v5.5.0

Row-level access control, ip and uuid datatypes, column alias management in UI

Notable new features

Row-level access control

• Data can now be filtered for users based on the contents of the row and users' assigned roles.
• Each filter is implemented as a row policy.
• RBAC roles control which users are affected by which row policies.
• Learn more in Row-Level Access Control

Column alias management for data tables

You can now create and manage column aliases directly from the UI. Tabs are fully synchronized to preserve input when switching.

• Column alias list
• In the UI data/tables/{table_id}/column-management/: View existing aliases with columns for Alias and Expression
• Create new alias
• In the UI /data/tables/{table_id}/column-management/new-column-alias/
  • Alias form: Add a name and expression
  • Analyze expression:
  • Select optional columns to preview with the alias
  • See generated SQL, copy it, and set row limits
  • Run a test query to preview results
• Edit alias
• In the UI /data/tables/{table_id}/column-management/{alias_id}/: Edit or delete existing aliases

Support for new ip and uuid datatypes

IP addresses and UUIDs may now be used as a first-class datatype in transforms, ingest, and queries.

• The ip datatype supports both IPv4 and IPv6 addresses. Here's an example of field definitions in a transform:

{
  "name": "ipv4_field",
  "datatype": {
    "type": "ip",
    "default": "127.0.0.1"
  }
}

{
  "name": "ipv6_field",
  "datatype": {
    "type": "ip",
    "default": "fe80::22bb:2ebd:da90:3439"
  }
}

- The uuid datatype supports standard 128-bit UUIDs. Here's an example of a field definition in a transform:

{
  "name": "uuid_field",
  "datatype": {
    "type": "uuid",
    "default": "88a7bdff-ce1f-4ce6-ae6f-f506937e315c"
  }
}

Upgrade instructions

⚠️ Do not skip release versions.

Skipping versions during upgrades may result in system instability. You must upgrade sequentially through each release version.

Example: Upgrade from 5.4 → 5.5 → 5.6, not 5.4 → 5.6

1. Apply the new Hydrolix operator

If you have a self-managed installation, apply the new operator directly with the kubectl command examples below. If you're using Hydrolix-supplied tools to manage your installation, follow the procedure prescribed by those tools.

### GKE

kubectl apply -f "https://www.hydrolix.io/operator/v5.5.0/operator-resources?namespace=${HDX_KUBERNETES_NAMESPACE}&gcp-storage-sa=${GCP_STORAGE_SA}"

### EKS

kubectl apply -f "https://www.hydrolix.io/operator/v5.5.0/operator-resources?namespace=${HDX_KUBERNETES_NAMESPACE}&aws-storage-role=${AWS_STORAGE_ROLE}"

### LKE and AKS

kubectl apply -f "https://www.hydrolix.io/operator/v5.5.0/operator-resources?namespace=${HDX_KUBERNETES_NAMESPACE}"

1. Monitor the upgrade process

Kubernetes jobs named init-cluster and init-turbine-api will automatically run to upgrade your entire installation to match the new operator's version number. This will take a few minutes, during which time you can observe your pods' restarts with your favorite Kubernetes monitor tool.

Ensure both the init-cluster and init-turbine-api jobs have completed successfully and that the turbine-api pod has restarted without errors. After that, view the UI and use the API of your new installation as a final check.

If the turbine-api pod doesn't restart properly or other functionality is missing, check the logs of the init-cluster and init-turbine-api jobs for details about failures. This can be done using the k9s utility or with the kubectl command:

% kubectl logs -l app=init-cluster
% kubectl logs -l app=init-turbine-api

If you still need help, contact Hydrolix support.

Changelog

Updates

These changes include version upgrades and internal dependency bumps.

Cluster Operations

• Upgraded gunicorn from 20.0.4 -> 20.1.0 to prevent cluster problems. See more information about the bugfix here: https://github.com/benoitc/gunicorn/issues/1913
• Upgraded kopf and update operator RBAC from v0.0.0-20220102113305-2298ace6d09d to v0.0.0-20250630131328-58d95d85e994.
• Upgraded HTTP Proxy to version 0.4.0.
• Switched from pycryptodome to pycryptodomex version 3.23.0 to eliminate a security vulnerability.

