ยซ Changelog History


keto v0.10.0-alpha.0 Release Notes

Release Date: 2022-09-27 // over 1 year ago

  • ๐Ÿš€ This release ships the long-awaited Ory Permission Language (a.k.a. ๐Ÿ‘‰ userset-rewrites) ๐ŸŽ‰. You can now define global ๐ŸŒ rules for permissions, like "every user who is an owner also has read access", and many more. Best of all, you don't have to learn a new language to express these rules, but instead just ๐Ÿ‘‰ use a subset of TypeScript. Therefore syntax highlighting, formatting tools, ๐Ÿ‘• linters, unit test frameworks, ... work out of the box ๐Ÿ“ฆ! We will give a talk ๐Ÿ—ฃ๏ธ about how we ended up with this solution at the Ory Summit, so make sure to sign up or watch the recoding on YouTube later. Start exploring the Ory Permission Language ๐Ÿ“„ by following our guide ๐Ÿ“–. ๐Ÿš€ This is only the most shiny โœจ feature we packed into this release, see the full ๐Ÿ”„ changelog for all the other fixes and features we included.

    ๐Ÿ› Bug Fixes

    • Concurrency-safe graph utils (ea9dda9)
    • Correct paths in TypeScript SDK (#1025) (8b30508)
    • Do not setup /etc/nsswitch.conf on alpine (1f9fa96):

    Go fixed the initial issue and does not rely on that file anymore, see https://github.com/golang/go/issues/35305

    • Race in serve metrics init (5f4c19b)
    • โœ‚ Remove check constraint (54c00c3):

    Tests now use the new httpclient to properly handle empty strings vs strings (where the value is omitted in the JSON request).

    http*request** metrics contain data related only to /metrics/prometheus endpoint. This commit adds endpoints from non-monitoring routers.

    • fix: register read and write routers with PrometheusManager

    • fix: register read and write routers with PrometheusManager p2

    • fix: register read and write routers with PrometheusManager p3

    • feat: grpc request metrics

    • chore: add test

    • chore: revert gRPC metric test

    • chore: re-trigger ci

    • chore: re-trigger ci

    • chore: re-trigger ci

    • fix: lint

    • fix: cve

    • fix: better error handling

    • chore: remove old httpclient

    Enable TLS and certificate checking in the gRPC client when communicating with remote hosts.

    • Uuid mapping migration paginates (3a5fb2c)
    • Validate tuples for non-nil subject (a22dd19)

    ๐Ÿ‘ท Build System

    Code Generation

    • ๐Ÿš€ Pin v0.10.0-alpha.0 release commit (52259a3):

    Bumps from v0.10.0-alpha.0.pre.0

    ๐Ÿ”จ Code Refactoring

    • Generalize tree structure (6a0b2fe):

    This will allow reusing the tree to provide debug info on how a check decision was reached.

    ๐Ÿ“š Documentation

    • โž• Add initial documentation example for rewrites (065ce46)
    • ๐Ÿ›  Fix version meta schema (b054b24)

    ๐Ÿ”‹ Features

    • โž• Add bearer token auth (5110f63)
    • ๐Ÿ”ง Configure subject-set rewrites (0ce1519):

    The subject-set rewrites can now be configured through the Ory Permission Language (OPL), which is a subset of TypeScript. The OPL config is referenced in the central configuration under namespaces as such:

      [...]
  namespaces:
    location: <location>
  [...]

    The can be any valid file, directory or URI.

    • ๐Ÿ”’ Fine-grained control over transport security (5f056b7):

    This adds two new flags to the Keto CLI:

    • --insecure-disable-transport-security: Use plaintext instead of TLS
    • --insecure-skip-hostname-verification: Use TLS, but do not verify the certificate

    By default, the Keto CLI now connects to the remote via TLS and verifies the hostname.

