Prep for release

2019-03-18 15:16:30 -04:00 · 2019-03-18 15:16:30 -04:00 · 3ea735045f
parent 90ba293a53
commit 3ea735045f
5 changed files with 84 additions and 118 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,122 +1,41 @@
-## 1.1.0 (Unreleased)
+## 1.1.0 (March 18th, 2019)

 CHANGES:

- * agent/caching: Move listeners config out of cache{} block to top level.
-   Allow running agent with cache enabled and auto-auth disabled.
- * auth/jwt: Update `bound_audiences` validation during non-OIDC logins to accept
-   any matched audience, as documented and handled in OIDC logins.
-   [[GH-30]](https://github.com/hashicorp/vault-plugin-auth-jwt/issues/30)
- * auth/jwt: Apply `bound_audiences` checks to OIDC paths.
-
-FEATURES:
-
- * core: on non-windows platforms a SIGUSR2 will make the server log a dump of
-   all running goroutines' stack traces for debugging purposes.
- 
-IMPROVEMENTS:
-
- * agent/caching: Agent Caching will now return `X-Cache` and `Age` headers on
-   responses to indicates whether a response was a cache hit or miss, and
-   the freshness of the cached response when applicable.
-   [[GH-6394]](https://github.com/hashicorp/vault/pull/6394)
- * sentinel: add token namespace id and path, available in rules as 
-   token.namespace.id and token.namespace.path.
-
-BUG FIXES:
-
- * agent/caching: Non-2xx (e.g. redirects) and non-JSON responses returned by
-   the server are no longer wrapped and returned by Agent Caching as 500 
-   Internal Server Error responses.
-   [[GH-6353]](https://github.com/hashicorp/vault/pull/6353)
- * agent/caching: Add locking during cache lookup to prevent identical
-   non-cached requests made in parallel launch multiple rewener goroutines.
-   [[GH-6374]](https://github.com/hashicorp/vault/pull/6374)
- * auth/jwt: Apply `bound_claims` validation across all login paths.
- * core: The `operator migrate` command will no longer hang on empty key names.
-   [[GH-6371]](https://github.com/hashicorp/vault/pull/6371)
- * secret/ssh: Fix for a bug where attempting to delete the last ssh role
-   in the zeroaddress configuration could fail.
-   [[GH-6390]](https://github.com/hashicorp/vault/pull/6390)
- * secret/totp: Uppercase provided keys so they don't fail base32 validation
-   [GH-6400]
- * sys: `sys/internal/ui/mounts` will no longer return secret or auth mounts
-   that have been filtered. Similarly, `sys/internal/ui/mount/:path` will
-   return a error response if a filtered mount path is requested.
-   [[GH-6412]](https://github.com/hashicorp/vault/pull/6412)
- * ui: Fix for a bug where you couldn't access the data tab after clicking on
-   wrap details on the tool > unwrap page [GH-6404]
-
-## 1.1.0-beta2 (March 5th, 2019)
-
-CHANGES:
-
- * agent/caching: Enable the caching of tokens and leases generated by the
-   auto-auth token when that's in use.
-   [[GH-6293]](https://github.com/hashicorp/vault/pull/6293)
- * auth/jwt: The default listening port for the OIDC login helper is now 8250.
- * core: Token creation responses now contain the `orphan` field indicating
-   whether the new token is orphan.
-   [[GH-6230]](https://github.com/hashicorp/vault/pull/6320)
+ * auth/jwt: The `groups_claim_delimiter_pattern` field has been removed. If the
+   groups claim is not at the top level, it can now be specified as a
+   [JSONPointer](https://tools.ietf.org/html/rfc6901).
+ * auth/jwt: Roles now have a "role type" parameter with a default type of
+   "oidc". To configure new JWT roles, a role type of "jwt" must be explicitly
+   specified.
+ * cli: CLI commands deprecated in 0.9.2 are now removed. Please see the CLI
+   help/warning output in previous versions of Vault for updated commands.
+ * core: Vault no longer automatically mounts a K/V backend at the "secret/"
+   path when initializing Vault
+ * core: Vault's cluster port will now be open at all times on HA standby nodes
+ * plugins: Vault no longer supports running netRPC plugins. These were
+   deprecated in favor of gRPC based plugins and any plugin built since 0.9.4
+   defaults to gRPC. Older plugins may need to be recompiled against the latest
+   Vault dependencies.

 FEATURES:

+ * **Vault Agent Caching**: Vault Agent can now be configured to act as a
+   caching proxy to Vault. Clients can send requests to Vault Agent and the
+   request will be proxied to the Vault server and cached locally in Agent.
+   Currently Agent will cache generated leases and tokens and keep them
+   renewed. The proxy can also use the Auto Auth feature so clients do not need
+   to authenticate to Vault, but rather can make requests to Agent and have
+   Agent fully manage token lifecycle.
+ * **OIDC Redirect Flow Support**: The JWT auth backend now supports OIDC
+   roles. These allow authentication via an OIDC-compliant provider via the
+   user's browser. The login may be initiated from the Vault UI or through
+   the `vault login` command.
+ * **ACL Path Wildcard**: ACL paths can now use the `+` character to enable
+   wild card matching for a single directory in the path definition.
 * **Transit Auto Unseal**: Vault can now be configured to use the Transit
   Secret Engine in another Vault cluster as an auto unseal provider.

