Chapter 1. Red Hat 3scale API Management 2.3 On-Premises Release Notes
1.1. New Features
This 2.3 release of Red Hat 3scale API Management only includes new features for APIcast. All the other features from the 2.2 release remain unchanged.
1.1.1. Major Changes
Extended the API policy coverage by adding new APIcast out-of-the-box policies:
- URL rewriting with captures: Ability to read the arguments in a URL and rewrite the URL using them (JIRA #1139)
- RH-SSO/Keycloak role check: Verifies realm roles and client roles in the access token (JIRA #1158)
- Logging: Allows to disable access logs for individual services (JIRA #1148)
- Anonymous access: Provides default credentials for unauthenticated requests (JIRA #586)
- 3scale Batcher: Caches authorizations from the 3scale backend and also sends reports in batches for better performance (JIRA #1155)
- 3scale Referrer: Adds support for Referrer Filtering feature
Improved the features and capabilities of the existing policies:
- Added the ability to modify query parameters in the URL rewriting policy (JIRA #1139)
- Edge limiting: A flexible and powerful policy that performs different kinds of rate limiting (JIRA #411)
- Extended the header modification policy by allowing templating (JIRA #1140)
- The OAuth 2.0 Token Introspection Policy has been improved by adding the following features: caching, support for logout/token revocation, get client credentials from the OpenID Connect (OIDC) Issuer Endpoint
OAuth 2.0 Token Introspection Policy is now out of Technology Preview.
- Better OIDC capabilities for integration with 3rd party identity providers (Support JWK through OIDC Discovery)
- Prometheus metrics (JIRA #1230)
- Added support for communication via forward HTTP proxy (JIRA #221)
- OpenTracing integration in APIcast to improve observability by allowing the use of Tracers (JIRA #1159)
1.1.2. Minor Changes
- Renaming of some policies (JIRA #1232)
APICAST_ACCESS_LOG_FILEenvironment variable that allows configuring the location of the access log (JIRA #1148)
Added new environment variables that allow configuring APIcast to listen on an HTTPS port and configure necessary certificates. New environment variables:
1.2. Resolved Issues
- APIcast crashes when adding an invalid (non-existing) policy name via API.
- Do not crash when initializing unreachable/invalid DNS resolver.
- After migration to new OCP instance, APIcast images can not be build from the upstream repository.
- OIDC Signature verification function not compatible with generic OIDC provider (JIRA #583).
- Wrong error message when OIDC issuer field is configured incorrectly.
- APIcast crashes when loading some configurations including services with OIDC authentication.
1.4. Technology Preview Features
- Added a new “Conditional policy” that only executes a policy chain if a certain condition is met. There is no GUI available for this policy; it must be configured via JSON.
1.5. Known Issues
- Dashboard stream and email notifications are not filtered according to the admin member permissions (JIRA #629)
- Servers on which 3Scale API Management is installed must use the UTC time zone for correct invoice generation in postpaid mode (JIRA #534)
- Internal Server Error when accessing signup page with spam protection enabled (JIRA #908)
- 500 internal error response when accessing Service settings view (JIRA #878)
- Backend-listener fails to reconnect to backend-redis (JIRA #608)
- Wildcard router overrides unsecured routes (Resolved in OpenShift Container Platform 3.9.33)
- Ogone and Authorize.net payment gateways are not supported. Nevertheless, these options are shown in the billing settings
1.6. Deprecation Notices
- End User Plans feature will be deprecated in March 2019. This feature is replaced by the ability to define rate limits for end users using the APIcast policy for edge limiting.
Native OAuth 2.0 implementation (Authorization Code flow) for API traffic authentication is deprecated in this release. In the next release, 3scale 2.4, you will find that:
- This feature cannot be selected in the User Interface (UI).
- This feature is replaced by the OIDC integration with Red Hat Single Sign-On, which includes support for multiple OAuth 2.0 flows (see documentation).