github.com/openfga/openfga@v1.5.4-rc1/CHANGELOG.md

# Changelog
All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

Try to keep listed changes to a concise bulleted list of simple explanations of changes. Aim for the amount of information needed so that readers can understand where they would look in the codebase to investigate the changes' implementation, or where they would look in the documentation to understand how to make use of the change in practice - better yet, link directly to the docs and provide detailed information there. Only elaborate if doing so is required to avoid breaking changes or experimental features from ruining someone's day.

## [Unreleased]

## [1.5.3] - 2024-04-16

[Full changelog](https://github.com/openfga/openfga/compare/v1.5.2...v1.5.3)

### Added

* Apply tags to requests that have been intentionally throttled (https://github.com/openfga/openfga/pull/1531). This will add a new log field titled "throttled" to such requests.

### Fixed

* Panic that occurred on Check API with some authorization models and tuples (https://github.com/openfga/openfga/pull/1517)

### Changed

* [Modular Models (Schema 1.2)](https://openfga.dev/docs/modeling/modular-models) support is enabled by default and the experimental flag for it has been dropped (https://github.com/openfga/openfga/pull/1520)
* Bumped to Go 1.21.9 (https://github.com/openfga/openfga/pull/1523)

### Security

* Patch [CVE-2024-31452](https://github.com/openfga/openfga/security/advisories/GHSA-8cph-m685-6v6r) - a critical issue where Check and ListObjects APIs return incorrect results for some models and tuples. See the CVE report for more details.

## [1.5.2] - 2024-04-03

[Full changelog](https://github.com/openfga/openfga/compare/v1.5.1...v1.5.2)

### Fixed

* Fix the count of datastore reads in the Check API ([#1452](https://github.com/openfga/openfga/pull/1452))
* Fix the correct default used for dispatch throttling ([#1479](https://github.com/openfga/openfga/pull/1479))

### Security

* Bumped up the `grpc-health-probe` dependency in the published Docker image to the latest release which fixes some vulnerabilities ([#1507](https://github.com/openfga/openfga/pull/1507))

### Contributions

* Add homebrew release job by @chenrui333 ([#780](https://github.com/openfga/openfga/pull/780))

## [1.5.1] - 2024-03-19

[Full changelog](https://github.com/openfga/openfga/compare/v1.5.0...v1.5.1)

### Added

- Include calls to ListObjects and StreamedListObjects methods in the `dispatch_count` histogram ([#1427](https://github.com/openfga/openfga/pull/1427))
- Added `request_duration_ms` histogram which has `datastore_query_count` and `dispatch_count` as dimensions ([#1444](https://github.com/openfga/openfga/pull/1444))
- Added new flag `OPENFGA_AUTHN_OIDC_ISSUER_ALIASES` to specify oidc issuer aliases ([#1354](https://github.com/openfga/openfga/pull/1354)) - Thanks @le-yams!
- Added experimental support for modular models via `OPENFGA_EXPERIMENTALS=enable-modular-models` ([#1443](https://github.com/openfga/openfga/pull/1443)). This will enable writing models that are split across multiple files.
- Added support for throttling dispatches ([#1440](https://github.com/openfga/openfga/pull/1440)). This will throttle Check requests that are overly complex.
  You can turn on this feature via `OPENFGA_DISPATCH_THROTTLING_ENABLED` and configure it via `OPENFGA_DISPATCH_THROTTLING_THRESHOLD` and `OPENFGA_DISPATCH_THROTTLING_FREQUENCY`.

### Fixed

- Throw HTTP 400 when tuple condition is invalid instead of HTTP 500 ([#1420](https://github.com/openfga/openfga/pull/1420))
- Fix model validation which threw error "no entrypoints defined" ([#1422](https://github.com/openfga/openfga/pull/1422))

### Deprecation :warning:

- Histogram `request_duration_by_query_count_ms` will be removed in the next release, in favour of `request_duration_ms` ([#1450](https://github.com/openfga/openfga/pull/1450))

### Contribution

- Thanks @lekaf974 for enhancing NewLogger with builder pattern options ([#1413](https://github.com/openfga/openfga/pull/1413))

## [1.5.0] - 2024-03-01

[Full changelog](https://github.com/openfga/openfga/compare/v1.4.3...v1.5.0)

### Added

- Override option for timestamp in JSON logs ([#1330](https://github.com/openfga/openfga/pull/1330)) - thank you, @raj-saxena!
- OpenTelemetry tracing and attributes to check algorithm ([#1331](https://github.com/openfga/openfga/pull/1331), [#1388](https://github.com/openfga/openfga/pull/1388))
- Dispatch count to check response metadata as a query complexity heuristic ([#1343](https://github.com/openfga/openfga/pull/1343))

### Fixed

- Cycles detected during check now deterministically return with `{allowed:false}` ([#1371](https://github.com/openfga/openfga/pull/1371), [#1372](https://github.com/openfga/openfga/pull/1372))
- Fix incorrect path for gRPC health check ([#1321](https://github.com/openfga/openfga/pull/1321))

### Breaking Change :warning:

The `AuthorizationModelReadBackend` interface method `FindLatestAuthorizationModelID` has changed to `FindLatestAuthorizationModel` for performance improvements.
[#1387](https://github.com/openfga/openfga/pull/1387)

If you implement your own data store, you will need to make the following change:

<table>
<tr>
<th>Before</th>
<th>After</th>
</tr>
<tr>
<td>

```go
func (...) FindLatestAuthorizationModelID(ctx context.Context, storeID string) (string, error) {
  //...get model ID
  return modelID, nil
}
```

</td>
<td>

```go
func (...) FindLatestAuthorizationModel(ctx context.Context, storeID string) (*openfgav1.AuthorizationModel, error) {
  //...get model
  return model.(*openfgav1.AuthorizationModel), nil
}
```

</td>
</tr>
</table>

## [1.4.3] - 2024-01-26

[Full changelog](https://github.com/openfga/openfga/compare/v1.4.2...v1.4.3)

### Added

* Add ability to close all server resources through `server.Stop()` ([#1318](https://github.com/openfga/openfga/pull/1318))

### Changed

* Increase performance by removing redundant `map.Clone()` calls in model validation ([#1281](https://github.com/openfga/openfga/pull/1281))

### Fixed

* Fix the sorting of contextual tuples when generating a cache key during check ([#1299](https://github.com/openfga/openfga/pull/1299))

### Security

* Patch [CVE-2024-23820](https://github.com/openfga/openfga/security/advisories/GHSA-rxpw-85vw-fx87) - a critical issue
  where issuing many `ListObjects` API calls that hit the `--listObjects-deadline` setting can lead to an out of memory error.
  See the CVE report for more details

## [1.4.2] - 2024-01-10

[Full changelog](https://github.com/openfga/openfga/compare/v1.4.1...v1.4.2)

### Fixed

* Goroutine leak in ListObjects because of a leak in ReverseExpand ([#1297](https://github.com/openfga/openfga/pull/1297))

## [1.4.1] - 2024-01-04

[Full changelog](https://github.com/openfga/openfga/compare/v1.4.0...v1.4.1)

### Changed
* Reduce goroutine overhead in ListObjects ([#1173](https://github.com/openfga/openfga/pull/1173))

* Added `openfga` prefix to custom exported Prometheus metrics

  > ⚠️ This change may impact existing deployments of OpenFGA if you're integrating with the metrics reported by OpenFGA.

  Custom metrics reported by the OpenFGA server are now prefixed with `openfga_`. For example, `request_duration_by_query_count_ms` is now exported as `openfga_request_duration_by_query_count_ms`.

### Added
* Support for cancellation/timeouts when evaluating Conditions ([#1237](https://github.com/openfga/openfga/pull/1237))
* Tracing span info for Condition evaluation ([#1251](https://github.com/openfga/openfga/pull/1251))

### Fixed
* Resolve rewrites involving exclusion (e.g. `but not`) more deterministically in Check ([#1239](https://github.com/openfga/openfga/pull/1239))

* Record span errors correctly in Check, ListObjects, and StreamedListObjects ([#1231](https://github.com/openfga/openfga/pull/1231))

* Log request validation errors correctly ([#1236](https://github.com/openfga/openfga/pull/1236))

## [1.4.0] - 2023-12-11

[Full changelog](https://github.com/openfga/openfga/compare/v1.3.10...v1.4.0)

### Changed
* Enable support for Conditional Relationship Tuples by default.
  ([#1220](https://github.com/openfga/openfga/pull/1220))

* Added stricter gRPC server max message size constraints ([#1222](https://github.com/openfga/openfga/pull/1222))

  We changed the default gRPC max message size (4MB) to a stricter 512KB to protect the server from excessively large request `context` fields. This shouldn't impact existing clients since our calculated max message size should be much smaller than 512KB given our other input constraints.

## [1.3.10] - 2023-12-08

[Full changelog](https://github.com/openfga/openfga/compare/v1.3.9...v1.3.10)

### Changed
* Bumped up to Go 1.21.5 ([#1219](https://github.com/openfga/openfga/pull/1219))

### Fixed
* Reorder protobuf fields for persisted Assertions ([#1217](https://github.com/openfga/openfga/pull/1217))

  Assertions written on or after v1.3.8 should be re-written to resolve some binary encoding issues that were introduced.

* Handle floating point conversion errors in conditions ([#1200](https://github.com/openfga/openfga/pull/1200))

## [1.3.9] - 2023-12-05

[Full changelog](https://github.com/openfga/openfga/compare/v1.3.8...v1.3.9)

### Fixed
* Avoid panic when processing a nil set of writes ([#1208](https://github.com/openfga/openfga/pull/1208)) - thanks @stgraber!

* Decoding of null conditions in SQL storage implementations ([#1212](https://github.com/openfga/openfga/pull/1212))

## [1.3.8] - 2023-12-04

[Full changelog](https://github.com/openfga/openfga/compare/v1.3.7...v1.3.8)

### Added
* Experimental support for ABAC Conditional Relationships.

  To enable experimental support for ABAC Conditional Relationships you can pass the `enable-conditions` experimental flag. For example, `openfga run --experimentals=enable-conditions`. The upcoming `v1.4.0` release will introduce official support for this new feature.
  For more information please see our [official blog post](https://openfga.dev/blog/conditional-tuples-announcement). The `v1.4.0` release will have more official documentation on [openfga.dev](https://openfga.dev/).

  > ⚠️ If you enable experimental support for ABAC and introduce models and/or relationship tuples into the system and then choose to roll back to a prior release, then you may experience unintended side-effects. Care should be taken!
  >
  > Read on for more information.

  If you introduce a model with a condition defined in a relation's type restriction(s) and then roll back to a prior OpenFGA release, then the model will be treated as though the conditioned type restriction did not exist.

  ```
  model
    schema 1.1

  type user

  type document
    relations
      define viewer: [user with somecondition]

  condition somecondition(x: int) {
    x < 100
  }
  ```
  If you write the model above and then roll back to `v1.3.7` or earlier, it will be treated equivalently to
  ```
  model
    schema 1.1

  type user

  type document
    relations
      define viewer: [user]
  ```

  Likewise, if you write a relationship tuple with a condition and then roll back to a prior release, then the tuple will be treated as an unconditioned tuple.

  ```
  - document:1#viewer@user:jon, {condition: "somecondition"}
  ```
  will be treated equivalently to `document:1#viewer@user:jon` in `v1.3.7` or earlier. That is, `Check(document:1#viewer@user:jon)` would return `{allowed: true}` even though at the time the tuple was introduced it was conditioned.

* Minimum datastore schema revision check in the server's health check ([#1166](https://github.com/openfga/openfga/pull/1166))

  Each OpenFGA release from here forward will explicitly reference a minimum datastore schema version that is required to run that specific release of OpenFGA.
  If OpenFGA operators have not migrated up to that revision then the server's health checks will fail.

* Username/password configuration overrides for the `openfga migrate` entrypoint ([#1133](https://github.com/openfga/openfga/pull/1133)). Thanks for the contribution @martin31821!

  Similar to the server's main entrypoint `openfga run`, you can now override the datastore username and password with environment variables when running the `openfga migrate` utility.

* Healthcheck definitions in Dockerfile ([#1134](https://github.com/openfga/openfga/pull/1134)). Thanks @Siddhant-K-code!

### Changed
* Database iterators yielded by the RelationshipTupleReader storage interface now accept a `context` parameter which allows iteration to be promptly terminated ([#1055](https://github.com/openfga/openfga/pull/1055))

  We have noticed improvements in query performance by adding this because once a resolution path has been found we more quickly cancel any further evaluation by terminating the iterators promptly.

* Improved tuple validation performance with precomputation of TTUs ([#1171](https://github.com/openfga/openfga/pull/1171))

* Refactored the commands in the `pkg/server/commands` package to uniformly use the Options builder pattern ([#1142](https://github.com/openfga/openfga/pull/1142)). Thanks for the contribution @ilaleksin!

* Upgraded to Go `1.21.4` ([#1143](https://github.com/openfga/openfga/pull/1143)). Thanks @tranngoclam!

### Fixed
* If two requests were made with the same request body and contextual tuples but the order of the contextual tuples differed, then the cache key that is produced is now the same. ([#1187](https://github.com/openfga/openfga/pull/1187))

* Use `NoOp` TracerProvider if tracing is disabled ([#1139](https://github.com/openfga/openfga/pull/1139) and [#1196](https://github.com/openfga/openfga/pull/1196))

## [1.3.7] - 2023-11-06

[Full changelog](https://github.com/openfga/openfga/compare/v1.3.6...v1.3.7)

### Security
* Bumped up the `grpc-health-probe` dependency to the latest release which fixed some vulnerabilities.

## [1.3.6] - 2023-11-06

[Full changelog](https://github.com/openfga/openfga/compare/v1.3.5...v1.3.6)

### Added
* Provenance manifests generation (`openfga.intoto.jsonl`) for verification of release artifacts with SLSA attestations.

### Changed
* Removed the experimental flag `check-query-cache`. If you wish to enable the Check query cache you no longer need the experimental flag.

## [1.3.5] - 2023-10-27

[Full changelog](https://github.com/openfga/openfga/compare/v1.3.4...v1.3.5)

### Added

* Export metrics from MySQL and Postgres ([#1023](https://github.com/openfga/openfga/pull/1023))

  To export datastore metrics, set `OPENFGA_METRICS_ENABLED=true` and `OPENFGA_DATASTORE_METRICS_ENABLED=true`.

### Fixed

* Return all results when `OPENFGA_LIST_OBJECTS_MAX_RESULTS=0` ([#1067](https://github.com/openfga/openfga/pull/1067))
* Promptly return if max results are met before deadline in ListObjects ([#1064](https://github.com/openfga/openfga/pull/1064))
* Fix sort order on ReadChanges ([#1079](https://github.com/openfga/openfga/pull/1079))

### Changed

* Write Authorization Models in a single database row ([#1030](https://github.com/openfga/openfga/pull/1030))

  :warning: In order to avoid downtime, we recommend upgrading to at least v1.3.3 _before_ upgrading to v1.3.5.

  This is the second of a series of releases that will progressively introduce changes via code and database migrations that will allow authorization models to be stored in a single database row.

  See [here for more details](https://github.com/openfga/openfga/issues/1025).

## [1.3.4] - 2023-10-17

[Full changelog](https://github.com/openfga/openfga/compare/v1.3.3...v1.3.4)

### Fixed

* Incorrect string in model validation error message ([#1057](https://github.com/openfga/openfga/pull/1057))
* Incorrect results can be returned by Check API when passing in contextual tuples and the `check-query-cache` experimental flag is turned on ([#1059](https://github.com/openfga/openfga/pull/1059))

### Changed

* Bumped up to Go 1.21.3 ([#1060](https://github.com/openfga/openfga/pull/1060))

### Security

* Patches [CVE-2023-45810](https://github.com/openfga/openfga/security/advisories/GHSA-hr4f-6jh8-f2vq).
  See the CVE for more details

## [1.3.3] - 2023-10-04

[Full changelog](https://github.com/openfga/openfga/compare/v1.3.2...v1.3.3)

### Added

* Configurable size limit for Authorization Models ([#1032](https://github.com/openfga/openfga/pull/1032))

  We've introduced a new size limit for authorization models, providing consistent behavior across datastores, which defaults to `256KB`. This can be configured by using the `--max-authorization-model-size-in-bytes` flag.

### Fixed

* Reduce use of GOB in encoded cache key ([#1029](https://github.com/openfga/openfga/pull/1029))

### Changed

* Move standalone server config defaults ([#1036](https://github.com/openfga/openfga/pull/1036))

* Persist Authorization Models serialized protobuf in the database ([#1028](https://github.com/openfga/openfga/pull/1028))

  The next series of releases will progressively introduce changes via code and database migrations that will allow authorization models to be stored in a single database row.

  See [here for more details](https://github.com/openfga/openfga/issues/1025).

## [1.3.2] - 2023-08-25
### Added
* Support TLS for OTLP trace endpoint ([#885](https://github.com/openfga/openfga/pull/885)) - thanks @matoous
* Configurable limits to database reads per ListObjects query ([#967](https://github.com/openfga/openfga/pull/967))
* Datastore query count labels to traces and query latency histogram in ListObjects ([#959](https://github.com/openfga/openfga/pull/959))
* GitHub workflow to check Markdown links ([#1016](https://github.com/openfga/openfga/pull/1016)) - thanks @sanketrai1

### Fixed
* Change response code to internal error for concurrency conflicts ([#1011](https://github.com/openfga/openfga/pull/1011))

### Changed
* Use slices and maps packages from go1.21 ([#969](https://github.com/openfga/openfga/pull/969)) - thanks @tranngoclam
* Moved request validations to RPC handlers so library integrations benefit ([#975](https://github.com/openfga/openfga/pull/975), [#998](https://github.com/openfga/openfga/pull/998))
* Refactored internal usages of ConnectedObjects to ReverseExpand ([#968](https://github.com/openfga/openfga/pull/968))
* Expose validation middleware ([#1005](https://github.com/openfga/openfga/pull/1005))
* Upgrade grpc validator middleware to the latest v2 package ([#1019](https://github.com/openfga/openfga/pull/1019)) - thanks @tranngoclam

### Security
* Patches [CVE-2023-43645](https://github.com/openfga/openfga/security/advisories/GHSA-2hm9-h873-pgqh) - see the CVE for more details

  **[BREAKING]** If your model contained cycles or a relation definition that has the relation itself in its evaluation path, then Checks and queries that require evaluation will no longer be evaluated on v1.3.2+ and will return errors instead. You will need to update your models to remove the cycles.
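
A pre-upgrade check for the condition in the breaking-change note above, as an added example (not OpenFGA's own validation code): it reports every relation that has itself in its evaluation path. The `Model` and `Cycle` types, the function names and the sample model are assumptions made for illustration; only same-object rewrites such as `define viewer: [user] or editor` are modelled, and `X from Y` rewrites, which recurse over tuples rather than over the model alone, are left out.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Model is a simplified, hypothetical view of an authorization model (an
// assumption of this example, not an OpenFGA type). Each "type#relation" maps
// to the relations on the same object that its definition rewrites to, e.g.
// `define viewer: [user] or editor` yields viewer -> editor. Direct
// assignments such as [user] add no edge.
type Model map[string][]string

// Cycle names a relation that has itself in its evaluation path, with the
// shortest rewrite path that leads back to it.
type Cycle struct {
	Relation string
	Path     []string
}

// pathBackTo runs a breadth-first search from start and returns the shortest
// path start -> ... -> start, or nil when start cannot reach itself.
func pathBackTo(m Model, start string) []string {
	parent := map[string]string{}
	queue := []string{start}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		for _, next := range m[cur] {
			if next == start {
				// Walk the parent links back to start, then reverse.
				path := []string{start}
				for n := cur; n != start; n = parent[n] {
					path = append(path, n)
				}
				path = append(path, start)
				for i, j := 0, len(path)-1; i < j; i, j = i+1, j-1 {
					path[i], path[j] = path[j], path[i]
				}
				return path
			}
			if _, seen := parent[next]; !seen {
				parent[next] = cur
				queue = append(queue, next)
			}
		}
	}
	return nil
}

// FindCycles checks every relation independently, so a relation that sits on
// a cycle is reported even when it is only reachable through another cycle.
// Results are sorted by relation name for stable output.
func FindCycles(m Model) []Cycle {
	names := make([]string, 0, len(m))
	for name := range m {
		names = append(names, name)
	}
	sort.Strings(names)
	var out []Cycle
	for _, name := range names {
		if p := pathBackTo(m, name); p != nil {
			out = append(out, Cycle{Relation: name, Path: p})
		}
	}
	return out
}

// SampleModel is constructed for this example:
//
//	type document: owner: [user]; editor: [user] or owner or viewer;
//	               viewer: [user] or editor; can_share: owner
//	type folder:   admin: admin
func SampleModel() Model {
	return Model{
		"document#owner":     nil,
		"document#editor":    {"document#owner", "document#viewer"},
		"document#viewer":    {"document#editor"},
		"document#can_share": {"document#owner"},
		"folder#admin":       {"folder#admin"},
	}
}

func main() {
	for _, c := range FindCycles(SampleModel()) {
		fmt.Printf("%s is cyclic: %s\n", c.Relation, strings.Join(c.Path, " -> "))
	}
}
```

Running it against the sample flags `document#editor`, `document#viewer` and `folder#admin`; `document#can_share` and `document#owner` resolve without revisiting themselves and are not reported.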

## [1.3.1] - 2023-08-23

### Added
* Count datastore queries involved in Check resolution metadata ([#880](https://github.com/openfga/openfga/pull/880))

  OpenFGA request logs and traces will now include a field `datastore_query_count` that shows how many queries were involved in a single Check resolution.

* Histogram metric to report the `datastore_query_count` per Check ([#924](https://github.com/openfga/openfga/pull/932))

  This new metric can be used to report percentiles of the number of database queries required to resolve Check requests.

* Check request duration histogram labeled by method and datastore query count ([#950](https://github.com/openfga/openfga/pull/950))

  The `request_duration_by_query_count_ms` metric reports the total request duration (in ms) labelled by the RPC method and ranges of observations for the `datastore_query_count`. This metric allows operators of an OpenFGA server to report request duration percentiles for Check requests based on the number of database queries that were required to resolve the query.

* Optimize Check to avoid database lookups in some scenarios ([#932](https://github.com/openfga/openfga/pull/932))

* CachedCheckResolver for caching Check subproblems ([#891](https://github.com/openfga/openfga/pull/891))

  This experimental feature adds new caching capabilities to the OpenFGA server. It is an "opt-in" feature and thus must be enabled. To enable this feature you must specify the experimental flag `check-query-cache` and set the `--check-query-cache-enabled=true` flag.

  ```shell
  openfga run --experimentals check-query-cache --check-query-cache-enabled=true
  ```

* Server request logs now include the `user-agent` ([#943](https://github.com/openfga/openfga/pull/943))

### Changed
* Default Check and ListObjects concurrency read limits ([#916](https://github.com/openfga/openfga/pull/916))

  In our last release [v1.3.0](https://github.com/openfga/openfga/releases/tag/v1.3.0) we modified the default behavior of Check and ListObjects such that it limits/restricts the degree of concurrency that is allowed for a single request. This change was unintended. This release reverts the default behavior back to unbounded concurrency limits (the prior default). The change mostly affects those using OpenFGA as a library.

* Bumped up to Go 1.21 ([#952](https://github.com/openfga/openfga/pull/952))

### Security
* Patches [CVE-2023-40579](https://github.com/openfga/openfga/security/advisories/GHSA-jcf2-mxr2-gmqp) - see the CVE for more details

## [1.3.0] - 2023-08-01

[Full changelog](https://github.com/openfga/openfga/compare/v1.2.0...v1.3.0)

### Added
* Bounded concurrency limiter for Check and ListObjects queries ([#860](https://github.com/openfga/openfga/pull/860), [#887](https://github.com/openfga/openfga/pull/887))

  New server configurations can be provided to limit/bound the amount of concurrency that is allowed during query evaluation. These settings can help reduce the impact/burden that a single query (e.g. Check, ListObjects, etc.) can have on the underlying database and OpenFGA server.

  * `--maxConcurrentReadsForListObjects` - The maximum allowed number of concurrent reads in a single ListObjects query.

  * `--maxConcurrentReadsForCheck` - The maximum allowed number of concurrent reads in a single Check query.

  * `--resolveNodeBreadthLimit` - Defines how many nodes on a given level can be evaluated concurrently in a Check resolution tree.

* Jaeger persistent storage for traces in `docker-compose.yaml` ([#888](https://github.com/openfga/openfga/pull/888)) - thanks @Azanul

### Fixed
* Disable default debug level-logging in `retryablehttp` client ([#882](https://github.com/openfga/openfga/pull/882)) - thanks @KlausVii

### Changed
* [BREAKING] Imports for OpenFGA protobuf API dependencies ([#898](https://github.com/openfga/openfga/pull/898))
  * **Problem** - Previously we depended on [Buf remote generated packages](https://buf.build/docs/bsr/remote-packages/overview), but they recently deprecated protobuf imports served from the `go.buf.build` domain (see [Migrate from remote generation alpha](https://buf.build/docs/migration-guides/migrate-remote-generation-alpha)). OpenFGA builds are currently broken as a result of this.
  * **Change** - We switched our protobuf API dependency from `go.buf.build/openfga/go/openfga/api/openfga/v1` to `github.com/openfga/api/proto/openfga/v1`. So we no longer use Buf remote generated packages in favor of packages we managed in the [`openfga/api`](https://github.com/openfga/api) repository. This fixes existing build issues.
  * **Impact** - Developers using the OpenFGA as a library or the gRPC API must change their protobuf dependency from `go.buf.build/openfga/go/openfga/api/openfga/v1` to `github.com/openfga/api/proto/openfga/v1`. A global find/replace and package dependency update should fix it. Here's a diff demonstrating the changes for a Go app, for example:

    ```go
    import (
      ...
    - openfgav1 "go.buf.build/openfga/go/openfga/api/openfga/v1"
    + openfgav1 "github.com/openfga/api/proto/openfga/v1"
    )
    ```

* Refactor the `Server` constructor to use the options builder pattern ([#833](https://github.com/openfga/openfga/pull/833))

  ```go
  import (
    openfga "github.com/openfga/openfga/pkg/server"
  )

  s := openfga.New(
    &server.Dependencies{...},
    &server.Config{...},
  )
  ```
  becomes
  ```go
  import (
    openfga "github.com/openfga/openfga/pkg/server"
  )

  var opts []openfga.OpenFGAServiceV1Option
  s := openfga.MustNewServerWithOpts(opts...)
  ```

## [1.2.0] - 2023-06-30

[Full changelog](https://github.com/openfga/openfga/compare/v1.1.1...v1.2.0)

### Added
* Optimizations for [ListObjects](https://openfga.dev/api/service#/Relationship%20Queries/ListObjects) and [StreamedListObjects](https://openfga.dev/api/service#/Relationship%20Queries/StreamedListObjects) for models involving intersection (`and`) and exclusion (`but not`) ([#797](https://github.com/openfga/openfga/pull/797))

### Changed
* Cache model validation results on first model load ([#831](https://github.com/openfga/openfga/pull/831))
* Cache inflight requests when looking up any authorization model ([#831](https://github.com/openfga/openfga/pull/831))
* Update postgres max connections in docker compose file ([#829](https://github.com/openfga/openfga/pull/829))

## [1.1.1] - 2023-06-26

[Full changelog](https://github.com/openfga/openfga/compare/v1.1.0...v1.1.1)

### Added
* Official Homebrew installation instructions ([#781](https://github.com/openfga/openfga/pull/781)) - thanks @chenrui333
* The `--verbose` flag has been added to the `openfga migrate` command ([#776](https://github.com/openfga/openfga/pull/776))
* The `openfga validate-models` CLI command has been introduced to validate all models across all stores
  ([#817](https://github.com/openfga/openfga/pull/817))

### Changed
* Updated the version of the `grpc-health-probe` binary included in OpenFGA builds ([#784](https://github.com/openfga/openfga/pull/784))
* Cache inflight requests when looking up the latest authorization model ([#820](https://github.com/openfga/openfga/pull/820))

### Fixed
* Validation of models with non-zero entrypoints ([#802](https://github.com/openfga/openfga/pull/802))
* Remove unintended newlines in model validation error messages ([#816](https://github.com/openfga/openfga/pull/816)) - thanks @Galzzly

### Security
* Patches [CVE-2023-35933](https://github.com/openfga/openfga/security/advisories/GHSA-hr9r-8phq-5x8j) - additional model validations are now applied to models that can lead to the vulnerability. See the CVE report for more details, and don't hesitate to reach out if you have questions.

## [1.1.0] - 2023-05-15

[Full changelog](https://github.com/openfga/openfga/compare/v1.0.1...v1.1.0)

## Added
* Streaming ListObjects has no limit in number of results returned ([#733](https://github.com/openfga/openfga/pull/733))
* Add Homebrew release stage to goreleaser's release process ([#716](https://github.com/openfga/openfga/pull/716))

## Fixed
* Avoid DB connection churning in unoptimized ListObjects ([#711](https://github.com/openfga/openfga/pull/711))
* Ensure ListObjects respects configurable ListObjectsDeadline ([#704](https://github.com/openfga/openfga/pull/704))
* In Write, throw 400 instead of 500 error if auth model ID not found ([#725](https://github.com/openfga/openfga/pull/725))
* Performance improvements when loading the authorization model ([#726](https://github.com/openfga/openfga/pull/726))
* Ensure Check evaluates deterministically on the eval boundary case ([#732](https://github.com/openfga/openfga/pull/732))

## Changed
* [BREAKING] The flags to turn on writing
  and evaluation of `v1.0` models have been dropped ([#763](https://github.com/openfga/openfga/pull/763))

## [1.0.1] - 2023-04-18

[Full changelog](https://github.com/openfga/openfga/compare/v1.0.0...v1.0.1)

## Fixed
* Correct permission and location for gRPC health probe in Docker image (#697)

## [1.0.0] - 2023-04-14

[Full changelog](https://github.com/openfga/openfga/compare/v0.4.3...v1.0.0)

## Ready for Production with Postgres
OpenFGA with Postgres is now considered stable and ready for production usage.

## Fixed
* MySQL migration script errors during downgrade (#664)

## [0.4.3] - 2023-04-12

[Full changelog](https://github.com/openfga/openfga/compare/v0.4.2...v0.4.3)

## Added
* Release artifacts are now signed and include a Software Bill of Materials (SBOM) ([#683](https://github.com/openfga/openfga/pull/683))

  The SBOM (Software Bill of Materials) is included in each GitHub release using [Syft](https://github.com/anchore/syft) and is exported in [SPDX](https://spdx.dev) format.

  Developers will be able to verify the signature of the release artifacts with the following workflow(s):

  ```shell
  wget https://github.com/openfga/openfga/releases/download/<tag>/checksums.txt

  cosign verify-blob \
    --certificate-identity 'https://github.com/openfga/openfga/.github/workflows/release.yml@refs/tags/<tag>' \
    --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
    --cert https://github.com/openfga/openfga/releases/download/<tag>/checksums.txt.pem \
    --signature https://github.com/openfga/openfga/releases/download/<tag>/checksums.txt.sig \
    ./checksums.txt
  ```

  If the `checksums.txt` validation succeeds, it means the checksums included in the release were not tampered with, so we can use it to verify the hashes of other files using the `sha256sum` utility.
  You can then download any file you want from the release, and verify it with, for example:

  ```shell
  wget https://github.com/openfga/openfga/releases/download/<tag>/openfga_<version>_linux_amd64.tar.gz.sbom
  wget https://github.com/openfga/openfga/releases/download/<tag>/openfga_<version>_linux_amd64.tar.gz

  sha256sum --ignore-missing -c checksums.txt
  ```

  And both should say "OK".

  You can then inspect the .sbom file to see the entire dependency tree of the binary.

  Developers can also verify the Docker image signature. Cosign actually embeds the signature in the image manifest, so we only need the public key used to sign it in order to verify its authenticity:

  ```shell
  cosign verify --key cosign.pub openfga/openfga:<tag>
  ```

* `openfga migrate` now accepts reading configuration from a config file and environment variables like the `openfga run` command ([#655](https://github.com/openfga/openfga/pull/655)) - thanks @suttod!

* The `--trace-service-name` command-line flag has been added to allow for customizing the service name in traces ([#652](https://github.com/openfga/openfga/pull/652)) - thanks @jmiettinen

## Fixed
* Postgres and MySQL implementations have been fixed to avoid ordering relationship tuple queries by `ulid` when it is not needed.
  This can improve read query performance on larger OpenFGA stores ([#677](https://github.com/openfga/openfga/pull/677))
* Synchronize concurrent access to in-memory storage iterators ([#587](https://github.com/openfga/openfga/pull/587))
* Improve error logging in the `openfga migrate` command ([#663](https://github.com/openfga/openfga/pull/663))
* Fix middleware ordering so that `requestid` middleware is registered earlier ([#662](https://github.com/openfga/openfga/pull/662))

### Changed
* Bumped up to Go version 1.20 ([#664](https://github.com/openfga/openfga/pull/664))
* Default model schema versions to 1.1 ([#669](https://github.com/openfga/openfga/pull/669))

  In preparation for sunsetting support for models with schema version 1.0, the [WriteAuthorizationModel API](https://openfga.dev/api/service#/Authorization%20Models/WriteAuthorizationModel) will now interpret any model provided to it as a 1.1 model if the `schema_version` field is omitted in the request. This shouldn't affect default behavior since 1.0 model support is enabled by default.

## [0.4.2] - 2023-03-17

[Full changelog](https://github.com/openfga/openfga/compare/v0.4.1...v0.4.2)

### Fixed
* Correct migration path for mysql in `openfga migrate` ([#644](https://github.com/openfga/openfga/pull/664))

## [0.4.1] - 2023-03-16

[Full changelog](https://github.com/openfga/openfga/compare/v0.4.0...v0.4.1)

The `v0.4.1` release includes everything in `v0.4.0` which includes breaking changes, please read the [`v0.4.0` changelog entry](#040---2023-03-15) for more details.

### Fixed

* Fix ListObjects not returning objects a user has access to in some cases (openfga/openfga#637)

## [0.4.0] - 2023-03-15

[Full changelog](https://github.com/openfga/openfga/compare/v0.3.7...v0.4.0)

> Note: the 0.4.0 release was held due to issues discovered after the release was cut.

### Removed

* [BREAKING] Disable schema 1.0 support, except if appropriate flags are set (openfga/openfga#613)
  * As of this release, OpenFGA no longer allows writing or evaluating schema `v1.0` models by default. If you need support for it for now, you can use the following flags:
    * `OPENFGA_ALLOW_WRITING_1_0_MODELS`: set to `true` to allow `WriteAuthorizationModel` to accept schema `v1.0` models.
    * `OPENFGA_ALLOW_EVALUATING_1_0_MODELS`: set to `true` to allow `Check`, `Expand`, `ListObjects`, `Write` and `WriteAssertions` that target schema `v1.0` models.
  * `ReadAuthorizationModel`, `ReadAuthorizationModels` and `ReadAssertions` are unaffected and will continue to work regardless of the target model schema version.
  * Note that these flags will be removed and support fully dropped in a future release. Read the [Schema v1.0 Deprecation Timeline](https://openfga.dev/docs/modeling/migrating/migrating-schema-1-1#deprecation-timeline) for more details.

### Added
* Add OpenFGA version command to the CLI ([#625](https://github.com/openfga/openfga/pull/625))
* Add `timeout` flag to `migrate` command ([#634](https://github.com/openfga/openfga/pull/634))

### Fixed

* Improve the speed of Check for 1.1 models by using type restrictions ([#545](https://github.com/openfga/openfga/pull/545), [#596](https://github.com/openfga/openfga/pull/596))
* Various important fixes to the experimental ListObjects endpoint
* Improve readUsersets query by dropping unnecessary sorting ([#631](https://github.com/openfga/openfga/pull/631), [#633](https://github.com/openfga/openfga/pull/633))
* Fix null pointer exception if computed userset does not exist ([#572](https://github.com/openfga/openfga/pull/572))
* Fix race condition in memory store ([#585](https://github.com/openfga/openfga/pull/585))
* Ensure no objects returned that would not have been allowed in Checks ([#577](https://github.com/openfga/openfga/pull/577))
* Reverse expansion with indirect computed userset relationship ([#611](https://github.com/openfga/openfga/pull/611))
* Improved tests ([#582](https://github.com/openfga/openfga/pull/582), [#599](https://github.com/openfga/openfga/pull/599), [#601](https://github.com/openfga/openfga/pull/601), [#620](https://github.com/openfga/openfga/pull/620))
* Tuning of OTEL parameters ([#570](https://github.com/openfga/openfga/pull/570))
* Fix tracing in Check API ([#627](https://github.com/openfga/openfga/pull/627))
* Use chainguard images in Dockerfile ([#628](https://github.com/openfga/openfga/pull/628))

## [0.3.7] - 2023-02-21

[Full changelog](https://github.com/openfga/openfga/compare/v0.3.6...v0.3.7)

### Fixed
* Contextual tuple propagation in the unoptimized ListObjects implementation ([#565](https://github.com/openfga/openfga/pull/565))

## [0.3.6] - 2023-02-16

[Full changelog](https://github.com/openfga/openfga/compare/v0.3.5...v0.3.6)

Re-release of `v0.3.5` because the go module proxy cached a prior commit of the `v0.3.5` tag.

## [0.3.5] - 2023-02-14

[Full changelog](https://github.com/openfga/openfga/compare/v0.3.4...v0.3.5)

### Added
* [`grpc-health-probe`](https://github.com/grpc-ecosystem/grpc-health-probe) for Health Checks ([#520](https://github.com/openfga/openfga/pull/520))

  OpenFGA containers now include an embedded `grpc_health_probe` binary that can be used to probe the Health Check endpoints of OpenFGA servers. Take a look at the [docker-compose.yaml](https://github.com/openfga/openfga/blob/main/docker-compose.yaml) file for an example.

* Improvements to telemetry: logging, tracing, and metrics ([#468](https://github.com/openfga/openfga/pull/468), [#514](https://github.com/openfga/openfga/pull/514), [#517](https://github.com/openfga/openfga/pull/517), [#522](https://github.com/openfga/openfga/pull/522))

  * We have added Prometheus as the standard metrics provided for OpenFGA and provide a way to launch Grafana to view the metrics locally. See [docker-compose.yaml](https://github.com/openfga/openfga/blob/main/docker-compose.yaml) for more information.

  * We've improved the attributes of various trace spans and made sure that trace span names align with the functions they decorate.

  * Our logging has been enhanced with more logged fields including request level logging which includes a `request_id` and `store_id` field in the log message.

  These features will allow operators of OpenFGA to improve their monitoring and observability processes.

* Nightly releases ([#508](https://github.com/openfga/openfga/pull/508)) - thanks @Siddhant-K-code!

  You should now be able to run nightly releases of OpenFGA using `docker pull openfga/openfga:nightly`

### Fixed
* Undefined computed relations on tuplesets now behave properly ([#532](https://github.com/openfga/openfga/pull/532))

  If you had a model involving two different computed relations on the same tupleset, then it's possible you may have received an internal server error if one of the computed relations was undefined.
  For example,
  ```
  type document
    relations
      define parent as self
      define viewer as x from parent or y from parent

  type folder
    relations
      define x as self

  type org
    relations
      define y as self
  ```
  Given the tuple `{ user: "org:contoso", relation: "parent", object: "document:1" }`, then `Check({ user: "jon", relation: "viewer", object: "document:1" })` would return an error prior to this fix because the `x` computed relation on the `document#parent` tupleset relation is not defined for the `org` object type.

* Eliminate duplicate objects in ListObjects response ([#528](https://github.com/openfga/openfga/pull/528))

## [0.3.4] - 2023-02-02

[Full changelog](https://github.com/openfga/openfga/compare/v0.3.3...v0.3.4)

### Fixed

* Fixed the environment variable mapping ([#498](https://github.com/openfga/openfga/pull/498)). For the full list of environment variables see [.config-schema.json](https://github.com/openfga/openfga/blob/main/.config-schema.json).
* Fix for stack overflow error in ListObjects ([#506](https://github.com/openfga/openfga/pull/506)). Thank you for reporting the issue @wonderbeyond!

### Added

* Added OpenTelemetry tracing ([#499](https://github.com/openfga/openfga/pull/499))

### Removed

* The ReadTuples endpoint has been removed ([#495](https://github.com/openfga/openfga/pull/495)). Please use [Read](https://openfga.dev/api/service#/Relationship%20Tuples/Read) with no tuple key instead (e.g. `POST /stores/<store_id>/read` with `{}` as the body).

## [0.3.3] - 2023-01-31

[Full changelog](https://github.com/openfga/openfga/compare/v0.3.2...v0.3.3)

### Added

* Environment variable names have been updated ([#472](https://github.com/openfga/openfga/pull/472)).

  For example, `OPENFGA_MAX_TUPLES_PER_WRITE` instead of `OPENFGA_MAXTUPLESPERWRITE`.

  For the full list please see [.config-schema.json](https://github.com/openfga/openfga/blob/main/.config-schema.json).

  The old form still works but is considered deprecated and should not be used anymore.

* Optimized ListObjects is now on by default ([#489](https://github.com/openfga/openfga/pull/489)) (`--experimentals="list-objects-optimized"` is no longer needed)

* Avoid connection churn in our datastore implementations ([#474](https://github.com/openfga/openfga/pull/474))

* The default values for `OPENFGA_DATASTORE_MAX_OPEN_CONNS` and `OPENFGA_DATASTORE_MAX_IDLE_CONNS` have been set to 30 and 10 respectively ([#492](https://github.com/openfga/openfga/pull/492))

### Fixed

* ListObjects should no longer return duplicates ([#475](https://github.com/openfga/openfga/pull/475))

## [0.3.2] - 2023-01-18

[Full changelog](https://github.com/openfga/openfga/compare/v0.3.1...v0.3.2)

### Added
* OpenTelemetry metrics integration with an `otlp` exporter ([#360](https://github.com/openfga/openfga/pull/360)) - thanks @AlexandreBrg!

  To export OpenTelemetry metrics from an OpenFGA instance you can now provide the `otel-metrics` experimental flag along with the `--otel-telemetry-endpoint` and `--otel-telemetry-protocol` flags. For example,

  ```
  ./openfga run --experimentals=otel-metrics --otel-telemetry-endpoint=127.0.0.1:4317 --otel-telemetry-protocol=http
  ```

  For more information see the official documentation on [Experimental Features](https://openfga.dev/docs/getting-started/setup-openfga/docker#experimental-features) and [Telemetry](https://openfga.dev/docs/getting-started/setup-openfga/docker#telemetry).

* Type-bound public access support in the optimized ListObjects implementation (when the `list-objects-optimized` experimental feature is enabled) ([#444](https://github.com/openfga/openfga/pull/444))

### Fixed
* Tuple validations for models with schema version 1.1 ([#446](https://github.com/openfga/openfga/pull/446), [#457](https://github.com/openfga/openfga/pull/457))
* Evaluate rewrites on nested usersets in the optimized ListObjects implementation ([#432](https://github.com/openfga/openfga/pull/432))

## [0.3.1] - 2022-12-19

[Full changelog](https://github.com/openfga/openfga/compare/v0.3.0...v0.3.1)

### Added
* Datastore configuration flags to control connection pool settings
  * `--datastore-max-open-conns`
  * `--datastore-max-idle-conns`
  * `--datastore-conn-max-idle-time`
  * `--datastore-conn-max-lifetime`

  These flags can be used to fine-tune database connections for your specific deployment of OpenFGA.

* Log level configuration flags
  * `--log-level` (can be one of ['none', 'debug', 'info', 'warn', 'error', 'panic', 'fatal'])

* Support for Experimental Feature flags

  A new flag `--experimentals` has been added to enable certain experimental features in OpenFGA. For more information see [Experimental Features](https://openfga.dev/docs/getting-started/setup-openfga/docker#experimental-features).

### Security
* Patches [CVE-2022-23542](https://github.com/openfga/openfga/security/advisories/GHSA-m3q4-7qmj-657m) - relationship reads now respect type restrictions from prior models ([#422](https://github.com/openfga/openfga/pull/422)).

## [0.3.0] - 2022-12-12

[Full changelog](https://github.com/openfga/openfga/compare/v0.2.5...v0.3.0)

This release comes with a few big changes:

### Support for [v1.1 JSON Schema](https://github.com/openfga/rfcs/blob/feat/add-type-restrictions-to-json-syntax/20220831-add-type-restrictions-to-json-syntax.md)

- You can now write your models in the [new DSL](https://github.com/openfga/rfcs/blob/type-restriction-dsl/20221012-add-type-restrictions-to-dsl-syntax.md)
  which the Playground and the [syntax transformer](https://github.com/openfga/syntax-transformer) can convert to the
  JSON syntax. Schema v1.1 allows for adding type restrictions to each assignable relation, and it can be used to
  indicate cases such as "The folder's parent must be a folder" (and so not a user or a document).
  - This change also comes with breaking changes to how `*` and `<type>:*` are treated:
  - `<type>:*` is interpreted differently according to the model version. v1.0 will interpret it as an object of type
    `<type>` and id `*`, whereas v1.1 will interpret it as all objects of type `<type>`.
  - `*` is still supported in v1.0 models, but not supported in v1.1 models. A validation error will be thrown when
    used in checks or writes and it will be ignored when evaluating.
  - Additionally, the change to v1.1 models allows us to provide more consistent validation when writing the model
    instead of when issuing checks.

:warning: Note that with this release **models with schema version 1.0 are now considered deprecated**, with the plan to
drop support for them over the next couple of months, please migrate to version 1.1 when you can. Read more about
[migrating to the new syntax](https://openfga.dev/docs/modeling/migrating/migrating-schema-1-1).
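
A pre-migration audit for the `*` and `<type>:*` change described above, as an added example that is not OpenFGA's own code: it flags stored tuple users whose meaning differs between schema 1.0 and 1.1, and shows how a direct match changes. The `Tuple` type, the function names and the sample tuples are constructed for illustration; that a bare `*` in a 1.0 model matches every user is OpenFGA's documented 1.0 behaviour rather than something stated in this entry.

```go
package main

import (
	"fmt"
	"strings"
)

// Tuple is a hypothetical type for this example (not an OpenFGA SDK type).
type Tuple struct{ User, Relation, Object string }

// Finding says how a tuple's user value is affected by the move to 1.1.
type Finding int

const (
	Unchanged         Finding = iota // no wildcard involved
	WidensToAllOfType                // "<type>:*": id "*" in 1.0, every <type> object in 1.1
	RejectedIn11                     // bare "*": accepted in 1.0, validation error in 1.1
)

// typedWildcard returns the type of a "<type>:*" user, or false.
func typedWildcard(user string) (string, bool) {
	typ, id, found := strings.Cut(user, ":")
	if !found || typ == "" || id != "*" {
		return "", false
	}
	return typ, true
}

// ClassifyUser applies the 0.3.0 wildcard rules to one user value.
func ClassifyUser(user string) Finding {
	if user == "*" {
		return RejectedIn11
	}
	if _, ok := typedWildcard(user); ok {
		return WidensToAllOfType
	}
	return Unchanged
}

// Matches reports whether a stored tuple user directly covers requestUser
// under the given schema version. Rewrites and usersets are out of scope.
func Matches(schema, tupleUser, requestUser string) bool {
	switch schema {
	case "1.0":
		// Bare "*" matches every user; "<type>:*" is only an object with id "*".
		return tupleUser == "*" || tupleUser == requestUser
	case "1.1":
		if tupleUser == "*" {
			return false // ignored when evaluating
		}
		if typ, ok := typedWildcard(tupleUser); ok {
			return strings.HasPrefix(requestUser, typ+":")
		}
		return tupleUser == requestUser
	}
	return false
}

// Report lists the tuples to review before switching a store to a 1.1 model.
type Report struct{ Widened, Rejected []Tuple }

// Audit sorts tuples into those that widen and those that 1.1 rejects.
func Audit(tuples []Tuple) Report {
	var r Report
	for _, t := range tuples {
		switch ClassifyUser(t.User) {
		case WidensToAllOfType:
			r.Widened = append(r.Widened, t)
		case RejectedIn11:
			r.Rejected = append(r.Rejected, t)
		}
	}
	return r
}

func main() {
	// Constructed sample tuples.
	tuples := []Tuple{
		{"user:anne", "viewer", "document:1"},
		{"user:*", "viewer", "document:2"},
		{"*", "viewer", "document:3"},
		{"group:eng#member", "viewer", "document:4"},
	}
	r := Audit(tuples)
	for _, t := range r.Widened {
		fmt.Printf("WIDENS   %s %s %s\n", t.User, t.Relation, t.Object)
	}
	for _, t := range r.Rejected {
		fmt.Printf("REJECTED %s %s %s\n", t.User, t.Relation, t.Object)
	}
	fmt.Println("user:* covers user:bob in 1.0:", Matches("1.0", "user:*", "user:bob"))
	fmt.Println("user:* covers user:bob in 1.1:", Matches("1.1", "user:*", "user:bob"))
}
```

A tuple reported as `WIDENS` grants access to a single object under 1.0 and to every object of that type under 1.1, so it is the one to review before the model version is changed.
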

### ListObjects changes

The response has changed to include the object type, for example:
```json
{ "object_ids": [ "a", "b", "c" ] }
```
to
```json
{ "objects": [ "document:a", "document:b", "document:c" ] }
```

We have also improved validation and fixed support for Contextual Tuples that were causing inaccurate responses to be
returned.

### ReadTuples deprecation

:warning: This endpoint is now marked as deprecated, and support for it will be dropped shortly. Please use Read with
no tuple key instead.

## [0.2.5] - 2022-11-07
### Security
* Patches [CVE-2022-39352](https://github.com/openfga/openfga/security/advisories/GHSA-3gfj-fxx4-f22w)

### Added
* Multi-platform container build manifests to releases ([#323](https://github.com/openfga/openfga/pull/323))

### Fixed
* Read RPC returns correct error when authorization model id is not found ([#312](https://github.com/openfga/openfga/pull/312))
* Throw error if `http.upstreamTimeout` config is less than `listObjectsDeadline` ([#315](https://github.com/openfga/openfga/pull/315))

## [0.2.4] - 2022-10-24
### Security
* Patches [CVE-2022-39340](https://github.com/openfga/openfga/security/advisories/GHSA-95x7-mh78-7w2r), [CVE-2022-39341](https://github.com/openfga/openfga/security/advisories/GHSA-vj4m-83m8-xpw5), and [CVE-2022-39342](https://github.com/openfga/openfga/security/advisories/GHSA-f4mm-2r69-mg5f)

### Fixed
* TLS certificate config path mappings ([#285](https://github.com/openfga/openfga/pull/285))
* Error message when a `user` field is invalid ([#278](https://github.com/openfga/openfga/pull/278))
* host:port mapping with unspecified host ([#275](https://github.com/openfga/openfga/pull/275))
* Wait for connection to postgres before starting ([#270](https://github.com/openfga/openfga/pull/270))

### Added
* Update Go to 1.19

## [0.2.3] - 2022-10-05
### Added
* Support for MySQL storage backend ([#210](https://github.com/openfga/openfga/pull/210)). Thank you @MidasLamb!
* Allow specification of type restrictions in authorization models ([#223](https://github.com/openfga/openfga/pull/223)). Note: Type restriction is not enforced yet, this just allows storing them.
* Tuple validation against type restrictions in Write API ([#232](https://github.com/openfga/openfga/pull/232))
* Upgraded the Postgres storage backend to use pgx v5 ([#225](https://github.com/openfga/openfga/pull/225))

### Fixed
* Close database connections after migration ([#252](https://github.com/openfga/openfga/pull/252))
* Race condition in streaming ListObjects ([#255](https://github.com/openfga/openfga/pull/255), [#256](https://github.com/openfga/openfga/pull/256))

## [0.2.2] - 2022-09-15
### Fixed
* Reject direct writes if only indirect relationship allowed ([#114](https://github.com/openfga/openfga/pull/114)). Thanks @dblclik!
* Log internal errors at the grpc layer ([#222](https://github.com/openfga/openfga/pull/222))
* Authorization model validation ([#224](https://github.com/openfga/openfga/pull/224))
* Bug in `migrate` command ([#236](https://github.com/openfga/openfga/pull/236))
* Skip malformed tuples involving tuple to userset definitions ([#234](https://github.com/openfga/openfga/pull/234))

## [0.2.1] - 2022-08-30
### Added
* Support Check API calls on userset types of users ([#146](https://github.com/openfga/openfga/pull/146))
* Add backoff when connecting to Postgres ([#188](https://github.com/openfga/openfga/pull/188))

### Fixed
* Improve logging of internal server errors ([#193](https://github.com/openfga/openfga/pull/193))
* Use Postgres in the sample Docker Compose file ([#195](https://github.com/openfga/openfga/pull/195))
* Emit authorization errors ([#144](https://github.com/openfga/openfga/pull/144))
* Telemetry in Check and ListObjects APIs ([#177](https://github.com/openfga/openfga/pull/177))
* ListObjects API: respect the value of ListObjectsMaxResults ([#181](https://github.com/openfga/openfga/pull/181))

## [0.2.0] - 2022-08-12
### Added
* [ListObjects API](https://openfga.dev/api/service#/Relationship%20Queries/ListObjects)

  The ListObjects API provides a way to list all of the objects (of a particular type) that a user has a relationship with. It provides a solution to the [Search with Permissions (Option 3)](https://openfga.dev/docs/interacting/search-with-permissions#option-3-build-a-list-of-ids-then-search) use case for access-aware filtering on smaller object collections. It implements the [ListObjects RFC](https://github.com/openfga/rfcs/blob/main/20220714-listObjects-api.md).

  This addition brings with it two new server configuration options `--listObjects-deadline` and `--listObjects-max-results`.
  These configurations help protect the server from excessively long lived and large responses.

  > ⚠️ If `--listObjects-deadline` or `--listObjects-max-results` are provided, the endpoint may only return a subset of the data. If you provide the deadline but returning all of the results would take longer than the deadline, then you may not get all of the results. If you limit the max results to 1, then you'll get at most 1 result.

* Support for presharedkey authentication in the Playground ([#141](https://github.com/openfga/openfga/pull/141))

  The embedded Playground now works if you run OpenFGA using one or more preshared keys for authentication. OIDC authentication remains unsupported for the Playground at this time.

## [0.1.7] - 2022-07-29
### Added
* `migrate` CLI command ([#56](https://github.com/openfga/openfga/pull/56))

  The `migrate` command has been added to the OpenFGA CLI to assist with bootstrapping and managing database schema migrations. See the usage for more info.

  ```
  ➜ openfga migrate -h
  The migrate command is used to migrate the database schema needed for OpenFGA.

  Usage:
    openfga migrate [flags]

  Flags:
        --datastore-engine string   (required) the database engine to run the migrations for
        --datastore-uri string      (required) the connection uri of the database to run the migrations against (e.g. 'postgres://postgres:password@localhost:5432/postgres')
    -h, --help                      help for migrate
        --version uint              the version to migrate to (if omitted the latest schema will be used)
  ```

## [0.1.6] - 2022-07-27
### Fixed
* Issue with embedded Playground assets found in the `v0.1.5` released docker image ([#129](https://github.com/openfga/openfga/pull/129))

## [0.1.5] - 2022-07-27
### Added
* Support for defining server configuration in `config.yaml`, CLI flags, or env variables ([#63](https://github.com/openfga/openfga/pull/63), [#92](https://github.com/openfga/openfga/pull/92), [#100](https://github.com/openfga/openfga/pull/100))

  `v0.1.5` introduces multiple ways to support a variety of server configuration strategies. You can configure the server with CLI flags, env variables, or a `config.yaml` file.

  Server config will be loaded in the following order of precedence:

  * CLI flags (e.g. `--datastore-engine`)
  * env variables (e.g. `OPENFGA_DATASTORE_ENGINE`)
  * `config.yaml`

  If a `config.yaml` file is provided, the OpenFGA server will look for it in `"/etc/openfga"`, `"$HOME/.openfga"`, or `"."` (the current working directory), in that order.

* Support for grpc health checks ([#86](https://github.com/openfga/openfga/pull/86))

  `v0.1.5` introduces support for the [GRPC Health Checking Protocol](https://github.com/grpc/grpc/blob/master/doc/health-checking.md). The server's health can be checked with the grpc or HTTP health check endpoints (the `/healthz` endpoint is just a proxy to the grpc health check RPC).

  For example,
  ```
  grpcurl -plaintext \
    -d '{"service":"openfga.v1.OpenFGAService"}' \
    localhost:8081 grpc.health.v1.Health/Check
  ```
  or, if the HTTP server is enabled, with the `/healthz` endpoint:
  ```
  curl --request GET -d '{"service":"openfga.v1.OpenFGAService"}' http://localhost:8080/healthz
  ```

* Profiling support (pprof) ([#111](https://github.com/openfga/openfga/pull/111))

  You can now profile the OpenFGA server while it's running using the [pprof](https://github.com/google/pprof/blob/main/doc/README.md) profiler. To enable the pprof profiler set `profiler.enabled=true`. It is served on the `/debug/pprof` endpoint and port `3001` by default.

* Configuration to enable/disable the HTTP server ([#84](https://github.com/openfga/openfga/pull/84))

  You can now enable/disable the HTTP server by setting `http.enabled=true/false`. It is enabled by default.

### Changed
* Env variables have new mappings.

  Please refer to the [`.config-schema.json`](https://github.com/openfga/openfga/blob/main/.config-schema.json) file for a description of the new configurations or `openfga run -h` for the CLI flags. Env variables are mapped by prefixing `OPENFGA` and converting dot notation into underscores (e.g. `datastore.uri` becomes `OPENFGA_DATASTORE_URI`).

### Fixed
* goroutine leaks in Check resolution.
  ([#113](https://github.com/openfga/openfga/pull/113))

## [0.1.4] - 2022-06-27
### Added
* OpenFGA Playground support ([#68](https://github.com/openfga/openfga/pull/68))
* CORS policy configuration ([#65](https://github.com/openfga/openfga/pull/65))

## [0.1.2] - 2022-06-20
### Added
* Request validation middleware
* Postgres startup script

## [0.1.1] - 2022-06-16
### Added
* TLS support for both the grpc and HTTP servers
* Configurable logging formats including `text` and `json` formats
* OpenFGA CLI with a preliminary `run` command to run the server

## [0.1.0] - 2022-06-08
### Added
* Initial working implementation of OpenFGA APIs (Check, Expand, Write, Read, Authorization Models, etc..)
* Postgres storage adapter implementation
* Memory storage adapter implementation
* Early support for preshared key or OIDC authentication methods

[Unreleased]: https://github.com/openfga/openfga/compare/v1.5.3...HEAD
[1.5.3]: https://github.com/openfga/openfga/releases/tag/v1.5.3
[1.5.2]: https://github.com/openfga/openfga/releases/tag/v1.5.2
[1.5.1]: https://github.com/openfga/openfga/releases/tag/v1.5.1
[1.5.0]: https://github.com/openfga/openfga/releases/tag/v1.5.0
[1.4.3]: https://github.com/openfga/openfga/releases/tag/v1.4.3
[1.4.2]: https://github.com/openfga/openfga/releases/tag/v1.4.2
[1.4.1]: https://github.com/openfga/openfga/releases/tag/v1.4.1
[1.4.0]: https://github.com/openfga/openfga/releases/tag/v1.4.0
[1.3.10]: https://github.com/openfga/openfga/releases/tag/v1.3.10
[1.3.9]: https://github.com/openfga/openfga/releases/tag/v1.3.9
[1.3.8]: https://github.com/openfga/openfga/releases/tag/v1.3.8
[1.3.7]: https://github.com/openfga/openfga/releases/tag/v1.3.7
[1.3.6]: https://github.com/openfga/openfga/releases/tag/v1.3.6
[1.3.5]: https://github.com/openfga/openfga/releases/tag/v1.3.5
[1.3.4]: https://github.com/openfga/openfga/releases/tag/v1.3.4
[1.3.3]: https://github.com/openfga/openfga/releases/tag/v1.3.3
[1.3.2]: https://github.com/openfga/openfga/releases/tag/v1.3.2
[1.3.1]: https://github.com/openfga/openfga/releases/tag/v1.3.1
[1.3.0]: https://github.com/openfga/openfga/releases/tag/v1.3.0
[1.2.0]: https://github.com/openfga/openfga/releases/tag/v1.2.0
[1.1.1]: https://github.com/openfga/openfga/releases/tag/v1.1.1
[1.1.0]: https://github.com/openfga/openfga/releases/tag/v1.1.0
[1.0.1]: https://github.com/openfga/openfga/releases/tag/v1.0.1
[1.0.0]: https://github.com/openfga/openfga/releases/tag/v1.0.0
[0.4.3]: https://github.com/openfga/openfga/releases/tag/v0.4.3
[0.4.2]: https://github.com/openfga/openfga/releases/tag/v0.4.2
[0.4.1]: https://github.com/openfga/openfga/releases/tag/v0.4.1
[0.4.0]: https://github.com/openfga/openfga/releases/tag/v0.4.0
[0.3.7]: https://github.com/openfga/openfga/releases/tag/v0.3.7
[0.3.6]: https://github.com/openfga/openfga/releases/tag/v0.3.6
[0.3.5]: https://github.com/openfga/openfga/releases/tag/v0.3.5
[0.3.4]: https://github.com/openfga/openfga/releases/tag/v0.3.4
[0.3.3]: https://github.com/openfga/openfga/releases/tag/v0.3.3
[0.3.2]: https://github.com/openfga/openfga/releases/tag/v0.3.2
[0.3.1]: https://github.com/openfga/openfga/releases/tag/v0.3.1
[0.3.0]: https://github.com/openfga/openfga/releases/tag/v0.3.0
[0.2.5]: https://github.com/openfga/openfga/releases/tag/v0.2.5
[0.2.4]: https://github.com/openfga/openfga/releases/tag/v0.2.4
[0.2.3]: https://github.com/openfga/openfga/releases/tag/v0.2.3
[0.2.2]: https://github.com/openfga/openfga/releases/tag/v0.2.2
[0.2.1]: https://github.com/openfga/openfga/releases/tag/v0.2.1
[0.2.0]: https://github.com/openfga/openfga/releases/tag/v0.2.0
[0.1.7]: https://github.com/openfga/openfga/releases/tag/v0.1.7
[0.1.6]: https://github.com/openfga/openfga/releases/tag/v0.1.6
[0.1.5]: https://github.com/openfga/openfga/releases/tag/v0.1.5
[0.1.4]: https://github.com/openfga/openfga/releases/tag/v0.1.4
[0.1.2]: https://github.com/openfga/openfga/releases/tag/v0.1.2
[0.1.1]: https://github.com/openfga/openfga/releases/tag/v0.1.1
[0.1.0]: https://github.com/openfga/openfga/releases/tag/v0.1.0