Intake and Merge

• Updated Goja dependency from v0.0.0-20220102113305-2298ace6d09d to v0.0.0-20250630131328-58d95d85e994.
• Updated the following crates: fake to version 4.3.0 and rand to version 0.9.1
• Upgraded the golang.org/x/oauth2 library from version 0.23 to 0.27 to resolve a high-severity vulnerability (CVE-2025-22868). The issue allowed attackers to send malformed tokens that could cause excessive memory consumption during parsing.
  Related advisory: GHSA-6v2p-p543-phr9
• Updated go runtime from version 1.23.0 to 1.23.3 to address a segfault during autoingest.

UI

• Upgraded form-data library to Upgrades 2.5.4, 3.0.4, 4.0.4 or above to prevent Math.random()-related security vulnerability.

Improvements

Config API

• Added /download endpoint to DictionaryFile resource that downloads the dictionary file using the same permissions as view_dictionaryfile
• Implemented service account token generation within the config API. This allows more fine-grained control over token generation, TTLs, and revocations.
• Updated the /defaults Config API endpoint to return updated default settings values. Updated schema for multiple endpoints for more clarity on the 'settings' field. Changed the batch job default max_minutes_per_partitions from 360 to 60.
• Support for new ip and uuid datatypes has been added. See Support for new ip and uuid datatypes for more information.
• Enabled storing HDX Deployment ID (deployment_id) on multi-tenant Project resources.
• API query string parameter values for the /project endpoint are no longer converted to lowercase, preserving case-sensitivity.

Cluster Operations

• Hydrolix now includes both cluster-level and project-level deployment IDs in all usage reports, logs, and monitoring data.
• This ensures traceability across usage.meter, hydro.logs, and alerting pipelines.

• Deployment ID sources:

  • HDX_DEPLOYMENT_ID: cluster-wide, env var or CLI flag
  • project.hdx_deployment_id: per project, config data

• Improved initialization logic to ensure the hydro.logs transform includes the deployment_id column, allowing logs to be filtered by deployment.

• Added a service to guarantee a transform contains specific output_columns.
• Updated init_ci to use this service to ensure deployment_id is present.
• Refactored transform business logic into TransformSerializer for reuse and clarity.
• Creates or updates the transform and settings only if deployment_id is missing.
• Leaves other transform settings untouched.

• Raises clear errors if a conflicting datatype for the column exists.

• Include Hydrolix deployment ID in logs and metrics emitted by a cluster. The deployment ID is propogated to various workloads by the operator. If the operator can't obtain a deployment ID, it defaults to propagating the namespace.

• When Grafana is enabled in-cluster, the operator creates a default Hydrolix datasource in Grafana, replacing the default ClickHouse datasource.

• Added two metrics: fqdn_cert_expiry, which indicates the fqdn cert expiry time in seconds, and fqdn_tls_cert_expiry_diff, which indicates if the fqdn cert and the tls.crt in traefik-tls secret differ (which should not be the case).

• Introduced multiple enhancements to the hdx-scaler autoscaler to support more responsive and stable scaling:

• Separate cooldowns: cool_up_seconds and cool_down_seconds now control scale-up and scale-down cooldowns independently.
• Range-based scaling: metric_min and metric_max define bounds for a metric; autoscaling adjusts pod count relative to that range.
• Scaling throttles: New scale_up_throttle and scale_down_throttle options limit how quickly scale adjustments are made (as a percentage).

• Tolerance window: tolerance_up and tolerance_down define a dead zone around the target where no scaling is triggered.

• Added an interactive help window to the hdx-scaler terminal UI. Improves usability for users managing scaling settings from the TUI.

• Press h to open the help panel, which explains available configuration fields.

• Press ESC or q to close it.

• The hdx-scaler service now exposes detailed Prometheus metrics to improve the observability of autoscaling behavior.

