Release Notes for Self-Hosted Styra DAS
Starting with Self-Hosted Styra DAS 0.9.0, Styra DAS is transitioning to using Self-Hosted Styra DAS instead of Styra DAS On-Premises.
Self-Hosted Styra DAS 0.9.0 was released on 11-2-22.
New Features
The following new features are included in this version of Self-Hosted Styra DAS.
Bundle Promotion
Bundle Promotion copies a source Independent bundle from a source System to a destination System.
Multiple Bundles
When Separate Data Bundles and Policy Bundles is configured in Bundle Registry, the System Deployments tab lists two bundles, a System Dependent bundle and a System Independent bundle.
Delta Bundles
Delta Bundles provide a more efficient way to make data changes by only updating the delta changes to the Snapshot Bundle. By leveraging Delta Bundles, Styra DAS propagates data changes to OPAs and SLPs more efficiently. To enable this feature, please contact your Styra Customer Success Manager.
External Bundles
External Bundles are used to configure Styra DAS to allow OPA to access bundles or services from external registries, without the bundles being accessible by Styra DAS. This feature can be used to protect sensitive data. To enable this feature, please contact your Styra Customer Success Manager.
Custom Snippets
A Custom Snippet is a visual rendering of the parameters and values needed to configure a policy condition. To enable this feature, please contact your Styra Customer Success Manager.
Okta Data Source
The Okta Data Source allows you to expose your Okta users, groups, roles, and applications to Styra DAS as a Data Source. To enable this feature, please contact your Styra Customer Success Manager.
Enhancements
The following enhancements are included in this version of Self-Hosted Styra DAS.
OPA Update
Styra DAS is updated with OPA 0.44.
SLP Update
Styra DAS is updated with SLP 0.5.0. SLP 0.5.0 adds support for OPA 0.44 for Delta Bundles.
AWS IAM Role Support
Additional support for the AWS IAM Role supports S3 backend for Bundle Registry.
Styra DAS UI
Added support for "if" and "contains" keywords in the Styra DAS Editor.
HTTPS Data Source
The HTTPS Data Source dialog box now includes a new field in the Method drop-down box for QUERY. To enable this feature, please contact your Styra Customer Success Manager.
HTTP Pull Data Source
The HTTP Pull Data Source has been enhanced for configuration parity with OPA http.send. There are three new fields supported:
method
- to POST rather than GETraw_body
- to POST form encoded databody
- to POST JSON data
Kubernetes System Enhancement
The Kubernetes System supports Ephemeral containers. This enhancement is enabled through Styra Customer Success.
Envoy 2.1 System Enhancement
The Envoy System now supports controlling the configuration of the OPA Envoy plugin.
Istio System Enhancement
The Istio System can be installed without SLP.
Entitlements System New Snippets
The Entitlements System “ABAC: Resource Has Attributes” snippet contains enhanced functionality. The Entitlements System adds a new Who Can Do What snippet, which injects the actions and resources the request subject is explicitly allowed or denied access to into the decision. The Entitlements System adds a new Who Can Do This snippet, which provides the ability to determine which subjects have explicit allow or deny permissions on a resource, or action combination.
Entitlements System Enhancement
The Entitlements System input transformations have been updated to include an example of how to decode a JWT token and place the decoded token in the context field.
Git Commits
A Styra DAS user authenticated through SSO will have their name from SSO claims used as the Git Commit Author parameter. For non-SSO users the email ID of the user is used as Author and Email parameter in a Styra DAS generated Git commit.
Token Expiration
A week before a token expires, a warning is now sent to SSO Workspace Administrators and to users explicitly assigned the Workspace Administrator role. To enable this enhancement, please contact your Styra Customer Success Manager.
OAUTHBEARER SASL Authentication
OAUTHBEARER SASL authentication is now included as an option for Kafka Decisions Export and User Activity Export.
Repo Scan
-
In Repo Scan, the list of repositories are now sorted by default and can be filtered to support organizations with large numbers of repositories.
-
In Repo Scan, the Compliance view has been updated to present data in a more useful and usable format.
-
If Repo Scan has no results (because there are no violations or because of a Repo Scan error) the display is more communicative and user-friendly.
Entitlements Diagnostics
In the Entitlements System, a Run Diagnostics button was added to the policy preview input panel. When clicked, Diagnostics is run using the preview input and the user is redirected to the Diagnostics view.
Trusted Certificate Authority
When any new Systems is created, the "Edit deployment environment" option includes "Trusted Certificate Authority".
Fixed Issues
The following fixed issues are included in this version of Self-Hosted Styra DAS.
SQL Database
An internal error that caused the SQL database to close unexpectedly was resolved through optimized database connection handling.
Relay Client
When a relay client gets into an unhealthy state, Styra adds the ability to force-evict the relay-client by ID to expedite troubleshooting.
Entitlements Installation
The Entitlements "Kubernetes Service" installation command has been fixed.
Stack Policy
Errors in a stacks policy prevented system validation from working.
Decision Replay
Decision Replay loaded incorrect input data.
System Install Commands on Windows
The System install commands did not work properly for Windows.
Data Source Publication
Publishing a Data Source through the Styra DAS UI incorrectly made two requests. One request used the wrong method and returned a 409 status code while the other succeeded.
Repo Scan
Previously in Repo Scan if the Scan Again button was clicked, there was no indication any action was occurring. Now a loading spinner is displayed.
HTTPS Data Source
When a HTTPS Data Source is created using the JSON option, no content-type header was set.
User Deletion
Events from user deletion were not added to the Activity Log.
Kubernetes System Mutating Webhook
The Kubernetes System Mutating Webhook was hardcoded and could not be edited. Mutating Webhooks can now be edited through a template variable in the Helm Chart.
Entitlement System Diagnostics
Fixed an issue where hard-coding fields in data.object could cause running diagnostics to fail.
External API Spikes
External API spikes have been seen during periodic compliance computations. http.send
might be the possible cause for the API spikes and was replaced with the noop
function.