Release notes
Access Decision Service (ADS) features, bug fixes, and known issues by release.
Version 1.14.0
What's new
ADS upgrade to Dropwizard 3.x
ADS now supports Dropwizard 3.x.
Classpath command
The Dropwizard 3.x upgrade requires placing the ADS .jar file first in the classpath of the java command when deploying multiple .jar files.
SNI host checking is enabled by default
SNI host checking is enabled by default in Dropwizard 3.x. To avoid problems when making requests over HTTPS, disable SNI host checking as described in Disable SNI host checking.
Changes in Java support
ADS no longer supports 64-bit Java SE 8.
Full support of distributed cache DNS discovery method
The distributed cache feature now fully supports DNS cluster discovery:
A new discoveryMethod property replaces the deprecated stack property.
An additional dnsQuery property is required when discoveryMethod is set to dns.
The previously used stack property and its respective values tcp and kubernetes are still supported.
OpenTelemetry version upgrade
ADS now uses OpenTelemetry Java agent 1.32.0.
Fixed Issues
ADS endpoints no longer throw exceptions if the domain is not initialized yet
When an evaluation request was sent to the authorization endpoint, or the Prometheus endpoint was called, before the domain had loaded, ADS would throw an exception and return a 500 server error. These issues have been fixed.
Prometheus endpoint
If the domain is not initialized yet, the endpoint responds with a "Metrics temporarily unavailable - domain not initialized" message. If the domain is initialized but no evaluation requests have been received, the endpoint responds with an "Empty data - no requests yet" message.
Authorization endpoint
If an evaluation request is sent to the authorization endpoint but the domain is not yet initialized, the endpoint responds with a "Domain configuration in process. Service not ready" message.
ADS no longer accepts an invalid request with a missing attribute id
An issue where ADS would accept an invalid request with a missing attribute id has been fixed.
ADS container no longer runs only with root user permission
The ADS container was running only with root user credentials, which raised security concerns because of unrestricted root access to the host or Kubernetes node. This has been fixed; the application can now run as a non-root user.
Known Issues
Distributed cache sub-properties are validated even when the feature is disabled
When the distributed cache is disabled (distributedCache.enabled: false), its sub-properties (if any) are still validated. This may cause the service to fail if those properties have invalid values. If you disable the distributed cache feature, make sure that none of the distributed cache sub-properties are set.
ADS generates a warning log when a request is sent to the Prometheus endpoint while the authorization domain is not initialized yet
When a request is sent to the Prometheus endpoint before the domain is initialized, the ADS Prometheus endpoint responds successfully, indicating that metrics are not available. However, ADS generates a WARNING log message stating that the ADS service is not ready yet.
This warning is not a result of any malfunctioning and can therefore be ignored; it does not need to be reported.
Version 1.13.0
What's new
ADS supports distributed caching
ADS now supports a distributed cache library that provides in-process cache replication. This feature allows ADS to replicate data across all instances of the service. In-process caching is only supported in environments using Java 11 or later.
Enhanced JWT token verification
JWT authentication is now enhanced with the optional clockSkew property, which widens the validation time window by the configured tolerance.
Updated Helm charts configuration
The ADS Kubernetes deployment now takes a more dynamic approach. You can further customize the ADS installation at runtime using the configuration files located under the adscharts/configuration and adscharts folders, and apply your changes by running a Helm upgrade command.
Fixed Issues
Readiness probe issue has been fixed
A readiness probe that had entered the fail state did not recover after a successful domain update if the domain content was unchanged. This has been fixed.
XXE vulnerability to perform an SSRF attack
XXE injection is blocked by ADS in general; nevertheless, a fix has been delivered to further harden ADS against SSRF (Server-Side Request Forgery) attacks.
Domain polling logging improvements
Updates regarding the domain logging information:
Fixed message when domain is not retrievable
Updated the notification message displayed when a domain refresh is impossible due to the unavailability of the domain.
Display message when ADS successfully fetches a domain
ADS now generates log information when the service successfully retrieves a domain from a local file, regardless of whether a valid or invalid change occurs to the domain.
Tokens with multiple audiences now work as expected
In token authentication (JWT), ADS was incorrectly rejecting tokens with more than one audience. This has been fixed.
Version 1.12.0
What's new
ADS retries fetching its authorization domain at startup
ADS now supports changing the default behavior of attempting to retrieve a valid authorization domain only once. This can be configured using the domainStartup property, by setting the maximum number of retries and the polling duration for retrieving a valid domain.
Kubernetes deployment improvements
Updates regarding the Kubernetes deployment:
Domain retrieval retry mechanism during startup
ADS Kubernetes deployment now supports retrying domain retrieval during startup configuration.
Log level configuration is supported in Kubernetes deployment
ADS Kubernetes deployment now supports ADS logging level configuration.
Domain polling is supported in Kubernetes deployment
ADS Kubernetes deployment now supports domain polling configuration.
Probes added to the Kubernetes deployment
ADS Kubernetes deployment supports health endpoints for Liveness, Readiness and Startup Probes.
Online documentation updates
Documentation updates regarding the following:
Vulnerabilities report instructions
ADS documentation is now updated with instructions on how to download the vulnerabilities report from S3.
ASM-ADS reference section
ADS documentation is now updated with a new section about ASM-ADS integration under Additional Resources.
Snyk for vulnerabilities check
ADS 1.12.0 supports vulnerability scanning based on Snyk, an industry-leading security intelligence management solution that helps protect code from open source risks.
ADS authorization domain retrieval and validation is separated from service initialization
The startup and readiness health endpoints have updated functionality. Authorization domain retrieval is separated from service initialization.
Fixed Issues
Ports are configurable on ADS Kubernetes deployment
ADS Kubernetes deployment now supports configuring the default ports.
Version 1.11.0
What's new
Attribute Connectors in Kubernetes deployment
ADS now supports using Attribute Connectors for deployments with Kubernetes (K8s).
Support for JSON Web Token (JWT) authentication
ADS now offers enhanced authentication using token based JWT. This can be configured under the authentication section in the sample deployment configuration file.
Support for startup probe
ADS now supports a startup endpoint to report service health during ADS startup, to ensure robustness in an orchestrated deployment.
Support for liveness probe
ADS now supports a liveness endpoint to report if ADS service is in healthy state when running.
Support for readiness probe
ADS now supports a readiness endpoint to report if ADS service can serve traffic when running.
- A new reportNotReadyOnDomainRefreshError property controls whether an unsuccessful domain refresh should fail the readiness probe.
- The reportNotReadyOnDomainRefreshError property replaces the deprecated reportUnhealthyOnDomainRefreshError property.
Fixed issues
One-way TLS works as expected
One-way TLS now works correctly without requiring a truststore.
Attribute cache can work with multiple attribute connector mappings
A bug that prevented the attribute cache from working properly when two or more mappings were provided in the same attribute connector configuration has been fixed.
Version 1.10.2
What's new
Kubernetes deployment
ADS offers enhanced support for deployments with Kubernetes (K8s) that achieve improved stability, availability, and efficiency. K8s allows you to easily scale your application and provides self-healing capabilities to restart or replace a container when it fails or crashes. This results in high uptime and performance while reducing costs and administration requirements.
Kubernetes deployment does not support Attribute Connectors for now.
Fixed issues
Domain yaml capacity
ADS 1.10.2 now accepts domain.yaml files larger than 3 megabytes.
Version 1.10.1
Fixed issues
Soap legacy endpoint can provide logs when error occurs
The ADS legacy SOAP endpoint /asm-pdp/pdp didn't handle error messages properly. This has been fixed.
ADS metrics are now supported when a domain is rolled-back to a previous version
A domain roll-back to a previous version caused metrics to stop working. This has been fixed.
The fix includes a new tag, domain_sequence, a counter that represents how many domain changes the current ADS instance has gone through since its startup.
Known issues
Domain yaml capacity
ADS 1.10.1 does not accept domain.yaml files larger than 3 megabytes.
Version 1.10.0
What's new
Changes in Java support
ADS now supports 64-bit Java SE 8, Java SE 11 or Java SE 17.
Support for ADS publishing metrics data to ASM
ADS now supports using ASM as a metrics backend. This configuration is used to publish key metrics for the authorization performance of ADS as data for the graph displays of the Dashboard feature of ASM.
Support for ADS instance identity
ADS now generates an instance identity that uniquely defines an ADS instance. By default, ADS automatically generates a random identity with constant prefix 'default'.
However, users can define these instance identities by configuring a constant identity or a randomly generated identity with a constant prefix.
ADS tags metrics with authorization domain data
ADS tags metrics with authorization domain identification data. By default, metrics are only tagged with the authorization domain id.
However, when the RetrieveByName endpoint is used to retrieve domain data in connectivity with ASM/ADM, users can also add domain tag data (namespace and domain name).
Known issues
ADS metrics are not supported when a domain is rolled-back to a previous version
When ADS is configured to collect metrics (metrics backends are enabled) and the authorization domain is rolled back to a previous domain, the ADS metrics are zero.
Disabled attribute cache causes ADS initialization failure
Attribute caching configuration is optional for ADS. If attribute caching configuration is enabled, then the minimum accepted attribute cache parameter value is 1. In the ASM Attribute Connector Management UI, the attributes cache is disabled by default ("Default" = Time to live (seconds)=0, Max cache size=0). The same values apply for the "NoCache" attribute cache configuration ("NoCache" = Time to live (seconds)=0, Max cache size=0).
ADS cannot be initialized when it tries to retrieve a domain with zero attribute cache configuration settings. The issue exists only when ADS is configured to retrieve its authorization domain from ASM. As a workaround, ASM users must navigate to the attribute connectors management UI, open the Cache Configuration tab, and update the "Default" cache settings (Time to live (seconds), Max cache size) from (0,0) to (1,1). In addition, the "NoCache" attribute cache configuration should not be used.
Version 1.9.0
What's new
Simplified installation of ADS
This release introduces a simplified way to install and run ADS based on Docker. The new installation process makes it even quicker and easier to get ADS up and running.
Online documentation
The documentation for ADS has been converted to an online format, and is now available at https://docs.axiomatics.com. PDFs are no longer included in the distribution. The online distribution model will improve availability and ensure that users always have easy access to the latest version of the documentation.
Support for InfluxDB for metrics data processing
ADS now supports the time series database Influxdata InfluxDB OSS 2.x as a metrics backend.
Support for authentication using client credentials
ADS can now be configured to authenticate itself against Axiomatics Services Manager (ASM), and send client credentials when requesting a domain configuration file from ASM.
Using Azure Monitor Application Insights for tracing and metrics
When Azure Monitor Application Insights is used for monitoring and analytics, the Application Insights Java agent should be used for both tracing and metrics.
Note: The option of configuring Azure Monitor as a metrics backend in ADS is no longer recommended, and its use is deprecated. This configuration option will be removed in a future release.
Version 1.8.0
What's new
Metrics data collection and processing
ADS now collects the following metrics for requests, to provide performance data that can be useful to identify patterns and understand trends:
Rate - the number of access requests ADS has served
Errors - the number of failed access requests
Duration - distribution of the amount of time each access request takes
Rate of successful evaluations - the rate of successful access requests that evaluated to Permit, Deny, Indeterminate, or Not Applicable, respectively
The sampling rate for these metrics is configurable.
This data can be accessed by metrics backends using either a (client) pull or a (server) push model. The currently supported metrics backends are Prometheus and Azure Monitor.
Separation of event types in the audit log stream
The audit logs produced by ADS contain two types of events, evaluation events and administrative events. To simplify analysis of the log data, the log stream can now be configured to separate the two types of events, for output to console and/or file. Which type of event to include in the log output is controlled by the use of different loggers, so that the output contains either evaluation events only, administrative events only, both types together, or one output item for each type.
Domain format conversion removed
The domain format conversion feature introduced in version 1.6.4 has been removed.
Customers wanting to convert legacy XML-format (or version 1) authorization domain configuration files to YAML-format (or version 2) authorization domain configuration files are instead requested to contact Customer Support, who will assist with conversion services.
Fixed issues
Environment variable substitution not working
A change to the domain validation operation caused environment variable substitution to stop working. This has been fixed.
Version 1.7.0
What's new
Tracing using OpenTelemetry
Tracing can now be enabled in ADS, providing the option to track key events that relate to access requests. The tracing functionality in ADS is based on OpenTelemetry (OT), relying on the OpenTelemetry Java agent to orchestrate the feature, but any agent that conforms to or implements the OpenTelemetry API version 1.3 could be used. For visualization and monitoring assistance, the tracing information produced by ADS can be published to other tools, for example, Jaeger or Prometheus.
For each request, the following spans are defined in the trace:
A span for the whole request.
A span per attribute fetch. A span is produced whether the fetch is served from the attribute cache or requires a call to the attribute connector itself.
If the access request includes a W3C trace context, ADS does not define a new trace; instead, all spans are created within that context. If the access request contains a header with correlation information, that information is attached to the span associated with the whole request.
Logging enhanced with tracing information in MDC
Log entries emitted by ADS can be enhanced with trace and span identifiers as attributes in the Mapped Diagnostic Context (MDC). However, this requires that the OpenTelemetry Java agent that ADS relies on for the tracing functionality is enabled. When that is the case, the OpenTelemetry Java agent will inject information about the current span into the MDC copy of each logging event.
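The span layout described for tracing and the MDC enrichment described here, as an added example that is not ADS's or the OpenTelemetry agent's own code: the function for the request span joins an incoming W3C trace context when a valid traceparent header is present and starts a fresh trace otherwise, attaches correlation information from the request header to that span only, and derives child spans for attribute fetches. The traceparent layout (version-trace_id-parent_id-flags) is the W3C Trace Context format; the use of x-xacml-transaction-id as the correlation header, the span dictionary shape and the MDC field names are assumptions made for this example.

```python
import os
import re

# W3C traceparent: version-trace_id-parent_id-flags, all lowercase hex.
TRACEPARENT_RE = re.compile(r"^([0-9a-f]{2})-([0-9a-f]{32})-([0-9a-f]{16})-([0-9a-f]{2})$")

# Assumed correlation header; x-xacml-transaction-id is the one ADS documents for audit logs.
CORRELATION_HEADER = "x-xacml-transaction-id"


def parse_traceparent(value: str):
    """Return (trace_id, parent_span_id, sampled) for a valid header, else None."""
    match = TRACEPARENT_RE.match(value.strip().lower())
    if not match:
        return None
    version, trace_id, parent_id, flags = match.groups()
    # Version ff is reserved as invalid and all-zero ids are forbidden by the spec.
    if version == "ff" or trace_id == "0" * 32 or parent_id == "0" * 16:
        return None
    return trace_id, parent_id, bool(int(flags, 16) & 0x01)


def start_request_span(headers: dict) -> dict:
    """Create the span that covers one whole access request.

    With a valid traceparent the span joins the caller's trace as a child of the
    caller's span; without one a new trace is started. Correlation information
    is attached here and not propagated to child spans.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    parsed = parse_traceparent(lowered.get("traceparent", ""))
    if parsed is not None:
        trace_id, parent_id, sampled = parsed
    else:
        trace_id, parent_id, sampled = os.urandom(16).hex(), None, True
    span = {
        "name": "authorize",
        "trace_id": trace_id,
        "span_id": os.urandom(8).hex(),
        "parent_span_id": parent_id,
        "sampled": sampled,
        "attributes": {},
    }
    if CORRELATION_HEADER in lowered:
        span["attributes"]["correlation_id"] = lowered[CORRELATION_HEADER]
    return span


def start_child_span(parent: dict, name: str) -> dict:
    """Child span for one attribute fetch (cache hit or attribute connector call)."""
    return {
        "name": name,
        "trace_id": parent["trace_id"],
        "span_id": os.urandom(8).hex(),
        "parent_span_id": parent["span_id"],
        "sampled": parent["sampled"],
        "attributes": {},
    }


def mdc_fields(span: dict) -> dict:
    """Fields a tracing agent would inject into each log event's MDC copy (assumed names)."""
    return {"trace_id": span["trace_id"], "span_id": span["span_id"]}


if __name__ == "__main__":
    # Constructed request headers for the demonstration.
    request = start_request_span({
        "Traceparent": "00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01",
        "X-XACML-Transaction-ID": "tx-42",
    })
    fetch = start_child_span(request, "attribute:subject.role")
    print(request, fetch, mdc_fields(fetch))
```

Header names are compared case-insensitively, and a malformed or all-zero traceparent is treated as absent rather than trusted, so a caller cannot make ADS emit spans under an invalid trace id.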
Support for conditional requests when polling a domain name using HTTP(S)
ADS now supports conditional requests when polling a domain name from an authorization domain server using GET on an HTTP(S) endpoint. This means that ADS will recognize an "ETag" header if present in the response from the server, and consequently include an "If-None-Match" header field in its future requests, as well as correctly handle the "304 (Not Modified)" status code and header information the authorization domain server will use in its response if the representation has not changed since the previous request.
The implementation is compliant with IETF RFC 7232, §3.2, which delineates the name and semantics of the header information that clients must use for an "If-None-Match" header field, and IETF RFC 7232, §4.1, which describes the definition of the "304 (Not Modified)" status code and header information.
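The conditional polling exchange described above, as an added example that is not ADS's own polling client: a client remembers the ETag of the last domain it loaded, sends it back in If-None-Match, and reloads only on a 200, while the server side applies the weak comparison from RFC 7232 to decide between 200 and 304. The in-memory server, the domain bodies and the entity tags are constructed for the example so that the exchange runs offline.

```python
def etags_match_weakly(header_value: str, current_etag: str) -> bool:
    """Weak comparison (RFC 7232 §2.3.2): ignore a W/ prefix on either side."""
    def strip_weak(tag: str) -> str:
        tag = tag.strip()
        return tag[2:] if tag.startswith("W/") else tag
    if header_value.strip() == "*":
        return True
    return any(strip_weak(tag) == strip_weak(current_etag) for tag in header_value.split(","))


class DomainServer:
    """Constructed stand-in for an authorization domain server that serves GET on one resource."""

    def __init__(self, body: str, etag: str):
        self.body, self.etag = body, etag
        self.full_responses = 0  # how many times the whole domain was sent

    def publish(self, body: str, etag: str) -> None:
        self.body, self.etag = body, etag

    def get(self, request_headers: dict):
        if_none_match = request_headers.get("If-None-Match")
        if if_none_match is not None and etags_match_weakly(if_none_match, self.etag):
            # Representation unchanged: no body, but the validator is repeated.
            return 304, {"ETag": self.etag}, None
        self.full_responses += 1
        return 200, {"ETag": self.etag, "Content-Type": "application/x-yaml"}, self.body


class DomainPoller:
    """Client side: keeps the last ETag and only reloads the domain when a 200 arrives."""

    def __init__(self, server: DomainServer):
        self.server = server
        self.etag = None
        self.domain = None
        self.reloads = 0

    def request_headers(self) -> dict:
        return {"If-None-Match": self.etag} if self.etag is not None else {}

    def poll(self) -> bool:
        """Return True if a new domain was loaded, False if the cached one is still current."""
        status, headers, body = self.server.get(self.request_headers())
        if status == 304:
            if self.etag is None:
                # A 304 is only a valid answer to a conditional request.
                raise RuntimeError("304 Not Modified received for an unconditional request")
            return False
        if status == 200:
            self.domain = body
            self.etag = headers.get("ETag")
            self.reloads += 1
            return True
        raise RuntimeError(f"unexpected status {status} while polling the domain")


def simulate():
    """Three poll cycles: initial load, unchanged domain, then a republished domain."""
    server = DomainServer(body="domain: v1", etag='"v1"')  # constructed sample domain
    poller = DomainPoller(server)
    outcomes = [poller.poll(), poller.poll()]
    server.publish(body="domain: v2", etag='W/"v2"')
    outcomes.append(poller.poll())
    return outcomes, poller.domain, server.full_responses


if __name__ == "__main__":
    print(simulate())  # ([True, False, True], 'domain: v2', 2)
```

Only the second cycle is answered with 304, so the domain body crosses the wire twice for three polls; with a real server the saving grows with the polling frequency and the domain size.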
Version information published by ADS
Users can now access version information published by ADS in two ways: By looking at the log, as ADS will log information about the application and the operating system during start-up, or by querying an administration endpoint. The information presented is the same for both methods. Refer to the ADS User's Guide for more information.
Check command will detect mismatch between declared and provided attributes
The check command functionality has been extended with another validation item. It will now also detect any mismatch between declared and provided attributes in the domain configuration.
Configuration to stop ADS from starting if a declared attribute is not provided
There is an optional property, failOnDeclaredAttributeNotProvided, that can be used to configure ADS not to start or reconfigure with a domain that does not provide an attribute that has been declared in the configuration.
Concise format default for audit logging output
A concise format is now the default for the audit logging output. To improve processing efficiency, information not essential to auditing is excluded from the evaluation events. If the full, or verbose, logging information is required, this can be set via an audit mode property in the deployment configuration file.
Fixed issues
XACML function string-regexp-match conforms to the specification
Previously, the string-regexp-match function returned incorrect results for some regular expressions that use the alternation operator. This has been fixed and the function now conforms to the XACML 3.0 specification.
MDP requests not failing fast if one access decision fails
When the authorization engine receives an MDP (Multiple Decision Profile) request, the execution is parallelized.
Previously, if an individual access decision failed, for example because of an exception raised by an attribute connector, the engine did not abort the execution or fail fast, and the other parallel evaluations continued to run. This could result in unnecessary resource use.
This has been fixed. Now, if one individual access decision fails, the engine fails fast and cancels all active parallel processes so as to not consume unnecessary resources.
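The fail-fast behaviour described here, as an added illustration rather than the ADS authorization engine's own code: the individual decisions of an MDP request are evaluated on a thread pool, and the first failure sets a stop flag from inside the worker, cancels the queued evaluations and makes the whole request fail. The sample evaluator, its delays and the decision values are constructed for the example.

```python
import concurrent.futures
import threading
import time


class DecisionError(Exception):
    """Raised when one individual access decision in an MDP request fails."""


def evaluate_mdp(individual_requests, evaluate_one, max_workers=2, started=None):
    """Evaluate the individual decisions of an MDP request in parallel, failing fast.

    Returns the decisions in request order. On the first failure, evaluations that have
    not started are cancelled or skipped and DecisionError is raised, so no further
    resources are spent on a request whose overall result is already an error.
    `started` (optional list) collects the ids of decisions that actually ran.
    """
    stop = threading.Event()
    started = [] if started is None else started
    lock = threading.Lock()

    def guarded(req):
        if stop.is_set():
            raise DecisionError("skipped: another decision already failed")
        with lock:
            started.append(req["id"])
        try:
            return evaluate_one(req)
        except Exception as exc:
            # Set the flag from the worker, so a task picked up right after this one sees it.
            stop.set()
            raise DecisionError(f"decision {req['id']} failed: {exc}") from exc

    with concurrent.futures.ThreadPoolExecutor(max_workers=max_workers) as pool:
        futures = [pool.submit(guarded, req) for req in individual_requests]
        try:
            for fut in concurrent.futures.as_completed(futures):
                fut.result()  # re-raises the first failure
        except DecisionError:
            for fut in futures:
                fut.cancel()  # pending futures never run
            raise
        return [fut.result() for fut in futures]


def sample_evaluate(req):
    """Constructed stand-in for evaluating one decision (with an optional delay or failure)."""
    time.sleep(req.get("delay", 0))
    if req.get("fail"):
        raise RuntimeError("attribute connector timeout")
    return req["decision"]


if __name__ == "__main__":
    ok = evaluate_mdp([{"id": 1, "decision": "Permit"}, {"id": 2, "decision": "Deny"}], sample_evaluate)
    print(ok)
    ran = []
    requests = [{"id": 1, "fail": True}] + [
        {"id": i, "decision": "Permit", "delay": 0.05} for i in range(2, 6)
    ]
    try:
        evaluate_mdp(requests, sample_evaluate, started=ran)
    except DecisionError as err:
        print(err, "evaluations started:", ran)
```

With two workers and five decisions where the first fails immediately, at most two evaluations ever start: the failing one and whichever the second worker had already picked up; the other three are cancelled while still queued.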
Known issues
Running an ADS command may create audit log output
Running an ADS command may create audit log output depending on the configuration that is being used. This is because running any command starts a JVM with the full functionality of the current configuration enabled. This is unavoidable due to the design of the commands. As a consequence, it is not possible to avoid producing audit logs for operations that are triggered by running a command, if audit logging is enabled in the configuration.
Warning of illegal reflective access operation when running ADS on Java 11
Running ADS on Java 11 may trigger warnings concerning illegal reflective access operations. These warnings are not a consequence of any malfunctioning, and can therefore be ignored and do not need to be reported.
Domain conversion command may produce invalid domains
Running the authorization domain format conversion command may result in invalid domain configuration files. Use of the command is deprecated and the functionality will be removed in a later release of ADS.
Version 1.6.4
What's new
Runtime updating of domain configurations
There is now an optional property, domainRefreshInterval, that can be used to configure ADS to update the domain configuration during runtime by polling its source at regular intervals. This allows for updating of policies or attribute connectors without having to stop and redeploy ADS.
Note: The refresh feature only reloads the domain if it has been modified. When that happens, ADS clears the attribute cache and creates new instances of the attribute connectors.
Authorization domain format conversion
A conversion command has been added that will convert an XML-format authorization domain configuration file to a YAML-format authorization domain configuration file.
ADS can send user credentials for retrieval of domains
ADS can now present user credentials when requesting a domain configuration file from remote locations that support Basic Authentication.
Connection pooling enabled by default for LDAP
Previously, connection pooling was only enabled for unencrypted connections, that is plain text connections. Now connection pooling is enabled by default for both LDAP and LDAPS connections.
As part of the update, the property com.sun.jndi.ldap.connect.pool.protocol has been superseded by the property com.axiomatics.jndi.ldap.connect.pool.protocol. Existing configurations using this property should be updated to reflect this.
Attribute connectors no longer included in ADS distribution
Standard attribute connectors for connection to SQL and LDAP data sources are no longer included in the ADS distribution. Instead, each attribute connector must be downloaded and installed separately.
License expiration warning configurable
A configuration property has been added to let you override the default 30 day duration for when the warning of an impending license expiration is triggered.
Fixed issues
Invalid PolicyIdentifierList field in response
Previously, the PolicyIdentifierList field that may appear in XACML JSON profile 1.1 responses was invalid. This has been fixed. The values of the PolicyIdentifierList field in an XACML JSON profile 1.1 response now comply with the JSON Profile of XACML 3.0 Version 1.1 specification.
Version 1.5.0
What's new
Support for metadata in the domain document
ADS now supports storing metadata in the domain document for tooling and domain management workflow processes.
Sensitive data provided through environment variables
ADS now allows for sensitive data in attribute connector configurations, such as user names and passwords, to be provided through environment variables.
Fixed issues
Number of connections opened when using connection pooling
On startup, ADS incorrectly opened twice the number of database connections per instance as the value specified by the minimumSize key of the connectionPool property. This has been fixed.
Non-UTC time zones in a request incorrectly reported in the audit log
Time attribute values with non-UTC time zones received in a request were incorrectly reported in the audit log: the values were converted to UTC and lost the supplied time-zone information. This has been fixed; the time-zone information is now retained in the audit log. The issue did not affect the authorization responses, only the way the requests were reported in the audit log.
Loss of non-UTC time-zone information when using a JSON format request
Time attribute values with non-UTC time zones received in a JSON request were converted to UTC and lost the supplied time-zone information. Depending on the policy, this could affect the correctness of the authorization response. The issue has been fixed; the time-zone information is now retained during the authorization process. The problem did not affect XML format requests.
Version 1.4.0
What's new
New authorization domain document format
This release introduces a new YAML document format for the representation of authorization domains. The new document format has a number of benefits, for example:
The document is human-readable, which makes it easy to analyze and maintain.
Specialized software tools are not required to create the document; editing can be done using a regular text editor.
The document structure follows a concise syntax, and it is easy to embed other text-format data inline in the domain configuration.
The format is well-suited to source control.
ADS starts with Table or SQL attribute connector even if database is down
ADS would not start if a Table or SQL attribute connector was used in the policy and the source database was down during the start-up of the application. The initialization functionality has been changed so that transient database connection issues will not cause ADS to fail on start-up.
Fixed issues
ADS could fail to start due to dependency conflicts with attribute connectors
ADS could fail to start when the ADS application .jar file is not the first one in the classpath when used along with attribute connector .jar files. This has been fixed.
Version 1.3.0
What's new
Support for legacy PDP SOAP endpoint
To make migration easier, clients using the legacy PDP SOAP endpoint can now point directly to ADS.
License file retrieval from classpath
Support for license file retrieval from the classpath has been added.
Fixed issues
ADS failed to start with ARQ capabilities enabled in domain configuration
ADS failed to start when the deployment configuration file pointed to a legacy domain configuration that was exported with the ARQ RAW or ARQ SQL capabilities enabled. This has been fixed.
Known issues
Legacy PDP SOAP endpoint limitation
There is the possibility of a log warning unrelated to Access Decision Service. If ADS is configured to use Basic authentication and the legacy PDP SOAP endpoint is used, a request to ADS sent without user credentials will cause ADS to return HTTP error code 500 (Server error). In this case, the ADS log contains a WARN-level entry with a stack trace for a NullPointerException. This log message can be ignored: it is due to a third-party library and has no relevance for the functionality of Access Decision Service.
Version 1.2.0
What's new
JSON Profile of XACML 3.0 Version 1.1 conformance
This release of Access Decision Service conforms with the JSON Profile of XACML 3.0 Version 1.1.
REST Profile of XACML 3.0 Version 1.1 conformance
This release of Access Decision Service conforms with the REST Profile of XACML 3.0 Version 1.1.
Legacy PDP support
To make migration easier, clients using the legacy PDP REST endpoint can now point directly to ADS.
configStrategy property removed
The property configStrategy has been removed. If this property is present in the deployment configuration file used to run ADS, the application will not start. The sample deployment configuration file supplied with ADS has been updated to reflect this change.
Known issues
ADS may fail to start due to order of jar files
ADS may fail to start when the ADS application .jar file is not the first one in the classpath argument. Suggested workaround: When starting ADS, make sure the ADS application .jar file comes first in the classpath argument, followed by the other dependencies. This will be fixed in a future release.
Version 1.1.3
What's new
Extended Java support
Oracle 64-bit Java 11 and OpenJDK 64-bit Java 11 are now supported.
Authorization domain limitation removed
A previous limitation, that only authorization domain configuration files exported from ASM using the GUI would be accepted, has been removed. Updates to the Developer Resources now make it possible to use authorization domain configuration files retrieved programmatically using the Admin API.
Transaction ID correlation
There is an optional header, x-xacml-transaction-id, that can be used for correlation purposes. If audit logging is enabled in the deployment configuration file, the value of the x-xacml-transaction-id that is supplied in the header will appear in the audit log as a transaction ID element.
Concurrent evaluation of Multiple Decision Profile requests
Concurrent, or multi-threaded, evaluation of Multiple Decision Profile requests is now a configurable property.
File retrieval support
The license property in the deployment.yml file supports the following ways of retrieving files:
file:dir/file.xml - relative file on file system via URL
file:/dir/file.xml - absolute file on file system via URL
dir/file.xml - relative file on file system
/dir/file.xml - absolute file on file system
http://<host:port>/<path/to/file> - URL to the file
https://<host:port>/<path/to/file> - URL to the file
The authorization domain property in the deployment.yml file supports the following ways of retrieving files:
classpath:/file.xml - file on classpath
file:dir/file.xml - relative file on file system via URL
file:/dir/file.xml - absolute file on file system via URL
dir/file.xml - relative file on file system
/dir/file.xml - absolute file on file system
http://<host:port>/<path/to/file> - URL to the file
https://<host:port>/<path/to/file> - URL to the file
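The location forms listed for the license and authorization domain properties, as an added example of a parser for them (not ADS's own resolver): each string is classified as a classpath resource, a file URL with a relative or absolute path, a plain file system path, or an http/https URL, and classpath locations are rejected for a property that does not support them. The kind names, the rejection of file URLs carrying a host, and the base-directory resolution are assumptions made for this example.

```python
import posixpath
from urllib.parse import urlsplit

REMOTE_SCHEMES = ("http", "https")


def classify_location(value: str, allow_classpath: bool):
    """Return (kind, target) for one location string, or raise ValueError.

    kind is one of: "classpath", "file-url", "path", "http", "https".
    target is the classpath resource, the file system path, or the full URL.
    allow_classpath is True for the authorization domain property and False for license.
    """
    value = value.strip()
    if not value:
        raise ValueError("empty location")
    if value.startswith("classpath:"):
        if not allow_classpath:
            raise ValueError("classpath: locations are not supported for this property")
        return "classpath", value[len("classpath:"):]
    parts = urlsplit(value)
    if parts.scheme in REMOTE_SCHEMES:
        if not parts.netloc:
            raise ValueError("remote URL needs a host")
        return parts.scheme, value
    if parts.scheme == "file":
        # file:dir/file.xml keeps a relative path, file:/dir/file.xml an absolute one.
        if parts.netloc:
            raise ValueError("file URLs with a host are not supported")  # assumed rule
        return "file-url", parts.path
    if parts.scheme:
        raise ValueError(f"unsupported scheme {parts.scheme!r}")
    # No scheme at all: a relative or absolute file system path.
    return "path", value


def resolve_local_path(target: str, base_dir: str) -> str:
    """Make a relative file system path absolute under base_dir (POSIX semantics)."""
    if posixpath.isabs(target):
        return posixpath.normpath(target)
    return posixpath.normpath(posixpath.join(base_dir, target))


def resolve(value: str, allow_classpath: bool, base_dir: str):
    """Classify a location and, for local files, resolve it against base_dir."""
    kind, target = classify_location(value, allow_classpath)
    if kind in ("file-url", "path"):
        return kind, resolve_local_path(target, base_dir)
    return kind, target


if __name__ == "__main__":
    # Constructed sample locations, one per form listed above.
    for sample in ("classpath:/domain.yml", "file:dir/file.xml", "file:/dir/file.xml",
                   "dir/file.xml", "/dir/file.xml", "https://ads.example:8443/domain.yml"):
        print(sample, "->", resolve(sample, allow_classpath=True, base_dir="/opt/ads"))
```

Classifying before resolving keeps the two concerns apart: a property that must not read from the classpath fails at classification, and only genuinely local forms reach the file system path resolution.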
Version 1.0.0
What's new
File retrieval support
The authorization domain property in the deployment.yml file supports the following ways of retrieving files:
classpath:/file.xml - file on classpath
file:dir/file.xml - relative file on file system via URL
file:/dir/file.xml - absolute file on file system via URL
dir/file.xml - relative file on file system
/dir/file.xml - absolute file on file system
Attribute Connectors packaged separately
There are no default attribute connectors in ADS version 1.0.0. The LDAP, SQL, and Table Attribute Connectors are packaged as independent entities in a separate subfolder of the software deliverable. The attribute connectors must be extracted and installed separately for use.
Authorization endpoint
The authorization endpoint for ADS is /authorize.
Deprecated endpoints
The /asm-pdp/authorize endpoint is deprecated in ADS v1.0 and only available to provide compatibility with legacy PDP installations.
Known issues
Authorization domains must be created using the ASM GUI
Authorization domain configuration files exported from Axiomatics Services Manager (ASM) using the Admin API cannot be used to configure the Access Decision Service. Only authorization configuration files exported from ASM using the GUI will be accepted.
Transaction ID not available
In the PDP web application included in the current Axiomatics Policy Server (APS) release, the client could specify a transaction ID together with the request.
The transaction ID would then be written to the audit log of the PDP. This functionality is not available in ADS 1.0.0 and the transaction ID will be ignored. The functionality will be available in a later version of ADS.