openfga

Added

• Apply tags to requests that have been intentionally throttled (https://github.com/openfga/openfga/pull/1531). This will add a new log field titled "throttled" to such requests.

Fixed

• Panic that occurred on Check API with some authorization models and tuples (https://github.com/openfga/openfga/pull/1517)

Changed

• Modular Models (Schema 1.2) support is enabled by default and the experimental flag for it has been dropped (https://github.com/openfga/openfga/pull/1520)
• Bumped to Go 1.21.9 (https://github.com/openfga/openfga/pull/1523)

Security

• Patch CVE-2024-31452 - a critical issue where Check and ListObjects APIs returns incorrect results for some models and tuples. See the CVE report for more details.

Fixed

• Fix the count of datastore reads in the Check API (#1452)
• Fix the correct default used for dispatch throttling (#1479)

Security

• Bumped up the grpc-health-probe dependency in the published Docker image to the latest release which fixes some vulnerabilities (#1507)

Contributions

• Add homebrew release job by @chenrui333 (#780)

Added

• Include calls to ListObjects and StreamedListObjects methods in the dispatch_count histogram (#1427)
• Added request_duration_ms histogram which has datastore_query_count and dispatch_count as dimensions (#1444)
• Added new flag OPENFGA_AUTHN_OIDC_ISSUER_ALIASES to specify oidc issuer aliases (#1354) - Thanks @le-yams!
• Added experimental support for modular models via OPENFGA_EXPERIMENTALS=enable-modular-models (#1443). This will enable writing models that are split across multiple files.
• Added support for throttling dispatches (#1440). This will throttle Check requests that are overly complex. You can turn on this feature via OPENFGA_DISPATCH_THROTTLING_ENABLED and configured via OPENFGA_DISPATCH_THROTTLING_THRESHOLD and OPENFGA_DISPATCH_THROTTLING_FREQUENCY

Fixed

• Throw HTTP 400 when tuple condition is invalid instead of HTTP 500 (#1420)
• Fix model validation which threw error "no entrypoints defined" (#1422)

Deprecation ⚠️

• Histogram request_duration_by_query_count_ms will be removed in the next release, in favour of request_duration_ms (#1450)

Contribution

• Thanks @lekaf974 for enhancing NewLogger with builder pattern options (#1413)

Added

• Override option for timestamp in JSON logs (#1330) - thank you, @raj-saxena!
• OpenTelemetry tracing and attributes to check algorithm (#1331, #1388)
• Dispatch count to check response metadata as a query complexity heuristic (#1343)

Fixed

• Cycles detected during check now deterministically return with {allowed:false} (#1371, #1372)
• Fix incorrect path for gPRC health check (#1321)

Breaking Change ⚠️

The AuthorizationModelReadBackend interface method FindLatestAuthorizationModelID has changed to FindLatestAuthorizationModel for performance improvements. #1387

If you implement your own data store, you will need to make the following change:

func (...) FindLatestAuthorizationModelID(ctx context.Context, storeID string) (string, error) {
  //...get model ID
  return modelID, nil
}

func (...) FindLatestAuthorizationModel(ctx context.Context, storeID string) (*openfgav1.AuthorizationModel, error) {
  //...get model
  return model.(*openfgav1.AuthorizationModel), nil
}

Added

• Override option for timestamp in JSON logs (#1330) - thank you, @raj-saxena!
• OpenTelemetry tracing and attributes to check algorithm (#1331, #1388)
• Dispatch count to check response metadata as a query complexity heuristic (#1343)

Fixed

• Cycles detected during check now deterministically return with {allowed:false} (#1371, #1372)
• Fix incorrect path for gPRC health check (#1321)

Breaking Change ⚠️

The AuthorizationModelReadBackend interface method FindLatestAuthorizationModelID has changed to FindLatestAuthorizationModel for performance improvements. #1387

If you implement your own data store, you will need to make the following change:

func (...) FindLatestAuthorizationModelID(ctx context.Context, storeID string) (string, error) {
  //...get model ID
  return modelID, nil
}

func (...) FindLatestAuthorizationModel(ctx context.Context, storeID string) (*openfgav1.AuthorizationModel, error) {
  //...get model
  return model.(*openfgav1.AuthorizationModel), nil
}

Added

• Add ability to close all server resources through server.Stop() (#1318)

Changed

• Increase performance by removing redundant map.Clone() calls in model validation (#1281)

Fixed

• Fix the sorting of contextual tuples when generating a cache key during check (#1299)

Security

• Patch CVE-2024-23820 - a critical issue where issuing many ListObjects API calls that hit the --listObjects-deadline setting can lead to an out of memory error. See the CVE report for more details

