OPA v0.68.0 #628
johanfylling
announced in
Announcements
OPA v0.68.0
#628
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
This release contains a mix of features and bugfixes.
Breaking Changes
entrypoint
annotation impliesdocument
scope (#6798)The entrypoint annotation's scope requirement
has changed from
rule
todocument
(https://github.com/open-policy-agent/opa/issues/6798).Furthermore, if no
scope
annotation is declared for a METADATA block preceding a rule, the presence of anentrypoint
annotation with a
true
value will assign the block adocument
scope, where therule
scope is otherwise the default.In practice, a rule entrypoint always point to the entire document and not a particular rule definition. The previous behavior was a bug, and one we've now addressed.
Authored by @anderseknert
Topdown and Rego
Runtime, Tooling, SDK
copy
method copy all values (#6949) authored by @anderseknertopa exec
: This command never supported "pretty" formatting (--format=pretty�
or-f pretty
), onlyjson
. Passingpretty
is now invalid. (#6923) authored by @srenatusNote that the flag is now unnecessary, but it's kept so existing calls like
opa exec -fjson ...
remain valid.Security Fix: CVE-2024-8260 (#6933)
This release includes a fix where OPA would accept UNC locations on Windows. Reading those could leak NTLM hashes.
The attack vector would include an adversary tricking the user in passing an UNC path to OPA, e.g.
opa eval -d $FILE
.UNC paths are now forbidden. If this is an issue for you, please reach out on Slack or GitHub issues.
Reported by Shelly Raban
Authored by @ashutosh-narkar
Docs, Website, Ecosystem
opa-config.yaml
as name for config file (#6966) (#6959) authored by @anderseknerthttp.send
in inter-query cache config docs (#6953) authored by @anderseknertMiscellaneous
Beta Was this translation helpful? Give feedback.
All reactions