Releases: ory/keto
v0.7.0-alpha.0
We are proud to present you a new release of Ory Keto! It has been a while, but
we have been working hard not only on code, but also concepts and discussing
many upcoming features. To join us on this exciting journey, watch 👀 and
start ⭐ the repository.
At a first glance the release might not look too exciting from the outside, but
we had 376 changed files with 47,578 additions and 25,418 deletions. In total,
12 contributors worked on the 192 commits. The most changes were bug fixes,
internal refactoring, and improving API consistency. Expect a more reliable
Keto, that is also prepared to receive
many new exciting features.
Because the database schema changed significantly, and it is not possible to
have SQL-only migrations, there is a special migration procedure needed to
upgrade from Ory Keto v0.6. Please follow the
migration guide and, as
always, read
the changelog before
upgrading.
Breaking Changes
This patch changes the payload of the REST API. The gRPC API is not affected. The parameter subject was previously an encoded string. With this change clients have to explicitly use either subject_id or (subject_set.namespace and subject_set.object and subject_set.relation). The same is true for REST responses returned by Keto. An error with a hint will be returned if subject is still used.
Bug Fixes
-
cli: Panic when printing empty expand trees (#686) (7956dec)
-
Handle relation tuple cycles in expand and check engine (#623) (8e30119)
-
Move gRPC client module root up (#620) (3b881f6):
BREAKING: The npm package
@ory/keto-grpc-clientfrom now on includes all API versions. Because of that, the import paths changed. For migrating to the new client package, change the import path according to the following example:- import acl from '@ory/keto-grpc-client/acl_pb.js' + // from the latest version + import { acl } from '@ory/keto-grpc-client' + // or a specific one + import acl from '@ory/keto-grpc-client/ory/keto/acl/v1alpha1/acl_pb.js'
-
Partially reference upstream schemas (#674) (e49e16c), closes #662:
This change significantly improves and the config schema. Parts will now be taken from upstream to ensure a more up-to-date schema.
-
Patch REST API input validation and SDK generation (#717) (d49e098)
-
Run a whole namespace migration as one transaction (#739) (142bd47)
-
Set version during release build and register version handler (#714) (8091475)
-
Update docker-compose.yml version (#595) (7fa4dca), closes #549
Chores
- Update repository templates (f53d3eb)
Code Generation
- Pin v0.7.0-alpha.0 release commit (7962e77)
Code Refactoring
-
Ensure namespace manager reload is resource contained (#735) (5696fc6)
-
Make subject sets and subject IDs unambiguous (#729) (5a1b0ba)
-
Persistence table structure (#638) (d02b818):
This big refactoring greatly reduces operation complexity and paves the way for upcoming performance improvements.
From now on the relation tuples from all namespaces are stored in the same table, instead of having tables per namespace. A migration path will be provided separately.
Documentation
- Add migration guide to v0.7 (#758) (3335a4b)
- Add new redoc docsc (#651) (435ae00)
- Change npm org scope from @oryd to @ory (#730) (945005f)
- Fix build and gen:config (#676) (f128732)
- Fix erroneous sidebar commit (5cf2b4c)
- Fix example not following best practice (#582) (a015818)
- Fix link in migration guide (e995829)
- Fix REST API reference (#718) (f989b39)
- Update NPM links due to organisation move (#616) (6355bea)
- Update reference to Zanzibar in README (#746) (a0d8caf)
Features
-
Add gRPC client utils helpers (#657) (8b18802):
Behold! The Keto gRPC client library now has useful helpers that allow you to replace:
- deltas := make([]*acl.RelationTupleDelta, len(tuples)) - for i := range rts { - deltas[i] = &acl.RelationTupleDelta{ - Action: acl.RelationTupleDelta_INSERT, - RelationTuple: rts[i], - } - } + deltas := acl.RelationTupleToDeltas(tuples, acl.RelationTupleDelta_INSERT)
and
- &acl.Subject{Ref: &acl.Subject_Set{Set: &acl.SubjectSet{ - Namespace: "directories", - Object: "/photos", - Relation: "access", - }}} + acl.NewSubjectSet("directories", "/photos", "access")
and
- &acl.Subject{Ref: &acl.Subject_Id{ - Id: "user1", - }} + acl.NewSubjectID("user1")
Enjoy these new treats 🍫 🍭 🍦
-
Migration to single table SQL schema (#707) (00713bc):
This change adds a migration path from Keto version v0.6.x to the new persistence structure introduced by #638. Every namespace has to be migrated separately, or you can use the CLI to detect and migrate all namespaces at once. Have a look at
keto help namespace migrate legacyfor all details.
