69 lines
2.8 KiB
Plaintext
69 lines
2.8 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: Upgrading to Vault 1.1.1 - Guides
|
|
description: |-
|
|
This page contains the list of deprecations and important or breaking changes
|
|
for Vault 1.1.1. Please read it carefully.
|
|
---
|
|
|
|
# Overview
|
|
|
|
This page contains the list of deprecations and important or breaking changes
|
|
for Vault 1.1.0 compared to 1.1.1. Please read it carefully.
|
|
|
|
## Known issues
|
|
|
|
### Issue with some KVv2 mounts
|
|
|
|
There is a known issue that could cause the upgrade to 1.1.1 to fail under
|
|
certain circumstances. This issue occurs when a KV version 2 mount exists but
|
|
contains no data. This will be fixed in 1.1.2. Additionally a work around does
|
|
exist: prior to upgrading ensure all KV v2 mounts have at least one key written
|
|
to it.
|
|
|
|
### Change in LDAP group CN handling
|
|
|
|
A bug fix to allow group CNs to be found from an LDAP server in lowercase `cn`
|
|
as well as uppercase `CN` had an unintended consequence. If prior to that a
|
|
group used `cn`, as in `cn=foo,ou=bar` then the group that would need to be put
|
|
into place in the LDAP plugin to match against policies is `cn=foo,ou=bar`
|
|
since the CN would not be correctly found. After the change, the CN was
|
|
correctly found, but this would result in the group name being parsed as `foo`
|
|
and would not match groups using the full DN. In 1.1.5+, there is a boolean
|
|
config setting `use_pre111_group_cn_behavior` to allow reverting to the old
|
|
matching behavior; we also attempt to upgrade exiting configs to have that
|
|
defaulted to true.
|
|
|
|
### Long WAL replay
|
|
|
|
-> **NOTE:** This is a known issue applicable to _Vault Enterprise_.
|
|
|
|
During upgrades to 1.1.0, 1.1.1 or 1.1.2, Vault replication secondaries may
|
|
require an automatically-triggered reindex, either if upgrading from a pre-0.8
|
|
version of Vault or if a previously-issued reindex operation has failed in the
|
|
past. In these reindex scenarios, the secondary cluster will perform a complete
|
|
WAL replay, which can take a long time and is a partially blocking operation.
|
|
|
|
This is fixed in [Vault
|
|
1.1.3](https://github.com/hashicorp/vault/blob/main/CHANGELOG.md#113-june-5th-2019),
|
|
and we recommend upgrading to Vault 1.1.3+ rather than any prior 1.1.x version.
|
|
We also strongly recommend upgrading your Vault cluster to 1.1.3 if you are
|
|
running Vault Enterprise 1.1.0, 1.1.1 or 1.1.2.
|
|
|
|
## JWT/OIDC plugin
|
|
|
|
Logins of role_type "oidc" via the /login path are no longer allowed.
|
|
|
|
## ACL wildcards
|
|
|
|
New ordering defines which policy wins when there are multiple inexact matches
|
|
and at least one path contains `+`. `+*` is now illegal in policy paths. The
|
|
previous behavior simply selected any matching segment-wildcard path that
|
|
matched.
|
|
|
|
## Replication
|
|
|
|
Due to technical limitations, mounting and unmounting was not previously
|
|
possible from a performance secondary. These have been resolved, and these
|
|
operations may now be run from a performance secondary.
|