v0.7.7

What's Changed

• add httpx client for HttpFetchProvider and make it default by @omer9564 in #590

New Contributors

• @omer9564 made their first contribution in #590

Full Changelog: 0.7.6...0.7.7

v0.7.6

What's Changed

Bug Fixes

• Make fetcher's retry behavior configurable when importing OpalClient as python package by @roekatz in #564
• Add missing x-amz-content-sha256 header when generating headers for… by @kbalthaser in #519
• Move polling periodic data entries to client (support scopes) by @roekatz in #573

CI, Dependencies & Security

• Added python 3.11 and 3.12 to tests CI by @danyi1212 in #570
• Docker image: Mitigate risk for some vulnerabilities as reported by Snyk @roekatz in #562
• Upgrade vulnerable OPAL Docusarus version by @maya-barak in #567
• [Snyk] Security upgrade cryptography from 41.0.7 to 42.0.4 by @RazcoDev in #552
• [Snyk] Fix for 3 vulnerabilities by @roekatz in #566
• [Snyk] Upgrade sass from 1.69.5 to 1.71.1 by @RazcoDev in #563

Docs

• Added mention to the fact that github webhook should be in json format by @TheZalRevolt in #528
• Policies can now also come from an API server (configure_external_data_sources.mdx) by @emily-zall in #577
• Update location of fetcher register by @emmanuel-ferdman in #574
• Update security-parameters.mdx by @maxrabin in #568

New Contributors

• @kbalthaser made their first contribution in #519
• @maya-barak made their first contribution in #567
• @danyi1212 made their first contribution in #570
• @emily-zall made their first contribution in #577
• @emmanuel-ferdman made their first contribution in #574
• @maxrabin made their first contribution in #568
• @TheZalRevolt made their first contribution in #528

Full Changelog: 0.7.5...0.7.6

v0.7.5

What's Changed

Fixes

• Data Fetching: Introduce custom retry configuration for fetching data sources by @thilak009 in #502
• Merge updates from permit's internal OPAL version by @roekatz in #546
  • Concurrent (thus faster) handling of updates (both policy & data) in client and server
  • Offline Mode: Support having the backup file on a shared volume used by multiple opal-client replicas (Fix file writing race).
  • Restart OPA when panic is detected
  • Upgrade fastapi_websocket_pubsub (v0.3.7) & permit-broadcaster (v0.2.5) for improved stability & performance.
  • Scopes: bug fixes & improved performance (redis access, better repo locks, better git object caching, repo sharding for handling lots of scopes).
  • Fix parsing update callbacks configuration
• ApiPolicySource: Log errors when retrying failed bundle updates by @roekatz in #500

Build & Dependencies

• Upgrade to Debian bookworm
• Install netcat and jq in the common stage by @fortum-vaanavil in #499
• remove unused rookout by @asafc in #525
• Use redis-py to replace asyncio-redis by @calmzhu in #498
• Update cryptography dependency by @orishavit in #520
• [Snyk] Security upgrade setuptools from 39.0.1 to 65.5.1 by @obsd in #547
• [Snyk] Security upgrade fastapi from 0.103.2 to 0.109.1 by @RazcoDev in #543
• [Snyk] Security upgrade aiohttp from 3.8.6 to 3.9.2 by @asafc in #541
• [Snyk] Upgrade sass from 1.54.9 to 1.69.5 by @obsd in #522

Docs

• Update README.md by @orweis in #501
• Make it clear Bundle Server does not serve OPA bundles by @roekatz in #544
• Tweak healthcheck docs by @orweis in #527
• Fix command format and typo in Triggering data updates tutorial #549 by @jonis100 in #550

New Contributors

• @fortum-vaanavil made their first contribution in #499
• @calmzhu made their first contribution in #498
• @gemanor made their first contribution in #537
• @jonis100 made their first contribution in #550

Full Changelog: 0.7.4...0.7.5

v0.7.4

What's Changed

New Features

• Add support for PATCH as save_method in data updates. by @thilak009 in #483

Bugfixes

• Fix hanging inline OPA on very long log lines. by @roekatz in #489
• Upgrade gitpython to mitigate CVE-2023-40267. by @philipclaesson in #490
• Explicitly close web socket on server before endpoint exits. @roekatz in #496

Docs

• kafka sasl docs by @orweis in #485
• tweaks to improve the docs by @orweis in #486
• Add tinytodo to docs by @obsd in #487
• Update inline opa config docs with an example and link by @jasonmcintosh in #493
• add basic tutorial about self signed certificates by @asafc in #495

New Contributors

• @jasonmcintosh made their first contribution in #493
• @philipclaesson made their first contribution in #490

