luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity

changelog++

This commit is contained in:
Michael Gaffney 2019-07-02 10:59:14 -04:00
parent 02120cfe5e
commit 395e10957d
No known key found for this signature in database
GPG Key ID: 21FE4844A1193A56
1 changed files with 66 additions and 63 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

129
CHANGELOG.md
View File

@ -22,6 +22,9 @@ IMPROVEMENTS:
via token roles [GH-6267]
* cli: `path-help` now allows `-format=json` to be specified, which will
output OpenAPI [GH-7006]
* secrets/kv: Add optional `delete_version_after` parameter, which takes a
duration and can be set on the mount and/or the metadata for a specific key
[GH-7005]
## 1.2-beta1 (June 25th, 2019)
@ -79,9 +82,9 @@ FEATURES:
* **HA support for Postgres**: PostgreSQL versions >= 9.5 may now but used as
and HA storage backend.
* **KMIP secrets engine (Enterprise)**: Allows Vault to operate as a KMIP Server,
seamlessly brokering cryptographic operations for traditional infrastructure.
seamlessly brokering cryptographic operations for traditional infrastructure.
IMPROVEMENTS:
IMPROVEMENTS:
* auth/jwt: A JWKS endpoint may now be configured for signature verification [JWT-43]
* auth/jwt: `bound_claims` will now match received claims that are lists if any element
@ -103,15 +106,15 @@ IMPROVEMENTS:
* ui: KV v1 and v2 will now gracefully degrade allowing a write without read
workflow in the UI [GH-6570]
* ui: Many visual improvements with the addition of Toolbars [GH-6626], the restyling
of the Confirm Action component [GH-6741], and using a new set of glyphs for our
of the Confirm Action component [GH-6741], and using a new set of glyphs for our
Icon component [GH-6736]
* ui: Lazy loading parts of the application so that the total initial payload is
* ui: Lazy loading parts of the application so that the total initial payload is
smaller [GH-6718]
* ui: Tabbing to auto-complete in filters will first complete a common prefix if there
is one [GH-6759]
* ui: Removing jQuery from the application makes the initial JS payload smaller [GH-6768]
BUG FIXES:
BUG FIXES:
* auth/aws: Fix a case where a panic could stem from a malformed assumed-role ARN
when parsing this value [GH-6917]
@ -131,12 +134,12 @@ BUG FIXES:
## 1.1.3 (June 5th, 2019)
IMPROVEMENTS:
IMPROVEMENTS:
* agent: Now supports proxying request query parameters [GH-6772]
* agent: Now supports proxying request query parameters [GH-6772]
* core: Mount table output now includes a UUID indicating the storage path [GH-6633]
* core: HTTP server timeout values are now configurable [GH-6666]
* replication: Improve performance of the reindex operation on secondary clusters
* replication: Improve performance of the reindex operation on secondary clusters
when mount filters are in use
* replication: Replication status API now returns the state and progress of a reindex
@ -148,7 +151,7 @@ BUG FIXES:
* auth/okta: Fix handling of group names containing slashes [GH-6665]
* cli: Add deprecated stored-shares flag back to the init command [GH-6677]
* cli: Fix a panic when the KV command would return no data [GH-6675]
* cli: Fix issue causing CLI list operations to not return proper format when
* cli: Fix issue causing CLI list operations to not return proper format when
there is an empty response [GH-6776]
* core: Correctly honor non-HMAC request keys when auditing requests [GH-6653]
* core: Fix the `x-vault-unauthenticated` value in OpenAPI for a number of
@ -223,7 +226,7 @@ SECURITY:
CHANGES:
* auth/jwt: Disallow logins of role_type "oidc" via the `/login` path [JWT-38]
* core/acl: New ordering defines which policy wins when there are multiple
* core/acl: New ordering defines which policy wins when there are multiple
inexact matches and at least one path contains `+`. `+*` is now illegal in
policy paths. The previous behavior simply selected any matching
segment-wildcard path that matched. [GH-6532]
@ -231,21 +234,21 @@ CHANGES:
previously possible from a performance secondary. These have been resolved,
and these operations may now be run from a performance secondary.
