
Release Notes for Styra DAS

This page describes the release notes for Styra DAS delivered in November 2021.

Release Summary

Styra is built on the Open Policy Agent (OPA), a popular and widely deployed open source project developed by the founders of Styra. With primary credibility for the underlying technology, the Styra team and technology are both proven in production across verticals. Styra enables enterprises to define, enforce, validate, and continually monitor security, compliance and operational policies across the cloud-native application stack. Styra has reinvented the authorization solutions to mitigate customer risk, and reinforce commitment to trust and transparency in safeguarding customers’ data. Styra’s Declarative Authorization Service (DAS) is a sophisticated management plane that provides context-based guardrails, built from a graphical policy library to mitigate risk, reduce human error and accelerate development. Styra makes it possible for enterprises to implement policy-as-code controls and to prove their effectiveness to both internal and external security and compliance audiences.

November 30, 2021

This Styra DAS 20211130 release delivers the following new enhancements.

New Features and Enhancements

This section describes the new enhancements in Styra DAS 20211130.

API

  • Starting with this release, the /v1/systems and /v1/systems/instructions APIs add token access events to the activity log in addition to returning the bearer tokens.

Documentation

  • The Styra DAS documentation is updated with a new look and feel.

GUI

  • This release allows you to check the status of your data source to see whether it is in a successful state or has encountered errors.

  • The User Activity tab is moved from the Access Control tab to its own main section. The User Activity tab displays live or historical logs of user activity. The user activity log can be filtered by Outcome type and through a case-sensitive free-form text field for specific queries. The user activity log can now also be exported to S3 buckets; the export configuration settings are available in the Settings >> User Activity Export pane.

Systems

  • This release makes the default system AuthZ OPA policy for the Kubernetes V2 system type more restrictive by removing access to the root API and the static HTML OPA landing page.

November 23, 2021

This Styra DAS 20211123 release delivers the following new enhancement and fixed issue.

New Features and Enhancements

This section describes the new enhancement in Styra DAS 20211123.

GUI

  • Starting with this release, you can disable logins with a username and password entirely and use only SSO for authentication. SaaS users can request this feature from their Customer Success Manager (CSM), and on-premises users can enable it with the DISABLE_LOCAL_LOGIN_IF_SSO_ENABLED feature flag.

Issues Fixed

This section describes the issue fixed in Styra DAS 20211123.

API

  • Fixed an issue where the OpenAPI spec was missing fields for the /v1/authz/rolebindings/systems/<system-id>/<binding-id> endpoint.

November 16, 2021

This Styra DAS 20211116 release delivers the following new enhancements.

New Features and Enhancements

This section describes the new enhancements in Styra DAS 20211116.

API

  • Starting with this release, the POST /v1/datasources/$id API supports the preview=true query parameter. It also accepts the whole data source configuration to validate the configuration and preview the data in JSON format.

  • Styra Local Plane (SLP) statuses are now available through the GET /v1/agents/slps API endpoint.

  • The minimum OPA agent version (minimum_opa_version) running for a system or for all systems matching a stack is now reported in the GET /v1/systems/{id} and GET /v1/stacks/{id} APIs, respectively.

  • GET /v1/stacks/{id} now also returns the list of system IDs matching the stack (matching_systems) and GET /v1/systems/{id} returns the list of stack IDs matching the system (matching_stacks).

  • The list of errors reported for the system is extended with the latest bundle status. If there are any compilation errors, or if the bundle requires a more recent OPA version than the oldest version the system agent has, the errors are reported in the systems API and displayed in the DAS UI with system errors and warnings.

Backend

  • Starting with this release, bundles that use Rego features not available for the system are not activated automatically; they require manual activation with the force flag.

  • The minimum required OPA version is now reported for each new bundle in the Bundle Registry. It is available through the /v1/systems/{id}/bundles API (minimum_opa_version field).

  • This release updates the Envoy and Istio systems' OPA instances configured in Quick Starts to only listen on localhost. However, diagnostic endpoints like health are still open generally on port 8282.

Data Sources

  • Kubernetes data source configuration now supports a new format in the masks section. A numeric [0] or wildcard [_] index is used to remove the resources in array properties.

    • spec.template.spec.containers[0].env # exclude first item from containers array
    • spec.template.spec.containers.env # exclude environment sub-objects of containers object
    • spec.template.spec.containers[_].env # exclude environment objects from all items in containers array
    • * # whole resource
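
The four mask forms above, applied to a constructed Deployment. This is an added illustration, not Styra's code: `parse_mask`, `apply_masks` and `SAMPLE` are hypothetical names, and treating a plain (un-indexed) segment that lands on an array as a no-op is an assumption drawn from the "containers object" comment.

```python
import copy
import re

# One mask segment: a property name, optionally followed by [N] or [_].
_SEGMENT = re.compile(r"^([^\[\].]+)(?:\[(\d+|_)\])?$")

def parse_mask(mask):
    """'a.b[0].c' -> [('a', None), ('b', '0'), ('c', None)]"""
    parts = []
    for raw in mask.split("."):
        m = _SEGMENT.match(raw)
        if m is None:
            raise ValueError(f"bad mask segment: {raw!r}")
        parts.append(m.groups())
    return parts

def _remove(node, parts):
    (key, index), rest = parts[0], parts[1:]
    if not isinstance(node, dict) or key not in node:
        return
    child = node[key]
    if index is None:
        # Plain property: delete it at the end of the path, else descend.
        if rest:
            _remove(child, rest)
        else:
            del node[key]
    elif isinstance(child, list) and rest:
        # [_] selects every array item, [N] selects one (if present).
        picked = range(len(child)) if index == "_" else [int(index)]
        for i in picked:
            if i < len(child):
                _remove(child[i], rest)

def apply_masks(resource, masks):
    """Return a masked deep copy; None when '*' masks the whole resource."""
    if "*" in masks:
        return None
    out = copy.deepcopy(resource)
    for mask in masks:
        _remove(out, parse_mask(mask))
    return out

# Constructed sample: a trimmed Deployment with two containers.
SAMPLE = {"spec": {"template": {"spec": {"containers": [
    {"name": "app", "env": [{"name": "DB_PASSWORD", "value": "x"}]},
    {"name": "sidecar", "env": [{"name": "TOKEN", "value": "y"}]},
]}}}}
```

Calling `apply_masks(SAMPLE, ["spec.template.spec.containers[_].env"])` returns a copy in which neither container carries an `env` key, while the `[0]` form strips it from the first container only.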

Documentation

  • The Data Sources section in the OpenAPI documentation is updated with the list of supported categories and examples for each category.

  • The Operations page is updated with the data source’s common properties.

GUI

  • When adding an HTTPS data source, you can now provide both public and private headers which are useful for authentication.

  • Decision export validation now allows usage of _ and . for Google Cloud Storage bucket names.

  • This release allows DAS to display bundle compilation errors when a policy bundle cannot be compiled.

Systems

  • The default OPA system Authorization policy is added to all Mesh system types and enables the basic Authorization on their OPA instances. The added policy does not apply by default to the Kong Mesh and Kuma system types as they do not enable OPA Authorization. For more information on OPA Authorization, see the Security page.

November 9, 2021

This Styra DAS 20211109 release delivers the following new enhancement and issue fixed.

New Features and Enhancements

This section describes the new enhancement in Styra DAS 20211109.

GUI

  • Libraries now default to refs/heads/main instead of refs/heads/master. Existing libraries that point to refs/heads/master will continue to work as expected.

Issues Fixed

This section describes the issue fixed in Styra DAS 20211109.

API

  • Fixed an issue where an empty passphrase was sent to the secrets API only when the non-private-key (secret) fields were updated.

November 2, 2021

This Styra DAS 20211102 release delivers the following new enhancements.

New Features and Enhancements

This section describes the new enhancements in Styra DAS 20211102.

Backend

  • This release improves the error handling and messaging in some scenarios when configuring Git storage for systems, stacks, or workspace policies.

  • The installation script bucket URL now reflects the S3 bucket endpoint parameter and utilizes Kubernetes secrets and envFrom instead of explicit environment variables.

GUI

  • This release enables Replay Mode to replay decisions. Replay Mode focuses on the replayed decision: file operations are restricted, the systems, stacks, and libraries that contributed to the replayed decision are displayed, and the policies that contribute to the replayed decision are highlighted. To share the replayed decision link with other users, click the Get Link button.

  • Quick Start now supports the ability to have multiple Quick Starts in progress. The capability to save the progress status for each Quick Start is available in this release.

Metrics

  • This release expands the timeseries Prometheus metrics to include Custom system types.

Security

  • Styra DAS now enforces a Content Security Policy to help guard against certain types of attacks, including Cross-Site Scripting and data injection attacks.