Full Changelog: 0.7.3...0.7.4

v0.7.3

What's Changed

• Webhook: Fix not listening on webhook notifications when broadcaster isn't configured. by @roekatz in #480 - Thanks Jack Geek from our Slack community for reporting!
• Fix multi arch support in docker build and push workflow. by @roekatz in #479

Full Changelog: 0.7.2...0.7.3

v0.7.2

What's Changed

New Features

• Support OPA tls authentication. by @oskar-christensson in #457
• Support disabling policy updates in OPAL client (data-only mode). by @thilak009 in #470
• Support S3 buckets as bundle servers (aka api policy source) by @orweis in #472 & @cbat98 in #473
• Upgraded broadcaster version to 0.2.3 (Includes new support for Kafka SSL by @david-hamilton-bah in permitio/broadcaster#5)
• Policy store data updates: Support only pushing nested keys instead of overriding entire root path (eg /v1/data on OPA) by @orishavit in #448

Fixes

• Fix memory leaks (Leaking tasks on publishing updates & executing webhook trigger) by @roekatz in #475 & #476

Docs & Examples

• New Cedar docs. by @shaulk in #464 & @orweis in #465
• Update helm chart tutorial by @roekatz in #468
• Fix Kafka based docker-compose example by @roekatz in #469
• docs on data.json by @orweis in #474

New Contributors

• @oskar-christensson made their first contribution in #457
• @thilak009 made their first contribution in #470
• @cbat98 made their first contribution in #473

Full Changelog: 0.7.0...0.7.2

v0.7.0

What's Changed

Supporting a new policy engine: Cedar Agent

Cedar Agent provides the ability to run Cedar as a standalone agent (Similar to how one would use OPA) which can then be powered by OPAL. OPAL manages the policies loaded into Cedar through git, same as for OPA, and can push data updates in real time from external data sources.
Example OPAL configuration for Cedar can be found here.

The Cedar policy language offers better readability, better performance for policy evaluation and is analyzable via automatic reasoning.

• Add a Cedar policy engine plugin by @shaulk in #461
• Shaul/per 5343 update cedar agent in opal by @shaulk in #463

Small fixes and improvements

• Add platforms to build-push-action with amd64 and arm64 by @vivedo in #427
• [Snyk] Security upgrade setuptools from 39.0.1 to 65.5.1 by @RazcoDev in #323
• [Snyk] Security upgrade setuptools from 39.0.1 to 65.5.1 by @asafc in #324
• Bump json5 from 2.2.1 to 2.2.3 in /documentation by @dependabot in #354
• Bump webpack from 5.74.0 to 5.76.1 in /documentation by @dependabot in #410
• Upgrade GitHub Action by @cclauss in #417
• Docs: Add periodic_update_interval to data-sources.mdx by @roekatz in #458
• Oded/small docs fixes by @obsd in #283
• sort and add more questions by @orweis in #459
• Merge pull request #347 from permitio/improve-cli-windows-support by @orweis in #349
• Tests: Mark test_external_http_get flaky for retries by @roekatz in #460
• bump version: 0.7.0 by @asafc in #462

New Contributors

• @vivedo made their first contribution in #427
• @RazcoDev made their first contribution in #323

Full Changelog: 0.6.1...0.7.0

v0.6.1

What's Changed

Bug Fixes

• Fix exception thrown on webhook for API policy source by @urspraveen2001 in #438
• Fix restoring OPA from a local backup on offline mode by @roekatz in #450
• Fix clients can't reconnect when broadcaster disconnects if statistics are enabled by @roekatz in #453

New Contributors

• @urspraveen2001 made their first contribution in #438

Full Changelog: 0.6.0...0.6.1

v0.6.0

What's Changed

New Features in Policy Store Control (Client)

• Automatic resolution of ordering issues: Any failed policy store loading operation (file loading / deletion) would be re-attempted after completing other operations (instead of bailing out), thus eventually achieving the correct loading order via trial and error. by @roekatz in #425
  • Eliminates the need to explicitly define .manifest files on most cases (although having an explicit manifest might still be beneficial for performance).
  • Resolves the known issue of handling moved/renamed modules.
• OAuth2 support for policy store authentication by @scarlier in #407
• Add option to ignore specific policy files by @orweis in #414
  • Could be used to prevent opal-client from overriding policy files managed outside OPAL.
• Optional offline mode, where policy store's data is restored from a local backup file on client startup (Thus being able to handle queries even when server connection can't be established) by @roekatz in #441

Server Multi Process Stability

Bug fixes in using opal-server with multiple workers (UVICORN_NUM_WORKERS) and/or multiple instances (e.g. pod replicas).