Please make sure that you backup the database before running the migration command. Please note that this migration might be a bit slower than usual, as we have to pull the data from the database, transcode it in Keto, and then write it to the new table structure.
Versions of Keto >v0.7 will not include this migration script, so you will first have to migrate to v0.7 and move on f...
Contributors
Assets 20
v0.6.0-alpha.3
Resolves CRDB and build issues.
0.6.0-alpha.3 (2021-04-29)
No significant changes have been made for this release.
Changelog
917928d autogen(docs): generate and format documentation
df5705c autogen(docs): regenerate and update changelog
d766968 autogen: pin v0.6.0-alpha.3 release commit
1a08bba chore: resolve dockertest build issues
Docker images
docker pull oryd/keto:v0-sqlitedocker pull oryd/keto:v0.6-sqlitedocker pull oryd/keto:v0.6.0-sqlitedocker pull oryd/keto:v0.6.0-alpha.3-sqlitedocker pull oryd/keto:latest-sqlitedocker pull oryd/keto:v0docker pull oryd/keto:v0.6docker pull oryd/keto:v0.6.0docker pull oryd/keto:v0.6.0-alpha.3docker pull oryd/keto:latest
v0.6.0-alpha.1
We are extremely happy to announce next-gen Ory Keto which implements
Zanzibar: Google’s Consistent, Global Authorization System:
Zanzibar provides a uniform data model and configuration language for expressing
a wide range of access control policies from hundreds of client services at Google,
including Calendar, Cloud, Drive, Maps, Photos, and YouTube. Its authorization
decisions respect causal ordering of user actions and thus provide external consistency
amid changes to access control lists and object contents. Zanzibar scales to trillions
of access control lists and millions of authorization requests per second to support
services used by billions of people. It has maintained 95th-percentile latency of
less than 10 milliseconds and availability of greater than 99.999% over 3 years of
production use.
Ory Keto is the first open source planet-scale authorization system
built with cloud native technologies (Go, gRPC, newSQL) and architecture.
It is also the first open source implementation of Google Zanzibar 🎉!
Many concepts developed by Google Zanzibar are implemented in Ory Keto already.
Let's take a look!
ACLs
As of this release, Ory Keto knows how to interpret and operate on the
basic access control lists known as relation tuples. They encode
relations between objects and subjects. One simple example of such a relation
tuple could encode "user1 has access to file /foo", a more complex one
could encode "everyone who has write access on /foo has read access on /foo".
gRPC & REST APIs
Ory Keto comes with all the basic APIs as described in the Zanzibar paper.
All of them are available over gRPC and REST.
- List: query relation tuples
- Check: determine whether a subject has a relation on an object
- Expand: get a tree of all subjects who have a relation on an object
- Change: create, update, and delete relation tuples
For all details, head over to the
documentation.
State of the "Old" Keto
With this release we officially move the "old" Keto to the
legacy-0.5 branch.
We will only provide security fixes from now on. A migration path
to v0.6 is planned but not yet implemented, as the architectures
are vastly different. Please refer to
the issue.
Up Next
We are keen to bring more features and performance improvements.
The next features we will tackle are:
- Subject Set rewrites
- Native ABAC & RBAC Support
- Integration with other policy servers
- Latency reduction through aggressive caching
- Cluster mode that fans out requests over all Keto instances
So stay tuned, ⭐ this repo, 👀 releases, and
subscribe to our newsletter 📧.
0.6.0-alpha.1 (2021-04-07)
Bug Fixes
-
Add description attribute to access control policy role (#215) (831eba5)
-
Add leak_sensitive_values to config schema (2b21d2b)
-
Bump CLI (80c82d0)
-
Check engine overwrote result in some cases (#412) (3404492)
-
Check health status in status command (21c64d4)
-
Check REST API returns JSON object (#460) (501dcff), closes #406
-
Ensure nil subject is not allowed (#449) (7a0fcfc):
The nodejs gRPC client was a great fuzzer and pointed me to some nil pointer dereference panics.
