Release Notes for Self-Hosted Styra DAS
Self-Hosted Styra DAS 0.14.0 was released on December 1, 2023.
New Features and Changes
Updated to OPA v0.58.0
The internal version of OPA used by Styra DAS has now been updated to OPA 0.58.0.
Kubernetes node count reporting
For customers with Kubernetes systems, the workspace dashboard now includes a graph representing the monthly average node count across all Kubernetes systems for the last year. Details, including how node counts are calculated, can be found on the Kubernetes system Node Count page.
Enterprise OPA dynamodb Built-ins Update
Styra DAS supports defining and mocking Enterprise OPA's dynamodb.get and dynamodb.query built-ins in the policy editor.
Bundle revision digest in Decisions
This feature adds an 8-character digest (hash) of the bundle's revision string to each bundle built by Styra DAS. Decision logs in the Decisions tab and API now return the revision digest, returned in either the revision field or the bundles field, based on the log format for that OPA's version. The revision digest for a bundle can be found on the Deployments tab for a System on the bundle's card, along with the bundle version and the bundle contents digest. The original decision logs from OPA and Enterprise OPA are unaffected.
Bundle Builder performance improvements
Improved policy and data change detection speed for faster system bundle build triggers, as well as improved handling of simultaneously triggered system bundle builds. Improvements to the bundle builder to increase the rate of System bundle builds and reduce extra bundle rebuilds after version upgrades or restarts.
agentbundle service split into two services
The agentbundle service has been split into two services:
- New
bundleregistryservice is responsible for background bundle building for the bundle registry as well as the manual bundle-compile API, and - Existing
agentbundleremains responsible for the /v1/bundles API and ad-hoc bundle compilation when bundle registry is not enabled.
Decision Replay OPA environment variable
When replaying a decision or when running log replay, Styra DAS will set an OPA runtime environment variable (STYRA_DAS_REPLAY), which policies can use to modify policy evaluation behavior during decision and log replay. This can be useful for policies which evaluate sensitive data from the input (e.g., a JWT) in combination with a decision mask for that sensitive data.
Workspace Admin override of disabled local login
Tenants with SSO login configured have the option to disable local login (username and password login), ensuring users must log in only through the SSO provider. This release adds new functionality to this feature which allows users with a WorkspaceAdmin role to override disabled local login in situations where SSO login fails (e.g., due to an SSO provider outage or incident).
Support Zstandard compression for Data Sources
Added support for Zstandard (zstd) compression for PUT and PATCH actions on the /v1/data/{datasource} endpoint. Zstandard provides speed and compression improvements over gzip. Both gzip and plain JSON remain supported for this endpoint.
Fixed Issues
Large decision indexing Fix
Decision indexing could pause on a large decision and block indexing of newer decisions, resulting in the Decisions tab in the Styra DAS UI missing newer decisions. With this fix, Styra DAS will attempt to truncate decision fields until the decision size can be indexed, otherwise the large decision will be dropped from indexing. Truncated decision fields will be shown as **TRUNCATED** in the decision log view. This change does not affect nor modify the original decision log records.
Fixed bundle build recovery after Rego error
In situations where a System bundle build failure was a result of a Rego compilation error due to invalid Rego policy code in the System, bundle builds could still fail after resolving the original Rego policy code issue.
Fixed Delta Bundle Build with Root Data
In systems where a root-level data.json was present, delta bundles could fail to build.
Fixed bundle export of separate policy and data bundles
When exporting system bundles to Amazon S3 or Google Cloud Storage with the separate policy and data bundles option enabled, the generated discovery bundle had an incorrect resource name for the context bundle reference.
Fixed StackOwner Git configuration permissions
Users with a StackOwner role but no workspace-level role did not have permissions to edit a Stack's Git configuration.
Fixed Kubernetes compliance violations for complex rules
In cases where a Kubernetes rule used more than one library helper function/rule, a compliance violation for that rule may not have been returned in the violation count and list of violations depending on the return value of the library helper function/rule used.
