API7 Enterprise Release Notes

Version 3.2.14.4

Release Date: 2024-08-14

New Features

Override Upstream Timeout for Each Route

API7 Gateway offers granular control over request handling by enabling the configuration of distinct upstream timeouts for individual routes, to override the timeout configuration at the upstream side.

User Permission Boundary

Permissions boundaries define the maximum allowable permissions for a user, acting as a safeguard against excessive privilege escalation.

Security

• Upgraded frontend dependency.
• Ensured single device login - new login will revoke previous active sessions.
• Prohibited importing old license.
• Upgraded OpenResty version to fix security vulnerabilities.

Improvements

• Added service description in service hub list and published services list.
• Added "Connecting" status for service registry to avoid misunderstanding.
• Optimized custom plugin: Code Obfuscation and Encrypted Storage.
• Displayed a notification when using a test environment license.
• Implemented card-based UI for plugin management and modification.
• Supported configuration of custom plugin metadata.
• Minimized the image size of API7 Enterprise.

Bug Fixes

• Fixed the issue of empty values for service runtime configuration parameters (e.g., host, path prefix) being lost when publishing a service version to a gateway group.
• Eliminated unnecessary audit log generation for dry-run license uploads.
• Resolved issue with incorrect route creation and modification timestamps.
• Resolved plugin metadata schema validation errors.
• Improved service search accuracy.
• Resolved issue with plugin loss during service template publishing.

Version 3.2.14.3

Release Date: 2024-08-06

Bug Fix

• Supported referencing $env in SSL Certificates.
• Resolved UI instability when labels contained periods.
• Removed source code from frontend build artifacts.

Version 3.2.14.2

Release Date: 2024-07-30

Bug Fixes

• Resolved UI error for viewing Ingress Controller routes on the Dashboard.
• Fixed missing default Helm release name when installing gateway instance on Kubernetes.
• Enhanced Microsoft Entra ID (Azure AD) integration through ID token utilization.
• Fixed the issue that plugin inconsistencies may occur between service templates and published gateway groups.

Version 3.2.14.1

Release Date: 2024-07-22

Improvements

Import OpenAPI to Create Service on Gateway Group

Simply import your OpenAPI specification directly into a gateway group to have your new service and all its routes ready.

Unveiling Granular Access Control with API7 Portal

Leverage custom roles and permission policies for granular control over access to API Products.

Security

• Control plane address must be HTTPs.
• Removed the use of ngx.req.get_post_args(0), use the default value instead to avoid potential attacks.
• Regenerate Ingress Controller deployment scripts now requires second confirmation.

Managing Published Service Basics without Versioning

Service name/description/labels now can be modified without publishing a new version.

First Route Creation During Service Setup

Allowing you to define the initial route right from the start. This eliminates the need for a separate step and simplifies your workflow.

Bug Fixes

• Merged datadog plugin fix(https://github.com/apache/apisix/pull/11354) to API7 Enterprise.
• Fixed the issue of DP being invisible on the console.
• Fixed an issue: service registry status was always displayed as "disconnected" after changing the Prometheus data reporting method from remote-write to scrape.
• Fixed issue: Data plane encountered errors after deploying a custom plugin through the Dashboard.
• Fixed UI issue: you can not modify upstream of published service on a Ingress Controller gateway group.
• Wrong notification: When switching to Nodes, even if health checks are enabled, the prompt for users to enable health checks still exists.
• Fixed issue: When uploading a custom plugin, if there is a parsing error, the plugin name displayed in the error message does not match the actual file name.

Version 3.2.14.0

Release Date: 2024-07-08

New Features

Brand New Access Control

info

This is a breaking change. Roles from older versions can not be kept.

API7 Enterprise moves beyond traditional role-based permissions, adopting a permission policy architecture for granular access control through reusable policies assigned to roles. See roles and permission policies

Improvements

Configure Priority for Routes

In specific scenarios, you can configure same routes within two different services. With priority determining which route handles the request. The route with a higher assigned priority will be used first.

Harden mTLS Certificate Security

Improved following issues:

• Overly Long Certificate: The certificate string is too long and should be shortened.
• Unnecessary Tokens: The certificate contains unnecessary tokens that should be removed.
• Shared CA: Using the same Certificate Authority (CA) for multiple certificates is insecure.
• Mismatched Certificate Handling: When a certificate mismatch occurs, the handshake should immediately fail, rejecting the client's request instead of proceeding with further validation.

Include New Parameter lua_shared_dict in API7 Helm Chart

Introduced new parameter to Helm chart.

Bug Fixes

• Upgrading from older version may cause missing upstream data or 404 errors.
• UI error encountered during service request URL update.
• Fixed Developer Portal library issue.
• Fixed HTTP logger plugin memory leak.
• Frontend and backend password policies are inconsistent.
• The data-mask plugin reports an error when the GET request does not match any route.
• The status field of the ApisixUpstream CRD is recorded incorrectly
• Data Plane supports configuring the reporting interval for monitoring data.
• Fixed warning logs after configuring plugin metadata.
• Fixed plugin reload issue.
• Reduced the number of PostgreSQL connections.
• Optimized frontend resource consumption.
• Removed trailing dot in FQDN.
• Plugin Metadata should be able to be deleted.

