Release Notes

2.1 Released 2023-03-28

Auditing

New Audit Events

Starting in 2.1, ESS supports auditing of read resource operations (i.e., GET and HEAD operations on resources). Specifically, successful read resource operations generate resource read audit events.

By default, the feature is disabled. To enable, see INRUPT_STORAGE_AUDIT_RESOURCE_READ_ENABLED.

See also Audit Events.

Changes to Audit Messages

Starting in version 2.1, CRUD events contain an additional object (with type value StorageCreator) that identifies the Pod owner (i.e., the agent designated as the owner during Pod provision). CRUD events consist of:

  • resource lifecycle audit events (resource-updated, resource-created, resource-deleted) and

  • resource read audit events (resource-read), added in 2.1.

For more information, see Audit Events.

Storage

Prune/Hard Deletes

Starting in 2.1, ESS includes a Prune feature that hard deletes (i.e., permanently deletes):

  • soft-deleted resources (i.e., files marked as deleted) and

  • orphan data (i.e., data that are no longer referenced by metadata).

For more information, see:

Storage Metrics

Starting in 2.1, ESS includes a Storage Metrics feature to gather the following metrics:

  • The total number of Pods

  • The number of Pods that have been “Created” (where the provision has been confirmed)

  • The number of Pods that have been “Deleted” (marked for deletion; i.e., soft-deleted)

For more information, see:

Pod Provision List Endpoint

Starting in 2.1, Pod Provisioning Service includes a list endpoint that custom start applications can use to list a user’s Pods.

For more information, see List Pods for a User.

Authorization

Default Access Policy Client Configuration

Starting in 2.1, ESS adds a new optional Authorization Service setting: INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST.

Inherited Access Requests/Grants on Containers

Starting in version 2.1:

  • An access request for a Container, by default, also applies to the Container’s descendants, unless explicitly specified otherwise in the request (see inherit: false).

  • An access grant for a Container, by default, also applies to the Container’s descendants, unless explicitly specified otherwise in the grant (see inherit: false).

In the previous version, an access request/grant applied only to the resource or resources explicitly stated in it, regardless of whether the resource was a Container, a Resource Description Framework (RDF) Resource, or a Non-RDF Resource.

For more information, see /issue Endpoint.
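
The following added example (not ESS code, and not a reproduction of ESS's evaluation logic) models the inheritance rule as stated above, so that a reviewer can list which resources a Container grant reaches under the 2.1 default but not under the previous exact-match behaviour. The dict shape with a `resources` list, the function names, and the `storage.example` URLs are assumptions made for illustration; only the `inherit` flag comes from this page.

```python
import posixpath
from urllib.parse import urlsplit

def _norm(url):
    """Split a URL into (scheme, host, path), resolving dot-segments first."""
    parts = urlsplit(url)
    path = posixpath.normpath(parts.path or "/")
    if parts.path.endswith("/") and path != "/":
        path += "/"  # normpath drops the trailing slash that marks a Container
    return parts.scheme.lower(), parts.netloc.lower(), path

def covers(grant, target, legacy=False):
    """True if the (simplified, hypothetical) grant applies to target.
    legacy=True models the previous version: exact match only."""
    inherit = False if legacy else grant.get("inherit", True)  # 2.1 default
    t = _norm(target)
    for res in grant["resources"]:
        r = _norm(res)
        if r == t:
            return True
        # Only a Container (path ending in "/") has descendants.
        if inherit and r[2].endswith("/") and r[:2] == t[:2] and t[2].startswith(r[2]):
            return True
    return False

def newly_covered(grant, pod_resources):
    """Resources reached under the 2.1 default but not under exact match."""
    return [u for u in pod_resources
            if covers(grant, u) and not covers(grant, u, legacy=True)]

# Constructed sample data (not taken from any real Pod).
POD = "https://storage.example/alice/"
RESOURCES = [
    POD + "medical/",
    POD + "medical/2023/scan.png",
    POD + "medical-billing/invoice.ttl",   # sibling that shares a name prefix
    POD + "medical/../private/key.ttl",    # dot-segment escapes the Container
    POD + "notes.ttl",
]
CONTAINER_GRANT = {"resources": [POD + "medical/"]}                   # inherit omitted
PINNED_GRANT = {"resources": [POD + "medical/"], "inherit": False}    # opt out
FILE_GRANT = {"resources": [POD + "notes.ttl"]}                       # not a Container

if __name__ == "__main__":
    for name, g in [("container", CONTAINER_GRANT), ("pinned", PINNED_GRANT),
                    ("file", FILE_GRANT)]:
        print(name, newly_covered(g, RESOURCES))
```

Comparing normalized paths against the Container path with its trailing slash keeps a sibling such as `medical-billing/` and a `../` path from being counted as descendants.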

Access Grant Service and UMA Tokens

Starting in 2.1, Access Grant Service adds UMA authorization flow support for its endpoints.

UMA Service Configuration

Starting in 2.1, ESS adds the following optional UMA Service settings:

General Enhancements/Improvements

  • ESS’ Application Registration issues client_id values of type UUID. Starting in 2.1, ESS supports references to that value as either a UUID string or a URN (Uniform Resource Name).

3rd Party Dependencies Updates

Starting in 2.1, various 3rd party dependencies used by ESS have been updated. Key dependency upgrades include:

Java 17

Starting in 2.1, ESS has upgraded to Java 17.

Kustomize 5

Starting in 2.1, ESS has upgraded to Kustomize 5, which includes various breaking changes and deprecations. See kubernetes-sigs/kustomize for details.

PostgreSQL 15

Starting in ESS 2.1, the image reference to PostgreSQL, in Inrupt’s non-production overlay (i.e., the standalone overlay), has been upgraded from version 14 to 15. Customers who are using Inrupt’s standalone overlay need to reset their state or upgrade Postgres.

This change does NOT affect those deployments that use the production overlay (i.e., the scalable-cloud overlay). Customers using the scalable-cloud overlay use their own stateful services and are not impacted by the change.