v0.5.0

What's Changed

This release contains several small fixes and improvements.

New Feature: Bundle Ignore

Adds support for omitting files in the bundle produced by opal-server. Use the OPAL_BUNDLE_IGNORE environment variable to specify a list of comma separated glob paths which if matched will ignore a file from being included in the policy bundle.

• add support for omitting files from bundle by @tlowerison in #372
• Fixes to bundle ignore feature by @orishavit in #394
• Merge pull request #372 from tlowerison/master + precommit by @orweis in #387

Bug fix: bitbucket webhook

Fixes #381: When sending a webhook from Bitbucket to the OPAL server with an secret configured then the the response on the request is an 401, no secret was provided. This is unexpected as the configuration looks correct.

• fix bug in parsing and make tests test secrets by @orweis in #384

Bug fix: confi default casting

• improve error logging, and fix defualt casting by @orweis in #371

Improve usability of topics in data updates

1. Have the default topic (policy_data) as a default value for DataSourceEntry.topics - To prevent users who have left this empty before from experiencing breaking changes as a result of related bug fixes in 0.4.0. Also fixes #375: Uncaught server exception when posting data update without topics
2. Warn at realtime when published entry doesn't have topics, or when client processes data update with no matching entries (this would cover what isn't covered by 1).
3. Fix documentation about topics in data updates.

Included PRs:

• Improve usability of topics in data updates by @roekatz in #389

CI Fixes

• Fix broken pre commit by @asafc in #393
• feat: Install jq to client and server by @avo-sepp in #392

Documentation Fixes

• Updated FAQ for OPAL by @filipermit in #373
• Update feature_request.md by @money8203 in #374
• Update issue templates by @orweis in #383
• Bump http-cache-semantics from 4.1.0 to 4.1.1 in /documentation by @dependabot in #377
• Bump eta, @docusaurus/core and @docusaurus/preset-classic in /documentation by @dependabot in #378
• Bump @sideway/formula from 3.0.0 to 3.0.1 in /documentation by @dependabot in #380
• improvements to docs by @orweis in #386
• add OPAL-plus by @orweis in #391

New Contributors

• @tlowerison made their first contribution in #372

Full Changelog: 0.4.0...0.5.0

v0.4.0

What's Changed

This release contains several small fixes and improvements.

Support custom OPA versions / variants

• Extract OPA executable from opa docker image by @tibotix in #316
• Add opa_image Dockerfile build argument by @tibotix in #322

Improved OPAL client healthcheck

• OPAL client healthcheck returns the value of the OPA healthcheck policy, based on sync status by @orishavit in #332

Fixed: Hanging redis lock issue

• This fix by @roekatz solves the issue of the Redis lock (around the policy git clone) staying hanging forever (preventing new workers from cloning the repo). Probably because the app crashes with segfault before releasing the lock. link: #345

Fixed: Pulling policy from private repo only succeeds for newly cloned repos

• Pass SSH environment to BranchTracker by @orishavit in #366

More webhook formats supported

• Webhooks: Support BitBucket webhooks by @roekatz in #361
• Check webhook URL properly by @orishavit in #355
• Git-webhook-azure by @orweis in #351
• Git-webhook-expand by @orweis in #342
• add support to enforce git branch by @orweis in #357

New configuration options

• Policy-updater-retry-config by @orweis in #359

Small fixes and improvements

• Add .dockerignore file by @tibotix in #317
• fixed spelling error by @garnerp in #329
• Bump loader-utils from 2.0.2 to 2.0.4 in /documentation by @dependabot in #325
• fix env-var name by @orweis in #353
• Bump ua-parser-js from 0.7.31 to 0.7.33 in /documentation by @dependabot in #363
• Stabilize release 0.4.0 by @asafc in #370
• Create pull_request_template.md by @money8203 in #369
• Change OPAL test matrix to 3.9/3.10 by @orishavit in #319
• Update cryptography dependency to >38 by @orishavit in #320
• Add rego_clone/ to Dockerignore by @orishavit in #331
• Minor bug fix Data Source Refresh by @loan75 in #311
• Support Local Health Checks for OPAL Server by @brianhyder in #309
• Topic related DataUpdate bug fixes by @roekatz in #339

Documentation Fixes

• Opal-statistics-docs by @orweis in #347
• improve docs interlinking by @orweis in #362
• Navbar fix by @filipermit in #356
• Fixes+helm by @filipermit in #352
• Small guide fixes by @filipermit in #346
• Improvement/docs by @filipermit in #333
• Improvements/getting-started by @filipermit in #327
• sp: Akso to Also by @avo-sepp in #364

New Contributors

• @loan75 made their first contribution in #311
• @tibotix made their first contribution in #316
• @brianhyder made their first contribution in #309
• @garnerp made their first contribution in #329
• @avo-sepp made their first contribution in #364
• @money8203 made their first contribution in #369

Full Changelog: 0.3.1...0.4.0

v0.3.1

What's Changed

Minor bug fixes and improvements.