Version 3.2.11.8

Release Date: 2024-06-26

Bug Fixes

• Reduced API latency by minimizing etcd calls.
• Kine database connection pool configuration can function normally.

Version 3.2.11.7

Release Date: 2024-06-24

Bug Fixes

• Improve API performance.
• Data Plane supports disabling telemetry data collection and configuring reporting intervals.
• Custom plugins can function even without a schema definition.

Version 3.2.11.6

Release Date: 2024-06-24

Bug Fixes

• Large data sets no longer cause etcd range API error.

Version 3.2.13.0

Release Date: 2024-06-19

Admin API Breaking Changes

1. The service template API has been migrated to the "/api/services/template" path prefix.

• Service template APIs
• Route template APIs

2. The original "/apisix/admin/services" endpoint now requires the gateway_group_id parameter.

• Service APIs on the gateway group
• Route APIs on the gateway group

New Features

Create/Update Service on Gateway Group without Publishing

If version control is not your requirement, you can now directly create services on the gateway group. These services become active immediately, eliminating the need for a separate publishing step. This simplifies the deployment process and saves you time.

However, it is important to consider the trade-off involved. By bypassing the publishing stage, you also lose the ability to easily roll back to a previous version or track the version changes.

See the latest starter tutorial for details: Launch your first API.

Integrate with Ingress Controller(UI Support)

API7 Gateway officially introduces Ingress Controllers, a new type of gateway group. While the dashboard offers convenient management for creating and viewing your Ingress Controller, configuration modifications require to declarative way for any configuration changes.

Improvement

Search for Gateway Group Name and Filter by Labels

Makes it easier to find the specific gateway group you are looking for within the gateway group list.

Secure Sensitive Data in Configuration File

The database's DSN configuration (including access address, username, and password) can be configured through environment variables and Helm chart.

Support Prometheus Authentication

Prometheus remote write now supports Basic Auth/mTLS.

Support Secret Feature for SSL Variables

Secure ssl.certs and ssl.keys with encrypted secrets.

Bug Fixes

• The ctx.var variable will be updated promptly after setting headers.
• Duplicate SSL certificates cannot be uploaded.

Version 3.2.11.5

Release Date: 2024-06-18

Bug Fixes

• The ssl_verify configuration now works fine for the Login Option OIDC and LDAP protocols.

Version 3.2.11.4

Release Date: 2024-06-07

Bug Fixes

• Protect sensitive fields within the login options related to API.

Version 3.2.12.0

Release Date: 2024-05-24

Admin API Breaking Changes

1. The "service status" field has been changed from "0: enabled, 1: disabled" to "0: disabled, 1: enabled".

• Publish a service
• Update service runtime configurations by ID
• Get all published services in Gateway Group

2. The "ID" field has been removed from the consumer API. Queries and deletions are now performed using "gateway group ID" and "username".

• Consumers APIs

3. SSL-related APIs now require the "gateway group ID" parameter.

• SSL APIs

New Features

Stream Route

API7 Gateway extends beyond API management. It can also handle Layer 4 (L4) traffic, like database or Kafka connections. Add a stream service and several stream routes to Proxy Transport Layer (L4) Traffic.

Custom Role (UI Support)

Design your own custom roles with granular permission control. See Add Custom Role.

Ingress Controller (Beta, API Support Only)

Integrate with Ingress Controller.

Improvement

Optimize Left Navigation Menu

• Users will now see the gateway group menu as the primary landing page.
• Change the Service menu item to Service Hub.

Bug Fixes

• Avoid duplicate API keys when using key-auth plugin.
• Enable allowlist and denylist at the same time in ua-restriction plugin.
• Reset the password without expiring the access token.
• Labels can be up to 64 characters long and include spaces.
• Validate the configuration of loggly plugin successfully.
• Force configuration synchronization to the data plane, even with schema validation errors. This prevents data loss and ensures uninterrupted workflow.
• The meaning of API7 Gateway service status is consistent with the corresponding field in Apache APISIX.

Version 3.2.11.3

Release Date: 2024-05-20

Bug Fixes

• etcd watch can pass SNI correctly.
• API7 Enterprise will attempt to create a database automatically. If permission issues arise, it will launch using a pre-configured database provided by the user, preventing installation failure.

Version 3.2.11.2

Release Date: 2024-05-20

Bug Fixes

• Labels can be up to 64 characters long and include spaces.
• Force configuration synchronization to the data plane, even with schema validation errors. This prevents data loss and ensures uninterrupted workflow.