Fixed SLP Resource Discovery Failures
When discovery of a Kubernetes cluster resource in a group failed, it could result in discovery failure for resources in all groups. This update add retries to discovery failures and unblocks discovery for other groups without failures.
Fixed Enterprise OPA built-ins bundle build error
When using an Enterprise OPA built-in, a system could encounter a bundle build error.
Fixed Data Source temporarily missing data
Fixed HTTP and other polling data sources to correctly redeliver updates when internal errors prevent the original update from succeeding and subsequent polling runs detect no changes.
Fixed HTTP data source persisting errors
In some cases, errors reported on an HTTP data source (e.g., due to HTTP fetch error) may not automatically clear immediately after the error is resolved.
Fixed Styra CLI download URL in Terraform install instructions
Updated the Styra CLI URL for download when following the install instructions for a Terraform system type.
Fixed Library Preview in UI
Fixed Library preview issues which may have showed no results unless previewing a selection of the policy code and may have shown an unrelated decision input to replay.
Fixed UI Error for Library Data Source Transforms
In Library data sources with an applied data transform, the UI could fail to load the data source view.
Fixed nested variable syntax highlighting
Variables with multiple levels of nesting (e.g., q.foo.bar) were displayed with incorrect syntax highlighting in the policy editor.
Fixed duplicate decisions in Decisions tab
When scrolling quickly through past decisions in the Decisions tab while a filter is also applied, duplicate decisions could occasionally be shown.
Fixed decision right click menu
In certain contexts, right clicking in the Styra DAS UI Decisions could result in an error.
Fixed UI Error for Invalid Policy File Name
In cases where a policy file name included invalid characters, the UI could fail to load the policy.
Fixed SSO Configuration UI for Library Roles
When configuring a Library role in Workspace SSO settings, relevant resources would not be shown.
Fixed Playground loading issue
When starting the DAS Playground during the Getting Started flow, the Playground could fail to load.
Fixed UI errors when OPA status is missing fields
In cases where the OPA status reported to Styra DAS is missing expected fields due to an old OPA version, the UI would show an error and no deployment or agent data.
Fixed duplicate System errors in Deployments
In cases where a system had a bundle error, an additional invalid system error would be shown.
Fixed UI error in User Activity log
When scrolling back quickly through the User Activity log in cases where there is only one page of user activity, the UI could error and go blank.
Fixed UI autocomplete error during policy authoring
In some cases in the policy editor UI, an autocomplete suggestion may have been shown when no appropriate suggestions were available for the current Rego code.
Fixed UI redirect after creating new policy
In certain circumstances, the Styra DAS UI would show the System, Stack, or Library settings after creating a new policy rather than showing the new policy.
Fixed showing Custom Snippet changes in UI
After publishing a change to an existing Custom Snippet defined in a Library, a UI refresh may have been required to show the updated Custom Snippet information in a relevant System or Stack.
Fixed Log Replay with multiple draft policies during policy validation
When running Validate in the UI policy editor with multiple policies in a draft state, all draft policies may not have been included during log replay.
Fixed S3 and GCS Data Source region selection
In tenants supporting the full list of regions for S3 and GCS Data Sources, the region selection in the UI could be partially obscured on smaller screen sizes.
Fixed UI messaging and sidebar menu collapse functionality for users without a Workspace role
When users had only System, Stack, and/or Library roles and no Workspace-level role, collapsing the sidebar menu while at the tenant root would hide the expand sidebar button. Users without a Workspace role will now see a message indicating they do not have permissions to access Workspace-level data.
Fixed UI display for System and Stack policy editor and viewer roles
Users who had the SystemPolicyEditor, SystemPolicyViewer, StackPolicyEditor, or StackPolicyViewer roles would see a blank Decisions tab for the associated System or Stack, as those roles do not provide decision access permissions. The Decisions tab will now instead be hidden for users with these roles.