This release allows you to define periodic refetching on a data source, initiated by the server.
Simply define periodic_update_interval on the entry to desire to periodically refetch.

• Data source refresh by @DServy in #305
• Small fix for removed variable by @jamielennox in #307

New Contributors

• @jamielennox made their first contribution in #307
• @DServy made their first contribution in #305

Full Changelog: 0.3.0...0.3.1

v0.3.0

What's Changed

New Feature: Inline data updates

You can now push a data update via opal that already includes the data itself (inline) instead of including a reference url and incurring another network round trip. This is best for small incremental data updates.

• Allow embedded data in DataUpdate by @orishavit in #294
• Minor bug fixes to inline data updates by @asafc in #306

Fixes: Performance and stability improvements to OPAL Scopes

OPAL Scopes is a new experimental feature that allows a single OPAL server to track multiple git repositories, and in essence enables true multi-tenancy by a single OPAL deployment. This release includes major improvements to the performance and stability of this feature.

• Improve opal scopes performance by @asafc in #298

Minor bug fixes

• Add redis dependency to OPAL by @orishavit in #296
• Update OPAL Server from worker also after initial clone by @orishavit in #297
• Fix OPAL server trying to use the broadcaster when it's not configured by @shaulk in #295

Documentation

• Publishing OPAL as online docusaurus documentation by @filipermit in #291
• Dependancy fix and removal of unecessary pages by @filipermit in #292
• Fixed transitive dependancies for docusaurus packages by @filipermit in #293
• Updated the navigation title to a more meaningful version by @filipermit in #302
• Permit.io link in the footer of docs. by @filipermit in #303

New Contributors

• @filipermit made their first contribution in #291
• @shaulk made their first contribution in #295

Full Changelog: 0.2.1...0.3.0

v0.2.1

What's Changed

• Add Scopes guide by @orishavit in #290
• Bugfix in makefile: fixed bug that caused import issues with the python packages (while the prebuilt docker images were working correctly)

Full Changelog: 0.2.0...0.2.1

v0.2.0

What's Changed

TL;DR

This version has a lot of small fixes and improvements as longs as a few new features: restricted topics, nested .manifest files, client connections load limiting. We are also releasing a big new feature (OPAL Scopes), that allows a single OPAL server deployment to serve separate scopes of policy and data (in essence: multi-tenancy).

We also did a bunch of cleanups to the repo (code formatting, packaging, updated dependencies, etc) as well as updated the base image to the official docker.

Feature: OPAL Scopes (experimental)

OPAL Scopes is a new experimental feature that allows a single OPAL server to track multiple git repositories,
and in essence enables true multi-tenancy by a single OPAL deployment.

OPAL Server can now track multiple "scopes" that each can have its own separate data sources
and policy sources (i.e: git repo) and each OPAL Client may subscribe to a single scope.

--

• OPAL Scopes: Infra (scope manager) (#247) authored by @orishavit
• Clone git repositories via celery (#248) authored by @orishavit
• OPAL Scope API (#249) authored by @orishavit
• OPAL scopes: Periodic updates (#250) authored by @orishavit
• OPAL Scopes: Client ID handling (#251) authored by @orishavit
• Check for opal_scope JWT claim when requesting scope policy (#252) authored by @orishavit
• Fix HTTP test with new target (#256) authored by @orishavit
• Set default server role to Primary (#257) authored by @orishavit
• Celery worker fixes (#258) authored by @orishavit
• Rename OPAL JWT claim to allowed_scopes (#260) authored by @orishavit
• OPAL Scopes: Policy update events (#261) authored by @orishavit
• OPAL Scopes: Data API (#262) authored by @orishavit
• Scoped docker example (#265) authored by @orishavit
• Opal scopes fixes (#288) authored by @asafc

Feature: Restricted topics

You can now add a permitted_topics claim on an OPAL token (when generating the token with the /token endpoint) that is enforced by the OPAL server, and restricts what topics a client can subscribe to.

--

• Added optional permitted_topics (#214) authored by @idan-ben-ami

Feature: Nested manifests

Manifests allow you to determine the order rego policies are loaded into OPA. We now support multiple nested manifest files (instead of one per repo):
Each line in the .manifest file should contain a path, relative to the .manifest file, which could be one of the following:

• A policy / data file (i.e: a .rego file or data.json file).
• A folder, containing another .manifest file to be loaded recursively.

--

• Support nested manifests and relative paths (#216) authored by @roekatz

Feature: Client load limiting

OPAL server can now (load) limit the amount of connections from OPAL clients and return 429.

Check out this docker compose example as well as the PR notes.