Version 3.2.11.1

Release Date: 2024-05-08

New Features

SSO Role Mapping

This automated role mapping eliminates the need for manual role assignment by Super Admins. Users who satisfy the defined key-value mapping rules will be automatically assigned the corresponding roles upon login. For details, see Set Role Mapping.

SCIM Provisioning

Streamline your identity management with SCIM Provisioning. It automatically synchronizes user data from your Identity Provider, ensuring consistent and effortless user management. For details, see Sync User Data from IdP.

Custom Role (Beta, API Support Only)

Design your own custom roles with granular permission control. UI support coming soon.

Improvement

Upgrade to OpenSSL 3

Improved Security, Performance, and Availability.

Plugin Global Rules Ordering

To streamline the management of global rules, API7 Enterprise merges multiple rules into a single rule, ensuring that plugin configurations are unique within each rule.

Bug Fixes

Settings Modal Add HTTP Protocol Detection

Not properly detecting whether HTTP or HTTPS is required, leading to errors when deploying gateway instances using the given script.

Error Uploading SSL Certificate

An issue exists where uploading an SSL certificate intended for gateway group A may inadvertently assign it to gateway group B.

Support Host Level Dynamic Setting of TLS Protocol Version

Incorporated the fix from the resolved Apache APISIX issue.

Version 3.2.10.1

Release Date: 2024-04-28

New Features

Support MySQL 5.7

API7 Enterprise now supports MySQL 5.7.

Version 3.2.10.0

Release Date: 2024-04-22

Breaking Changes

Bind Token with User

Tokens are bound to specific users and share the same permissions. When the user is deleted, the associated token will also be deleted.

Version 3.2.9.5

Release Date: 2024-04-16

New Features

Upstream mTLS(API Support Only)

API7 Enterprise now supports mutual TLS (mTLS) authentication between the gateway and upstream services. mTLS is a form of communication security that requires both parties to present certificates to each other. This ensures that both parties are who they claim to be and that the data transmitted between them is encrypted. UI support coming soon.

Version 3.2.9.4

Release Date: 2024-04-07

Bug Fixes

Assessment of CPU Core Limitations

Resolved the issue that occurs when the maximum number of CPU cores is reached.

Version 3.2.9.3

Release Date: 2024-04-03

New Features

Integrate with Vault (Beta)

You can store sensitive data securely in your Vault. Admin API support is available; UI support coming soon.

Version 3.2.9.2

Release Date: 2024-04-01

New Features

Support SAML SSO Login

API7 Enterprise supports Single Sign-On (SSO) with SAML implementations. For details about how to configure SAML SSO login method, see configure SSO with SAML.

New Plugin: Data Mask

The data-mask plugin provides the capability to remove or replace sensitive information in request headers, request bodies, and URL queries. Learn more about Data Mask.

Feature Enhancements

Skip Path Prefix

You can opt to skip the path prefix when sending requests to the upstream. This adjustment is imperceptible to users and may be useful when using different path prefixes to identify APIs sent to different gateway groups.

Better Health Check Configuration UI

Introduced a user-friendly and intuitive UI for your health check configuration in upstreams.

Upgraded Encryption Algorithm

Upgraded from AES128 to AES256 algorithm.

Performance Improvement

Eliminated the impact caused by disabling plugins.

Version 3.2.9.1

Release Date: 2024-03-19

New Features

Support Add Custom Plugin

API7 Enterprise now allows you to build custom plugins to add extra functionalities and manage API traffic with custom flow. See how to Add Custom Plugin

Support OIDC SSO Login

API7 Enterprise supports Single Sign-On (SSO) with OIDC implementations. For details about how to configure the LDAP SSO login method, see configure SSO with LDAP.

Use Service Labels as API Provider Scope

By assigning service labels as the scope for an API Provider, you can grant them access to all services with a specific label. It will help reduce the workload of the Super Admin. Typically, services can be grouped using a 'Department' label. Thus, users from that department will be able to access all services belonging to that department.

Version 3.2.8.1

Release Date: 2024-02-08

New Features

Support Nacos Service Discovery

API7 Enterprise uses service discovery to automatically detect available upstream services, keeping their addresses in a database (called a service registry). Therefore, an API gateway can always fetch the latest list of upstream addresses through the service registry, ensuring all requests are forwarded to healthy upstream nodes.

In this release, API7 Enterprise supports integrating with Nacos service discovery, which can be used to publish services and synchronize services between gateway groups.

Support LDAP SSO Login

API7 Enterprise supports Single Sign-On (SSO) with LDAP implementations. Integrating API7 Enterprise with LDAP enables you to log your LDAP users into API7 Enterprise as part of API7 Enterprise' SSO infrastructure. For details about how to configure the LDAP SSO login method, see configure SSO with LDAP.

Support Adding Gateway Instances using Kubernetes

A gateway instance is a single proxy that handles traffic. In this release, API7 Enterprise supports adding gateway instances to a gateway group using Kubernetes. For details, see add gateway instances.