lakeFS Enterprise v1.86.0¶
Changelog¶
Important note: this version adds auth inverse secondary indices (user→group and accessKey→user). Deployments with local RBAC data require a one-time KV migration: before rolling out the new binary, refrain from auth admin operations (creating or modifying users, groups, memberships, or credentials) and run
lakefs migrate up; complete the rolling upgrade, then resume auth admin operations. No downtime is required — the previous version can keep serving requests throughout the migration as long as auth admin operations are paused until the upgrade completes. Large deployments can pre-populate the indices offline beforehand withlakefs migrate task run auth-inverse-indices(--dry-runreports pending writes without changing data). If the same access key is owned by more than one user (possible in stores created before access keys became globally unique),migrate upaborts and lists the conflicting keys and their owners; delete or rotate the duplicates, then re-run. Deployments that delegate authentication externally (no local users, groups, or credentials in the KV store) need no action — the server advances the schema version on start.
What's new:
- Iceberg REST Catalog: support multi-storage (
blockstores) configurations; repositories on unsupported blockstores get a clear "unsupported storage" response in the Tables view - Hooks: new native Delta Lake exporter (
delta_exporter_v2) with parquet checkpoint, deletion vector, and change data feed support - WebUI: render Word (
.docx) documents in the object viewer - RBAC:
fs:ListBranchesaccepts per-branch ARNs to scope listings to a subset of branches - Branch-level
Allow/Denyforfs:ListBranchesare now enforced per branch — audit existing policies before upgrading - S3 gateway: bucket-root listings (e.g.
aws s3 ls s3://repo) now requirefs:ListBranches; a policy granting onlyfs:ListObjectsnow gets403 AccessDeniedon them, and listings emit alist_branchesstats event rather thanlist_objects - RBAC: performance improvements to policy resolution and group membership lookups
- Reliability: lakeFS HTTP clients abort stalled reads with an idle-read timeout
lakefs --versionand the startup banner now identify the binary as lakeFS Enterprise- Spark commit-protocol client artifacts are now published to Maven Central
Bugs Fixed:
- Fix: concurrency crash in the prefetched-auth negative cache
- Fix: lakeFS failed to run on some ARM machines
Assets¶
checksums.txt | 1.8 kB | 2026-06-11 | |
lakefs-enterprise_1.86.0_Darwin_arm64.tar.gz | sha256:3a53033e2e2f8c69bcad507cfff1adee2c114c30456c96813e6a0627b0982276 | 74.7 MB | 2026-06-11 |
lakefs-enterprise_1.86.0_Darwin_x86_64.tar.gz | sha256:9a69ed038f4ae27efd7dcd69660d9d8e261b76abf1b3eb9f2dc7ad704eedd1ed | 79.8 MB | 2026-06-11 |
lakefs-enterprise_1.86.0_Linux_arm64.tar.gz | sha256:465fcd9bc22cac043f58672a1ca44ead7327683dde4c07ef5f8df6dbf86be9e9 | 71.0 MB | 2026-06-11 |
lakefs-enterprise_1.86.0_Linux_x86_64.tar.gz | sha256:9e9e1507d7e4dfef32abd4700a79db98ff66928e601d9af6367dcc27669dbabf | 78.2 MB | 2026-06-11 |
lakefs-enterprise_1.86.0_Windows_arm64.zip | sha256:9dec1e118090cac25998eca63607be3671eda211c672104de46156831f8b333a | 71.4 MB | 2026-06-11 |
lakefs-enterprise_1.86.0_Windows_x86_64.zip | sha256:93be8a440275ef81088bc0099cf488e16b37b75c0684580647dd658c306d8829 | 79.8 MB | 2026-06-11 |
Docker¶
Verify the signature (optional)¶
Requires Cosign:
cosign verify treeverse/lakefs-enterprise:1.86.0 \
--certificate-identity-regexp='^https://github\.com/treeverse/lakeFS\-Enterprise/\.github/workflows/' \
--certificate-oidc-issuer='https://token.actions.githubusercontent.com'
Expected output
Verification for index.docker.io/treeverse/lakefs-enterprise:1.86.0 --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- Existence of the claims in the transparency log was verified offline
- The code-signing certificate was verified using trusted certificate authority certificates