    • OPL typescript library on npm (446fe7d)
    • Simpler notation for subjects w/o relation (ec979df)
    • Subject-set rewrites (6f61af8)
    • ๐Ÿ‘Œ Support subject sets in check (1760459)

    โœ… Tests

    • โž• Add cases for checking subject sets (93aee83), closes #985

Previous changes from v0.9.0-alpha.0

  • ๐Ÿš€ This release ships a few changes in the API paths. Requests and responses were ๐Ÿ”จ not changed. However, we did A LOT of internal refactoring and improvements on the persistence layer. Some naming in the SDKs changed, it is a lot cleaner now. ๐Ÿšš One important change is that we removed the single table migrator. From now on to migrate from v0.6.0-alpha.1, please first migrate the legacy namespaces using v0.8.0-alpha.2 We also overhauled the whole persistence structure to ensure high scalability. This means that the migration might take a bit longer than usual, โœ… so please test the process first on a backup or staging environment. For all the details, check out the full changelog.

    ๐Ÿ’ฅ Breaking Changes

    ๐Ÿšš keto namespace migrate ... commands were removed. To migrate from v0.6.0-alpha.1, please first migrate the legacy namespaces using v0.8.0-alpha.2

    โฌ†๏ธ The protobuf API was bumped to v1alpha2. Please upgrade your client dependency ๐Ÿ‘ to that version. v1alpha1 is still supported for now, but might be dropped soon.

    ๐Ÿ›ฐ Some payload keys are now (not) required anymore. The generated SDKs will likely have breaking changes.

    Co-authored-by: Patrik [email protected] Co-authored-by: hperl [email protected]

    /check is now /relation-tupes/check

    /expand is now /relation-tuples/expand

    /relation-tuples is now /admin/relation-tuples for write APIs

    ๐Ÿ“ฆ gRPC package is now called ory.keto.relation_tuples.v1alpha2

    ๐Ÿ›  gRPC relation-tuple-delta action enum names are prefixed with ACTION_

    ๐Ÿ› Bug Fixes

    • cli: Make flag registration non-racy (8415ced)
    • 0๏ธโƒฃ Enable telemetry by default (9dc8c7c)
    • Hide relation tuples with deleted namespace (cb1a2dd)

    Code Generation

    • ๐Ÿš€ Pin v0.9.0-alpha.0 release commit (6a13898)

    ๐Ÿ”จ Code Refactoring

    This change refactors the API paths to be consistent with the rest of the Ory ecosystem. This step is required for the unified Ory SDK. Additionally, as we plan to add high level APIs, e.g. for RBAC. The check and expand API paths changed to allow adding those.

    • ๐Ÿ”„ Change pagination to use keyset pagination (7b861c9):

    The page token now is the last ID of the previous page. This enables faster queries and more stable pagination. NOTE: in case an integration modified page tokens to control pagination, this change will break the integration. Page tokens are opaque strings and should never be messed with.

    ๐Ÿ“š Documentation

    • ๐Ÿ”ฆ Expose embedded OpenAPI spec (f9d20e3)
    • ๐Ÿ›  Fix docker compose demo setup (#872) (e89fbb0)
    • ๐Ÿ‘Œ Improve wording in README (#881) (fd6af60)
    • ๐Ÿ‘ท Shorten CI status badge (#928) (81d880d)
    • ๐Ÿ”– version schema: Require version or fall back to latest (#863) (5306c93)

    ๐Ÿ”‹ Features

    • โž• Add check endpoints that do not mirror status code (#853) (07d0fbd)
    • โž• Add reverse lookup indices (#875) (25af263)
    • โž• Add spec for namespace configs (3d61b1c):

    Co-authored-by: hackerman [email protected]

    With this change Keto now maps strings to UUIDv5 on the storage layer. This change allows unlimited strings to be used while maintaining good performance. Further, it reduces the likeliness of database hot-spots. The migration that applies this mapping might take some time, so please confirm that your migration strategy works for you.

    • Metric names same as for Kratos (315ff41)
    • tracing: Improved tracing for persisters and requests (#878) (eb62c50)
    • tracing: Switch to opentelemetry (#861) (31f38ed)

    โœ… Tests

    • โœ‚ Remove double dockertest cleanup (0bfb10e)
    • โœ… Use isolated databases to parallelize all tests (bc09032)