IMPROVEMENTS:
IMPROVEMENTS:
* agent: Allow AppRole auto-auth without a secret-id [GH-6324]
* auth/gcp: Cache clients to improve performance and reduce open file usage
* auth/jwt: Bounds claims validiation will now allow matching the received
claims against a list of expected values [JWT-41]
claims against a list of expected values [JWT-41]
* secret/gcp: Cache clients to improve performance and reduce open file usage
* replication: Mounting/unmounting/remounting/mount-tuning is now supported
from a performance secondary cluster
* ui: Suport for authentication via the RADIUS auth method [GH-6488]
* ui: Navigating away from secret list view will clear any page-specific
filter that was applied [GH-6511]
* ui: Improved the display when OIDC auth errors [GH-6553]
* ui: Improved the display when OIDC auth errors [GH-6553]
BUG FIXES:
BUG FIXES:
* agent: Allow auto-auth to be used with caching without having to define any
sinks [GH-6468]
@ -284,7 +287,7 @@ BUG FIXES:
* ui: add polyfill to load UI in IE11 [GH-6567]
* ui: Fix issue where some elements would fail to work properly if using ACLs
with segment-wildcard paths (`/+/` segments) [GH-6525]
## 1.1.0 (March 18th, 2019)
CHANGES:
@ -339,7 +342,7 @@ IMPROVEMENTS:
all running goroutines' stack traces for debugging purposes [GH-6240]
* replication: The initial replication indexing process on newly initialized or upgraded
clusters now runs asynchronously
* sentinel: Add token namespace id and path, available in rules as
* sentinel: Add token namespace id and path, available in rules as
token.namespace.id and token.namespace.path
* ui: The UI is now leveraging OpenAPI definitions to pull in fields for various forms.
This means, it will not be necessary to add fields on the go and JS sides in the future.
@ -387,7 +390,7 @@ SECURITY:
be read. Upgrading to this version or 1.1 will fix this issue and cause the
replicated data to be deleted from filtered secondaries. More information
was sent to customer contacts on file.
## 1.0.3 (February 12th, 2019)
CHANGES:
@ -400,10 +403,10 @@ CHANGES:
entity either by name or by id [GH-6105]
* The Vault UI's navigation and onboarding wizard now only displays items that
are permitted in a users' policy [GH-5980, GH-6094]
* An issue was fixed that caused recovery keys to not work on secondary
clusters when using a different unseal mechanism/key than the primary. This
* An issue was fixed that caused recovery keys to not work on secondary
clusters when using a different unseal mechanism/key than the primary. This
would be hit if the cluster was rekeyed or initialized after 1.0. We recommend
rekeying the recovery keys on the primary cluster if you meet the above
rekeying the recovery keys on the primary cluster if you meet the above
requirements.
FEATURES:
@ -443,7 +446,7 @@ BUG FIXES:
a performance standby very quickly, before an associated entity has been
replicated. If the entity is not found in this scenario, the request will
forward to the active node.
* replication: Fix issue where recovery keys would not work on secondary
* replication: Fix issue where recovery keys would not work on secondary
clusters if using a different unseal mechanism than the primary.
* replication: Fix a "failed to register lease" error when using performance
standbys
@ -484,9 +487,9 @@ IMPROVEMENTS:
* auth/aws: AWS EC2 authentication can optionally create entity aliases by
image ID [GH-5846]
* autoseal/gcpckms: Reduce the required permissions for the GCPCKMS autounseal
* autoseal/gcpckms: Reduce the required permissions for the GCPCKMS autounseal
[GH-5999]
* physical/foundationdb: TLS support added. [GH-5800]
* physical/foundationdb: TLS support added. [GH-5800]
BUG FIXES:
@ -510,7 +513,7 @@ BUG FIXES:
* ui (enterprise): properly display perf-standby count on the license page [GH-5971]
* ui: fix disappearing nested secrets and go to the nearest parent when deleting
a secret - [GH-5976]
* ui: fix error where deleting an item via the context menu would fail if the
* ui: fix error where deleting an item via the context menu would fail if the
item name contained dots [GH-6018]
* ui: allow saving of kv secret after an errored save attempt [GH-6022]
* ui: fix display of kv-v1 secret containing a key named "keys" [GH-6023]
@ -613,7 +616,7 @@ CHANGES:
undocumented, but were retained for backwards compatibility. They shouldn't
be used due to the possibility of those paths being logged, so at this point
they are simply being removed.
