Release Notes for Self-Hosted Styra DAS
Self-Hosted Styra DAS 0.16.2 was released on October 28th, 2024.
New Features and Changes
Beta UI Additions
- Added compliance policies to policy editor.
- Added support for additional user roles.
- Added manual bundle deployment flow support to the Beta UI.
- Added support for the eopa CLI login flow.
- Updated error notification display.
Spring Boot SDK system type
The new Spring Boot SDK system type can be used to manage a Spring Boot AuthorizationManager provided by the OPA Spring Boot SDK. This can enable DAS to create and manage request authorization policies with existing Spring Boot applications which take advantage of Spring Security. The Spring Boot SDK system type is optimized for use with the visual Policy Builder in the Beta UI.
Upgraded to OPA v0.68.0
The internal version of OPA used by Styra DAS has now been upgraded to OPA 0.68.0.
Agentloader v2: Improved decision log indexing performance and System-level decision log export configuration
A new decision log ingestion architecture is now available, supporting a number of performance improvements as well as enabling System-level decision log export configuration for more granular control over decision export targets. Performance improvements include a 10x higher decision indexing rate and improved scaling to process large, sudden spikes in the number of decision logs, reducing the time for decisions to become searchable in DAS and reducing the time to export decisions to external targets. This is now available to self-hosted customers via the AGENTLOADER_V2 feature flag by adding it to your Helm values file with a value of true.
Improved Systems, Stacks, and Libraries API performance
Optimizations to Stacks and Libraries improve the performance of these APIs, particularly when fetching larger lists of Stacks or Libraries or when fetching a large individual Stack or Library with many packages and policies. This includes the addition of new query parameters to the ListStacks, GetStack, and LibrariesGet API operations to filter the details returned for Stack and Library resources. Initial UI load and UI interactions with Stacks and Libraries will see improved speed as a result of these optimizations, in addition to optimizations to improve the speed of loading a System when opening a System's file tree or navigating to a System.
Additional query parameters for Systems APIs
On the ListSystems API operation, the minimum_opa_version, stacks, and migration_history query parameters have been added. On the GetSystem API operation, the rule_counts, authz, metadata, minimum_opa_version, and migration_history query parameters have been added.
Rename min_opa_version to minimum_opa_version on Stacks APIs
On the ListStacks and GetStack API operations, the min_opa_version parameter has been renamed to minimum_opa_version for consistency with other APIs.
Authz v2 Rolebindings API pagination
The GET v2/authz/rolebindings API now supports limit and offset query parameters to allow for paginating rolebindings results.
StackConfigurationManager role
The new StackConfigurationManager role provides for read access to Stacks while allowing for managing Stack settings, such as Git configuration.
Prometheus OPA bundle metrics
Two new Prometheus metrics are now available to track OPA bundle status:
- opa_missing_active_system_bundle: Reported if OPA does not have a System bundle.
- opa_not_using_active_system_bundle: Reported if the revision of the System bundle that OPA has does not match the active bundle for the System.
Prometheus active OPAs metric
The active_opas Prometheus metric is now available to track the number of active agents (OPA or Enterprise OPA) for a system. Use this metric to monitor whether systems have an active agent or the expected number of active agents.
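The bundle-status and active-agent metrics above can be checked together. The following is an added example, not part of the Styra release notes or Styra's own code, that reads a constructed scrape and lists systems with too few active agents, no System bundle, or a bundle revision that is not the active one. The system_id label, the sample values, and treating any value above zero as "reported" are assumptions of this example.

```python
import re

# Constructed sample in Prometheus text exposition format. Metric names come
# from the release notes; the "system_id" label and values are assumptions.
SAMPLE_SCRAPE = """\
# TYPE active_opas gauge
active_opas{system_id="sys-a"} 3
active_opas{system_id="sys-b"} 0
active_opas{system_id="sys-c"} 1
opa_missing_active_system_bundle{system_id="sys-c"} 1
opa_not_using_active_system_bundle{system_id="sys-a"} 2
"""

SAMPLE_LINE = re.compile(r'^(\w+)\{([^}]*)\}\s+(\S+)$')
LABEL = re.compile(r'(\w+)="([^"]*)"')
BUNDLE_METRICS = ("opa_missing_active_system_bundle", "opa_not_using_active_system_bundle")

def parse_scrape(text):
    """Return {metric_name: {system_id: value}} for labelled samples."""
    metrics = {}
    for line in text.splitlines():
        match = SAMPLE_LINE.match(line.strip())
        if not match:  # skips comments, blank lines and unlabelled samples
            continue
        name, labels, value = match.groups()
        system = dict(LABEL.findall(labels)).get("system_id")
        if system is not None:
            metrics.setdefault(name, {})[system] = float(value)
    return metrics

def bundle_findings(text, expected_agents):
    """List (system, problem) pairs; expected_agents maps system -> minimum count."""
    metrics = parse_scrape(text)
    findings = []
    for system, minimum in sorted(expected_agents.items()):
        # A system with no active_opas sample is treated as having zero agents.
        active = metrics.get("active_opas", {}).get(system, 0)
        if active < minimum:
            findings.append((system, f"active_opas={active:g}, expected>={minimum}"))
        for name in BUNDLE_METRICS:
            count = metrics.get(name, {}).get(system, 0)
            if count > 0:  # assumption: any positive value means "reported"
                findings.append((system, f"{name}={count:g}"))
    return findings

if __name__ == "__main__":
    expected = {"sys-a": 3, "sys-b": 1, "sys-c": 2, "sys-d": 1}
    for system, problem in bundle_findings(SAMPLE_SCRAPE, expected):
        print(system, problem)
```

A system that appears in the expected map but not in the scrape (sys-d here) is flagged as having no active agents, which catches systems that have stopped reporting entirely.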
Datasource agent token permissions updated
To ensure Datasource agents have the correct permissions to report new status details, any existing Datasource agent tokens missing the required permission have been updated.
Fixed Issues
Increased amount of scanned rows in PostgreSQL impacted database resource usage
For certain customers, a change in the PostgreSQL query interface in 0.16.1 resulted in large queries increasing the PostgreSQL transaction count and impacting database resource usage.
Policy metadata changes via Git sync not indexed
In some cases with complex policy file layouts with sub-packages, when multiple files change in Git and sync to DAS, metadata for some of these files did not update. This metadata included both package-level metadata (e.g., created by, created at, etc.) as well as Rego-level metadata (e.g., rule names and METADATA blocks).
Policy bundle activated without context bundle due to build error
In cases where separate policy and context/data bundles are configured for a System and a bundle build error occurred for the context bundle, the policy bundle could be marked active without marking the corresponding context bundle as active.
metadata parameter ignored on Stacks APIs
On the ListStacks and GetStack API operations, the metadata parameter did not change API behavior as expected when set to false.
HandleDecision API resolution field value type unclear
The resolution field in the HandleDecision API operation provided unclear value type requirements. The API has been updated to provide clarity on the value types accepted.
Kubernetes OPA manifest memory limit invalid
Modifying a Kubernetes System's OPA memory limit deployment configuration resulted in an invalid manifest file.
OPA version chart unexpected ordering
On the Workspace dashboard, the OPA version chart ordered versions in an unexpected manner. The chart will now list versions with the most connected agents first.
Unclear OIDC issuer error during SSO configuration
During SSO configuration, a generic configuration error was returned without details if the OIDC issuer did not match the issuer returned by the provider.
UI Rego parser recognizing only first two operands
In conditions with 3 or more operands (e.g., count(data.x | data.y | data.z)), the UI Rego parser only recognized the first two operands.
User activity export configuration changes failed to save
In the UI, some users reported being unable to save changes to the Workspace-level user activity export configuration.
UI error on Deployments with older SLP versions
When using older SLP versions, missing expected data would cause a UI error on the Deployments page.