Skip to main content

Release Notes for Styra DAS On-Premises 0.4.1

Styra DAS On-premises version 0.4.1 was released on May 12, 2020.

Release Summary

Styra DAS On-premises 0.4.1 delivers the key requirements, location of Styra DAS On-premises 0.4.0, installation docs, new features and enhancements, and the list of fixed issues.

Requirements

Any upgrade to Styra DAS On-premises 0.4.1 will require Styra DAS On-premises 0.4.0 to be installed first, or a disruptive upgrade.

important

All pods must be stopped prior to the upgrade.

Binaries

The following shows the location for Styra DAS On-premises 0.4.1.

  • Location: s3://styra-release/releases/0.4.1/on-premises.tar.gz.
  • AWS Link: aws s3 presign s3://styra-release/releases/0.4.1/on-premises.tar.gz --expires-in 600000.

Documentation

The Styra DAS On-premises installation docs are now available on <das-id>S.styra.com/v1/docs/install-on-prem/overview/ .

New Features and Enhancements

This section describes the Enhancements in Styra DAS On-premises 0.4.1.

Decision Replay

  • Prior to this release, logreplay only replayed decisions for at most 30 seconds. Therefore, logreplay was not used for analysis of big volume decisions. This release enhances the use of replay API by introducing a timeout mechanism that allows arbitrary timeout values for the logreplay. A configuration option to set the maximum replay duration is also added.

  • If data patches are provided in the request, then they are applied to the Rego data namespace before each decision replay. This could cause performance issues for larger patches and lack of ability to reuse previously loaded and patched data for subsequent queries. This release enhances the implementation details to cache the data namespace for decisions of the same revision.

Issues Fixed

This section describes the Issues Fixed in Styra DAS On-premises 0.4.1.

On-Premises

  • Support for utilizing mixture of authentication mechanisms for communications with different AWS services was added.

Examples are listed, as follows:

  • Using static credentials for local Elasticsearch (ES).

  • Using Identity and Access Management (IAM) roles authentication for AWS managed Simple Storage Service (S3).

  • OPA built-ins http.send and opa.runtime was mocked, and the ALLOW_UNSAFE_BUILTINS feature flag was deprecated.

Storage

  • When users were deleted, they were not fully removed from the rolebindings where they were attached. For example, an owner assigned to a given system. When the system ownership was changed, the patch was not supported. The UI added a new user by pulling the current list, adding the new user, and pushing the updated list. But, the handler rejected subjects list where the user was not valid. Therefore, the system owner bug was changed after the owner deletion. Starting from Styra DAS On-premises 0.4.1, do not return non-existent owners when pulling the current rolebindings.

Systems

  • When the kustomize.yaml file was not added to the Kustomize tar generation logic, the Kustomize installation option for the Kubernetes system did not include the MutatingWebhookConfiguration resource. This issue was fixed by adding the kustomize.yaml file to tar that is generated for Kustomize download.

  • For every 30 seconds, the false changes were reported for Git mounted policies causing performance issues. This issue occurred when Git or Rego data source plugin reported insignificant timestamps on each execution, which changed the data source revision even though the files did not change. Starting from Styra DAS On-premises 0.4.1, the data source plugin updates were reduced to significant changes only (file contents or folder structure).