This adds some input validation to prevent panics. -
Ensure persister errors are handled by sqlcon (#473) (4343c4a)
-
Handle pagination and errors in the check/expand engines (#398) (5eb1a7d)
-
Ignore dist (ba816ea)
-
Ignore x/net false positives (d8b36cb)
-
Move dockerfile to where it belongs (f087843)
-
Rename /relationtuple endpoint to /relation-tuples (#519) (8eb55f6)
-
Resolve gitignore build (6f04bbb)
-
Resolve goreleaser issues (d32767f)
-
Resolve windows build issues (8bcdfbf)
-
Rewrite check engine to search starting at the object (#310) (7d99694), closes #302
-
Strict version enforcement in docker (e45b28f)
-
Update dd-trace to fix build issues (2ad489f)
-
Update docker to go 1.16 and alpine (c63096c)
-
Use errors.WithStack everywhere (#462) (5f25bce), closes #437:
Fixed all occurrences found using the search pattern
return .*, err\n. -
Use package name in pkger (6435939)
-
schema: Add trace level to logger (a5a1402)
-
Use make() to initialize slices (#250) (84f028d), closes #217
Build System
Code Refactoring
Documentation
- Add check- and expand-API guides (#493) (09a25b4)
- Add current features overview (#505) (605afa0)
- Add missing pages (#518) (43cbaa9)
- Add namespace and relation naming conventions (#510) (dd31865)
- Add performance page (#413) (6fe0639):
...
v0.5.7-alpha.1
We are proud to announce the next release of ORY Keto which includes several bugfixes! We also want to bring your attention to the current prototyping phase of ORY Keto's next version, which might just become the first open-source implementation of Google's Zanzibar paper. If you didn't know - Google Zanzibar is the system that stores and evaluates permissions for all of Google's services (including YouTube, Google Cloud, ...) on planet-scale with sub 10ms response time. Please note that the current phase is a research phase and no final decisions have been made. If you have feedback or ideas, please share them with us!
For more information, head over to keto#266!
0.5.7-alpha.1 (2020-10-12)
No significant changes have been made for this release.
Changelog
e548f15 autogen(docs): generate and format documentation
0637152 autogen: add v0.5.7-alpha.1.pre.0 to version.schema.json
2ffe880 autogen: pin v0.5.7-alpha.1 release commit
Docker images
docker pull oryd/keto:v0docker pull oryd/keto:v0.5docker pull oryd/keto:v0.5.7docker pull oryd/keto:v0.5.7-alpha.1docker pull oryd/keto:latest
v0.5.6-alpha.1
This release bumps vulnerable transient dependencies (those are not actually used in ORY Keto)
and updates several documentation pages and improves structured logging output. Additionally,
ORY Keto now uses the updated release pipeline!
