
Release Notes for Self-Hosted Styra DAS

Self-Hosted Styra DAS 0.15.0 was released on May 1, 2024.

Self-Hosted Environment Changes

Authz v2 enabled by default

This release enables Authz v2 by default for customers who may still be using legacy Authz v1 functionality. Authz v2 (released in 2021) improves on Authz v1 in many ways, including adding more granular user and API token roles for better user access management in DAS. Upon upgrading to 0.15.0, existing Authz v1 self-hosted installs will begin a migration process to create the required records for Authz v2 roles and permissions. Authz v1 will continue to be used for DAS authorization until the Authz v1 feature flags are disabled and the Authz v2 feature flags are enabled in your values file, or until the next self-hosted version, when Authz v2 enforcement will be enabled by default. Authz v1 is planned to be fully deprecated by the end of this year.

Bundle build and compliance jobs enabled by default

Bundle build and compliance evaluation jobs are enabled by default in this release via the BUNDLE_BUILDS_JOBS and COMPLIANCE_JOBS feature flags in the values file. These tasks now run as a Kubernetes Job rather than as an in-process task, resulting in better performance and consistency. CPU and memory resources for these jobs can be adjusted using the BUNDLES_JOB_LIMITS and COMPLIANCE_JOB_LIMITS feature flags.

New Role and RoleBinding for jobs

To allow for bundle build jobs and compliance evaluation jobs, a new Role and RoleBinding have been added to the Helm chart to allow DAS to create the necessary cluster resources.

Ability to set separate AWS S3 and DynamoDB prefixes

Customers deploying DAS to AWS and using S3 and DynamoDB as the data store can optionally specify separate resource prefixes for S3 buckets and DynamoDB tables created and managed by DAS. Customers can also customize the tags DAS adds to S3 buckets and DynamoDB tables. Please submit a request in the support portal or your Slack support channel for additional details to configure these options as they are not yet available directly in the Helm chart.

Optionally disable DAS control of some S3 bucket management

Customers deploying DAS to AWS and using S3 and DynamoDB as the data store can optionally disable DAS management of certain aspects of S3 bucket management, such as public access blocks and lifecycle policies. Please submit a request in the support portal or your Slack support channel for additional details to configure these options as they are not yet available directly in the Helm chart.

AWS S3 object URL patch on S3 bucket prefix change

For customers deploying DAS to AWS and using S3 and DynamoDB as the data store, DAS will automatically patch S3 object URLs from DynamoDB records if the bucket names in the records do not match the prefix configured for the DAS installation. This can be useful when restoring DAS from backup S3 buckets when the original bucket names are no longer available due to Amazon's S3 bucket name global uniqueness requirements.

Fixed Helm chart issue treating numbers as strings for feature flag values

Feature flag values which should have been treated as numbers were saved as strings to the settings ConfigMap (e.g., TIMESERIES_METRICS_PARALLELISM), resulting in invalid behavior. This release fixes this issue.

New Features and Changes

BETA: New DAS UI

Users with a WorkspaceAdministrator role can access the new DAS UI via the user menu. The new DAS UI currently implements a portion of DAS features and is being made available as a Beta to admins for feedback. Use the Exit button in the bottom left to return to the current UI experience. Please send any feedback in your support portal or Slack support channel. Some new features may only get added to the new UI moving forward. The following new features are currently available in the new UI:

  • System status bar: When in the policy editor for a System, the System's status is shown in the bottom left-hand corner of the screen, including current bundle deployment status, git status, and agent status.
  • System relationships with Stacks and Libraries: On a System's dashboard, the matching Stacks are shown as well as the Library dependencies used in the System's active bundle.
  • Stack relationships with Systems: On a Stack's dashboard, the matching Systems are shown.
  • Library usage: On a Library's dashboard, the Systems using the Library in their active bundle are listed.

Upgraded to OPA v0.63.0

The internal version of OPA used by Styra DAS has now been upgraded to OPA 0.63.0.

Library unit testing

Libraries now support the ability to run Rego tests within the DAS UI through the Validate functionality in the Rego editor. Requires enabling the LIBRARY_EDITING_ENABLED feature flag.

Library impact analysis

Libraries now support the ability to run log replay to replay decisions from Systems which depend on a Library through the Validate functionality in the Rego editor in the DAS UI. This allows Library authors to evaluate the impact of Library-level policy changes on Systems using the Library. Library authors require at least read permissions on decisions in Systems depending on the Library to be able to replay those decisions. Requires enabling the LIBRARY_EDITING_ENABLED feature flag.

DAS UI performance improvements for high number of systems

Optimizations include improvements to initial UI load for tenants with 400 or more Systems.

Decision batch processing improvements

Improvements to the speed and efficiency of decision log batch processing.

Compliance speed improvements

Improved the speed of compliance check jobs by removing unnecessary extra authz checks.

SLP status in UI Deployments tab

The Styra Local Plane (SLP) status is now reported in the Deployments tab when configured for a system. Kubernetes systems will always show the SLP status section.

Datasource agent reports agent version on status updates

The Datasource agent now reports its version to DAS on status updates, which is included in the data returned on the agents API.

Deploy latest bundle after switching back to automatic deployment

When switching a System from manual to automatic bundle deployment, DAS will now auto-upgrade to the latest current bundle rather than waiting for a new bundle to be built to automatically deploy.

User-defined HTTPS datasource Accept header override

For HTTPS datasources, users can define specific headers for DAS to include when making requests to the specified URL. With each request, DAS includes an Accept header with a default value of the accepted content types. Previously, if a user added an Accept header value to the datasource configuration, DAS would append it to the default Accept header value. With this change, a user-defined Accept header value on an HTTPS datasource will override the value DAS sends by default.

Import rego.v1 instead of future.keywords

The DAS UI Rego editor now auto imports rego.v1 instead of future.keywords.<keyword> by default.
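As an added illustration of the rego.v1 import the editor now inserts, and of the Rego unit tests that Libraries can now run through Validate, here is a small example policy together with its tests in the same package. This is not code from the release notes or from Styra; the package name, rule names, and the data.allowed_roles path are assumptions made for the example. With import rego.v1 the if, contains, and in keywords are available without any future.keywords.<keyword> imports.

```rego
package library.utils

# Assumed package name for this example; a single import of rego.v1
# replaces import future.keywords.if / .contains / .in.
import rego.v1

# allow is true when the caller holds at least one of the roles listed
# under data.allowed_roles (an assumed data path for this example).
allow if {
	some role in input.roles
	role in data.allowed_roles
}

# deny is a set of messages; with rego.v1 a partial set rule is written
# with "contains" and "if" instead of the legacy "deny[msg] { ... }" form.
deny contains msg if {
	not allow
	msg := sprintf("user %v lacks an allowed role", [input.user])
}

# Unit tests live in the same package and use "with" to mock input and data;
# rule names prefixed with test_ are what the Validate tests run.
test_allow_with_admin_role if {
	allow with input as {"user": "alice", "roles": ["admin"]}
	      with data.allowed_roles as ["admin", "editor"]
}

test_deny_without_allowed_role if {
	msgs := deny with input as {"user": "bob", "roles": ["viewer"]}
	             with data.allowed_roles as ["admin"]
	"user bob lacks an allowed role" in msgs
}

test_no_deny_when_allowed if {
	count(deny) == 0 with input as {"user": "carol", "roles": ["editor"]}
	                 with data.allowed_roles as ["admin", "editor"]
}
```

Outside DAS the same file runs under the OPA version this release bundles with opa test on the directory containing it; inside DAS the test rules are executed by the Validate action in the Library's Rego editor once the LIBRARY_EDITING_ENABLED feature flag is on.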

Editor autocomplete behavior

In the DAS UI Rego editor, code autocomplete now auto selects the first suggestion and applies it with Enter or Tab.

Enterprise OPA redis built-in support

Styra DAS supports defining and mocking Enterprise OPA's redis.query built-in in the policy editor.

Updated bundle deployment labels

Bundle deployment labels have been updated to use "Active" terminology to better reflect bundle deployment behavior. Bundles with the "Active" label are the bundles which DAS is actively serving to policy agents when those agents request bundles.

Fixed Issues

Fixed Git sync timeout

In some cases when a Git repository sync runs into an error, the sync operation could block future retries. Git sync operations are now limited to a maximum of 10 minutes.

Increased Git read timeout

In some circumstances, reading the configured Workspace, System, Stack, or Library Git repository to check for updates resulted in a timeout error, in particular for Bitbucket repositories. The Git read timeout has been increased from 45 seconds to 60 seconds to reduce the incidence of these request timeouts.

Git sync error for large policy counts

For tenants with early access to the SBOM feature, in some circumstances adding a Git-backed System, Stack, or Library with more than 100 individual policy packages could result in a Git sync error depending on policy module nesting in the origin repository.

Recreation of a Library after deletion did not trigger bundle rebuild

Recreating a Library that was already referenced in other policies after it had been deleted did not always trigger a new bundle build to pull in the recreated Library, which could result in outdated policies in a bundle.

Delay SLP bundle serving until Kubernetes data is pushed to OPA

In scenarios where new OPAs are launched in Kubernetes clusters with frequent admission webhook requests, an OPA could receive a request before fully loading the necessary Kubernetes cluster data. This could result in request failures if the relevant policy required the Kubernetes cluster data. This SLP update prevents an OPA from indicating readiness for webhook requests until it has fully loaded both the Kubernetes cluster data and the policy bundle by delaying the first bundle delivery until all required data is loaded.

Bundle builder could create two bundles when a new policy was created

In some cases, when adding a new policy file in the UI policy editor or via the /v1/policies API, two subsequent bundles could be built.

Different bundle digests returned on bundles and bundle-compile APIs

The /v1/systems/{id}/bundles API correctly returned the bundle file digest while the /v1/systems/{id}/bundle-compile API returned the policy digest in the digest field. The bundle-compile API has been updated to return the bundle file digest and both APIs now include the additional contents_digest field containing the policy digest.

SLP status missing for Custom Systems

When using SLP with a Custom System, the status of the SLP associated with the Custom System was not reported in the /v1/agents/slps response and not shown on the Deployments page.

Fixed Kubernetes System dashboard decisions visibility for System roles

Users with a System role and no Workspace role could not view the decisions graph on the Kubernetes System dashboard.

Fixed data source size message showing as error instead of warning

In the Data Source dialog, for data sources too large to show in the UI, the warning message was shown as an error message instead.

Fixed decision log right click context menu contents

The right click context menu in the Decisions UI showed options which were not relevant to the decision log.

Fixed missing policy rule count UI error

In some cases when loading a new policy, the UI would show an error due to a missing rule count for the package before the rule count was calculated by the server.

Fixed UI error after clicking error message

In some edge cases, clicking on an error message in the UI could result in a UI crash.

Editor did not auto indent within brackets

Fixed an issue where the DAS UI Rego editor did not auto indent when a new line was entered between opening and closing brackets ({} or []).

Kafka decision export client key validation

The field validation for the client key portion of Kafka decision export setup could cause valid keys to be rejected.

S3 decision export configuration issue with IAM roles

Saving the configuration for decision export to S3 would fail when configuring the AWS IAM role authentication option.

UI editor autocomplete suggestion positioning on indented line

Fixed the positioning of the UI editor autocomplete suggestion placeholder on lines indented with tabs.

System, Stack, or Library error toasts shown out of context

If a System-, Stack-, or Library-level error occurred, an error toast would be shown in the UI in any view. After this change, these errors will be shown in the Workspace view and only in the System, Stack, or Library view associated with the error.

Policy editor showed only one custom snippet if multiple were defined in a single package

When multiple custom snippets were defined in a single package, only the last custom snippet was shown in the Add rule list of snippets for the associated system type.

WorkspaceSystemCreator role did not allow sandbox system creation

The permissions for the WorkspaceSystemCreator role have been updated to allow for creating sandbox systems from the Getting Started flow.

Decision replay failed when replaying an Error decision log

When replaying a decision log with an Error outcome, the UI could fail to replay the decision.

Deployments tab policy agent dropdown did not properly sort agents list

In the Deployments tab, selecting different policy agent sorting options did not sort the list of policy agents.

When viewing a datasource with a transformation, the success message footer could block the last lines of the datasource contents for long datasources.

UI error when quickly switching between policies with snippets with decision parameters

In the UI policy editor, the UI could crash when switching quickly between policies with decision parameters.

User activity search persisted after clearing value

In the User Activity tab, once you entered a search value, that initial search value would be persisted when later returning back to the User Activity tab, even if you changed or cleared it.

The Styra CLI link init --skip-git command returned an error when connecting Styra Link to an existing git-backed System.