
v0.2.0

@asafc asafc released this 22 Aug 12:21
· 934 commits to master since this release

What's Changed

TL;DR

This version has a lot of small fixes and improvements as well as a few new features: restricted topics, nested .manifest files, and client connection load limiting. We are also releasing a big new feature (OPAL Scopes) that allows a single OPAL server deployment to serve separate scopes of policy and data (in essence: multi-tenancy).

We also did a bunch of cleanups to the repo (code formatting, packaging, updated dependencies, etc.) and moved the base image to the official Docker Python image.

Feature: OPAL Scopes (experimental)

OPAL Scopes is a new experimental feature that allows a single OPAL server to track multiple git repositories, and in essence enables true multi-tenancy with a single OPAL deployment.

OPAL Server can now track multiple "scopes", each with its own separate data sources and policy sources (i.e., a git repo), and each OPAL Client subscribes to a single scope.

--

Feature: Restricted topics

You can now add a permitted_topics claim to an OPAL token (when generating the token with the /token endpoint). The OPAL server enforces the claim and restricts which topics a client presenting that token may subscribe to.
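How such a claim can be enforced server-side, as an added example that is not OPAL's own code: the subscription handler first verifies the token signature and only then compares the requested topics against the permitted_topics allow-list. The HS256 token format, the demo key, the treatment of a token without the claim as unrestricted, and the function names are assumptions made for this illustration.

```python
"""Illustrative enforcement of a permitted_topics token claim.

Added example, not OPAL's code: models the check a server performs when a
client asks to subscribe to pub/sub topics. The HS256 JWT format and the
claim semantics below are assumptions for the demo.
"""
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real deployment uses the server's signing key.
DEMO_SECRET = b"demo-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Mint a minimal HS256 JWT (what a /token-style endpoint would do)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes = DEMO_SECRET) -> dict:
    """Verify the HS256 signature and return the claims; raise on tampering."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    # Pin the algorithm on the server side; never trust 'alg' from the token.
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body))


def authorize_subscription(token: str, requested_topics: list[str]) -> tuple[bool, list[str]]:
    """Return (allowed, denied_topics) for a subscription request.

    Assumption: a token without permitted_topics is unrestricted (legacy
    tokens); an explicit list is matched literally, with no wildcards, so a
    tenant cannot widen its reach via a shared topic-name prefix.
    """
    claims = verify_token(token)
    permitted = claims.get("permitted_topics")
    if permitted is None:
        return True, []
    if not isinstance(permitted, list) or not all(isinstance(t, str) for t in permitted):
        return False, list(requested_topics)  # malformed claim: fail closed
    allowed = set(permitted)
    denied = [t for t in requested_topics if t not in allowed]
    return len(denied) == 0, denied


if __name__ == "__main__":
    tok = issue_token({"sub": "tenant-a", "permitted_topics": ["tenant_a_data", "policy_data"]})
    print(authorize_subscription(tok, ["policy_data", "tenant_b_data"]))
```

The check fails closed on a malformed claim and on a token whose signature does not verify, and it never widens the allow-list by prefix or wildcard matching; whether a token with no permitted_topics claim should be unrestricted is a deployment decision, so treat that branch as the knob to revisit.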

--

Feature: Nested manifests

Manifests let you determine the order in which Rego policies are loaded into OPA. We now support multiple, nested .manifest files (instead of a single one per repo).
Each line in a .manifest file should contain a path, relative to that .manifest file, which can be one of the following:

  • A policy or data file (e.g., a .rego file or a data.json file).
  • A folder containing another .manifest file, which is loaded recursively.
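How a loader can resolve such a tree, as an added example that is not OPAL's own implementation: it walks the manifests depth-first, resolves each entry relative to the manifest that names it, and applies two checks a policy loader should have, since the manifests come from the tracked git repo: entries that resolve outside the repo root are rejected, and manifest cycles are rejected. The repo is modelled as an in-memory dict of constructed sample files so the example runs offline; the function names are assumptions.

```python
"""Illustrative resolver for nested .manifest files.

Added example, not OPAL's loader. The repo is a dict of path -> contents
(constructed sample data) so the walk runs offline. Returns the ordered
list of policy/data files to load into OPA.
"""
import posixpath

# Constructed demo repo: a root manifest, a nested folder with its own
# manifest, and a relative "../" reference back to a sibling file.
DEMO_REPO = {
    ".manifest": "common/utils.rego\nrbac\nabac/policy.rego\n",
    "common/utils.rego": "package utils\n",
    "rbac/.manifest": "roles/data.json\nrbac.rego\n../common/helpers.rego\n",
    "rbac/rbac.rego": "package rbac\n",
    "rbac/roles/data.json": "{}",
    "common/helpers.rego": "package helpers\n",
    "abac/policy.rego": "package abac\n",
}


def _is_dir(repo: dict, path: str) -> bool:
    """True if `path` is the repo root or has any file beneath it."""
    if path == ".":
        return True
    prefix = path.rstrip("/") + "/"
    return any(key.startswith(prefix) for key in repo)


def resolve_manifest(repo: dict, manifest: str = ".manifest",
                     _seen: frozenset = frozenset()) -> list[str]:
    """Return the load order for files reachable from `manifest`, depth-first."""
    manifest = posixpath.normpath(manifest)
    if manifest in _seen:
        raise ValueError(f"manifest cycle at {manifest}")
    if manifest not in repo:
        raise FileNotFoundError(manifest)
    base = posixpath.dirname(manifest)
    order: list[str] = []
    for raw in repo[manifest].splitlines():
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        # Entries are relative to the manifest that names them.
        path = posixpath.normpath(posixpath.join(base, entry))
        # Fail closed on traversal: the entry must stay inside the repo root.
        if posixpath.isabs(path) or path == ".." or path.startswith("../"):
            raise ValueError(f"manifest entry escapes repo root: {entry}")
        if _is_dir(repo, path):
            # A folder entry must carry its own .manifest; recurse with the
            # chain of manifests seen so far to detect cycles.
            nested = posixpath.join(path, ".manifest")
            order.extend(resolve_manifest(repo, nested, _seen | {manifest}))
        elif path in repo:
            order.append(path)
        else:
            raise FileNotFoundError(path)
    return order


if __name__ == "__main__":
    for file in resolve_manifest(DEMO_REPO):
        print(file)
```

Note that "../common/helpers.rego" inside rbac/.manifest is legitimate (it resolves to a file still under the root), whereas an entry that normalises to a path beginning with "../" or to an absolute path is refused before anything is read.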

--

  • Support nested manifests and relative paths (#216) authored by @roekatz

Feature: Client load limiting

OPAL server can now limit the number of concurrent connections from OPAL clients, returning HTTP 429 (Too Many Requests) once the limit is reached.

Check out the Docker Compose example as well as the PR notes for the configuration details.
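One way to structure such an admission check, as an added example that is not OPAL's server code: a non-blocking counter admits a connection while under the ceiling and otherwise answers 429 with a Retry-After hint, and the slot is released even when the handler raises, so a crashing client cannot leak capacity. The class, the default retry interval and the (status, headers) response shape are assumptions made for this illustration.

```python
"""Illustrative connection admission limiter that answers 429.

Added example, not OPAL's code. Models the decision a server makes when a
client opens a long-lived pub/sub connection: admit under the ceiling,
otherwise reject immediately rather than queueing the client.
"""
import threading
from contextlib import contextmanager


class ConnectionLimiter:
    def __init__(self, max_connections: int, retry_after_seconds: int = 5):
        if max_connections < 1:
            raise ValueError("max_connections must be >= 1")
        self.max_connections = max_connections
        self.retry_after = retry_after_seconds  # assumed default hint
        self._active = 0
        self._lock = threading.Lock()
        self.rejected = 0  # counter worth exporting as a metric

    def try_acquire(self) -> bool:
        """Non-blocking admission: never queue clients behind the limit."""
        with self._lock:
            if self._active >= self.max_connections:
                self.rejected += 1
                return False
            self._active += 1
            return True

    def release(self) -> None:
        with self._lock:
            self._active -= 1

    @property
    def active(self) -> int:
        with self._lock:
            return self._active

    @contextmanager
    def connection(self):
        """Yield (status, headers); release the slot on exit, even on error."""
        if not self.try_acquire():
            yield 429, {"Retry-After": str(self.retry_after)}
            return
        try:
            yield 200, {}
        finally:
            self.release()


def handle_client(limiter: ConnectionLimiter, do_work) -> int:
    """Run do_work() under a connection slot; return the HTTP status sent."""
    with limiter.connection() as (status, _headers):
        if status == 200:
            do_work()
        return status


if __name__ == "__main__":
    lim = ConnectionLimiter(max_connections=1)
    with lim.connection() as first:
        with lim.connection() as second:
            print(first, second)  # second client is turned away with 429
```

A blocking semaphore would be the wrong primitive here: clients would pile up waiting for a slot and the server would hold their sockets open, which is the resource exhaustion the limit exists to prevent.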

--

  • Introduce client load limiting feature (#221) authored by @roekatz

Base image improvements

  • Only install rookout deps for a dedicated image tag (#253) authored by @roekatz
  • Rk/python3.10 image base (#254) authored by @roekatz

Project structure and tooling

Bug fixes and small improvements

  • fix race condition in example opal docker configs (#219) authored by @asafc
  • Remove un-needed usage of len() (#215) authored by @MatanyaStroh
  • fix ref before assignment (#223) authored by @obsd
  • fix webhook endpoint when git source is api bundle server (#226) authored by @asafc
  • change ddtrace to trace all processes (#227) authored by @obsd
  • Remove unused imports + fix run-with-security script (#244) authored by @asafc
  • refix: remove unused imports (#245) authored by @asafc
  • Return a full bundle when client requests a base revision that doesn't exist (#285) authored by @orishavit
  • Log exception and retry if thrown in polling task (#287) authored by @orishavit
  • Pubsub: Use new broadcaster disconnection bugfix (conditioned with a feature flag) (#246) authored by @roekatz
  • Read OPAL_LOG_SERIALIZE as boolean (#280) authored by @michivi
  • Add retry options for the policy store (#282) authored by @michivi
  • Fix pipe opa logs (#267) authored by @asafc
  • Redis broadcaster URI does not support password authentication (#279) authored by @treysidechain
  • Update README.md (#237) authored by @orweis

New Contributors

Full Changelog: 0.1.21...0.2.0