Fixed

• Goroutine leak in ListObjects because of a leak in ReverseExpand (#1297)

Changed

• Reduce goroutine overhead in ListObjects (#1173)

Added

• Support for cancellation/timeouts when evaluating Conditions (#1237)
• Tracing span info for Condition evaluation (#1251)

Fixed

• Resolve rewrites involving exclusion (e.g. but not) more deterministically in Check (#1239)

• Record span errors correctly in Check, ListObjects, and StreamedListObjects (#1231)

• Log request validation errors correctly (#1236)

Changed

• Enable support for Conditional Relationship Tuples by default. (#1220)

  ⚠️ Prior to upgrading to this release please first upgrade to v1.3.10, and then you can proceed with upgrading to this release. Rolling back from this release to a release prior to v1.3.9 has negative side-effects because of the introduction of Conditions. If you rollback from this release to a release prior to v1.3.9 then conditional relationship tuples will be treated unconditionally, because relationship tuples prior to v1.3.9 had no concept of Conditions.

• Added stricter gRPC server max message size constraints (#1222)

  We changed the default gRPC max message size (4MB) to a stricter 512KB to protect the server from excessively large request context fields. This shouldn't impact existing clients since our calculated max message size should be much smaller than 512KB given our other input constraints.

Changed

• Bumped up to Go 1.21.5 (#1219)

Fixed

• Reorder protobuf fields for persisted Assertions (#1217)

  Assertions written on or after v1.3.8 should be re-written to resolve some binary encoding issues that were introduced.

• Handle floating point conversion errors in conditions (#1200)

Fixed

• Avoid panic when processing a nil set of writes (#1208) - thanks @stgraber!

• Decoding of null conditions in SQL storage implementations (#1212)

Added

• Experimental support for ABAC Conditional Relationships.

  To enable experimental support for ABAC Conditional Relationships you can pass the enable-conditions experimental flag. For example, openfga run --experimentals=enable-conditions. The upcoming v1.4.0 release will introduce official support for this new feature. For more information please see our official blog post. The v1.4.0 release will have more official documentation on openfga.dev.

  ⚠️ If you enable experimental support for ABAC and introduce models and/or relationship tuples into the system and then choose to rollback to a prior release, then you may experience unintended side-effects. Care should be taken!

  Read on for more information.

  If you introduce a model with a condition defined in a relation's type restriction(s) and then rollback to a prior OpenFGA release, then the model will be treated as though the conditioned type restriction did not exist.

  model
    schema 1.1
  
  type user
  
  type document
    relations
      define viewer: [user with somecondition]
  
  condition somecondition(x: int) {
    x < 100
  }
  

  and then you rollback to v1.3.7 or earlier, then the model above will be treated equivalently to

  model
    schema 1.1
  
  type user
  
  type document
    relations
      define viewer: [user]
  

  Likewise, if you write a relationship tuple with a condition and then rollback to a prior release, then the tuple will be treated as an unconditioned tuple.

  - document:1#viewer@user:jon, {condition: "somecondition"}
  

  will be treated equivalently to document:1#viewer@user:jon in v1.3.7 or earlier. That is, Check(document:1#viewer@user:jon) would return {allowed: true} even though at the tuple was introduced it was conditioned.

• Minimum datastore schema revision check in the server's health check (#1166)

  Each OpenFGA release from here forward will explicitly reference a minimum datastore schema version that is required to run that specific release of OpenFGA. If OpenFGA operators have not migrated up to that revision then the server's health checks will fail.

• Username/password configuration overrides for the openfga migrate entrypoint (#1133). Thanks for the contribution @martin31821!

  Similar to the server's main entrypoint openfga run, you can now override the datastore username and password with environment variables. when running the openfga migrate utility.

• Healthcheck definitions in Dockerfile (#1134). Thanks @Siddhant-K-code!

Changed

• Database iterators yielded by the RelationshipTupleReader storage interface now accept a context parameter which allows iteration to be promptly terminated (#1055)

  We have noticed improvements in query performance by adding this because once a resolution path has been found we more quickly cancel any further evaluation by terminating the iterators promptly.

• Improved tuple validation peformance with precomputation of TTUs (#1171)

• Refactored the commands in the pkg/server/commands package to uniformly use the Options builder pattern (#1142). Thanks for the contribution @ilaleksin!

• Upgraded to Go 1.21.4 (#1143). Thanks @tranngoclam!

Fixed

• If two requests were made with the same request body and contextual tuples but the order of the contextual tuples differed, then the cache key that is produced is now the same.(#1187)

• Use NoOp TracerProvider if tracing is disabled (#1139 and #1196)

Security

• Bumped up the grpc-health-probe dependency to the latest release which fixed some vulnerabilities.

