Release Notes for Self-Hosted Styra DAS
Self-Hosted Styra DAS 0.15.1 was released on June 5th, 2024.
Self-Hosted Environment Changes
All feature flags moved to global level
DAS feature flags were previously split between global and tenant-level flags, which could cause variability in when each flag was read and applied. All feature flags will now be applied at the global level.
Bundle and Compliance job liveness probes
Liveness probes were added to the Kubernetes Job manifests for bundle jobs and compliance jobs.
Elasticsearch URL default explicitly defined
The values file now explicitly specifies the default Elasticsearch URL as http://elasticsearch:9200.
Fixed RoleBinding name typo
Changed the RoleBinding name from styra_das:defaul to styra_das:default.
New Features and Changes
Beta UI Additions
The Push datasource contents are now editable in the new Beta UI. Added support for the Okta datasource in the new UI.
Upgraded to OPA v0.64.1
The internal version of OPA used by Styra DAS has now been upgraded to OPA 0.64.1.
Improved Git sync frequency
The Git sync process has been improved to decouple syncs from Tenant sync cycles to ensure Git syncs occur more closely to every 60 seconds. Git sync status now also includes additional metrics to assist in identifying slow Git syncs, including previous sync timestamp, current sync start timestamp, and sync duration.
HTTP Datasource timeout parameter
HTTP datasources now support specifying an optional timeout parameter via the PUT /v1/datasources/{datasource} endpoint, which defaults to 60 seconds. Previously HTTP datasources had an implicit 1 hour timeout which was not configurable by the user. This parameter will be added to the UI in an upcoming release.
Datasource Agent status in Deployments
The Deployments tab now reports the status and version of the Datasource Agent connected to the System when using Datasource Agent v1.5.4 or later. Customers with existing Datasource Agent deployments who would like to see the Datasource Agent status reported should delete the existing Datasource Agent API token (token ending in datasources-agent) in the associated system, download a new manifest from the Install instructions for that system, and update their Datasource Agent deployment.
Increased resolution for latency graphs
Decision latency graphs for Workspaces, Systems, and Stacks have been updated to provide greater resolution for low- and sub-millisecond latency values.
Show Workspace dashboard Kubernetes node count graph when tenant has Kubernetes systems
Previously, the Kubernetes node count graph on the Workspace dashboard would only be shown if there was any Kubernetes system with nodes. This update changes the behavior to show the node count graph whenever the tenant has a Kubernetes system, even if the system has no nodes.
Fixed Issues
Features API did not return feature flags when no tenant-level flags were defined
The /v1/runtime/features API returned an invalid tenant error when no tenant-level feature flags were defined.
Storage status write could hang
Storage status write hanging could block further status writes and prevent graceful pod shutdown.
Creation and subsequent deletion of system could trigger bundle rebuilds
Bundle rebuilds for all systems could be triggered after the creation and subsequent deletion of a system.
Error after saving LDAP datasource configuration with invalid search filter
During configuration of an LDAP datasource, if an invalid search was entered and the configuration was saved, a generic error message would be shown and could result in a blank UI. This scenario will now result in the error message "Ldap search operation failed: no entries found".
Kubernetes Jobs could hang without finishing
Added liveness probes and a 15 minute maximum execution time to automatically remove Kubernetes Jobs which may be stuck.
Extra files returned from Git on Stacks API
When using a monorepo to store policies for multiple Stacks or Libraries, the Git API for a Stack could return policies from other Stacks or Libraries in some cases. In the UI, this could result in these extra files being considered drafts and cause an error when running policy validation in the Stack.
Decision mask drop action in Stack was not applied
Adding a drop action to a Stack decision mask did not drop decisions as expected.
Library with default name conflicts with Workspace policies
Using the package name default for a Git-backed Library name could result in conflicts with Workspace-level Git-backed policies.
Git sync failure and errors when fetching policies from Git branches
In rare cases, Git sync could fail for a tenant due to a conflict between multi-thread processes accessing the same Git repository copy in DAS. This could also result in API request errors when fetching files from a Git branch for that repository.
Datasource Agent receives 403 for agent status publishing with authz v2
Agent status updates from the Datasource Agent without an associated System ID receive a 403 when the tenant has authz v2 enabled. In these scenarios, the Datasource Agent will stop further agent status update requests, and the Datasource Agent version will not be displayed in the Deployments tab. This behavior only affects agent status updates (i.e., agent version and status) and does not impact datasource status updates. The Datasource Agent manifest for the Kubernetes System install instructions has been updated to include the STYRA_SYSTEM_ID env variable. Customers using the Datasource Agent in other Systems can manually update their Datasource Agent configurations to include the System ID. Customers using a single Datasource Agent to run datasources for multiple Systems or Stacks should omit the System ID from the configuration to prevent the agent from filtering datasources to only those for the configured System ID.
Entitlements built-in library rules shown outside of Policy package
The built-in library rules for the Entitlements system type were shown outside of the Policy package namespace.
Decision replay fails for Systems with invalid policies
For Systems with invalid policies (e.g., an invalid import reference), decision replay would fail without any error indication.
Decision replay fails for Custom Systems without Library data
For some Custom system configurations, decision replay could fail if the system did not import any Library data.
DAS UI crash when mocking Enterprise OPA sql.send
When mocking the Enterprise OPA sql.send built-in in DAS and running Preview on a policy, the UI could crash if the mock was missing required data.
Editor autocomplete shown when moving cursor or clicking
The DAS UI editor autocomplete suggestions were shown on cursor move or mouse click rather than just after keyboard changes.