
Release Notes for Styra DAS On-Premises 0.4.0

Styra DAS On-premises 0.4.0 was released on April 28, 2020.

Release Summary

These release notes for Styra DAS On-premises 0.4.0 cover the binaries, new features and enhancements, issues fixed, and known issues and solutions.

Binaries

The Styra DAS On-premises 0.4.0 binaries are available at the following location.

  • Location: s3://styra-release/releases/0.4.0/on-premises.tar.gz
  • AWS Link: aws s3 presign s3://styra-release/releases/0.4.0/on-premises.tar.gz --expires-in 600000

New Features and Enhancements

This section describes the New Features and Enhancements that focus on Integration, Storage, Stacks and Systems components in Styra DAS On-premises 0.4.0.

Integration

  • Stream decision logs to Amazon Simple Storage Service (AWS S3): Styra offers the ability to stream decision logs to AWS S3, providing an unlimited historical record of decisions. This streaming occurs when decisions are received from Open Policy Agent (OPA). The decisions are stored as gzip JSON, with filenames prefixed with a timestamp (in nanoseconds) as a running identifier that is guaranteed to be unique.

Storage

  • Support out-of-band credential configuration for Elasticsearch: This feature allows you to configure Elasticsearch using a secret map similar to db_username and db_password.

  • Query the OpenID Connect (OIDC) user information endpoint when email information is not available in the identifier (id) token: Most OIDC providers return the necessary user attributes in the id token as part of the initial exchange with the provider. However, some OIDC providers require an additional user information query to obtain the necessary user details. For such providers, Styra extends the OIDC procedure to execute the user information endpoint query when the email information is not available in the id token.

  • Upgrade OPA to include new functionality for http.send response: This release makes the response headers part of the response object, so headers are included in the http.send response. You can now use OPA for policies on REST API endpoints and ensure that they conform to certain guidelines, like allowing Cross-Origin Resource Sharing (CORS) requests.

  • Inject custom CA certificates for backend pods: This release enhances the installation of custom CA certificates by configuring the corresponding CA certificate to the Styra CLI client.
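
The OIDC fallback described in the user information endpoint item above, as an added example (not Styra's code): it queries UserInfo only when the id token has no email and applies the OpenID Connect Core 5.3.2 rule that the UserInfo `sub` must match the id token `sub`. The names `resolve_email`, `fetch_userinfo` and `UserInfoMismatch` are hypothetical, the id token is assumed to be already validated, and the sample claims are constructed.

```python
from typing import Callable, Mapping, Optional


class UserInfoMismatch(Exception):
    """UserInfo response does not belong to the subject of the id token."""


def resolve_email(
    id_claims: Mapping[str, object],
    fetch_userinfo: Callable[[], Mapping[str, object]],
) -> Optional[str]:
    """Return the user's email, querying UserInfo only when the id token lacks it.

    id_claims: claims of an id token whose signature, issuer, audience and
        expiry were already validated by the caller (assumption).
    fetch_userinfo: hypothetical callable that performs the request to the
        provider's user information endpoint with the access token and
        returns the decoded JSON object.
    """
    email = id_claims.get("email")
    if isinstance(email, str) and email:
        return email  # common case: no extra round trip to the provider

    userinfo = fetch_userinfo()
    # OpenID Connect Core 5.3.2: the UserInfo "sub" must exactly match the
    # id token "sub"; otherwise the response must not be used.
    if not id_claims.get("sub") or userinfo.get("sub") != id_claims["sub"]:
        raise UserInfoMismatch("userinfo sub does not match id token sub")

    email = userinfo.get("email")
    return email if isinstance(email, str) and email else None


# Constructed sample claims (not real provider output).
ID_WITH_EMAIL = {"sub": "u-1001", "email": "alice@example.com"}
ID_WITHOUT_EMAIL = {"sub": "u-1002"}
USERINFO_OK = {"sub": "u-1002", "email": "bob@example.com"}
USERINFO_OTHER_SUBJECT = {"sub": "u-9999", "email": "carol@example.com"}

if __name__ == "__main__":
    print(resolve_email(ID_WITH_EMAIL, lambda: USERINFO_OK))
    print(resolve_email(ID_WITHOUT_EMAIL, lambda: USERINFO_OK))
```

Without the `sub` comparison, a UserInfo response for a different subject could supply the email used to identify the logged-in user.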

Systems

  • Introduce Kubernetes mutating webhook: Kubernetes provides multiple pluggable points for the review of authenticated API requests where a request can be inspected or even modified. This is achieved through admission control plugins. This feature allows you to use OPA policies to govern the behavior of the mutation and validation phases. A Styra Kubernetes system installs two webhooks, one each for the mutating and validating phases. You can use either one of them individually or both in combination. Each webhook is configured to query a specific data document on the OPA service present in the cluster.

Issues Fixed

This section describes the Issues Fixed in Styra DAS On-premises 0.4.0.

API

  • Prior to Styra DAS On-premises 0.4.0, an HTTP POST call that created a new SSO provider configuration checked for an existing configuration with the same identifier only if the HTTP If-None-Match header was defined. Therefore, multiple SSO providers with the same identifier were created. Starting from Styra DAS On-premises 0.4.0, the HTTP If-None-Match header is not required and the HTTP POST call checks for a conflict by default.

On-Premises

  • The deployment kind version extensions/v1beta1 used by the "on-premises.yaml" was deprecated, and moved to the new apps/v1 version.

Known Issues and Solutions

This section describes the Known Issues and Solutions in Styra DAS On-premises 0.4.0.

  • Using IAM roles for S3 streaming and a local ES is not working.

UI

When you write a test and run it by Previewing or Validating the test itself, you might receive a “function not defined” error, because the function you are testing is defined in the draft version of the policy under test.

Workaround: Run the test by Validating the draft policy itself instead of the test module.