Added

• Provenance manifests generation (openfga.intoto.jsonl) for verification of release artifacts with SLSA attestations.

Changed

• Removed the experimental flag check-query-cache.

  If you wish to enable the Check query cache you no longer need the experimental flag.

The v1.4.0-rc1 release is an experimental release candidate that introduces new support for ABAC Conditions in OpenFGA.

For more information, take a look at our blog post Conditional Relationship Tuples for OpenFGA. This blog post talks more about the feature and how to make use of it.

Added

• Export metrics from MySQL and Postgres (#1023)

Fixed

• Return all results when OPENFGA_LIST_OBJECTS_MAX_RESULTS=0 (#1067)
• Promptly return if max results are met before deadline in ListObjects (#1064)
• Fix sort order on ReadChanges (#1079)

Changed

• Write Authorization Models in a single database row (#1030)

  ⚠️ In order to avoid downtime, we recommend upgrading to at least v1.3.3 before upgrading to v1.3.5.

  This is the second of a series of releases that will progressively introduce changes via code and database migrations that will allow authorization models to be stored in a single database row.

  See here for more details.

Fixed

• Incorrect string in model validation error message (#1057)
• Incorrect results can be returned by Check API when passing in contextual tuples and the check-query-cache experimental flag is turned on (#1059)

Changed

• Bumped up to Go 1.21.3 (#1060)

Security

• Patches CVE-2023-45810. See the CVE for more details

Added

• Configurable size limit for Authorization Models (#1032)

  We've introduced a new size limit for authorization models, providing a consistent behavior across datastores, which defaults to 256KB. This can be configured by using the --max-authorization-model-size-in-bytes flag.

Fixed

• Reduce use of GOB in encoded cache key (#1029)

Changed

• Persist Authorization Models serialized protobuf in the database (#1028)

  In the next series of releases will progressively introduce changes via code and database migrations that will allow authorization models to be stored in a single database row.

  See here for more details.

Added

• Support TLS for OTLP trace endpoint (#885) - thanks @matoous
• Configurable limits to database reads per ListObjects query (#967)
• Datastore query count labels to traces and query latency histogram in ListObjects (#959)
• Github workflow to check markdown links (#1016) - thanks @sanketrai1

Fixed

• Change response code to internal error for concurrency conflicts (#1011)

Changed

• Use slices and maps packages from go1.21 (#969) - thanks @tranngoclam
• Moved request validations to RPC handlers so library integrations benefit (#975, #998)
• Refactored internal usages of ConnectedObjects to ReverseExpand (#968)
• Expose validation middleware (#1005)
• Upgrade grpc validator middleware to the latest v2 package (#1019) - thanks @tranngoclam

Security

• Patches CVE-2023-43645 - see the CVE for more details

  [BREAKING] If your model contained cycles or a relation definition that has the relation itself in its evaluation path, then Checks and queries that require evaluation will no longer be evaluated on v1.3.2+ and will return errors instead. You will need to update your models to remove the cycles.

Added

• Count datastore queries involved in Check resolution metadata (#880)

  OpenFGA request logs and traces will now include a field datastore_query_count that shows how many queries were involved in a single Check resolution.

• Histogram metric to report the datastore_query_count per Check (#924)

  This new metric can be used to report percentiles of the number of database queries required to resolve Check requests.

• Check request duration histogram labeled by method and datastore query count (#950)

  The request_duration_by_query_count_ms metric reports the total request duration (in ms) labelled by the RPC method and ranges of observations for the datastore_query_count. This metrics allows operators of an OpenFGA server to report request duration percentiles for Check requests based on the number of database queries that were required to resolve the query.

• Optimize Check to avoid database lookups in some scenarios (#932)

• CachedCheckResolver for caching Check subproblems (#891)

  This experimental feature adds new caching capabilities to the OpenFGA server. It is an "opt-in" feature and thus must be enabled. To enable this feature you must specify the experimental flag check-query-cache and set the --check-query-cache-enabled=true flag.

  openfga run --experimentals check-query-cache --check-query-cache-enabled=true
  

• Server request logs now include the user-agent (#943)

Changed

• Default Check and ListObjects concurrency read limits (#916)

  In our last release v1.3.0 we modified the default behavior of Check and ListObjects such that it limits/restricts the degree of concurrency that is allowed for a single request. This change was unintended. This release reverts the default behavior back to unbounded concurrency limits (the prior default). The change mostly affects those using OpenFGA as a library.

• Bumped up to Go 1.21 (#952)

Security

• Patches CVE-2023-40579 - see the CVE for more details