--

• Introduce client load limiting feature (#221) authored by @roekatz

Base image improvements

• Only install rookout deps for a dedicated image tag (#253) authored by @roekatz
• Rk/python3.10 image base (#254) authored by @roekatz

Project structure and tooling

• Refactor packages file tree (#220) authored by @orishavit
• pre-commit with black, isort, docformatter (#243) authored by @singingwolfboy
• Unpin dependencies in our various requires.txt files (#239) authored by @singingwolfboy
• Add dependency on asgiref (#263) authored by @singingwolfboy

Bug fixes and small improvements

• fix race condition in example opal docker configs (#219) authored by @asafc
• Remove un-needed usage of len() (#215) authored by @MatanyaStroh
• fix ref before assignment (#223) authored by @obsd
• fix webhook endpoint when git source is api bundle server (#226) authored by @asafc
• change ddtrace to trace all processes (#227) authored by @obsd
• Remove unused imports + fix run-with-security script (#244) authored by @asafc
• refix: remove unused imports (#245) authored by @asafc
• Return a full bundle when client requests a base revision that doesn't exist (#285) authored by @orishavit
• Log exception and retry if thrown in polling task (#287) authored by @orishavit
• Pubsub: Use new broadcaster disconnection bugfix (conditioned with a feature flag) (#246) authored by @roekatz
• Read OPAL_LOG_SERIALIZE as boolean (#280) authored by @michivi
• Add retry options for the policy store (#282) authored by @michivi
• Fix pipe opa logs (#267) authored by @asafc
• Redis broadcaster URI does not support password authentication (#279) authored by @treysidechain
• Update README.md (#237) authored by @orweis

New Contributors

• @idan-ben-ami made their first contribution in (#214)
• @MatanyaStroh made their first contribution in (#215)
• @orishavit made their first contribution in (#220)
• @singingwolfboy made their first contribution in (#239)
• @treysidechain made their first contribution in (#279)
• @michivi made their first contribution in (#280)

Full Changelog: 0.1.21...0.2.0

v0.1.21

• Added a docker compose example how to use kafka as broadcaster
• Added a doc with explanations: How to run OPAL with Kafka
• Added the ability to send messages from kafka directly to OPAL server (#213)

v0.1.20

Bug fixes in this release:

1. Official docker container will now run as non-root user (#210):
   This improves the security of our official container and was requested by several users.

2. Use fixed clone path for containerized opal server (#211):
   This solves a race condition we observed in some kubernetes environments. If the leader worker is killed - the next leader will pick a different clone directory and will reclone the git repo. Due to the time it takes to clone a git repo this creates a race with policy bundle requests that issue a git diff-tree command to a non-cloned repo and will cause exceptions. The new fixed version will not used a randomized clone directory if running inside docker (the official docker container sets this behavior with a new config var: OPAL_POLICY_REPO_REUSE_CLONE_PATH

NOTICE:
Some power users of OPAL are know to mount paths from the container to the external filesystem. For these users, please be aware that you might need to fix your mount paths from /app/… to /opal/… which is now the WORKDIR in the new official image (was / in the old image). Check out OPAL's Dockerfile to see if you are affected. Since this is an implementation detail of OPAL we do not consider this a breaking change. No public or otherwise documented APIs are changed by this release.

All praise to @roekatz for his great work on this release!

v0.1.19

Small fixes and improvements:

• Fixed #190: When OPAL is not provided a valid passphrase, JWT signer will now output an indicative error to log (#205)
• Fixed #200: Added error if the user is trying to run a multi-worker opal server without configuring a broadcaster (#204)
• Fixed #207: Support self signed certificates in bundle server and websockets (#208)
• Rename docker hub repo - all new versions of official docker images can now be found here: https://hub.docker.com/u/permitio
• Upgrade Loguru version to 0.6.0

v0.1.18

This is a minor release, but please pay attention to the release notes about JWT issuer and JWT audience!

Changes that require your attention

• Authorizon (the company behind OPAL) is rebranding as Permit.io (more announcements will follow).
• Therefore we moved the OPAL repo under our new organization in github. Changed all references to authorizon.com as a result.
• We also changed the default AUTH_JWT_ISSUER and AUTH_JWT_AUDIENCE.

If you upgrade to OPAL 0.1.18 you need to do one of the following: (either 1 or 2, it does not matter)

1. add these config vars to your setup (will override the new defaults with the old values)

OPAL_AUTH_JWT_AUDIENCEhttps://api.authorizon.com/v1/
OPAL_AUTH_JWT_ISSUER=https://authorizon.com/

2. Recreate all JWT tokens used by your OPAL setup (i.e: client token, etc) since OPAL server will now check the tokens with a new JWT issuer and JWT audience.

Few minor fixes:

1. #185: JWT signer - clearer error message for JWT signer with bad input
2. #186: added an example docker compose using secure mode with tokens. all you need is to clone the repo, cd to the docker/ directory and run ./run-example-with-security.sh. full instructions are here
3. #187: fixed healthcheck policy in policy-only mode (fixes #181)
4. #188: fix bug where changes to different directories in the same commit are ignored, full notes in the pull (fixes #180)
5. #189: add conditional APM to opal server (added option to configure opal with datadog)