open-vault/CHANGELOG.md

126 lines
5.7 KiB
Markdown
Raw Normal View History

2015-07-01 23:53:00 +00:00
## 0.2.0 (unreleased)
FEATURES:
* **Key Rotation Support**: The `rotate` command can be used to rotate the
master encryption key used to write data to the storage (physical) backend. [GH-277]
* **Rekey Support**: Rekey can be used to rotate the master key and change
the configuration of the unseal keys (number of shares, threshold required). [GH-277]
* **New secret backend: `pki`**: Enable Vault to be a certificate authority and generate
signed TLS certificates. [GH-310]
* **New secret backend: `cassandra`**: Generate dynamic credentials for Cassandra [GH-363]
* **New storage backend: `etcd`**: store physical data in etcd [GH-259] [GH-297]
* **New storage backend: `s3`**: store physical data in S3. Does not support HA. [GH-242]
* **New storage backend: `MySQL`**: store physical data in MySQL. Does not support HA. [GH-324]
2015-07-06 16:51:50 +00:00
* `transit` secret backend supports derived keys for per-transaction unique keys [GH-399]
2015-05-13 17:35:20 +00:00
IMPROVEMENTS:
2015-07-01 23:53:00 +00:00
* cli/auth: Enable `cert` method [GH-380]
* cli/auth: read input from stdin [GH-250]
* cli/read: Ability to read a single field from a secret [GH-257]
* cli/write: Adding a force flag when no input required
* core: allow time duration format in place of seconds for some inputs
* core: audit log provides more useful information [GH-360]
* core: graceful shutdown for faster HA failover
2015-07-06 17:20:55 +00:00
* core: **change policy format** to use explicit globbing [GH-400]
2015-07-06 17:19:59 +00:00
Any existing policy in Vault is automatically upgraded to avoid issues.
All policy files must be updated for future writes. Adding the explicit glob
character `*` to the path specification is all that is required.
* core: policy merging to give deny highest precedence [GH-400]
2015-07-01 23:53:00 +00:00
* credential/cert: Record the common name in the metadata [GH-342]
* credential/ldap: Allow TLS verification to be disabled [GH-372]
* credential/ldap: More flexible names allowed [GH-245] [GH-379] [GH-367]
* http: response codes improved to reflect error [GH-366]
* http: the `sys/health` endpoint supports `?standbyok` to return 200 on standby [GH-389]
2015-07-01 23:53:00 +00:00
* secret/app-id: Support deleting AppID and UserIDs [GH-200]
* secret/consul: Fine grained lease control [GH-261]
* secret/transit: Decouple raw key from key management endpoint [GH-355]
* secret/transit: Upsert named key when encrypt is used [GH-355]
* storage/zk: Support for HA configuration [GH-252]
2015-05-13 17:35:20 +00:00
2015-06-16 17:00:38 +00:00
BUG FIXES:
2015-07-01 23:53:00 +00:00
* command/*: commands accepting `k=v` allow blank values
* core: Allow building on FreeBSD [GH-365]
* core: Fixed various panics when audit logging enabled
* core: Lease renewal does not create redundant lease
* core: fixed leases with negative duration [GH-354]
* core: token renewal does not create child token
* credential/app-id: Salt the paths in storage backend to avoid information leak
* credential/cert: Fixing client certificate not being requested
* credential/cert: Fixing panic when no certificate match found [GH-361]
* http: Accept PUT as POST for sys/auth
* http: Accept PUT as POST for sys/mounts [GH-349]
* http: Return 503 when sealed [GH-225]
* secret/postgres: Username length is capped to exceeding limit
* server: Do not panic if backend not configured [GH-222]
* server: Explicitly check value of tls_diable [GH-201]
* storage/zk: Fixed issues with version conflicts [GH-190]
MISC:
* cli/path-help: renamed from `help` to avoid confusion
2015-06-16 17:00:38 +00:00
2015-05-11 18:29:07 +00:00
## 0.1.2 (May 11, 2015)
2015-05-02 20:37:26 +00:00
2015-05-11 17:14:36 +00:00
FEATURES:
* **New physical backend: `zookeeper`**: store physical data in Zookeeper.