• Fix leader worker sometimes not getting git webhook event (Bug in broadcaster subscription) by @roekatz in #398
• Turn on BROADCAST_CONN_LOSS_BUGFIX_EXPERIMENT_ENABLED by default (Fixes silent connection losses to Postgres broadcaster) @roekatz in #443
• Bump fastapi_websocket_pubsub ver to 0.3.3 by @roekatz in #423

Health Checks

• Make client's health check always available (without requiring persisting health status in OPA by setting OPAL_OPA_HEALTH_CHECK_POLICY_ENABLED) by @roekatz in #420
• Expose new /ready endpoint - would return 200 OK if OPA was loaded from either server or backup (on newly available offline mode) at least once. by @roekatz in #441

Scopes Stability

Introduce quite a few refactors & changes in scopes we've been working on and testing internally lately. by @roekatz in #436.

• Bug fixes related to using multiple Uvicorn workers and / or multiple instances (e.g pod replicas).
• Getting rid of Celery worker (a.k.a opal-server-worker) for periodically syncing scopes (Instead, using the leader process the same way it's used when scopes are disabled).
• Bug fixes in detecting and notifying changes when multiple scopes use the same git repository (but possibly different branches).
• Fix races in detecting and notifying changes during server setup time (cloning all scopes' repos).
• Better logging when using scopes

Other Improvements & Fixes

• Optionally allow to skip url matching in git webhook receiver by @asafc in #400
• Rename OPAL_SERVER_PORT -> OPAL_SERVER_BIND_PORT to avoid configuration parsing error when k8s sets this envar to "tcp://..." if there's a service named "opal-server" (For backward compatibility old envar would still be used if has a valid port integer value). by @roekatz in #442

Docs & Examples

• Update config.py by @money8203 in #358
• Introduced "OPAL Configuration Variables" doc by @filipermit in #397
• Updates to fetch providers, config variables, opal+ and new release page by @filipermit in #401
• Fix for Doc Broken links by @renatosc in #412
• Change Slack Link by @danielbass37 in #416
• Fix typos discovered by codespell by @cclauss in #419
• fix broken tutorial links by @omriza in #429
• Introduce run-example-with-scopes.sh to demonstrate using scopes by @roekatz in #444

New Contributors

• @scarlier made their first contribution in #407
• @renatosc made their first contribution in #412
• @cclauss made their first contribution in #419
• @omriza made their first contribution in #429

Full Changelog: 0.5.0...0.6.0

v0.5.0

What's Changed

This release contains several small fixes and improvements.

New Feature: Bundle Ignore

Adds support for omitting files in the bundle produced by opal-server. Use the OPAL_BUNDLE_IGNORE environment variable to specify a list of comma separated glob paths which if matched will ignore a file from being included in the policy bundle.

• add support for omitting files from bundle by @tlowerison in #372
• Fixes to bundle ignore feature by @orishavit in #394
• Merge pull request #372 from tlowerison/master + precommit by @orweis in #387

Bug fix: bitbucket webhook

Fixes #381: When sending a webhook from Bitbucket to the OPAL server with an secret configured then the the response on the request is an 401, no secret was provided. This is unexpected as the configuration looks correct.

• fix bug in parsing and make tests test secrets by @orweis in #384

Bug fix: confi default casting

• improve error logging, and fix defualt casting by @orweis in #371

Improve usability of topics in data updates

1. Have the default topic (policy_data) as a default value for DataSourceEntry.topics - To prevent users who have left this empty before from experiencing breaking changes as a result of related bug fixes in 0.4.0. Also fixes #375: Uncaught server exception when posting data update without topics
2. Warn at realtime when published entry doesn't have topics, or when client processes data update with no matching entries (this would cover what isn't covered by 1).
3. Fix documentation about topics in data updates.

Included PRs:

• Improve usability of topics in data updates by @roekatz in #389

CI Fixes

• Fix broken pre commit by @asafc in #393
• feat: Install jq to client and server by @avo-sepp in #392

Documentation Fixes

• Updated FAQ for OPAL by @filipermit in #373
• Update feature_request.md by @money8203 in #374
• Update issue templates by @orweis in #383
• Bump http-cache-semantics from 4.1.0 to 4.1.1 in /documentation by @dependabot in #377
• Bump eta, @docusaurus/core and @docusaurus/preset-classic in /documentation by @dependabot in #378
• Bump @sideway/formula from 3.0.0 to 3.0.1 in /documentation by @dependabot in #380
• improvements to docs by @orweis in #386
• add OPAL-plus by @orweis in #391

New Contributors

• @tlowerison made their first contribution in #372

Full Changelog: 0.4.0...0.5.0