Skip to content

v1.39.0

Choose a tag to compare

View all tags
@koponen-styra koponen-styra released this 15 Aug 12:31
· 23 commits to main since this release
v1.39.0
3646667
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

OPA v1.3.0
Regal v0.32.0

This releases introduces Column Masking in Data Filters and a small change to the Compile API. It also features various dependency bumps.

Column Masking in Data Filters

In certain data filtering use cases, a row might be returned from the database that has a sensitive column present. We still want the application to be able to display everything it can to the user, but ideally hiding or modifying the sensitive values before display.

This is now supported by defining mask rules in your data filter policies, for example:

package filters

# METADATA
# scope: document
# description: Return all rows, for sake of the example.
# custom:
# unknowns: ["input.tickets"]
# mask_rule: data.filters.masks
default include := true

# Mask all ticket descriptions by default.
default masks.tickets.description.replace.value := "<description>"

# Allow viewing the description if the user is an admin.
masks.tickets.description.replace.value := {} if {
 "admin" in data.roles[input.tenant][input.user]
}

See the docs for all details.

Column masks are also returned by rego.compile(), and supported in filter.helper().

/v1/compile/{path}

The Compile API in Enterprise OPA now mirrors the Data API more closely: The rule to be used for translation into SQL clauses or UCAST expressions is part of the request path.

See the Data Filters Compilation API docs for all details. Users of our TypeScript SDK don't need to adapt anything, the changes have been made in the latest releases.

Assets 8
Loading