v6.0.0

@gknopf-aranya released this 01 Apr 19:36
· 7 commits to main since this release
2478b2e

Highlighted Features

This release introduces rank-based authorization for custom roles, refactors the sync transport layer for extensibility, and includes significant sync and runtime performance improvements.

  • Rank-based authorization — The custom roles system now uses numerical ranks to determine authorization. Objects (devices, roles, labels) must outrank the objects they operate on. New APIs: rank, change_rank, role_perms, permission_to_str. Several existing APIs changed signatures — see Breaking Changes below. (#651, #768)
  • Sync transport traits and performance — The syncer has been refactored to use transport traits, decoupling sync logic from the QUIC implementation and enabling connection reuse and better scheduling. Significant sync performance improvements. (#717)
  • Scale testing infrastructure — New ring convergence tests and a scale testing harness exercise multi-node sync with up to 100 nodes. (#711)
  • RPC trace correlation — Client-to-daemon RPC calls now carry a trace ID for end-to-end observability and debugging. (#731)
  • Policy language result type — The policy language now supports a result type for explicit error handling in policy code, replacing patterns that relied on runtime exceptions. Relevant to custom policy development. (aranya-core #498)
  • Label query API — New team_label C API function to query a label by ID, with AranyaLabel opaque type and accessors (label_get_id, label_get_name, label_get_author). label() now returns Result<Label> instead of Result<Option<Label>>, with a new DoesNotExist error variant for resource-not-found errors across the API. (#771)

Coming Soon

  • mTLS sync authentication — Migration from PSKs to mTLS certificates for authenticating QUIC sync connections, allowing users to leverage existing PKI infrastructure.
  • Onboarding process improvements — Admins and operators can onboard devices via an onboarding service asynchronously, removing the requirement for both devices to be online at the same time. Only a passphrase needs to be exchanged, reducing the amount of data shared during onboarding.

Security Patches

  • Updated aws-lc-rs to fix 4 security vulnerabilities. (#758)

Breaking Changes

  • Rank-based authorization API changes (#651):
    • setup_default_roles — removed owning_role parameter, added check-size-first pattern
    • add_device / add_device_to_team — added required rank parameter
    • create_label — managing_role_id replaced with rank
    • create_role — owning_role replaced with rank
    • Permission enum — added ChangeRank, ChangeRolePerms; removed ChangeRoleManagementPerms, ChangeRoleManagingRole, ChangeLabelManagingRole
    • Removed: DEFAULT_ROLES_LEN, DefaultRoles, RolesExt, RoleManagementPermission, role_owners, add_role_owner, remove_role_owner, assign_role_management_permission, revoke_role_management_permission, add_label_managing_role
  • RevokeLabelFromDevice now validates device generation — Stale label revocations after a device is removed and re-added are now correctly rejected. (#746)
  • label() returns Result<Label> instead of Result<Option<Label>> — Callers that handled Ok(None) should now handle Err(Error::DoesNotExist). (#771)
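
One way to migrate a caller for the `label()` change above, as an added example that is not code from the Aranya project. Only `Label`, `label()` and `Error::DoesNotExist` are names from these notes; `Team`, `find_label`, `sample_team`, `Error::Other` and the `u64` label ID are stand-ins assumed here so the block runs on its own.

```rust
// Added example: stand-in types, not the Aranya client's real definitions.
use std::collections::HashMap;

#[derive(Debug, Clone, PartialEq)]
pub struct Label { pub id: u64, pub name: String } // u64 ID is an assumption

#[derive(Debug, PartialEq)]
pub enum Error {
    DoesNotExist,  // variant named in the release notes
    Other(String), // assumption: stands in for every other failure
}

/// Hypothetical team handle backed by an in-memory map.
pub struct Team { labels: HashMap<u64, Label>, daemon_up: bool }

impl Team {
    /// v6-shaped lookup: absence is reported as an error variant, not Ok(None).
    pub fn label(&self, id: u64) -> Result<Label, Error> {
        if !self.daemon_up {
            return Err(Error::Other("daemon unreachable".into()));
        }
        self.labels.get(&id).cloned().ok_or(Error::DoesNotExist)
    }
}

/// Migrated caller: the branch that used to match Ok(None) now matches
/// Err(Error::DoesNotExist). Every other error still propagates unchanged.
pub fn find_label(team: &Team, id: u64) -> Result<Option<Label>, Error> {
    match team.label(id) {
        Ok(label) => Ok(Some(label)),
        Err(Error::DoesNotExist) => Ok(None),
        Err(e) => Err(e),
    }
}

/// Constructed sample data: one label, daemon reachable or not.
pub fn sample_team(daemon_up: bool) -> Team {
    let mut labels = HashMap::new();
    labels.insert(1, Label { id: 1, name: "telemetry".into() });
    Team { labels, daemon_up }
}

fn main() {
    println!("{:?}", find_label(&sample_team(true), 1));  // label found
    println!("{:?}", find_label(&sample_team(true), 2));  // label absent
    println!("{:?}", find_label(&sample_team(false), 1)); // other failure
}
```

Collapsing the result with `.ok()` instead would turn every failure into `None`, so a label that exists would look absent whenever the lookup fails for another reason.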

What's Changed

Full Changelog: v5.0.0...v6.0.0