Release Notes: OPA v0.31.0 #4
peteroneilljr
announced in
Announcements
This release contains performance improvements for evaluating partial sets and objects, and introduces a new ABI call to OPA's Wasm modules to speed up Wasm evaluations.
It also comes with an improvement for checking policies: unsafe declared variables are now caught at compile time. This means that some policies that have been working fine with previous versions, because their unsafe variables had never been queried, will fail to compile with OPA 0.31.0. See below for details and what to do about that.
Spotlights
Partial Sets and Objects Performance
Resolving an issue (#822) created on July 4th 2018, OPA can now cache the results of partial sets and partial objects. A benchmark that accesses a partial set of increasing size twice shows a saving of more than 50%. These numbers were gathered querying `fixture[i]; fixture[j]` with a policy (not reproduced on this page) in which `n` is 10, 100, or 1000.
There are multiple access patterns that are accounted for: if a ground scalar is used to access a previously not-cached partial rule, the evaluation algorithm will calculate the set membership of `input.user` only, and cache the result. If there is a query that requires evaluating the entire partial, however, the algorithm will also cache the entire partial, thus avoiding extra evaluations later on. The same is true if `managers` was used as a fully materialized set in an execution.
This also means that the question of whether or not to write a set as a partial set rule (`q[x] { ... }`) becomes much less important for policy evaluation performance.
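As an added example (not from the release notes), the following policy exercises both access patterns described above against a single partial set rule; the `staff` data and the `managers`, `allow` and `manager_count` names are constructed for illustration:

```rego
package demo

# Constructed sample data (not from the release notes); in a deployment this
# would typically live under data.* and be loaded from a bundle.
staff := [
    {"name": "alice", "role": "manager"},
    {"name": "bob", "role": "engineer"},
    {"name": "carol", "role": "manager"}
]

# Partial set rule: the set of names whose role is "manager".
managers[name] {
    some i
    staff[i].role == "manager"
    name := staff[i].name
}

# Access pattern 1: ground scalar lookup. OPA 0.31.0 only computes and caches
# whether input.user is a member; it does not need to build the whole set.
allow {
    managers[input.user]
}

# Access pattern 2: the entire partial set is needed. OPA 0.31.0 caches the
# full set, so a later membership lookup in the same evaluation reuses it.
manager_count := count(managers)

# Run with input {"user": "alice"}:
#   opa eval -d policy.rego -i input.json 'data.demo.manager_count; data.demo.allow'
# yields manager_count = 2 and allow = true; with {"user": "bob"}, allow is
# undefined because bob is not a member of managers.
```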
WebAssembly Performance
OPA-generated Wasm modules have gotten a fast-path evaluation method: by calling the one-off function `opa_eval`, which returns a pointer to the serialized result set (in JSON if format is 0, "value" format if 1), the number of VM calls needed for evaluating a policy via Wasm is drastically reduced. The performance benefit is huge.
The added `opa_eval` export comes with an ABI bump to version 1.2. See #3627 for all details.
Along the same line, we've examined the processing of query evaluations that are Wasm-backed through the `rego` package. This allowed us to avoid unnecessary work (#3666).
Unsafe declared variables now cause a compile-time error
Before this release, local variables that had been declared, i.e. introduced via the `some` keyword, had been able to slip through the safety checks unnoticed. For example, a policy with such a rule (not reproduced on this page) would not have caused any error as long as `data.demo.p` wasn't queried. Querying `data.demo.p` would return a "var requires evaluation" error. With this release, the erroneous rule no longer goes unnoticed, but is caught at compile time: "var x is unsafe".
The most likely fix is to remove the rule with the unsafe variable, since it cannot have contributed to a successful evaluation in previous OPA versions. See #3580 for details.
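An added example (not the snippet from the original notes) of the kind of rule the new check rejects, next to a version that binds the declared variable; the `input.scores` field is an assumption made for illustration:

```rego
package demo

# The pattern the compiler now rejects: `some x` declares x, but the body never
# binds it (a comparison does not assign). Before 0.31.0 this compiled and
# failed only when data.demo.p was queried ("var requires evaluation"); with
# 0.31.0 `opa check` reports "var x is unsafe", so it is commented out here.
#
# p {
#     some x
#     x > 0
# }

# One fix besides removing the rule: bind x before using it. Iterating over
# input.scores (an assumed input object) grounds x to each key, so the
# comparison below is safe.
p {
    some x
    input.scores[x] > 0
}

# Check from the shell before deploying:
#   opa check policy.rego
```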
Topdown and Rego
- New built-in function: `crypto.x509.parse_and_verify_certificates` (#3601), authored by @jalseth. This function enables you to verify that there is a chain from a leaf certificate back to the trusted root.
- New built-in function: `rand.intn` generates a random number between 0 and n (#3615), authored by @base698. The function takes a string argument to ensure that the same call, within one policy evaluation, returns the same random number.
- `http.send` enhancement: new `caching_mode` parameter to configure if deserialized or serialized response bodies should be cached (#3599).
- Custom built-in function enhancement: let custom builtins halt evaluation (#3534).
- Partial evaluation: fix stack overflow on certain expressions (#3559).
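An added example (not from the release notes) using the three built-in changes listed above in one policy; the URL, the `input.user` and `input.chain_pem` fields, and the rule names are constructed, and the `[valid, certs]` result shape of the x509 builtin is assumed from its documentation:

```rego
package demo

# rand.intn: the string argument is a key; the same key returns the same value
# within one policy evaluation, so every rule reading `bucket` agrees.
bucket := rand.intn("rollout", 100)

# Route ten percent of evaluations to a canary decision.
canary {
    bucket < 10
}

# http.send with caching_mode: cache the deserialized body so repeated calls
# within the cache TTL skip both the request and the JSON parsing.
# The URL is a placeholder; the body is assumed to be an object keyed by user.
resp := http.send({
    "method": "GET",
    "url": "https://allowlist.example/v1/users",
    "cache": true,
    "caching_mode": "deserialized"
})

allowlist := resp.body

allow {
    allowlist[input.user]
}

# crypto.x509.parse_and_verify_certificates: input.chain_pem is assumed to
# hold the leaf certificate followed by its intermediates and root, PEM
# encoded. The result is assumed to be [valid, certs]; only `valid` is used.
chain_ok {
    [valid, _] := crypto.x509.parse_and_verify_certificates(input.chain_pem)
    valid
}
```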
Tooling
- Query profiling: `opa eval --profile` now supports a `--count=#` flag to gather metrics and profiling data over multiple runs, and displays aggregate statistics for the results (#3651). This allows you to gather more robust numbers to assess policy performance.
- Docker images: publish static image (#3633). As of this release, you can use the statically-built Linux binary from a docker image: `openpolicyagent/opa:0.31.0-static`. It contains the same binary that has been published since release v0.29.4, statically linked to musl, with evaluating Wasm disabled.
Fixes
- `http.send`: ignore the `tls_use_system_certs` setting on Windows. Having this set to true (the default as of v0.29.0) would always return an error on Windows.
- A further fix puts the stack first in memory, so stack overflows now become "out of bounds" memory access traps. Before, they would silently corrupt the static data.
Server and Runtime
- New configuration for Management APIs: using `resource`, the request path for sending decision logs can be configured now (#3618), authored by @cbuto. `/logs` is still the default, but can now be overridden. With this change, the `partition_name` config becomes deprecated, since its functionality is subsumed by this new configurable.
Documentation
- Note events for debugging via explanations (#3628), authored by @enorix.
- `x["y"]` is necessary because `x.y` isn't valid (#3638), authored by @Hongbo-Miao.
- `type_name` builtin is natively implemented in Wasm.