* Vault will no longer accept updates when the storage key has invalid UTF-8
* Vault will no longer accept updates when the storage key has invalid UTF-8
character encoding [GH-5819]
* Mount/Auth tuning the `options` map on backends will now upsert any provided
values, and keep any of the existing values in place if not provided. The
@ -679,7 +682,7 @@ IMPROVEMENTS:
* ui: Improved banner and popup design [GH-5672]
* ui: Added token type to auth method mount config [GH-5723]
* ui: Display additonal wrap info when unwrapping. [GH-5664]
* ui: Empty states have updated styling and link to relevant actions and
* ui: Empty states have updated styling and link to relevant actions and
documentation [GH-5758]
* ui: Allow editing of KV V2 data when a token doesn't have capabilities to
read secret metadata [GH-5879]
@ -699,7 +702,7 @@ BUG FIXES:
[[GH-16]](https://github.com/hashicorp/vault-plugin-secrets-azure/pull/16)
* storage/gcs: Send md5 of values to GCS to avoid potential corruption
[GH-5804]
* secrets/kv: Fix issue where storage version would get incorrectly downgraded
* secrets/kv: Fix issue where storage version would get incorrectly downgraded
[GH-5809]
* secrets/kv: Disallow empty paths on a `kv put` while accepting empty paths
for all other operations for backwards compatibility
@ -731,7 +734,7 @@ BUG FIXES:
* ui: Fix bug where editing secrets as JSON doesn't save properly [GH-5660]
* ui: Fix issue where IE 11 didn't render the UI and also had a broken form
when trying to use tool/hash [GH-5714]
## 0.11.4 (October 23rd, 2018)
CHANGES:
@ -744,7 +747,7 @@ FEATURES:
* **Transit Key Trimming**: Keys in transit secret engine can now be trimmed to
remove older unused key versions
* **Web UI support for KV Version 2**: Browse, delete, undelete and destroy
* **Web UI support for KV Version 2**: Browse, delete, undelete and destroy
individual secret versions in the UI
* **Azure Existing Service Principal Support**: Credentials can now be generated
against an existing service principal
@ -798,7 +801,7 @@ IMPROVEMENTS:
BUG FIXES:
* auth/ldap: Fix panic if specific values were given to be escaped [GH-5471]
* auth/ldap: Fix panic if specific values were given to be escaped [GH-5471]
* cli/auth: Fix panic if `vault auth` was given no parameters [GH-5473]
* secret/database/mongodb: Fix panic that could occur at high load [GH-5463]
* secret/pki: Fix CA generation not allowing OID SANs [GH-5459]
@ -823,7 +826,7 @@ FEATURES:
credentials it is using [GH-5140]
* **Storage Backend Migrator**: A new `operator migrate` command allows offline
migration of data between two storage backends
* **AliCloud KMS Auto Unseal and Seal Wrap Support (Enterprise)**: AliCloud KMS can now be used a support seal for
* **AliCloud KMS Auto Unseal and Seal Wrap Support (Enterprise)**: AliCloud KMS can now be used a support seal for
Auto Unseal and Seal Wrapping
BUG FIXES:
@ -836,16 +839,16 @@ BUG FIXES:
* replication: Fix DR API when using a token [GH-5398]
* identity: Ensure old group alias is removed when a new one is written [GH-5350]
* storage/alicloud: Don't call uname on package init [GH-5358]
* secrets/jwt: Fix issue where request context would be canceled too early
* secrets/jwt: Fix issue where request context would be canceled too early
* ui: fix need to have update for aws iam creds generation [GF-5294]
* ui: fix calculation of token expiry [GH-5435]
IMPROVEMENTS:
* auth/aws: The identity alias name can now configured to be either IAM unique
ID of the IAM Principal, or ARN of the caller identity [GH-5247]
* auth/cert: Add allowed_organizational_units support [GH-5252]
* cli: Format TTLs for non-secret responses [GH-5367]
* cli: Format TTLs for non-secret responses [GH-5367]
* identity: Support operating on entities and groups by their names [GH-5355]
* plugins: Add `env` parameter when registering plugins to the catalog to allow
operators to include environment variables during plugin execution. [GH-5359]
@ -853,13 +856,13 @@ IMPROVEMENTS:
* secrets/aws: Allow specifying STS role-default TTLs [GH-5138]
* secrets/pki: Add configuration support for setting NotBefore [GH-5325]
* core: Support for passing the Vault token via an Authorization Bearer header [GH-5397]
* replication: Reindex process now runs in the background and does not block other
* replication: Reindex process now runs in the background and does not block other
vault operations
* storage/zookeeper: Enable TLS based communication with Zookeeper [GH-4856]
* ui: you can now init a cluster with a seal config [GH-5428]
* ui: added the option to force promote replication clusters [GH-5438]
* replication: Allow promotion of a secondary when data is syncing with a "force" flag
## 0.11.1.1 (September 17th, 2018) (Enterprise Only)
BUG FIXES:
@ -918,11 +921,11 @@ BUG FIXES:
* secrets/pki: Fix sign-verbatim losing extra Subject attributes [GH-5245]
* secrets/pki: Remove certificates from store when tidying revoked
certificates and simplify API [GH-5231]
* ui: JSON editor will not coerce input to an object, and will now show an
* ui: JSON editor will not coerce input to an object, and will now show an
error about Vault expecting an object [GH-5271]
* ui: authentication form will now default to any methods that have been tuned
to show up for unauthenticated users [GH-5281]
## 0.11.0 (August 28th, 2018)
@ -973,7 +976,7 @@ FEATURES:
single Vault Enterprise infrastructure. Through namespaces, Vault
administrators can support tenant isolation for teams and individuals as
well as empower those individuals to self-manage their own tenant
environment.
