Open Policy Agent - v0.56.0

This release contains a mix of new features, bugfixes and a new builtin function.

Support for General References in Rule Heads (Experimental)

A new experimental feature in OPA is support for general refs in rule heads, where a general ref is a reference with variables at arbitrary locations.

package example

import future.keywords

# Converting a flat list of users to a mapping by "role" and then "id".
users_by_role[role][id] := user if {
    some user in data.users
    id := user.id
    role := user.role
}

# Explicit "admin" key override to the above mapping.
users_by_role.admin[id] := user if {
    some user in data.admins
    id := user.id
}

# Leaf entries can be multi-value.
users_by_country[country] contains user.id if {
    some user in data.users
    country := user.country
}

General refs are currently not supported by the OPA planner, making this feature unsupported for Wasm and IR.

Note: this feature is disabled by default, and needs to be enabled by setting the EXPERIMENTAL_GENERAL_RULE_REFS environment variable (once the feature is complete - supports Wasm and IR - this requirement will be dropped).

Authored by @johanfylling.

New Built-In Function: numbers.range_step

Similar to the numbers.range built-in function, numbers.range_step returns an array of numbers in a given range. The new built-in function also allows you to control the step between each entry.

See the documentation on the new built-in for all the details.

Authored by @sspaink.
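
An added example (not from the OPA release notes or documentation) that pins down the semantics of numbers.range_step as opa test cases and uses it in a small allow-list rule. The package name, the deny rule and the tenant port scheme are constructed for illustration; the inclusive-bound and descending-order behaviour goes beyond the paragraph above and follows the built-in's documented behaviour.

```rego
package example.range_step

import future.keywords

# Constructed scheme: every tenant owns a block of 100 ports and may only
# expose the first port of its block. Both bounds are inclusive, so this
# yields 30000, 30100, ..., 30900.
allowed_node_ports := numbers.range_step(30000, 30900, 100)

# Report every requested port that is not a tenant base port.
deny contains msg if {
    some port in input.ports
    not port in allowed_node_ports
    msg := sprintf("port %d is not a tenant base port", [port])
}

# The end bound is included when the step lands on it exactly.
test_end_included_when_on_step if {
    numbers.range_step(0, 10, 5) == [0, 5, 10]
}

# The end bound is left out when the step overshoots it.
test_end_excluded_when_off_step if {
    numbers.range_step(0, 10, 3) == [0, 3, 6, 9]
}

# The step is always positive; a start above the end gives descending order.
test_descending_when_start_above_end if {
    numbers.range_step(10, 0, 3) == [10, 7, 4, 1]
}

test_allow_list_has_ten_slots if {
    count(allowed_node_ports) == 10
    allowed_node_ports[9] == 30900
}

test_deny_flags_only_off_slot_ports if {
    deny == {"port 30150 is not a tenant base port"} with input as {"ports": [30000, 30150, 30900]}
}

test_no_denials_for_base_ports if {
    count(deny) == 0 with input as {"ports": [30000, 30500]}
}
```

Save the block as a .rego file and run opa test against it with OPA v0.56.0 or later.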

New Ecosystem page on The Website

The OPA Ecosystem of related integrations has been refreshed and moved to a more prominent location on the website.

If you're interested in adding any new integrations you've been working on, please see the docs here (updates to existing integrations are very welcome too!).

Runtime, Tooling, SDK

  • ast: Update strict error check message for unused args (#6125) authored by @ashutosh-narkar
  • ast: Remove unnecessary nil check (#6155) authored by @Juneezee
  • cmd: Make opa test -z fail with failing tests (#6126) authored by @fdaguin
  • cmd: Fix opa test --ignore when used together with --bundle (#6185) authored by @joaobrandt
  • cmd: Adding --fail-non-empty flag to opa exec (#6153) authored by @Ronnie-personal
  • download: Add opa_no_oci flag to build without containerd (#6159) authored by @slonka
  • download: Remove not required basedir for oci bundles & add test to verify signature verification (#6145) authored by @gitu
  • fmt: Trim trailing whitespace in comments (#6161) authored by @anderseknert
  • fmt: Remove dedup comment function in opa fmt (#6165) authored by @anderseknert
  • runtime: Always read .tar.gz file provided in argument as a bundle (#5879) authored by @yogisinha
  • server/authorizer: Inline readBody (#6156) authored by @srenatus
  • test: Bind test server to localhost interface (#6162) authored by @anderseknert

Topdown and Rego

  • ast: Including "child" rules when fetching rules by ref (#6182) authored by @johanfylling
  • ast: Making partial object key rules contribute to dynamic portion of object type (#6138) authored by @johanfylling
  • rego: Expose PrepareOption, add BuiltinFuncs (#6188) authored by @srenatus
  • topdown: Support force cache even when server doesn't set the Date header (#6175) authored by @c2zwdjnlcg
  • topdown: Partial-eval for partial object/set ref head rules (#6094) authored by @johanfylling


  • Updates to Documentation and Website (authored by: @anderseknert, @ashutosh-narkar, @atkrad, @charlieegan3, @hmoazzem, @johndbro1, @Pushkarm029, @srenatus and @testwill)
  • Dependency updates; notably:
    • golang: from 1.20.6 to 1.21 (authored by @ashutosh-narkar and @srenatus)
    • from 0.12.0 to 0.14.0
    • from 1.56.2 to 1.57.0
    • from 2.2.1 to 2.3.0
  • Replace ghodss/yaml with (#6195) authored by @mrueg

Breaking changes

Since its introduction in 0.34.0, the --exit-zero-on-skipped option always made the opa test command return an exit code 0. When used, it now returns the exit code 0 only if no failed tests were found.

Test runs on existing projects using --exit-zero-on-skipped will fail if any failed tests were inhibited by this behavior.


Aug. 31, 2023, 2:40 p.m.