These metrics include:

• hdxscaler_total_scalers: The total number of autoscalers running
• hdxscaler_ratio: The calculated ratio based on abs(normalized metric - normalized target) if using Metric Range mode or target metric / observed metric if using Metric Target mode
• hdxscaler_current_replicas: The current number of replicas
• hdxscaler_target_count: The number of targets the measured value is being averaged from
• hdxscaler_measured_value: The measured average value of the target group metrics
• hdxscaler_desired_replicas: The calculated number of replicas to scale to before applying any bounds checks, sensitizing, or throttling
• hdxscaler_bounded_replicas: What desired replicas are set to after applying all bounds checks, sensitizing, and throttling
• hdxscaler_normalized_metric: What the measured value is normalized to if using Metric Range as the scaling mode
• hdxscaler_normalized_target: What the target value is normalized to if using Metric Range as the scaling mode
• hdxscaler_delta: The difference between the normalized metric and normalized target, used in Metric Range mode
• hdxscaler_sensitivity_calc: The value calculated by the sensitizer, used in Metric Range scaling mode to calculated the desired replicas
• hdxscaler_throttle_up_calc: If scaling up, the max number of pods to scale up to, will be used instead of desired replicas if smaller
• hdxscaler_throttle_down_calc: If scaling down, the number of pods to scale down by, will be used if larger than desired replicas

Each metric (except hdxscaler_total_scalers) has the following labels:

• deployment: the Deployment being scaled
• alias: if that deployment has an alias, i.e. intake-head, alias="stream-head"
• app: the service or pool name being scraped for metrics to watch

• title: The name for this autoscaler which includes deployment name and metric / metric labels that are being used for scale calculations

• HDX Scaler now supports loading its config from a Kubernetes ConfigMap using the CONFIG_MODE=k8s environment variable.

• Faster config changes
• Default remains unchanged

• Improves deployment stability

• HDX Scaler now ignores services when the scale_off:true tunable is set. This prevents accidental restarts of pods that should be scaled off.

• To fully shut down the cluster, HDX Scaler must be scaled to zero manually.

• HDX Scaler now supports loading its config from a Kubernetes ConfigMap using the CONFIG_MODE=k8s environment variable.

• Faster config changes
• Default remains unchanged

• Improves deployment stability

• HDX Scaler now ignores services when the scale_off:true tunable is set. This prevents accidental restarts of pods that should be scaled off.

• To fully shut down the cluster, HDX Scaler must be scaled to zero manually.

• Added regular expressions (regex) for header and query-based dynamic ingest routing. To enable regex matching, prefix the value with regex|. See the example below:

routing:
  headers:
    x-hdx-table: regex|staging-project-(alpha|beta|gamma)
    x-hdx-transform: shared-staging-transform
  query_params:
    table: regex|customer_[0-9]+
    transform: tenant-transform

• Quesma can now be exposed externally to operate with an existing Kibana deployment using the enable_public_access tunable. See Enable public access to Quesma for more information.

• Gunicorn will now scale up async workers in accordance with the number of CPUs available to the hdx-traefik-auth container, saving administrators time when adding or removing resources from Traefik. This behavior is overrideable using the hdx_traefik_auth_workers tunable.

• Improved how email is handled during cluster creation and password resets, especially for customer-deployed environments.

• Cluster creation emails are now only sent to ADMIN_EMAIL (if set). If not set, no email is sent.
• Prevented all emails (invites, access codes, password resets) from being sent to CI_USER_EMAIL (e.g. hdx@hydrolix.net or $OWNER@hydrolix.net).
• Invite logic now matches password reset logic for email suppression.

• Added support for custom SMTP configuration to allow customer-managed delivery.

• Added support for updating the patch-level of third party software in internal images. Added patch_date tunable.

Intake and Merge

• Added support to the Vector software inside the cluster allowing specification of Bearer tokens to accompany messages sent to logs_sink_remote endpoints. This facilitates the use of service accounts to send logs to remote endpoints.
• Support for new ip and uuid datatypes has been added. See Support for new ip and uuid datatypes for more information.
• Removed the Serialize derivation from objects in the common crate, reducing redundancy in the code.
• Added a new kafka_sasl_plain credential type for use with Kafka ingest. The kafka-peer can now authenticate with SASL_SSL using username and password credentials.

