OpenFGA
v1.17.0Securityv1.17.0 hardens cache key generation against hash-flooding attacks and adds configurable OpenTelemetry trace sampling, including parent-based propagation.
securityUpgrade to get hash-flooding protection in cache keys
The old string-concatenation cache key approach was vulnerable to hash-flooding attacks and key collisions. The new TLV encoding with per-process hash seeding closes both issues. There are no config changes required — just upgrade. If you run OpenFGA in a multi-tenant or public-facing setup, this is a meaningful security improvement that warrants prioritizing the upgrade.
enhancementConfigure parent-based trace sampling if OpenFGA runs behind an API gateway or service mesh
Previously, OpenFGA couldn't honor upstream sampling decisions, meaning traces could be captured inconsistently across your stack. Set `OPENFGA_TRACE_SAMPLER=parentbased_always_on` (or `parentbased_traceidratio`) so OpenFGA respects the sampling decision made by the calling service. This is especially useful when OpenFGA is a downstream dependency in a larger traced system — it reduces trace noise and aligns sampling with your existing observability strategy.
主な変更 (5)
- Cache key generation switched from string concatenation to TLV binary encoding, eliminating collision risk
- Per-process hash seeding added to cache keys to prevent hash-flooding attacks
- New configurable trace sampler via `trace.sampler` / `OPENFGA_TRACE_SAMPLER` / `OTEL_TRACES_SAMPLER`
- Supports all standard OTel sampling strategies including parent-based variants
- Default trace sampler is `traceidratio`, preserving previous behavior