Release Notes for Self-Hosted Styra DAS

Starting with Self-Hosted Styra DAS 0.9.0, Styra DAS is transitioning to using Self-Hosted Styra DAS instead of Styra DAS On-Premises.

Self-Hosted Styra DAS 0.9.0 was released on 11-2-22.

New Features

The following new features are included in this version of Self-Hosted Styra DAS.

Bundle Promotion

Bundle Promotion copies a source Independent bundle from a source System to a destination System.

Multiple Bundles

When Separate Data Bundles and Policy Bundles is configured in Bundle Registry, the System Deployments tab lists two bundles, a System Dependent bundle and a System Independent bundle.

Delta Bundles

Delta Bundles provide a more efficient way to make data changes by only updating the delta changes to the Snapshot Bundle. By leveraging Delta Bundles, Styra DAS propagates data changes to OPAs and SLPs more efficiently. To enable this feature, please contact your Styra Customer Success Manager.

External Bundles

External Bundles are used to configure Styra DAS to allow OPA to access bundles or services from external registries, without the bundles being accessible by Styra DAS. This feature can be used to protect sensitive data. To enable this feature, please contact your Styra Customer Success Manager.

Custom Snippets

A Custom Snippet is a visual rendering of the parameters and values needed to configure a policy condition. To enable this feature, please contact your Styra Customer Success Manager.

Okta Data Source

The Okta Data Source allows you to expose your Okta users, groups, roles, and applications to Styra DAS as a Data Source. To enable this feature, please contact your Styra Customer Success Manager.

Enhancements

The following enhancements are included in this version of Self-Hosted Styra DAS.

OPA Update

Styra DAS is updated with OPA 0.44.

SLP Update

Styra DAS is updated with SLP 0.5.0. SLP 0.5.0 adds support for OPA 0.44 for Delta Bundles.

AWS IAM Role Support

Added AWS IAM Role support for the S3 backend for Bundle Registry.

Styra DAS UI

Added support for "if" and "contains" keywords in the Styra DAS Editor.

HTTPS Data Source

The Method drop-down box in the HTTPS Data Source dialog box now includes a new QUERY option. To enable this feature, please contact your Styra Customer Success Manager.

HTTP Pull Data Source

The HTTP Pull Data Source has been enhanced for configuration parity with OPA http.send. There are three new fields supported:

  • method - to POST rather than GET
  • raw_body - to POST form encoded data
  • body - to POST JSON data

Kubernetes System Enhancement

The Kubernetes System supports Ephemeral containers. This enhancement is enabled through Styra Customer Success.

Envoy 2.1 System Enhancement

The Envoy System now supports controlling the configuration of the OPA Envoy plugin.

Istio System Enhancement

The Istio System can be installed without SLP.

Entitlements System New Snippets

The Entitlements System “ABAC: Resource Has Attributes” snippet contains enhanced functionality. The Entitlements System adds a new Who Can Do What snippet, which injects into the decision the actions and resources that the request subject is explicitly allowed or denied access to. The Entitlements System adds a new Who Can Do This snippet, which provides the ability to determine which subjects have explicit allow or deny permissions on a resource or action combination.

Entitlements System Enhancement

The Entitlements System input transformations have been updated to include an example of how to decode a JWT token and place the decoded token in the context field.

Git Commits

A Styra DAS user authenticated through SSO will have their name from SSO claims used as the Git Commit Author parameter. For non-SSO users, the email ID of the user is used as the Author and Email parameters in a Styra DAS generated Git commit.

Token Expiration

A week before a token expires, a warning is now sent to SSO Workspace Administrators and to users explicitly assigned the Workspace Administrator role. To enable this enhancement, please contact your Styra Customer Success Manager.

OAUTHBEARER SASL Authentication

OAUTHBEARER SASL authentication is now included as an option for Kafka Decisions Export and User Activity Export.

Repo Scan

  • In Repo Scan, the list of repositories is now sorted by default and can be filtered to support organizations with large numbers of repositories.

  • In Repo Scan, the Compliance view has been updated to present data in a more useful and usable format.

  • If Repo Scan has no results (because there are no violations or because of a Repo Scan error) the display is more communicative and user-friendly.

Entitlements Diagnostics

In the Entitlements System, a Run Diagnostics button was added to the policy preview input panel. When clicked, Diagnostics is run using the preview input and the user is redirected to the Diagnostics view.

Trusted Certificate Authority

When any new System is created, the "Edit deployment environment" option includes "Trusted Certificate Authority".

Fixed Issues

The following fixed issues are included in this version of Self-Hosted Styra DAS.

SQL Database

An internal error that caused the SQL database to close unexpectedly was resolved through optimized database connection handling.

Relay Client

Styra adds the ability to force-evict a relay client by ID when it gets into an unhealthy state, to expedite troubleshooting.

Entitlements Installation

The Entitlements "Kubernetes Service" installation command has been fixed.

Stack Policy

Errors in a stacks policy prevented system validation from working.

Decision Replay

Decision Replay loaded incorrect input data.

System Install Commands on Windows

The System install commands did not work properly for Windows.

Data Source Publication

Publishing a Data Source through the Styra DAS UI incorrectly made two requests. One request used the wrong method and returned a 409 status code while the other succeeded.

Repo Scan

Previously in Repo Scan if the Scan Again button was clicked, there was no indication any action was occurring. Now a loading spinner is displayed.

HTTPS Data Source

When an HTTPS Data Source was created using the JSON option, no content-type header was set.

User Deletion

Events from user deletion were not added to the Activity Log.

Kubernetes System Mutating Webhook

The Kubernetes System Mutating Webhook was hardcoded and could not be edited. Mutating Webhooks can now be edited through a template variable in the Helm Chart.

Entitlement System Diagnostics

Fixed an issue where hard-coding fields in data.object could cause running diagnostics to fail.

External API Spikes

External API spikes have been seen during periodic compliance computations. http.send is the possible cause of the API spikes and was replaced with the noop function.