
} else := [x | x := 1]
This is a bug fix release addressing the following issues:
This release contains a mix of new features, bugfixes, security fixes, optimizations and build updates related to OPA's published images.
These new built-in functions add functionality to verify and validate JSON Schema (#5486) (co-authored by @jkulvich and @johanfylling).
json.verify_schema
: Checks that the input is a valid JSON schema objectjson.match_schema
: Checks that the document matches the JSON schemaSee the documentation for all details.
package
carries across modulespackage
scoped schema annotations are now applied across modules instead of only local to the module where
it's declared (#5251) (authored by @johanfylling). This change may cause compile-time errors and behavioural changes to
type checking when the schemas
annotation is used, and to rules calling the rego.metadata.chain()
built-in function:
rego_type_error: package annotation redeclared
error if two or more of these are annotated with the package
scope.package
scope, the schemas
annotation will be applied to type checking also for rules declared in
another file than the annotation declaration, as long as the package is the same.rego.metadata.chain()
built-in function will now contain an entry for the
package even if the annotations are declared in another file, if the scope is package
.run
commandTo load a remote bundle using opa run
, the set
directive can be provided multiple times as shown below:
$ opa run -s --set "services.default.url=https://example.com" \
--set "bundles.example.service=default" \
--set "bundles.example.resource=/bundles/bundle.tar.gz" \
--set "bundles.example.persist=true"
The following command can be used as a shorthand to easily start OPA with a remote bundle (#5674) (authored by @anderseknert):
$ opa run -s https://example.com/bundles/bundle.tar.gz
json.patch
Built-in FunctionPerformance improvements in json.patch
were achieved with the introduction of a new EditTree
data structure,
which is built for applying in-place modifications to an ast.Term
, and can render the final result of all edits efficiently
by applying all patches in a JSON-Patch sequence rapidly, and then collapsing all edits at the end with minimal wasted ast.Term
copying (authored by @philipaconrad).
For more details and benchmarks refer #5494 and #5390.
Errors encountered during decision log uploads will now be surfaced via the Status API in addition to being logged. This functionality should give users greater visibility into any issues OPA may face while processing, uploading logs etc (#5637) (authored by @ashutosh-narkar).
See the documentation for more details.
All published OPA images now run with a non-root uid/gid. The uid:gid
is set to 1000:1000
for all images. As a result
there is no longer a need for the -rootless
image variant and hence it will be not be published as part of future releases.
This change is in line with container security best practices. OPA can still be run with root privileges by explicitly setting the user,
either with the --user
argument for docker run
, or by specifying the securityContext
in the Kubernetes Pod specification.
nil
data (#5703) authored by @anderseknert/metrics/alloc_bytes
to show OPA's memory utilization (#5715) authored by @anderseknertclient_certificates
(#5538) authored by @charlieegan3strict
mode check to include unused arguments (#5602) authored by @boranx. This change may cause
compile-time errors for policies that have unused arguments in the scope when the strict
mode is enabled. These
variables could be replaced with _
(wildcard) or get cleaned up if they are not intended to be used in the body of the functions.schemas
annotations even if --schema
flag isn't used (#5506) authored by @johanfyllingallow_net
capability when fetching remote schemas (#5670) authored by @johanfyllingEcosystem:
Website:
This release migrates the ORAS Go library from v1.2.2 to v2. The earlier version of the library had a dependency on the docker package. That version of the docker package had some reported vulnerabilities such as CVE-2022-41716, CVE-2022-41720. The ORAS Go library v2 removes the dependency on the docker package.