Releases: openfga/openfga
v1.2.0
Added
- Optimizations for ListObjects and StreamedListObjects for models involving intersection (and) and exclusion (but not) (#797)
Changed
v1.2.0-rc3
This is the third release candidate that improves ListObjects performance for models involving intersection and/or exclusion (and or but not) (#797). The changes herein include the security patch fix that was introduced for CVE-2023-35933, so if you're using v1.2.0-rc1 or v1.2.0-rc2, then please upgrade.
To test out the new experimental support for optimized ListObjects you can run OpenFGA with --experimentals optimized-list-objects. A Docker image of this release candidate is available as openfga/openfga:v1.2.0-rc3.
v1.1.1
Added
- Official Homebrew installation instructions (#781) - thanks @chenrui333
- The --verbose flag has been added to the openfga migrate command (#776)
- The openfga validate-models CLI command has been introduced to validate all models across all stores (#817)
Changed
- Updated the version of the grpc-health-probe binary included in OpenFGA builds (#784)
- Cache inflight requests when looking up the latest authorization model (#820)
Fixed
- Validation of models with non-zero entrypoints (#802)
- Remove unintended newlines in model validation error messages (#816) - thanks @Galzzly
Security
- Patches CVE-2023-35933 - additional model validations are now applied to models that can lead to the vulnerability. See the CVE report for more details, and don't hesitate to reach out if you have questions.
v1.2.0-rc2
This is the second release candidate that improves ListObjects performance for models involving intersection and/or exclusion (and or but not). (#797)
To test out the new experimental support for optimized ListObjects you can run OpenFGA with --experimentals optimized-list-objects. A Docker image of this release candidate is available as openfga/openfga:v1.2.0-rc2.
Changed
- Concurrently evaluate objects that require further evaluation instead of serially.
v1.2.0-rc1
Added
- optimized-list-objects experimental flag to improve ListObjects performance for models involving intersection and/or exclusion (and or but not). (#797)
  To test out the new experimental support for optimized ListObjects you can run OpenFGA with --experimentals optimized-list-objects. A Docker image of this release candidate is available as openfga/openfga:v1.2.0-rc1.
v1.1.0
Added
- Streaming ListObjects has no limit in number of results returned (#733)
Fixed
- Avoid DB connection churning in unoptimized ListObjects (#711)
- Ensure ListObjects respects configurable ListObjectsDeadline (#704)
- In Write, throw 400 instead of 500 error if auth model ID not found (#725)
- Performance improvements when loading the authorization model (#726)
- Ensure Check evaluates deterministically on the eval boundary case (#732)
Changed
- [BREAKING] The flags to turn on writing and evaluation of v1.0 models have been dropped (#763)
v1.0.1
v1.0.0
v0.4.3
Added
- Release artifacts are now signed and include a Software Bill of Materials (SBOM) (#683)

  The SBOM (Software Bill of Materials) is included in each GitHub release using Syft and is exported in SPDX format.

  Developers will be able to verify the signature of the release artifacts with the following workflow(s):

      wget https://github.com/openfga/openfga/releases/download/<tag>/checksums.txt
      cosign verify-blob \
        --certificate-identity 'https://github.com/openfga/openfga/.github/workflows/release.yml@refs/tags/<tag>' \
        --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
        --cert https://github.com/openfga/openfga/releases/download/<tag>/checksums.txt.pem \
        --signature https://github.com/openfga/openfga/releases/download/<tag>/checksums.txt.sig \
        ./checksums.txt

  If the checksums.txt validation succeeds, it means the checksums included in the release were not tampered with, so we can use it to verify the hashes of other files using the sha256sum utility. You can then download any file you want from the release, and verify it with, for example:

      wget https://github.com/openfga/openfga/releases/download/<tag>/openfga_<version>_linux_amd64.tar.gz.sbom
      wget https://github.com/openfga/openfga/releases/download/<tag>/openfga_<version>_linux_amd64.tar.gz
      sha256sum --ignore-missing -c checksums.txt

  And both should say "OK".

  You can then inspect the .sbom file to see the entire dependency tree of the binary.

  Developers can also verify the Docker image signature. Cosign actually embeds the signature in the image manifest, so we only need the public key used to sign it in order to verify its authenticity:

      cosign verify --key cosign.pub openfga/openfga:<tag>

- openfga migrate now accepts reading configuration from a config file and environment variables like the openfga run command (#655) - thanks @suttod!
- The --trace-service-name command-line flag has been added to allow for customizing the service name in traces (#652) - thanks @jmiettinen
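
A stricter form of the sha256sum step from the signed-artifacts entry above, as an added example that is not part of the OpenFGA release notes or tooling. With --ignore-missing, sha256sum -c only checks names that appear in checksums.txt, so a downloaded file whose name is not listed is never checked; the hypothetical helper verify_listed fails unless every named file is both listed and matching. It assumes checksums.txt has already passed cosign verify-blob and that artifact names contain no whitespace.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the OpenFGA project).
# verify_listed <checksums-file> <artifact>...
# Returns 0 only if EVERY named artifact is listed in the checksums file
# and its SHA-256 digest matches the listed value.
verify_listed() {
    sums=$1
    shift
    [ -r "$sums" ] || { echo "cannot read $sums" >&2; return 2; }
    [ "$#" -gt 0 ] || { echo "no artifacts given" >&2; return 2; }
    rc=0
    for f in "$@"; do
        name=$(basename -- "$f")
        # Lines use the sha256sum format: "<hex digest>  <name>" (or "*<name>").
        want=$(awk -v n="$name" \
            '{ fn = $2; sub(/^\*/, "", fn); if (fn == n) { print $1; exit } }' "$sums")
        if [ -z "$want" ]; then
            # This is the case "sha256sum --ignore-missing -c" never reports.
            echo "$name: NOT LISTED in $sums" >&2
            rc=1
            continue
        fi
        if [ ! -f "$f" ]; then
            echo "$name: file missing" >&2
            rc=1
            continue
        fi
        got=$(sha256sum -- "$f" | awk '{ print $1 }')
        if [ "$got" = "$want" ]; then
            echo "$name: OK"
        else
            echo "$name: FAILED" >&2
            rc=1
        fi
    done
    return "$rc"
}
```

Call it with the verified checksums.txt followed by the downloaded tarball and .sbom paths, and treat any non-zero exit as a failed verification.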
Fixed
- Postgres and MySQL implementations have been fixed to avoid ordering relationship tuple queries by ulid when it is not needed. This can improve read query performance on larger OpenFGA stores (#677)
- Synchronize concurrent access to in-memory storage iterators (#587)
- Improve error logging in the openfga migrate command (#663)
- Fix middleware ordering so that requestid middleware is registered earlier (#662)
Changed
- Bumped up to Go version 1.20 (#664)
- Default model schema versions to 1.1 (#669)
  In preparation for sunsetting support for models with schema version 1.0, the WriteAuthorizationModel API will now interpret any model provided to it as a 1.1 model if the schema_version field is omitted in the request. This shouldn't affect default behavior since 1.0 model support is enabled by default.