HA not supported yet.
* **New credential backend: `ldap`**: authenticate using LDAP credentials.
2015-05-11 17:14:36 +00:00
2015-05-11 17:06:36 +00:00
IMPROVEMENTS:
2015-05-02 20:37:26 +00:00
2015-05-11 17:06:36 +00:00
* core: Auth backends can store internal data about auth creds
2015-05-11 17:46:03 +00:00
* audit: display name for auth is shown in logs [GH-176]
2015-05-11 18:01:48 +00:00
* command/*: `-insecure` has been renamed to `-tls-skip-verify` [GH-130]
2015-05-11 17:31:47 +00:00
* command/*: `VAULT_TOKEN` overrides local stored auth [GH-162]
2015-05-11 17:09:21 +00:00
* command/server: environment variables are copy-pastable
2015-05-11 17:46:03 +00:00
* credential/app-id: hash of app and user ID are in metadata [GH-176]
* http: HTTP API accepts `X-Vault-Token` as auth header [GH-124]
2015-05-11 17:09:21 +00:00
* logical/*: Generate help output even if no synopsis specified
2015-05-11 17:06:36 +00:00
BUG FIXES:
* core: login endpoints should never return secrets
* core: Internal data should never be returned from core endpoints
2015-05-11 17:09:21 +00:00
* core: defer barrier initialization to as late as possible to avoid
error cases during init that corrupt data (no data loss)
* core: guard against invalid init config earlier
2015-05-11 17:10:56 +00:00
* audit/file: create file if it doesn't exist [GH-148]
2015-05-11 18:28:22 +00:00
* command/*: ignore directories when traversing CA paths [GH-181]
2015-05-11 17:28:11 +00:00
* credential/*: all policy mapping keys are case insensitive [GH-163]
2015-05-11 17:09:21 +00:00
* physical/consul: Fixing path for locking so HA works in every case
2015-05-02 20:37:26 +00:00
2015-05-02 20:29:32 +00:00
## 0.1.1 (May 2, 2015)
2015-04-28 21:45:38 +00:00
2015-05-02 20:34:01 +00:00
SECURITY CHANGES:
2015-05-02 20:34:39 +00:00
* physical/file: create the storge with 0600 permissions [GH-102]
2015-05-02 20:34:01 +00:00
* token/disk: write the token to disk with 0600 perms
2015-04-28 22:12:20 +00:00
IMPROVEMENTS:
2015-04-29 01:56:44 +00:00
* core: Very verbose error if mlock fails [GH-59]
* command/*: On error with TLS oversized record, show more human-friendly
error message. [GH-123]
2015-05-02 20:12:09 +00:00
* command/read: `lease_renewable` is now outputed along with the secret
to show whether it is renewable or not
2015-04-28 22:12:20 +00:00
* command/server: Add configuration option to disable mlock
* command/server: Disable mlock for dev mode so it works on more systems
2015-04-28 21:54:14 +00:00
BUG FIXES:
2015-04-28 21:45:38 +00:00
2015-04-28 21:54:14 +00:00
* core: if token helper isn't absolute, prepend with path to Vault
executable, not "vault" (which requires PATH) [GH-60]
* core: Any "mapping" routes allow hyphens in keys [GH-119]
* core: Validate `advertise_addr` is a valid URL with scheme [GH-106]
2015-05-02 20:21:51 +00:00
* command/auth: Using an invalid token won't crash [GH-75]
* credential/app-id: app and user IDs can have hyphens in keys [GH-119]
2015-04-29 16:59:05 +00:00
* helper/password: import proper DLL for Windows to ask password [GH-83]
2015-04-28 21:45:38 +00:00
2015-04-28 16:12:09 +00:00
## 0.1.0 (April 28, 2015)
* Initial release