keto v0.10.0-alpha.0 Release Notes
Release Date: 2022-09-27
🚀 This release ships the long-awaited Ory Permission Language (a.k.a. 👉 userset-rewrites) 🎉. You can now define global 🌍 rules for permissions, like "every user who is an owner also has read access", and many more. Best of all, you don't have to learn a new language to express these rules, but instead just 👉 use a subset of TypeScript. Therefore syntax highlighting, formatting tools, 👕 linters, unit test frameworks, ... work out of the box 📦! We will give a talk 🗣️ about how we ended up with this solution at the Ory Summit, so make sure to sign up or watch the recording on YouTube later. Start exploring the Ory Permission Language 📄 by following our guide 📖. 🚀 This is only the most shiny ✨ feature we packed into this release, see the full 🔄 changelog for all the other fixes and features we included.
🐛 Bug Fixes
- Concurrency-safe graph utils (ea9dda9)
- Correct paths in TypeScript SDK (#1025) (8b30508)
- Do not setup /etc/nsswitch.conf on alpine (1f9fa96):
Go fixed the initial issue and does not rely on that file anymore, see https://github.com/golang/go/issues/35305
Tests now use the new httpclient to properly handle empty strings vs strings (where the value is omitted in the JSON request).
http*request** metrics contain data related only to /metrics/prometheus endpoint. This commit adds endpoints from non-monitoring routers.
fix: register read and write routers with PrometheusManager
fix: register read and write routers with PrometheusManager p2
fix: register read and write routers with PrometheusManager p3
feat: grpc request metrics
chore: add test
chore: revert gRPC metric test
chore: re-trigger ci
chore: re-trigger ci
chore: re-trigger ci
fix: lint
fix: cve
- Sdk generation (acc1546):
fix: better error handling
chore: remove old httpclient
Enable TLS and certificate checking in the gRPC client when communicating with remote hosts.
👷 Build System
Code Generation
- 🚀 Pin v0.10.0-alpha.0 release commit (52259a3):
Bumps from v0.10.0-alpha.0.pre.0
🔨 Code Refactoring
- Generalize tree structure (6a0b2fe):
This will allow reusing the tree to provide debug info on how a check decision was reached.
📚 Documentation
🔋 Features
The subject-set rewrites can now be configured through the Ory Permission Language (OPL), which is a subset of TypeScript. The OPL config is referenced in the central configuration under namespaces as such:
    [...]
    namespaces:
      location: <location>
    [...]
The <location> can be any valid file, directory or URI.
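The rule quoted in the release summary, "every user who is an owner also has read access", written in the style of an Ory Permission Language namespace and evaluated locally with plain TypeScript (an added example, not code from the Keto project). `Project`, its relations and the `check` helper are hypothetical, and `Namespace` and `Context` are local stand-ins for the types of the OPL library so the file runs without dependencies.

```typescript
// Local stand-ins for the Namespace and Context types of the OPL library on
// npm, declared here so the example has no dependencies (assumption).
interface Namespace {}
interface Context {
  subject: User
}

class User implements Namespace {}

// Hypothetical namespace: a project with owners and viewers.
class Project implements Namespace {
  related: { owners: User[]; viewers: User[] }

  // The constructor exists only so the rules can be exercised locally;
  // it is an assumption of this example, not part of the rule itself.
  constructor(related: { owners: User[]; viewers: User[] }) {
    this.related = related
  }

  permits = {
    // Global rule: every owner also has read access.
    read: (ctx: Context): boolean =>
      this.related.viewers.includes(ctx.subject) ||
      this.related.owners.includes(ctx.subject),
    // Write access is not implied by read access: owners only.
    write: (ctx: Context): boolean => this.related.owners.includes(ctx.subject),
  }
}

// Hypothetical helper: evaluate one permission for one subject.
function check(project: Project, permission: "read" | "write", subject: User): boolean {
  return project.permits[permission]({ subject })
}

// Constructed relationships: alice owns the project, bob may only view it.
const alice = new User()
const bob = new User()
const mallory = new User()
const project = new Project({ owners: [alice], viewers: [bob] })

console.log("owner can read:", check(project, "read", alice))
console.log("viewer can write:", check(project, "write", bob))
console.log("unrelated user can read:", check(project, "read", mallory))
```

Because the rules are ordinary TypeScript expressions, the negative cases (a viewer asking for write, an unrelated user asking for read) can be pinned down in a unit test alongside the positive one.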
- 🔒 Fine-grained control over transport security (5f056b7):
This adds two new flags to the Keto CLI:
- --insecure-disable-transport-security: Use plaintext instead of TLS
- --insecure-skip-hostname-verification: Use TLS, but do not verify the certificate
By default, the Keto CLI now connects to the remote via TLS and verifies the hostname.
- OPL typescript library on npm (446fe7d)
- Simpler notation for subjects w/o relation (ec979df)
- Subject-set rewrites (6f61af8)
- 👌 Support subject sets in check (1760459)
✅ Tests
Previous changes from v0.9.0-alpha.0
🚀 This release ships a few changes in the API paths. Requests and responses were 🔨 not changed. However, we did A LOT of internal refactoring and improvements on the persistence layer. Some naming in the SDKs changed; it is a lot cleaner now. 🚚 One important change is that we removed the single table migrator. From now on, to migrate from v0.6.0-alpha.1, please first migrate the legacy namespaces using v0.8.0-alpha.2. We also overhauled the whole persistence structure to ensure high scalability. This means that the migration might take a bit longer than usual, ✅ so please test the process first on a backup or staging environment. For all the details, check out the full changelog.
💥 Breaking Changes
- 🚚 keto namespace migrate ... commands were removed. To migrate from v0.6.0-alpha.1, please first migrate the legacy namespaces using v0.8.0-alpha.2.
- ⬆️ The protobuf API was bumped to v1alpha2. Please upgrade your client dependency 👍 to that version. v1alpha1 is still supported for now, but might be dropped soon.
- 🛰 Some payload keys are now (not) required anymore. The generated SDKs will likely have breaking changes.
Co-authored-by: Patrik
Co-authored-by: hperl
- /check is now /relation-tuples/check
- /expand is now /relation-tuples/expand
- /relation-tuples is now /admin/relation-tuples for write APIs
- 📦 gRPC package is now called ory.keto.relation_tuples.v1alpha2
- 🛠 gRPC relation-tuple-delta action enum names are prefixed with ACTION_
🐛 Bug Fixes
- cli: Make flag registration non-racy (8415ced)
- 0️⃣ Enable telemetry by default (9dc8c7c)
- Hide relation tuples with deleted namespace (cb1a2dd)
Code Generation
- 🚀 Pin v0.9.0-alpha.0 release commit (6a13898)
🔨 Code Refactoring
This change refactors the API paths to be consistent with the rest of the Ory ecosystem. This step is required for the unified Ory SDK. Additionally, as we plan to add high-level APIs, e.g. for RBAC, the check and expand API paths changed to allow adding those.
- 🔄 Change pagination to use keyset pagination (7b861c9):
The page token now is the last ID of the previous page. This enables faster queries and more stable pagination. NOTE: in case an integration modified page tokens to control pagination, this change will break the integration. Page tokens are opaque strings and should never be messed with.
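What the token change means for a client, as an added example that is not Keto's code: an in-memory stand-in for the tuple table is paged with a last-ID token and, for comparison, with an offset, while a row is inserted between the two requests. The row IDs, tuples and function names are constructed for illustration.

```typescript
// Constructed sample data; `id` stands in for the storage-layer row ID that a
// keyset page token is derived from (assumption of this example).
type Row = { id: string; tuple: string }

const byId = (a: Row, b: Row): number => (a.id < b.id ? -1 : a.id > b.id ? 1 : 0)

// Keyset pagination: the token is the last ID of the previous page, so the
// next page is "everything that sorts after that ID".
function keysetPage(rows: Row[], pageToken: string, size: number) {
  const page = [...rows].sort(byId).filter((r) => r.id > pageToken).slice(0, size)
  const last = page[page.length - 1]
  return { page, nextPageToken: last && page.length === size ? last.id : "" }
}

// Offset pagination, for comparison: the position is a row count.
function offsetPage(rows: Row[], offset: number, size: number): Row[] {
  return [...rows].sort(byId).slice(offset, offset + size)
}

// Read two pages of size 2 while a row is inserted between the two requests.
function readWithConcurrentInsert() {
  const rows: Row[] = [
    { id: "10", tuple: "projects:a#owners@alice" },
    { id: "20", tuple: "projects:a#viewers@bob" },
    { id: "30", tuple: "projects:b#owners@carol" },
    { id: "40", tuple: "projects:b#viewers@dave" },
  ]
  const first = keysetPage(rows, "", 2)
  const firstByOffset = offsetPage(rows, 0, 2)
  rows.push({ id: "15", tuple: "projects:a#viewers@erin" }) // sorts before the cursor
  // The client hands the token back unchanged; it never parses or edits it.
  const second = keysetPage(rows, first.nextPageToken, 2)
  const secondByOffset = offsetPage(rows, 2, 2)
  const ids = (rs: Row[]): string[] => rs.map((r) => r.id)
  return {
    keyset: ids([...first.page, ...second.page]),
    offset: ids([...firstByOffset, ...secondByOffset]),
  }
}

console.log(readWithConcurrentInsert())
```

With the last-ID token the second page continues exactly after the first, while the offset read returns row 20 twice and never reaches row 40 within two pages.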
📚 Documentation
- 🔦 Expose embedded OpenAPI spec (f9d20e3)
- 🛠 Fix docker compose demo setup (#872) (e89fbb0)
- 👌 Improve wording in README (#881) (fd6af60)
- 👷 Shorten CI status badge (#928) (81d880d)
- 🔖 version schema: Require version or fall back to latest (#863) (5306c93)
🔋 Features
- ➕ Add check endpoints that do not mirror status code (#853) (07d0fbd)
- ➕ Add reverse lookup indices (#875) (25af263)
- ➕ Add spec for namespace configs (3d61b1c):
Co-authored-by: hackerman
- 🔧 Make sensitive log value redaction text configurable (#860) (b8b1d81)
- Map strings to UUIDs (#809) (#840) (add6577):
With this change Keto now maps strings to UUIDv5 on the storage layer. This change allows unlimited strings to be used while maintaining good performance. Further, it reduces the likeliness of database hot-spots. The migration that applies this mapping might take some time, so please confirm that your migration strategy works for you.
- Metric names same as for Kratos (315ff41)
- tracing: Improved tracing for persisters and requests (#878) (eb62c50)
- tracing: Switch to opentelemetry (#861) (31f38ed)
✅ Tests