From 395e10957d62b1024e4187f999423859959ca7f7 Mon Sep 17 00:00:00 2001 From: Michael Gaffney Date: Tue, 2 Jul 2019 10:59:14 -0400 Subject: [PATCH] changelog++ --- CHANGELOG.md | 129 ++++++++++++++++++++++++++------------------------- 1 file changed, 66 insertions(+), 63 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index abac51a8e..f14e47226 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -22,6 +22,9 @@ IMPROVEMENTS: via token roles [GH-6267] * cli: `path-help` now allows `-format=json` to be specified, which will output OpenAPI [GH-7006] + * secrets/kv: Add optional `delete_version_after` parameter, which takes a + duration and can be set on the mount and/or the metadata for a specific key + [GH-7005] ## 1.2-beta1 (June 25th, 2019) @@ -79,9 +82,9 @@ FEATURES: * **HA support for Postgres**: PostgreSQL versions >= 9.5 may now but used as and HA storage backend. * **KMIP secrets engine (Enterprise)**: Allows Vault to operate as a KMIP Server, - seamlessly brokering cryptographic operations for traditional infrastructure. + seamlessly brokering cryptographic operations for traditional infrastructure. -IMPROVEMENTS: +IMPROVEMENTS: * auth/jwt: A JWKS endpoint may now be configured for signature verification [JWT-43] * auth/jwt: `bound_claims` will now match received claims that are lists if any element 
@@ -103,15 +106,15 @@ IMPROVEMENTS: * ui: KV v1 and v2 will now gracefully degrade allowing a write without read workflow in the UI [GH-6570] * ui: Many visual improvements with the addition of Toolbars [GH-6626], the restyling - of the Confirm Action component [GH-6741], and using a new set of glyphs for our + of the Confirm Action component [GH-6741], and using a new set of glyphs for our Icon component [GH-6736] - * ui: Lazy loading parts of the application so that the total initial payload is + * ui: Lazy loading parts of the application so that the total initial payload is smaller [GH-6718] * ui: Tabbing to auto-complete in filters will first complete a common prefix if there is one [GH-6759] * ui: Removing jQuery from the application makes the initial JS payload smaller [GH-6768] - -BUG FIXES: + +BUG FIXES: * auth/aws: Fix a case where a panic could stem from a malformed assumed-role ARN when parsing this value [GH-6917] @@ -131,12 +134,12 @@ BUG FIXES: ## 1.1.3 (June 5th, 2019) -IMPROVEMENTS: +IMPROVEMENTS: - * agent: Now supports proxying request query parameters [GH-6772] + * agent: Now supports proxying request query parameters [GH-6772] * core: Mount table output now includes a UUID indicating the storage path [GH-6633] * core: HTTP server timeout values are now configurable [GH-6666] - * replication: Improve performance of the reindex operation on secondary clusters + * replication: Improve performance of the reindex operation on secondary clusters when mount filters are in use * replication: Replication status API now returns the state and progress of a reindex 
@@ -148,7 +151,7 @@ BUG FIXES: * auth/okta: Fix handling of group names containing slashes [GH-6665] * cli: Add deprecated stored-shares flag back to the init command [GH-6677] * cli: Fix a panic when the KV command would return no data [GH-6675] - * cli: Fix issue causing CLI list operations to not return proper format when + * cli: Fix issue causing CLI list operations to not return proper format when there is an empty response [GH-6776] * core: Correctly honor non-HMAC request keys when auditing requests [GH-6653] * core: Fix the `x-vault-unauthenticated` value in OpenAPI for a number of @@ -223,7 +226,7 @@ SECURITY: CHANGES: * auth/jwt: Disallow logins of role_type "oidc" via the `/login` path [JWT-38] - * core/acl: New ordering defines which policy wins when there are multiple + * core/acl: New ordering defines which policy wins when there are multiple inexact matches and at least one path contains `+`. `+*` is now illegal in policy paths. The previous behavior simply selected any matching segment-wildcard path that matched. [GH-6532] 
@@ -231,21 +234,21 @@ CHANGES: previously possible from a performance secondary. These have been resolved, and these operations may now be run from a performance secondary. -IMPROVEMENTS: +IMPROVEMENTS: * agent: Allow AppRole auto-auth without a secret-id [GH-6324] * auth/gcp: Cache clients to improve performance and reduce open file usage * auth/jwt: Bounds claims validiation will now allow matching the received - claims against a list of expected values [JWT-41] + claims against a list of expected values [JWT-41] * secret/gcp: Cache clients to improve performance and reduce open file usage * replication: Mounting/unmounting/remounting/mount-tuning is now supported from a performance secondary cluster * ui: Suport for authentication via the RADIUS auth method [GH-6488] * ui: Navigating away from secret list view will clear any page-specific filter that was applied [GH-6511] - * ui: Improved the display when OIDC auth errors [GH-6553] + * ui: Improved the display when OIDC auth errors [GH-6553] -BUG FIXES: +BUG FIXES: * agent: Allow auto-auth to be used with caching without having to define any sinks [GH-6468] @@ -284,7 +287,7 @@ BUG FIXES: * ui: add polyfill to load UI in IE11 [GH-6567] * ui: Fix issue where some elements would fail to work properly if using ACLs with segment-wildcard paths (`/+/` segments) [GH-6525] - + ## 1.1.0 (March 18th, 2019) CHANGES: @@ -339,7 +342,7 @@ IMPROVEMENTS: all running goroutines' stack traces for debugging purposes [GH-6240] * replication: The initial replication indexing process on newly initialized or upgraded clusters now runs asynchronously - * sentinel: Add token namespace id and path, available in rules as + * sentinel: Add token namespace id and path, available in rules as token.namespace.id and token.namespace.path * ui: The UI is now leveraging OpenAPI definitions to pull in fields for various forms. This means, it will not be necessary to add fields on the go and JS sides in the future. 
@@ -387,7 +390,7 @@ SECURITY: be read. Upgrading to this version or 1.1 will fix this issue and cause the replicated data to be deleted from filtered secondaries. More information was sent to customer contacts on file. - + ## 1.0.3 (February 12th, 2019) CHANGES: @@ -400,10 +403,10 @@ CHANGES: entity either by name or by id [GH-6105] * The Vault UI's navigation and onboarding wizard now only displays items that are permitted in a users' policy [GH-5980, GH-6094] - * An issue was fixed that caused recovery keys to not work on secondary - clusters when using a different unseal mechanism/key than the primary. This + * An issue was fixed that caused recovery keys to not work on secondary + clusters when using a different unseal mechanism/key than the primary. This would be hit if the cluster was rekeyed or initialized after 1.0. We recommend - rekeying the recovery keys on the primary cluster if you meet the above + rekeying the recovery keys on the primary cluster if you meet the above requirements. FEATURES: @@ -443,7 +446,7 @@ BUG FIXES: a performance standby very quickly, before an associated entity has been replicated. If the entity is not found in this scenario, the request will forward to the active node. - * replication: Fix issue where recovery keys would not work on secondary + * replication: Fix issue where recovery keys would not work on secondary clusters if using a different unseal mechanism than the primary. * replication: Fix a "failed to register lease" error when using performance standbys @@ -484,9 +487,9 @@ IMPROVEMENTS: * auth/aws: AWS EC2 authentication can optionally create entity aliases by image ID [GH-5846] - * autoseal/gcpckms: Reduce the required permissions for the GCPCKMS autounseal + * autoseal/gcpckms: Reduce the required permissions for the GCPCKMS autounseal [GH-5999] - * physical/foundationdb: TLS support added. [GH-5800] + * physical/foundationdb: TLS support added. [GH-5800] BUG FIXES: 
@@ -510,7 +513,7 @@ BUG FIXES: * ui (enterprise): properly display perf-standby count on the license page [GH-5971] * ui: fix disappearing nested secrets and go to the nearest parent when deleting a secret - [GH-5976] - * ui: fix error where deleting an item via the context menu would fail if the + * ui: fix error where deleting an item via the context menu would fail if the item name contained dots [GH-6018] * ui: allow saving of kv secret after an errored save attempt [GH-6022] * ui: fix display of kv-v1 secret containing a key named "keys" [GH-6023] @@ -613,7 +616,7 @@ CHANGES: undocumented, but were retained for backwards compatibility. They shouldn't be used due to the possibility of those paths being logged, so at this point they are simply being removed. - * Vault will no longer accept updates when the storage key has invalid UTF-8 + * Vault will no longer accept updates when the storage key has invalid UTF-8 character encoding [GH-5819] * Mount/Auth tuning the `options` map on backends will now upsert any provided values, and keep any of the existing values in place if not provided. The @@ -679,7 +682,7 @@ IMPROVEMENTS: * ui: Improved banner and popup design [GH-5672] * ui: Added token type to auth method mount config [GH-5723] * ui: Display additonal wrap info when unwrapping. [GH-5664] - * ui: Empty states have updated styling and link to relevant actions and + * ui: Empty states have updated styling and link to relevant actions and documentation [GH-5758] * ui: Allow editing of KV V2 data when a token doesn't have capabilities to read secret metadata [GH-5879] 
@@ -699,7 +702,7 @@ BUG FIXES: [[GH-16]](https://github.com/hashicorp/vault-plugin-secrets-azure/pull/16) * storage/gcs: Send md5 of values to GCS to avoid potential corruption [GH-5804] - * secrets/kv: Fix issue where storage version would get incorrectly downgraded + * secrets/kv: Fix issue where storage version would get incorrectly downgraded [GH-5809] * secrets/kv: Disallow empty paths on a `kv put` while accepting empty paths for all other operations for backwards compatibility @@ -731,7 +734,7 @@ BUG FIXES: * ui: Fix bug where editing secrets as JSON doesn't save properly [GH-5660] * ui: Fix issue where IE 11 didn't render the UI and also had a broken form when trying to use tool/hash [GH-5714] - + ## 0.11.4 (October 23rd, 2018) CHANGES: @@ -744,7 +747,7 @@ FEATURES: * **Transit Key Trimming**: Keys in transit secret engine can now be trimmed to remove older unused key versions - * **Web UI support for KV Version 2**: Browse, delete, undelete and destroy + * **Web UI support for KV Version 2**: Browse, delete, undelete and destroy individual secret versions in the UI * **Azure Existing Service Principal Support**: Credentials can now be generated against an existing service principal @@ -798,7 +801,7 @@ IMPROVEMENTS: BUG FIXES: - * auth/ldap: Fix panic if specific values were given to be escaped [GH-5471] + * auth/ldap: Fix panic if specific values were given to be escaped [GH-5471] * cli/auth: Fix panic if `vault auth` was given no parameters [GH-5473] * secret/database/mongodb: Fix panic that could occur at high load [GH-5463] * secret/pki: Fix CA generation not allowing OID SANs [GH-5459] 
@@ -823,7 +826,7 @@ FEATURES: credentials it is using [GH-5140] * **Storage Backend Migrator**: A new `operator migrate` command allows offline migration of data between two storage backends - * **AliCloud KMS Auto Unseal and Seal Wrap Support (Enterprise)**: AliCloud KMS can now be used a support seal for + * **AliCloud KMS Auto Unseal and Seal Wrap Support (Enterprise)**: AliCloud KMS can now be used a support seal for Auto Unseal and Seal Wrapping BUG FIXES: @@ -836,16 +839,16 @@ BUG FIXES: * replication: Fix DR API when using a token [GH-5398] * identity: Ensure old group alias is removed when a new one is written [GH-5350] * storage/alicloud: Don't call uname on package init [GH-5358] - * secrets/jwt: Fix issue where request context would be canceled too early + * secrets/jwt: Fix issue where request context would be canceled too early * ui: fix need to have update for aws iam creds generation [GF-5294] * ui: fix calculation of token expiry [GH-5435] - + IMPROVEMENTS: * auth/aws: The identity alias name can now configured to be either IAM unique ID of the IAM Principal, or ARN of the caller identity [GH-5247] * auth/cert: Add allowed_organizational_units support [GH-5252] - * cli: Format TTLs for non-secret responses [GH-5367] + * cli: Format TTLs for non-secret responses [GH-5367] * identity: Support operating on entities and groups by their names [GH-5355] * plugins: Add `env` parameter when registering plugins to the catalog to allow operators to include environment variables during plugin execution. [GH-5359] 
@@ -853,13 +856,13 @@ IMPROVEMENTS: * secrets/aws: Allow specifying STS role-default TTLs [GH-5138] * secrets/pki: Add configuration support for setting NotBefore [GH-5325] * core: Support for passing the Vault token via an Authorization Bearer header [GH-5397] - * replication: Reindex process now runs in the background and does not block other + * replication: Reindex process now runs in the background and does not block other vault operations * storage/zookeeper: Enable TLS based communication with Zookeeper [GH-4856] * ui: you can now init a cluster with a seal config [GH-5428] * ui: added the option to force promote replication clusters [GH-5438] * replication: Allow promotion of a secondary when data is syncing with a "force" flag - + ## 0.11.1.1 (September 17th, 2018) (Enterprise Only) BUG FIXES: @@ -918,11 +921,11 @@ BUG FIXES: * secrets/pki: Fix sign-verbatim losing extra Subject attributes [GH-5245] * secrets/pki: Remove certificates from store when tidying revoked certificates and simplify API [GH-5231] - * ui: JSON editor will not coerce input to an object, and will now show an + * ui: JSON editor will not coerce input to an object, and will now show an error about Vault expecting an object [GH-5271] * ui: authentication form will now default to any methods that have been tuned to show up for unauthenticated users [GH-5281] - + ## 0.11.0 (August 28th, 2018) @@ -973,7 +976,7 @@ FEATURES: single Vault Enterprise infrastructure. Through namespaces, Vault administrators can support tenant isolation for teams and individuals as well as empower those individuals to self-manage their own tenant - environment. + environment. * **Performance Standbys (Enterprise)**: Standby nodes can now service requests that do not modify storage. This provides near-horizontal scaling of a cluster in some workloads, and is the intra-cluster analogue of 
@@ -984,14 +987,14 @@ FEATURES: grant access to Vault. See the [plugin repository](https://github.com/hashicorp/vault-plugin-auth-alicloud) for more information. - * **Azure Secrets Plugin**: There is now a plugin (pulled in to Vault) that + * **Azure Secrets Plugin**: There is now a plugin (pulled in to Vault) that allows generating credentials to allow access to Azure. See the [plugin repository](https://github.com/hashicorp/vault-plugin-secrets-azure) for more information. * **HA Support for MySQL Storage**: MySQL storage now supports HA. * **ACL Templating**: ACL policies can now be templated using identity Entity, Groups, and Metadata. - * **UI Onboarding wizards**: The Vault UI can provide contextual help and + * **UI Onboarding wizards**: The Vault UI can provide contextual help and guidance, linking out to relevant links or guides on vaultproject.io for various workflows in Vault. @@ -1063,7 +1066,7 @@ FEATURES: * **FoundationDB Storage**: You can now use FoundationDB for storing Vault data. * **UI Control Group Workflow (enterprise)**: The UI will now detect control - group responses and provides a workflow to view the status of the request + group responses and provides a workflow to view the status of the request and to authorize requests. * **Vault Agent (Beta)**: Vault Agent is a daemon that can automatically authenticate for you across a variety of authentication methods, provide 
@@ -1092,7 +1095,7 @@ IMPROVEMENTS: * secrets/ssh: Allow Vault to work with single-argument SSH flags [GH-4825] * secrets/ssh: SSH executable path can now be configured in the CLI [GH-4937] * storage/swift: Add additional configuration options [GH-4901] - * ui: Choose which auth methods to show to unauthenticated users via + * ui: Choose which auth methods to show to unauthenticated users via `listing_visibility` in the auth method edit forms [GH-4854] * ui: Authenticate users automatically by passing a wrapped token to the UI via the new `wrapped_token` query parameter [GH-4854] 
@@ -1110,22 +1113,22 @@ BUG FIXES: * core: Fix issue releasing the leader lock in some circumstances [GH-4915] * core: Fix a panic that could happen if the server was shut down while still starting up - * core: Fix deadlock that would occur if a leadership loss occurs at the same + * core: Fix deadlock that would occur if a leadership loss occurs at the same time as a seal operation [GH-4932] - * core: Fix issue with auth mounts failing to renew tokens due to policies + * core: Fix issue with auth mounts failing to renew tokens due to policies changing [GH-4960] * auth/radius: Fix issue where some radius logins were being canceled too early [GH-4941] - * core: Fix accidental seal of vault of we lose leadership during startup + * core: Fix accidental seal of vault of we lose leadership during startup [GH-4924] - * core: Fix standby not being able to forward requests larger than 4MB + * core: Fix standby not being able to forward requests larger than 4MB [GH-4844] * core: Avoid panic while processing group memberships [GH-4841] * identity: Fix a race condition creating aliases [GH-4965] * plugins: Fix being unable to send very large payloads to or from plugins [GH-4958] * physical/azure: Long list responses would sometimes be truncated [GH-4983] - * replication: Allow replication status requests to be processed while in + * replication: Allow replication status requests to be processed while in merkle sync * replication: Ensure merkle reindex flushes all changes to storage immediately * replication: Fix a case where a network interruption could cause a secondary 
@@ -1135,7 +1138,7 @@ BUG FIXES: * secrets/database: Fix panic during DB creds revocation [GH-4846] * ui: Fix usage of cubbyhole backend in the UI [GH-4851] * ui: Fix toggle state when a secret is JSON-formatted [GH-4913] - * ui: Fix coercion of falsey values to empty string when editing secrets as + * ui: Fix coercion of falsey values to empty string when editing secrets as JSON [GH-4977] ## 0.10.3 (June 20th, 2018) @@ -1276,7 +1279,7 @@ IMPROVEMENTS: * auth/ldap: Obfuscate error messages pre-bind for greater security [GH-4700] * cli: `vault login` now supports a `-no-print` flag to suppress printing token information but still allow storing into the token helper [GH-4454] - * core/pkcs11 (enterprise): Add support for CKM_AES_CBC_PAD, CKM_RSA_PKCS, and + * core/pkcs11 (enterprise): Add support for CKM_AES_CBC_PAD, CKM_RSA_PKCS, and CKM_RSA_PKCS_OAEP mechanisms * core/pkcs11 (enterprise): HSM slots can now be selected by token label instead of just slot number @@ -1304,7 +1307,7 @@ IMPROVEMENTS: * ui: Identity interface now lists groups by name [GH-4655] * ui: Permission denied errors still render the sidebar in the Access section [GH-4658] - * replication: Improve performance of index page flushes and WAL garbage + * replication: Improve performance of index page flushes and WAL garbage collecting BUG FIXES: @@ -1415,7 +1418,7 @@ IMPROVEMENTS: the rate of writes committed * secret/ssh: Update dynamic key install script to use shell locking to avoid concurrent modifications [GH-4358] - * ui: Access to `sys/mounts` is no longer needed to use the UI - the list of + * ui: Access to `sys/mounts` is no longer needed to use the UI - the list of engines will show you the ones you implicitly have access to (because you have access to to secrets in those engines) [GH-4439] 
@@ -1440,16 +1443,16 @@ BUG FIXES: interface properly [GH-4398] * ui: Corrected the saving of mount tune ttls for auth methods [GH-4431] * ui: Credentials generation no longer checks capabilities before making - api calls. This should fix needing "update" capabilites to read IAM + api calls. This should fix needing "update" capabilites to read IAM credentials in the AWS secrets engine [GH-4446] ## 0.10.0 (April 10th, 2018) SECURITY: - * Log sanitization for Combined Database Secret Engine: In certain failure - scenarios with incorrectly formatted connection urls, the raw connection - errors were being returned to the user with the configured database + * Log sanitization for Combined Database Secret Engine: In certain failure + scenarios with incorrectly formatted connection urls, the raw connection + errors were being returned to the user with the configured database credentials. Errors are now sanitized before being returned to the user. DEPRECATIONS/CHANGES: @@ -1524,7 +1527,7 @@ FEATURES: * HA for Google Cloud Storage: The GCS storage type now supports HA. * UI support for identity: Add and edit entities, groups, and their associated aliases. - * UI auth method support: Enable, disable, and configure all of the built-in + * UI auth method support: Enable, disable, and configure all of the built-in authentication methods. * UI (Enterprise): View and edit Sentinel policies. 
@@ -1557,17 +1560,17 @@ BUG FIXES: * secret/pki: When tidying if a value is unexpectedly nil, delete it and move on [GH-4214] * storage/s3: Fix panic if S3 returns no Content-Length header [GH-4222] - * ui: Fixed an issue where the UI was checking incorrect paths when operating - on transit keys. Capabilities are now checked when attempting to encrypt / + * ui: Fixed an issue where the UI was checking incorrect paths when operating + on transit keys. Capabilities are now checked when attempting to encrypt / decrypt, etc. * ui: Fixed IE 11 layout issues and JS errors that would stop the application from running. - * ui: Fixed the link that gets rendered when a user doesn't have permissions + * ui: Fixed the link that gets rendered when a user doesn't have permissions to view the root of a secret engine. The link now sends them back to the list of secret engines. - * replication: Fix issue with DR secondaries when using mount specified local + * replication: Fix issue with DR secondaries when using mount specified local paths. - * cli: Fix an issue where generating a dr operation token would not output the + * cli: Fix an issue where generating a dr operation token would not output the token [GH-4328] ## 0.9.6 (March 20th, 2018)
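Review bot: in hunk `@@ -22,6 +22,9 @@` the new `secrets/kv` entry leaves the two questions an operator will ask unanswered: which KV v2 operation `delete_version_after` performs (a recoverable delete or a destroy, which the kv engine treats as different operations) and which value wins when both the mount and a key's metadata set it. "which takes a duration and can be set on the mount and/or the metadata for a specific key" reads as if the two settings are independent. Suggest one clause for each, matching whatever GH-7005 actually implements, and a note on whether versions written before the setting was applied are affected.

Review bot: hunk `@@ -79,9 +82,9 @@` strips trailing whitespace from the KMIP line but leaves the broken sentence two lines above it, "PostgreSQL versions >= 9.5 may now but used as and HA storage backend." Since the hunk already touches this block, fix it to "may now be used as an HA storage backend" in the same pass.

Review bot: hunk `@@ -231,21 +234,21 @@` re-emits the lines "auth/jwt: Bounds claims validiation will now allow matching" and "ui: Suport for authentication via the RADIUS auth method" with only whitespace changes; "validiation" and "Suport" should become "validation" and "Support" while the lines are being rewritten anyway.

Review bot: hunk `@@ -679,7 +682,7 @@` keeps "ui: Display additonal wrap info when unwrapping." as unchanged context one line above the whitespace fix; "additonal" is a typo for "additional".

Review bot: hunk `@@ -823,7 +826,7 @@` rewrites the AliCloud KMS line for whitespace only and preserves "AliCloud KMS can now be used a support seal for"; the sentence is missing "as" ("can now be used as a supported seal for").

Review bot: hunk `@@ -836,16 +839,16 @@` leaves "[GF-5294]" on the "ui: fix need to have update for aws iam creds generation" line. Every other reference in this file uses the `GH-`/`JWT-` prefixes, so this looks like a mistyped `GH-5294`; please confirm against the PR and correct it, since the bracketed references are what readers use to find the change.

Review bot: hunk `@@ -1110,22 +1113,22 @@` touches "core: Fix accidental seal of vault of we lose leadership during startup" for whitespace but not wording; "of we" should be "if we".

Review bot: hunk `@@ -1415,7 +1418,7 @@` carries "(because you have access to to secrets in those engines)" through unchanged; drop the duplicated "to".

Review bot: hunk `@@ -1440,16 +1443,16 @@` re-emits "This should fix needing \"update\" capabilites to read IAM" with a whitespace-only change; "capabilites" should be "capabilities". More generally, about sixty of the sixty-six insertions in this patch are trailing-whitespace cleanups and only the three lines in the first hunk carry content, so consider landing the whitespace sweep as its own commit so the `delete_version_after` entry can be reviewed on its own.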