Releases: permitio/opal

v0.1.14

02 Oct 16:16
78d8938
  • We made a few significant changes to the update callbacks mechanism:

    • Dynamic registry of callbacks: OPAL client can now register new callbacks dynamically during runtime via its REST API (if opal client is running on http://localhost:7000, the API docs can be found on http://localhost:7000/redoc).
    • Callbacks are called for policy updates: OPAL client will now call any registered callbacks after successful policy updates, so now every change made to OPA state will invoke a callback. This allows an OPAL user to monitor OPA state changes (get "push notifications" via the callbacks mechanism; each "callback" is actually implemented as a webhook).
  • We made a few small changes to OPAL's authentication mechanism:

    • We now require datasource JWTs in order to publish updates: As was previously explained in the docs, you need a datasource JWT token in order to authenticate successfully when publishing a data update. Until now, we did not enforce the peer type requirement on the token. This change essentially fixes #44.
    • New type of OPAL JWT (listener): A listener JWT is meant for a network peer that "listens" to OPA state changes, or in other words, a peer that exposes a callback to be called by OPAL client after OPA state changes.
  • We added new config vars to expose the timeouts enforced on fetch providers (fixes #142):

     # Time in seconds to wait on the queued fetch task (i.e: for a fetch provider to fetch data)
     OPAL_FETCHING_CALLBACK_TIMEOUT (default: 10)
     # Time in seconds to wait for queuing a new task (if the queue is full)
     OPAL_FETCHING_ENQUEUE_TIMEOUT  (default: 10)
    
  • We changed the default value of OPAL_POLICY_STORE_URL: the policy store URL should only include the host and port part of the URL, not the path. For example, if OPA is on localhost port 8181, instead of http://localhost:8181/v1, the config var should now be http://localhost:8181.
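
A pre-upgrade check for the configuration changes listed above, added here as an example (it is not code from the OPAL project). The helper names `check_policy_store_url` and `check_opal_env` are hypothetical, and treating a valid timeout as a positive number of seconds is an assumption.

```python
from urllib.parse import urlsplit

# Timeout variables and their default (10 seconds), as listed in the release notes.
TIMEOUT_VARS = ("OPAL_FETCHING_CALLBACK_TIMEOUT", "OPAL_FETCHING_ENQUEUE_TIMEOUT")
DEFAULT_TIMEOUT = 10


def check_policy_store_url(url):
    """Return (host_port_url, problem); problem is None when the value is valid."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return None, "not a parseable URL"
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None, "expected http(s)://host[:port]"
    # Rebuild from hostname and port only, so any userinfo is never echoed.
    host = f"[{parts.hostname}]" if ":" in parts.hostname else parts.hostname
    fixed = f"{parts.scheme}://{host}" + (f":{port}" if port else "")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        # Pre-0.1.14 style value such as http://localhost:8181/v1
        return fixed, f"remove everything after host:port; use {fixed}"
    return fixed, None


def check_opal_env(env):
    """Collect problems found in a mapping of OPAL environment variables."""
    problems = []
    url = env.get("OPAL_POLICY_STORE_URL")
    if url is not None:
        _, problem = check_policy_store_url(url)
        if problem:
            problems.append(f"OPAL_POLICY_STORE_URL: {problem}")
    for name in TIMEOUT_VARS:
        raw = env.get(name, str(DEFAULT_TIMEOUT))
        try:
            ok = float(raw) > 0
        except ValueError:
            ok = False
        if not ok:
            # Assumption: a usable timeout is a positive number of seconds.
            problems.append(f"{name}: expected a positive number of seconds, got {raw!r}")
    return problems


if __name__ == "__main__":
    import os
    for line in check_opal_env(os.environ):
        print(line)
```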

v0.1.13

02 Sep 12:21

This tiny release includes:

  • Hotfix to the data updater: we removed the fetch config from the logs, as it may contain sensitive credentials.
  • Small improvements to docs

v0.1.12

24 Aug 13:19
02f71d5
  • (#125) added option to disable data updater
  • (#126) added docs about update callbacks and opa healthcheck policy + added example docker compose configuration that uses callbacks
  • (#127) Load policy bundle according to the order of modules specified in the bundle manifest, see docs
  • (#128) extensive changes to repo cloner:
    • It tries indefinitely to clone the repo (i.e., resilient to temporary network errors) - fixes #111 ("opal-server stops the pulling if failed to connect")
    • Indefinite wait for successful clone can be cancelled with new Env var: OPAL_POLICY_REPO_CLONE_TIMEOUT
    • previous local clones are discarded - this should not affect running docker (unless using a volume) but it does affect running opal as a library.
    • fixed cloning remote branches that are not master - they are now cloned correctly
    • repo cloner is now running in an asyncio executor thread - until the initial successful clone, the /policy (bundle) API correctly returns 503.
  • Other small fixes and improvements

v0.1.11

26 Jul 12:39
88a6b15
  • Small fix to OPAL CLI
  • Upgraded Fetcher Guide (How to write custom fetch providers)

v0.1.10

22 Jul 13:23
  • OPAL-Client now supports self-signed SSL/TLS certificates - meant for dev environments (#104)
  • Fixed fetch provider register, you may now select the custom fetcher by adding fetcher override to FetcherConfig (#110)
  • OPA Client now supports OPA authentication with bearer token (#105)
  • Fixed data updater bug where opal client did not alert the user if we got error responses from authoritative data source (#109)
  • Added a fully functional example OPAL fetch-provider for Postgres
  • Other various small bugs and fixes

v0.1.9

27 Jun 14:38
c089a8e

Small bug fixes and improvements (no breaking changes from previous version):

  • bugfix: inline OPA was being rehydrated on shutdown after responding by itself to keyboard interrupts
  • Bump fastapi from 0.62.0 to 0.65.2 - addresses fastapi security issue - https://github.com/tiangolo/fastapi/releases/tag/0.65.2 (it's important to note that OPAL does not use cookies for authentication - therefore this security issue is not applicable to previous OPAL versions - however, it is good requirements hygiene to upgrade nonetheless).
  • include rpc and pub/sub logs by default - a bit more noisy but easier to detect connection issues - fixes #82.
  • added mention of logging configuration and troubleshooting section to containers doc - fixes #83.
  • fix requirements inconsistencies with idna and starlette.

v0.1.8

09 Jun 14:42
5b35248

Small fixes:

  • fixed broken requirements (i.e: click 8.0.1 with old typer, etc)
  • fixed broken docker image - OPA changed the binary file name on their latest release
  • fixed several log messages that were not JSONable - broke some logging configurations
  • fixed a small issue where killing the opal client with ctrl+c would also kill OPA agent and create a race (when running with inline OPA)

v0.1.7

02 Jun 12:17
e281c12

Fixed issues with policy fetcher (in opal client):

  • could not handle error response codes from opal server like 503 (server not ready) and 401 (bad token)
  • will now retry a few times to fetch a bundle
  • fixed issue with policy fetcher being used as a singleton caused inconsistencies

v0.1.6

27 May 13:56
accc408

minor fix when fetching data sources from redirected source

v0.1.5

28 Apr 12:32
  • Update completion callbacks - client will notify upon completion/error of a realtime update
  • Update transactions - safer modification of OPA cache
  • Special OPA readiness policy - can ask if the OPA agent is ready (received initial policy bundles and data)