Query

• Replaced the use of min_timestamp and max_timestamp in catalog queries to use a more specific SQL condition. This prevents contradictory conditions from fetching any partitions. (For example, WHERE primary < timestamp AND primary > timestamp should return no results)
• Fixed incorrect table name in log messages like the following: db='{db_name}' Storage='TurbineStorage' removed (TurbineStorage being incorrect)
• Columns in the GROUP BY clause in summary table SQL may now be removed from the summary table SQL. This allows a high-cardinality column to be removed from a summary table without dropping and re-creating the summary table.
• Support for new ip and uuid datatypes has been added. See Support for new ip and uuid datatypes for more information.

Security

• Set a HYDROLIX_TOKEN cookie using API using the attributes secure, httponly, and samesite. Use /users/current API endpoint to determine expired tokens and clear cookies.
• Support for row-level access control. See Notable new features for details.

UI

• Support for row-level access control. See Notable new features for details.
• The UI's browser tab title is now set to the cluster hostname to ease the managment of multiple clusters.
• Added a "Column Management" sidebar to the UI in Advanced Options. This feature is only available for non-summary tables.
• View and edit current and past column names
• Optionally set an alias as the current display name
• Add new aliases to existing columns

Bug Fixes

Config API

• The add_names endpoint now adds column names, rather than returning an HTTP 500 error.
• Pools-related RBAC permissions are now checked properly so only authorized users can edit resource pools in the API and UI.

Intake and Merge

• Added the ability to split merge target bounds into smaller chunks. This is an attempt to address an issue with slow merges for late-arriving data in Era 3.
• The active field in transform is now optional.
• Support for new ip and uuid datatypes has been added.
• The new merge controller used to expect strings for the min and max settings for field limits. It now expects integers.
• The merge controller now properly handles null or empty shard_key columns in the catalog.
• Reattached the duplicate_partitions metric, which was unintentionally disconnected when the AdaptivePartitionSource abstraction was introduced. The metric now tracks duplicate partitions during sourcing and consistently updates in telemetry.
• Changed a misleading WARNING message in intake-head to INFO during rejector startup. This reduces noise in logs and prevents confusion during troubleshooting.
  No functional changes or documentation impact.
• Added a safeguard to prevent a rare buffer overrun panic in the custom CSV reader used by intake-head.
• The panic was triggered by an out-of-bounds write during CSV ingestion, likely due to a misaligned buffer size and input row length.
• A pre-write check was added to grow the destination buffer as needed.
• The patch does not fix the root cause of the excessive buffer size, but avoids the crash and allows the ingestion to recover gracefully.
• Also improved support for custom-sized buffer requests by configuring bufio.Scanner to handle larger token lengths as needed.

Cluster Operations

• hdx-scaler now recognizes its configuration settings.
• Fixed the install for hdx-scaler, putting it in /usr/local/bin/ where it's on the system $PATH.
• The new cluster login invitation e-mail now give the user the correct URL to log into the cluster.
• The ACME init job no longer performs a separate, unneeded DNS resolution check before attempting certificate issuance. This resolves issues where DNS records existed but pods couldn’t see them due to stale cache.
• Removed the standalone DNS check from the init-acme container.
• Consolidated route verification into the start-lego script using HTTP-based validation.
• Mounted the acme-account secret in init-acme to enable reuse of existing account data.
• Restructured the ACME logic to be more modular and resilient for both job and cronjob execution.

UI

• Fixed a bug with disappearing data in the Transform SQL field.
• Updated the total volume, compression ratio and compression percent calculations for table details used in UI analysis to correctly use raw_size instead of mem_size.
• The Hydrolix UI no longer relies on HYDROLIX_USER_ID and HYDROLIX_ORGANIZATION_ID cookies. Instead, session continuity uses only HYDROLIX_TOKEN,
  with user details from the authenticated /current endpoint.
  This fixes an issue where the UI would fail to load properly if only the session token cookie was present.
• Error messages for bad requests to alter/batch jobs are more descriptive.
• Pages that don't use API pagination now show full lists of items.