environment.
* **Performance Standbys (Enterprise)**: Standby nodes can now service
requests that do not modify storage. This provides near-horizontal scaling
of a cluster in some workloads, and is the intra-cluster analogue of
@ -984,14 +987,14 @@ FEATURES:
grant access to Vault. See the [plugin
repository](https://github.com/hashicorp/vault-plugin-auth-alicloud) for
more information.
* **Azure Secrets Plugin**: There is now a plugin (pulled in to Vault) that
* **Azure Secrets Plugin**: There is now a plugin (pulled in to Vault) that
allows generating credentials to allow access to Azure. See the [plugin
repository](https://github.com/hashicorp/vault-plugin-secrets-azure) for
more information.
* **HA Support for MySQL Storage**: MySQL storage now supports HA.
* **ACL Templating**: ACL policies can now be templated using identity Entity,
Groups, and Metadata.
* **UI Onboarding wizards**: The Vault UI can provide contextual help and
* **UI Onboarding wizards**: The Vault UI can provide contextual help and
guidance, linking out to relevant links or guides on vaultproject.io for
various workflows in Vault.
@ -1063,7 +1066,7 @@ FEATURES:
* **FoundationDB Storage**: You can now use FoundationDB for storing Vault
data.
* **UI Control Group Workflow (enterprise)**: The UI will now detect control
group responses and provides a workflow to view the status of the request
group responses and provides a workflow to view the status of the request
and to authorize requests.
* **Vault Agent (Beta)**: Vault Agent is a daemon that can automatically
authenticate for you across a variety of authentication methods, provide
@ -1092,7 +1095,7 @@ IMPROVEMENTS:
* secrets/ssh: Allow Vault to work with single-argument SSH flags [GH-4825]
* secrets/ssh: SSH executable path can now be configured in the CLI [GH-4937]
* storage/swift: Add additional configuration options [GH-4901]
* ui: Choose which auth methods to show to unauthenticated users via
* ui: Choose which auth methods to show to unauthenticated users via
`listing_visibility` in the auth method edit forms [GH-4854]
* ui: Authenticate users automatically by passing a wrapped token to the UI via
the new `wrapped_token` query parameter [GH-4854]
@ -1110,22 +1113,22 @@ BUG FIXES:
* core: Fix issue releasing the leader lock in some circumstances [GH-4915]
* core: Fix a panic that could happen if the server was shut down while still
starting up
* core: Fix deadlock that would occur if a leadership loss occurs at the same
* core: Fix deadlock that would occur if a leadership loss occurs at the same
time as a seal operation [GH-4932]
* core: Fix issue with auth mounts failing to renew tokens due to policies
* core: Fix issue with auth mounts failing to renew tokens due to policies
changing [GH-4960]
* auth/radius: Fix issue where some radius logins were being canceled too early
[GH-4941]
* core: Fix accidental seal of vault of we lose leadership during startup
* core: Fix accidental seal of vault of we lose leadership during startup
[GH-4924]
* core: Fix standby not being able to forward requests larger than 4MB
* core: Fix standby not being able to forward requests larger than 4MB
[GH-4844]
* core: Avoid panic while processing group memberships [GH-4841]
* identity: Fix a race condition creating aliases [GH-4965]
* plugins: Fix being unable to send very large payloads to or from plugins
[GH-4958]
* physical/azure: Long list responses would sometimes be truncated [GH-4983]
* replication: Allow replication status requests to be processed while in
* replication: Allow replication status requests to be processed while in
merkle sync
* replication: Ensure merkle reindex flushes all changes to storage immediately
* replication: Fix a case where a network interruption could cause a secondary
@ -1135,7 +1138,7 @@ BUG FIXES:
* secrets/database: Fix panic during DB creds revocation [GH-4846]
* ui: Fix usage of cubbyhole backend in the UI [GH-4851]
* ui: Fix toggle state when a secret is JSON-formatted [GH-4913]
* ui: Fix coercion of falsey values to empty string when editing secrets as
