Releases: snowplow/iglu-server
0.12.1
Security patch release mitigating CVE-2024-1597, for which no exploit is known.
Changelog
Bump postgresql to 42.5.5 (#154)
0.12.0
This release adds the ability to send HSTS headers. Also the license has changed from Apache 2.0 to Snowplow Limited Use License.
The HSTS header ensures that websites or services are not accessed via HTTP when HTTPS (the more secure protocol) is available.
This is most relevant for URLs that users might type into their browser — if they start with http:// by mistake, there is a risk that a prepared attacker impersonates the site and steals user data. Because users don’t typically access Iglu Server endpoints directly, there is no significant attack vector. However, it’s a good security practice to use HSTS, and it helps pass automated security checks on the infrastructure.
If your Iglu Server is behind a reverse proxy like Nginx, then you would have already been able to configure the HSTS header there. But if you are using something like an AWS or GCP load balancer, it can be convenient to send this header from the app itself, to be passed through by the load balancer.
The configuration looks like this:

```
repoServer.hsts {
  enable = true
  maxAge = 365 days
}
```
This setting is off by default, because sending an HSTS header from a server that does not expose HTTPS endpoints could be problematic for its users.
You can find the relevant configuration properties in the docs for Iglu Server.
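To confirm that the header actually reaches clients with the intended lifetime once it has passed through a load balancer (the `365 days` above corresponds to `max-age=31536000` seconds), here is an added checker written for these notes, not part of Iglu Server; the response headers it inspects are constructed samples, not captured from a real deployment:

```python
SECONDS_PER_DAY = 24 * 60 * 60

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 directive list)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        # Directive names are case-insensitive; max-age may be quoted.
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives

def check_hsts(headers, min_days=365):
    """Return (ok, reason) for a dict of response headers (names case-insensitive)."""
    hsts = next((v for k, v in headers.items()
                 if k.lower() == "strict-transport-security"), None)
    if hsts is None:
        return False, "no Strict-Transport-Security header (hsts disabled, or dropped by the proxy?)"
    d = parse_hsts(hsts)
    if "max-age" not in d or not d["max-age"].isdigit():
        return False, "max-age missing or not an integer"
    max_age = int(d["max-age"])
    if max_age == 0:
        return False, "max-age=0 tells browsers to forget the HSTS policy"
    if max_age < min_days * SECONDS_PER_DAY:
        return False, f"max-age {max_age}s is below {min_days} days"
    return True, f"max-age covers {max_age // SECONDS_PER_DAY} days"

# Constructed sample responses (not captured from a real Iglu Server):
GOOD = {"Content-Type": "application/json",
        "Strict-Transport-Security": "max-age=31536000"}
SHORT = {"strict-transport-security": "max-age=86400; includeSubDomains"}
MISSING = {"Content-Type": "application/json"}
```

Feed it the headers from an HTTPS request against the load balancer rather than the app itself, since the point is whether the header survives the hop.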
Finally, note that as per our earlier announcement, Iglu Server is now released under the Snowplow Limited Use License Agreement, and you will need to explicitly accept it if you upgrade from an earlier version. See here for how to do that.
0.11.0
This version solves a few problems with the superseding schema feature. Also, it disallows non-sequential versions.
Changes to the superseding schema feature
Recently, we've added the superseding schema feature to Iglu Server. More information about it can be found here.
However, we've realized that superseding version information can't be propagated from one server to another (for example from a dev server to a prod server), because Iglu Server only returned the `$supersededBy` field. Therefore, starting with this version, Iglu Server returns the `$supersedes` field as well. The `$supersedes` field's value is the exact value given to the schema during upload. This way, if multiple sequential schemas are transferred from one Iglu Server to another, the superseding version information is transferred exactly as well. Keep in mind that this change requires a new field in the `iglu_schemas` table; it will be added automatically, so you don't have to do anything manually. More information about this change can be found in this issue.
Also, in this version, we've fixed a bug that updated the superseding version information of schemas with different vendors/names whenever their superseding schema versions were the same.
Disallow non-sequential versions
Starting with this version, schemas with a non-sequential version won't be allowed. As an example, if Iglu Server already holds versions 1-0-0 and 1-1-0 of a schema, then it will reject an attempt to publish schema version 1-0-1.
Changelog
0.10.1
0.10.0
This version allows setting and getting the new schema field `$supersededBy`. Enrich will use this new field for the superseding schema feature.
How to add superseding information to a schema
There are two ways to add superseding information: `$supersedes` and `$supersededBy`.

The `$supersedes` field states that the schema version defined in the `self` part supersedes the schema versions listed under the `$supersedes` field. It is used as follows:
```json
{
  "$schema": "http://iglucentral.com/schemas/com.snowplowanalytics.self-desc/schema/jsonschema/1-0-0#",
  "$supersedes": ["1-0-0", "1-0-1"],
  "self": {
    "vendor": "com.acme",
    "name": "example",
    "format": "jsonschema",
    "version": "1-0-2"
  },
  "type": "object",
  "properties": {}
}
```
The schema above specifies that version `1-0-2` supersedes `1-0-0` and `1-0-1`. After uploading this schema to Iglu Server, the superseding information will be stored.
It is also possible to submit superseding information to Iglu Server with the `$supersededBy` field. In this case, the superseding information is submitted from the other direction: the older schema names the version that supersedes it. It is used as follows:
```json
{
  "$schema": "http://iglucentral.com/schemas/com.snowplowanalytics.self-desc/schema/jsonschema/1-0-0#",
  "$supersededBy": "1-0-1",
  "self": {
    "vendor": "com.acme",
    "name": "example",
    "format": "jsonschema",
    "version": "1-0-0"
  },
  "type": "object",
  "properties": {}
}
```
The schema above specifies that version `1-0-0` is superseded by `1-0-1`. After uploading this schema to Iglu Server, the superseding information will be stored.

Once superseding information has been submitted, the superseded schema will contain the `$supersededBy` field when it is retrieved, regardless of which way was used to submit it.
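The behaviour described in these notes, as an added toy model in Python: both submission forms, `$supersededBy` (and, as of 0.11.0, `$supersedes`) attached on retrieval, superseding information keyed by vendor and name so that a different schema with identical version numbers is never touched (the 0.11.0 bug fix), and 0.11.0's rejection of non-sequential versions. This is illustrative code written for these notes, not iglu-server's own code; it assumes a simplified sequential-version rule matching the 1-0-1 after 1-1-0 example, namely that a version older than the newest one already stored for that vendor/name is rejected.

```python
from collections import defaultdict

def parse_ver(v):
    """SchemaVer 'MODEL-REVISION-ADDITION' -> comparable tuple of ints."""
    model, revision, addition = v.split("-")
    return int(model), int(revision), int(addition)

class Registry:
    """Toy stand-in for the iglu_schemas table, keyed by (vendor, name)."""

    def __init__(self):
        self.schemas = defaultdict(dict)        # (vendor, name) -> {version: body}
        self.superseded_by = defaultdict(dict)  # (vendor, name) -> {old: newer}
        self.supersedes = defaultdict(dict)     # (vendor, name) -> {newer: [old, ...]}

    def publish(self, schema):
        key = (schema["self"]["vendor"], schema["self"]["name"])
        ver = schema["self"]["version"]
        newest = max(self.schemas[key], key=parse_ver, default=None)
        # Simplified 0.11.0 rule (assumption): once 1-1-0 is stored, a late 1-0-1 is rejected.
        if newest is not None and parse_ver(ver) < parse_ver(newest):
            raise ValueError(f"{ver} is not sequential: {newest} already exists")
        self.schemas[key][ver] = {k: v for k, v in schema.items()
                                  if k not in ("$supersedes", "$supersededBy")}
        # Forward form: this version supersedes each listed older version.
        if "$supersedes" in schema:
            self.supersedes[key][ver] = list(schema["$supersedes"])  # kept exactly as given
            for old in schema["$supersedes"]:
                self.superseded_by[key][old] = ver
        # Reverse form: the same fact, submitted from the older schema's side.
        if "$supersededBy" in schema:
            self.superseded_by[key][ver] = schema["$supersededBy"]

    def get(self, vendor, name, version):
        """Retrieve a schema; superseding fields are attached however they were submitted."""
        key = (vendor, name)
        out = dict(self.schemas[key][version])
        if version in self.superseded_by[key]:
            out["$supersededBy"] = self.superseded_by[key][version]
        if version in self.supersedes[key]:
            out["$supersedes"] = self.supersedes[key][version]
        return out

def schema(vendor, name, version, extra=None):
    """Minimal self-describing schema body (constructed sample input)."""
    body = {"self": {"vendor": vendor, "name": name,
                     "format": "jsonschema", "version": version},
            "type": "object", "properties": {}}
    return {**body, **(extra or {})}
```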
Changelog
0.9.1
Version 0.9.0
This release amends the validation endpoint, so it now warns against schemas with invalid names. See #119
Changelog
- Remove the --help default docker command (#107)
- Update copyright to 2023 (#127)
- Bump jackson-databind to 2.14.1 (#126)
- Bump postgresql driver to 42.5.1 (#125)
- Bump swagger-ui to 4.15.5 (#124)
- Bump circe to 0.14.3 (#123)
- Bump http4s to 0.21.34 (#122)
- Bump iglu-scala-core to 1.1.2 (#121)
- Validation service report error on invalid schema names (#119)
0.8.7
Starting from this release an additional Docker image based on distroless will also be released, alongside the usual one.
It brings in fewer dependencies, which makes it more lightweight and also less prone to vulnerabilities. These assets have the `-distroless` suffix on DockerHub.
This release also makes it possible to use POST for the webhook calls made when a schema is published or updated.
CHANGELOG
0.8.6
Version 0.8.5
This patch release fixes a problem introduced in version 0.8.0, where we made schema validation far too strict. The new release finds a better balance:
- Rejects schemas that are completely un-usable by the Iglu system
- Allows schemas that are technically valid, but might contain unknown additional properties. The validation endpoint raises warnings for such schemas.