0.5.6-alpha.1 (2020-05-28)
Bug Fixes
- Update install script (21e1bf0)
Changelog
c2bffb1 autogen(docs): generate and format documentation
49143a4 autogen(docs): regenerate and update changelog
b15fa00 autogen(docs): regenerate and update changelog
ed0da08 chore: pin v0.5.6-alpha.1 release commit
596812a chore: pin v0.5.6-alpha.1 release commit
21e1bf0 fix: update install script
Docker images
docker pull oryd/keto:v0docker pull oryd/keto:v0.5docker pull oryd/keto:v0.5.6docker pull oryd/keto:v0.5.6-alpha.1docker pull oryd/keto:latest
v0.5.4-alpha.1
Changelog
4007295 autogen(docs): generate and format documentation
a86cf4b autogen(docs): generate and format documentation
f0974e0 autogen(docs): regenerate and update changelog
bd71f2d autogen(docs): regenerate and update changelog
19859b0 autogen(docs): regenerate and update changelog
1287f87 chore: rename github banner
579099e chore: update docusaurus template (#174)
8fd77ed chore: update docusaurus template (#175)
6a2df26 chore: update docusaurus template (#176)
7e83fee fix: resolve panic when executing migrations (#178)
Docker images
docker pull oryd/keto:v0docker pull oryd/keto:v0.5docker pull oryd/keto:v0.5.4docker pull oryd/keto:v0.5.4-alpha.1docker pull oryd/keto:latest
v0.5.3-alpha.3
Changelog
e465e04 autogen(docs): generate and format documentation
11d9666 autogen(docs): generate and format documentation
475d34e autogen(docs): generate and format documentation
a5aad22 autogen(docs): generate and format documentation
2516f00 autogen(docs): generate and format documentation
2104342 autogen(docs): generate and format documentation
769cef9 autogen(docs): regenerate and update changelog
28babf4 autogen(docs): regenerate and update changelog
f22cc5c autogen(docs): regenerate and update changelog
b1c96f8 autogen(docs): regenerate and update changelog
5c6c26c autogen(docs): regenerate and update changelog
60ccb9f autogen(docs): regenerate and update changelog
f4da8f6 autogen(docs): regenerate and update changelog
b8ab93c chore: remove newline
d2dbc56 chore: trigger ci
fc28131 chore: update docusaurus template (#173)
c3d02b5 ci: bump changlog orb
13edb5d ci: bump docs orb
4bd85c1 ci: bump orbs
c4fe639 ci: bump orbs
d662df9 ci: bump ory/sdk orb
927c4ed docs: Regenerate and update changelog
806f68c docs: Regenerate and update changelog
9048dd8 docs: Regenerate and update changelog
8905ee7 docs: Regenerate and update changelog
dda79b1 docs: Regenerate and update changelog
203c1cc docs: Regenerate and update changelog
28ddd3e docs: Regenerate and update changelog
8875a95 docs: Regenerate and update changelog
29a38a8 docs: Updates issue and pull request templates (#168)
99b7d5d docs: Updates issue and pull request templates (#169)
7a9876b docs: Updates issue and pull request templates (#171)
312480d refactor: move docs to this repository (#172)
Docker images
docker pull oryd/keto:v0docker pull oryd/keto:v0.5docker pull oryd/keto:v0.5.3docker pull oryd/keto:v0.5.3-alpha.3docker pull oryd/keto:latest
v0.5.3-alpha.2
Changelog
e465e04 autogen(docs): generate and format documentation
11d9666 autogen(docs): generate and format documentation
475d34e autogen(docs): generate and format documentation
a5aad22 autogen(docs): generate and format documentation
2516f00 autogen(docs): generate and format documentation
2104342 autogen(docs): generate and format documentation
769cef9 autogen(docs): regenerate and update changelog
28babf4 autogen(docs): regenerate and update changelog
f22cc5c autogen(docs): regenerate and update changelog
b1c96f8 autogen(docs): regenerate and update changelog
5c6c26c autogen(docs): regenerate and update changelog
60ccb9f autogen(docs): regenerate and update changelog
f4da8f6 autogen(docs): regenerate and update changelog
b8ab93c chore: remove newline
d2dbc56 chore: trigger ci
fc28131 chore: update docusaurus template (#173)
c3d02b5 ci: bump changlog orb
13edb5d ci: bump docs orb
4bd85c1 ci: bump orbs
c4fe639 ci: bump orbs
d662df9 ci: bump ory/sdk orb
927c4ed docs: Regenerate and update changelog
806f68c docs: Regenerate and update changelog
9048dd8 docs: Regenerate and update changelog
8905ee7 docs: Regenerate and update changelog
dda79b1 docs: Regenerate and update changelog
203c1cc docs: Regenerate and update changelog
28ddd3e docs: Regenerate and update changelog
8875a95 docs: Regenerate and update changelog
29a38a8 docs: Updates issue and pull request templates (#168)
99b7d5d docs: Updates issue and pull request templates (#169)
7a9876b docs: Updates issue and pull request templates (#171)
312480d refactor: move docs to this repository (#172)
Docker images
docker pull oryd/keto:v0docker pull oryd/keto:v0.5docker pull oryd/keto:v0.5.3docker pull oryd/keto:v0.5.3-alpha.2docker pull oryd/keto:latest