- It is now possible to read the value of any Rego rule in the evaluated document of an OPA policy and reuse those values in other evaluators and phases of the Auth Pipeline
  - Enable it by setting `spec.authorization.opa.allValues: true` in the AuthConfig
  - [Breaking change] The resolved object returned by the OPA authorization evaluators is no longer a plain boolean, but an object `{ "allow": boolean, ...other rules }`
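As an added example (not taken from the Authorino release or its documentation) of what the feature enables: an AuthConfig whose inline Rego policy derives a `role` rule alongside `allow`, and a response item that reads that rule back out of the Authorization JSON. Of the field names used, only `spec.authorization.opa.allValues` is quoted by the notes above; the rest (`hosts`, `identity[].oidc.endpoint`, `inlineRego`, `response[].json.properties[].valueFrom.authJSON`) are as I recall them from the `authorino.kuadrant.io/v1beta1` API of this era and should be checked against the installed CRD. The hostname, the OIDC issuer and the `groups` claim are placeholders.

```yaml
apiVersion: authorino.kuadrant.io/v1beta1
kind: AuthConfig
metadata:
  name: talker-api-protection
spec:
  hosts:
  - talker-api.127.0.0.1.nip.io        # placeholder host
  identity:
  - name: keycloak
    oidc:
      endpoint: https://keycloak.example.com/auth/realms/kuadrant   # placeholder issuer
  authorization:
  - name: opa
    opa:
      # With allValues: true the whole evaluated document is kept, so the
      # Authorization JSON gets auth.authorization.opa = { "allow": ..., "is_admin": ..., "role": ... }
      # instead of a bare boolean (the breaking change noted above).
      allValues: true
      inlineRego: |
        default allow = false

        # Verified ID token claims are available under input.auth.identity;
        # "groups" is assumed to be a claim issued by the placeholder realm.
        is_admin { input.auth.identity.groups[_] == "admins" }

        # A non-boolean rule: its value is reusable by later phases.
        role = "admin"  { is_admin }
        role = "member" { not is_admin }

        # Members may only read; admins may do anything.
        allow { is_admin }
        allow { input.context.request.http.method == "GET" }
  response:
  - name: x-ext-auth-role
    # Default wrapper injects the JSON as a request header named after this item,
    # so the upstream receives the role computed by the policy, not a re-derivation of it.
    json:
      properties:
      - name: role
        valueFrom:
          authJSON: auth.authorization.opa.role
```

Note that the response phase only runs when authorization succeeded, so a rule value is available downstream exactly when `allow` was true; a value computed on the denied path cannot be read back this way.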
- Auto-refresh of Rego policies pulled from an external registry (#231)
  - Set `authconfigs.spec.authorization.opa.externalRegistry.ttl` (in seconds) to enable auto-refresh of authorization policies pulled from external registries
- In-memory caching of objects returned by any evaluator of an AuthConfig (#239, #247)
  - Available for any evaluator, but especially useful for:
    - Caching metadata fetched from external sources
    - Caching previously introspected OAuth2 opaque tokens
    - Caching the results of complex Rego policies (e.g. ones that send requests to external services)
  - The cache key can be a dynamic value resolved from the Authorization JSON (e.g. the request path, the user ID, etc.)
  - The TTL of each evaluator's cache can be set individually per configuration (defaults to 60 seconds)
  - The size of each cache table can be limited by configuration at the level of the Authorino instance (FIFO eviction applies)
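An added example (my own, not code from the project) of evaluator caching on the two cases above that matter most in practice: a metadata lookup to an external service, and a Rego policy that depends on that metadata. The `cache.key`/`cache.ttl` field names and the `metadata[].http.endpoint` templating with `{...}` placeholders are as I recall the `v1beta1` API of this era and should be verified against the CRD; `profile.internal`, the issuer URL and the `plan` attribute are placeholders. The security-relevant point is the choice of key: a cached decision is only as good as the inputs the key captures.

```yaml
apiVersion: authorino.kuadrant.io/v1beta1
kind: AuthConfig
metadata:
  name: talker-api-protection
spec:
  hosts:
  - talker-api.127.0.0.1.nip.io        # placeholder host
  identity:
  - name: keycloak
    oidc:
      endpoint: https://keycloak.example.com/auth/realms/kuadrant   # placeholder issuer
  metadata:
  - name: profile
    http:
      # Placeholder profile service; {auth.identity.sub} is resolved from the Authorization JSON.
      endpoint: http://profile.internal/users/{auth.identity.sub}
      method: GET
    cache:
      # One entry per subject: the profile depends on nothing but who is calling,
      # so every input of this evaluator is captured by the key.
      key:
        valueFrom:
          authJSON: auth.identity.sub
      ttl: 300          # seconds; overrides the 60 s default
  authorization:
  - name: opa
    opa:
      inlineRego: |
        default allow = false
        # The decision reads only the (cached) profile of the caller, so caching it
        # under the same per-subject key is safe. If the policy also looked at the
        # request path or method, this key would serve one request's decision to a
        # different request: either add those inputs to the key or do not cache.
        allow { input.auth.metadata.profile.plan == "premium" }
    cache:
      key:
        valueFrom:
          authJSON: auth.identity.sub
      ttl: 60
```

Two caveats worth keeping in mind: the TTL bounds how long a revoked entitlement (a downgraded `plan`, a deleted user) keeps being honoured, so pick it against the revocation latency you can accept rather than against load alone; and the instance-wide size limit mentioned above is set on the Authorino deployment, not in the AuthConfig (an `EVALUATOR_CACHE_SIZE` environment variable in releases of this era, as I recall; check the deployment docs), with FIFO eviction meaning a burst of distinct keys can push hot entries out.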
- Support for the `host` lookup key passed as a context extension (#229)
  - This lets you leverage more of the Envoy external authorization protocol to enable use cases such as:
    - Path-based AuthConfig lookup: multiple APIs behind the same base domain, routed by path prefix, each with its own AuthConfig
    - Wildcard-subdomain AuthConfig lookup: a single API serving wildcard subdomains and always enforcing the same AuthConfig
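An added example (mine, not from the project) of both lookups driven from the Envoy side. Envoy's per-route `ExtAuthzPerRoute` override lets a route attach arbitrary `context_extensions` to the `CheckRequest`; with this release Authorino uses the `host` extension, when present, instead of the request's `Host` header to pick the AuthConfig. The route-level and per-route `ext_authz` message shapes are the stock Envoy v3 API; the `ext_authz` HTTP filter itself must already be in the filter chain and is not shown. Domains, cluster names and the OIDC issuer are placeholders, and the AuthConfig field names are as I recall the `v1beta1` API.

```yaml
# Envoy route configuration (fragment of the HTTP connection manager config)
route_config:
  name: local_route
  virtual_hosts:
  - name: apis
    # Every subdomain lands in this virtual host ...
    domains: ["apps.example.com", "*.apps.example.com"]
    routes:
    # ... path-based lookup: each prefix names a different AuthConfig via `host`
    - match: { prefix: "/pets/" }
      route: { cluster: pets-api }
      typed_per_filter_config:
        envoy.filters.http.ext_authz:
          "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
          check_settings:
            context_extensions:
              host: pets.apps.example.com     # must appear in some AuthConfig's spec.hosts
    - match: { prefix: "/cars/" }
      route: { cluster: cars-api }
      typed_per_filter_config:
        envoy.filters.http.ext_authz:
          "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
          check_settings:
            context_extensions:
              host: cars.apps.example.com
    # ... wildcard-subdomain lookup: whatever tenant.apps.example.com was requested,
    # one AuthConfig is enforced because the lookup key is fixed here, not taken from Host
    - match: { prefix: "/" }
      route: { cluster: portal }
      typed_per_filter_config:
        envoy.filters.http.ext_authz:
          "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
          check_settings:
            context_extensions:
              host: portal.apps.example.com
---
# The matching AuthConfigs only need their spec.hosts to carry the lookup keys above
apiVersion: authorino.kuadrant.io/v1beta1
kind: AuthConfig
metadata: { name: pets-api-protection }
spec:
  hosts: ["pets.apps.example.com"]
  identity:
  - name: keycloak
    oidc: { endpoint: https://keycloak.example.com/auth/realms/kuadrant }   # placeholder
---
apiVersion: authorino.kuadrant.io/v1beta1
kind: AuthConfig
metadata: { name: portal-protection }
spec:
  hosts: ["portal.apps.example.com"]
  identity:
  - name: keycloak
    oidc: { endpoint: https://keycloak.example.com/auth/realms/kuadrant }   # placeholder
```

Because the lookup key now comes from Envoy's route configuration rather than from the client-controlled `Host` header, whoever can edit routes can decide which AuthConfig a path is checked against; treat that configuration with the same care as the AuthConfigs themselves, and keep a route without a matching AuthConfig from silently passing by not leaving any route without an override when the `Host` header alone would not resolve.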
- Possibility to set dynamic response messages on denied requests (#241, #246) and a new option to customize the body of the HTTP response as well (#248, #251, #255)
- The status of AuthConfig CRs is now only marked 'Ready' once the config is fully loaded in the cache
  - This prevents AuthConfigs that are not yet ready to receive traffic (e.g. because JWKs or Rego policies are still being fetched from external sources) from being misleadingly marked 'Ready' too early
- [Breaking change] Filter API keys by namespace (#214)
  - By default Authorino now only watches for API key Kubernetes Secrets in the same namespace as the AuthConfig
  - The scope can be changed back to cluster-wide by setting `spec.identity.apiKey.allNamespaces: true`
- Observability metrics for the gRPC (ext-authz) and HTTP (wristband) servers (#225)