* ui: Fix coercion of falsey values to empty string when editing secrets as
JSON [GH-4977]
## 0.10.3 (June 20th, 2018)
@ -1276,7 +1279,7 @@ IMPROVEMENTS:
* auth/ldap: Obfuscate error messages pre-bind for greater security [GH-4700]
* cli: `vault login` now supports a `-no-print` flag to suppress printing
token information but still allow storing into the token helper [GH-4454]
* core/pkcs11 (enterprise): Add support for CKM_AES_CBC_PAD, CKM_RSA_PKCS, and
* core/pkcs11 (enterprise): Add support for CKM_AES_CBC_PAD, CKM_RSA_PKCS, and
CKM_RSA_PKCS_OAEP mechanisms
* core/pkcs11 (enterprise): HSM slots can now be selected by token label
instead of just slot number
@ -1304,7 +1307,7 @@ IMPROVEMENTS:
* ui: Identity interface now lists groups by name [GH-4655]
* ui: Permission denied errors still render the sidebar in the Access section
[GH-4658]
* replication: Improve performance of index page flushes and WAL garbage
* replication: Improve performance of index page flushes and WAL garbage
collecting
BUG FIXES:
@ -1415,7 +1418,7 @@ IMPROVEMENTS:
the rate of writes committed
* secret/ssh: Update dynamic key install script to use shell locking to avoid
concurrent modifications [GH-4358]
* ui: Access to `sys/mounts` is no longer needed to use the UI - the list of
* ui: Access to `sys/mounts` is no longer needed to use the UI - the list of
engines will show you the ones you implicitly have access to (because you have
access to to secrets in those engines) [GH-4439]
@ -1440,16 +1443,16 @@ BUG FIXES:
interface properly [GH-4398]
* ui: Corrected the saving of mount tune ttls for auth methods [GH-4431]
* ui: Credentials generation no longer checks capabilities before making
api calls. This should fix needing "update" capabilites to read IAM
api calls. This should fix needing "update" capabilites to read IAM
credentials in the AWS secrets engine [GH-4446]
## 0.10.0 (April 10th, 2018)
SECURITY:
* Log sanitization for Combined Database Secret Engine: In certain failure
scenarios with incorrectly formatted connection urls, the raw connection
errors were being returned to the user with the configured database
* Log sanitization for Combined Database Secret Engine: In certain failure
scenarios with incorrectly formatted connection urls, the raw connection
errors were being returned to the user with the configured database
credentials. Errors are now sanitized before being returned to the user.
DEPRECATIONS/CHANGES:
@ -1524,7 +1527,7 @@ FEATURES:
* HA for Google Cloud Storage: The GCS storage type now supports HA.
* UI support for identity: Add and edit entities, groups, and their associated
aliases.
* UI auth method support: Enable, disable, and configure all of the built-in
* UI auth method support: Enable, disable, and configure all of the built-in
authentication methods.
* UI (Enterprise): View and edit Sentinel policies.
@ -1557,17 +1560,17 @@ BUG FIXES:
* secret/pki: When tidying if a value is unexpectedly nil, delete it and move
on [GH-4214]
* storage/s3: Fix panic if S3 returns no Content-Length header [GH-4222]
* ui: Fixed an issue where the UI was checking incorrect paths when operating
on transit keys. Capabilities are now checked when attempting to encrypt /
* ui: Fixed an issue where the UI was checking incorrect paths when operating
on transit keys. Capabilities are now checked when attempting to encrypt /
decrypt, etc.
* ui: Fixed IE 11 layout issues and JS errors that would stop the application
from running.
* ui: Fixed the link that gets rendered when a user doesn't have permissions
* ui: Fixed the link that gets rendered when a user doesn't have permissions
to view the root of a secret engine. The link now sends them back to the list
of secret engines.
* replication: Fix issue with DR secondaries when using mount specified local
* replication: Fix issue with DR secondaries when using mount specified local
paths.
* cli: Fix an issue where generating a dr operation token would not output the
* cli: Fix an issue where generating a dr operation token would not output the
token [GH-4328]
## 0.9.6 (March 20th, 2018)