-IMPROVEMENTS:
-
- * auth/token: A warning will be printed when 'tls_cipher_suites' includes a
-   blacklisted cipher suite or all cipher suites are blacklisted by the HTTP/2
-   specification.
- * secrets/transit: Multiple HMAC, Sign or Verify operations can now be performed
-   with one API call using the new `batch_input` parameter
-   [[GH-5875]](https://github.com/hashicorp/vault/pull/5875).
-
-BUG FIXES:
-
- * namespace (enterprise): Clearing out identity store items upon namespace
-   deletion [[GH-850]](https://github.com/hashicorp/vault-enterprise/pull/850)
- * secrets/kv: Fix issue where a v1→v2 upgrade could run on a performance
-   standby when using a local mount.
- * agent/caching: Do not trigger cache update when renewal of the cached lease
-   is triggered. [[GH-6303]](https://github.com/hashicorp/vault/pull/6303)
- * auth/token: Fix issue where empty values for token role update call were
-   ignored. [[GH-6314]](https://github.com/hashicorp/vault/pull/6314)
- * ui: fix an issue where the policies tab was erroneously hidden [GH-6301]
- * ui: fix encoding issues with kv interfaces [GH-6294]
-
-## 1.1.0-beta1 (February 20th, 2019)
-
-CHANGES:
-
- * auth/jwt: The `groups_claim_delimiter_pattern` has been removed. If the groups
-   claim is not at the top level, it can now be specified as a
-   [JSONPointer](https://tools.ietf.org/html/rfc6901).
- * auth/jwt: Roles now have a "role type" parameter with a default type of "oidc". To
-   configure new JWT roles, a role type of "jwt" must be explicitly specified.
- * cli: CLI commands deprecated in 0.9.2 are now removed. Please see the CLI help output
-   for updated commands.
- * core: Vault no longer automatically mounts a k/v backend at the "secret/" path when 
-   initalizing Vault.
- * core: Vault's cluster port will now be opened on HA standby nodes.
- * plugins: Vault no longer supports running netRPC plugins. These were deprecated in 
-   favor of gRPC based plugins and any plugin built since 0.9.4 defaults to gRPC. Older 
-   plugins may need to be recompiled against the latest Vault dependencies.
-
-FEATURES:
-
- * **Vault Agent Caching**: Vault Agent can now be configured to act as a caching proxy 
-   to Vault. Clients can send requests to Vault Agent and the request will be proxied
-   to the Vault server and cached locally in Agent. Currently Agent will cache 
-   generated leases and tokens and keep them renewed. The proxy can also use the Auto
-   Auth feature so clients do not need to provide a Vault token with the request.
- * **OIDC Support**: The JWT auth backend now supports OIDC roles. These allow
-   authentication via an OIDC-compliant provider via the user's browser. The
-   login may be initiatated from the Vault UI or through the `vault login` command.
- * **ACL Path Wildcard**: ACL paths can now use the `+` character to enable wild card 
-   matching for a single directory in the path definition.
-
 IMPROVEMENTS:

 * auth/jwt: A default role can be set. It will be used during JWT/OIDC logins if
@ -125,18 +44,50 @@ IMPROVEMENTS:
 * auth/jwt: An arbitrary set of bound claims can now be configured for a role.
 * auth/jwt: The name "oidc" has been added as an alias for the jwt backend. Either
   name may be specified in the `auth enable` command.
+ * command/server: A warning will be printed when 'tls_cipher_suites' includes a
+   blacklisted cipher suite or all cipher suites are blacklisted by the HTTP/2
+   specification [GH-6300]
 * core/metrics: Prometheus pull support using a new sys/metrics endpoint. [GH-5308]
+ * core: On non-windows platforms a SIGUSR2 will make the server log a dump of
+   all running goroutines' stack traces for debugging purposes [GH-6240]
 * replication: The inital replication indexing process on newly initialized or upgraded
-   clusters now runs asynchronously.
+   clusters now runs asynchronously
+ * sentinel: Add token namespace id and path, available in rules as 
+   token.namespace.id and token.namespace.path
 * ui: The UI is now leveraging OpenAPI definitions to pull in fields for various forms.
   This means, it will not be necessary to add fields on the go and JS sides in the future.
   [GH-6209]

 BUG FIXES:
- 
- * identity: Fix a panic at login when external group has a nil alias. [GH-6230]
- * performance standby: Fixed a bug causing performance standbys to wait longer
-   than necessary after forwarding a write to the active node.
+
+ * auth/jwt: Apply `bound_claims` validation across all login paths
+ * auth/jwt: Update `bound_audiences` validation during non-OIDC logins to accept
+   any matched audience, as documented and handled in OIDC logins [JWT-30]
+ * auth/token: Fix issue where empty values for token role update call were
+   ignored [GH-6314]
+ * core: The `operator migrate` command will no longer hang on empty key names
+   [GH-6371]
+ * identity: Fix a panic at login when external group has a nil alias [GH-6230]
+ * namespaces: Clear out identity store items upon namespace deletion
+ * replication/perfstandby: Fixed a bug causing performance standbys to wait
+   longer than necessary after forwarding a write to the active node
+ * replication/mountfilter: Fix a deadlock that could occur when mount filters
+   were updated [GH-6426]
+ * secret/kv: Fix issue where a v1→v2 upgrade could run on a performance
+   standby when using a local mount
+ * secret/ssh: Fix for a bug where attempting to delete the last ssh role
+   in the zeroaddress configuration could fail [GH-6390]
+ * secret/totp: Uppercase provided keys so they don't fail base32 validation
+   [GH-6400]
+ * secret/transit: Multiple HMAC, Sign or Verify operations can now be
+   performed with one API call using the new `batch_input` parameter [GH-5875]
+ * sys: `sys/internal/ui/mounts` will no longer return secret or auth mounts
+   that have been filtered. Similarly, `sys/internal/ui/mount/:path` will
+   return a error response if a filtered mount path is requested. [GH-6412]
+ * ui: Fix for a bug where you couldn't access the data tab after clicking on
+   wrap details on the unwrap page [GH-6404]
+ * ui: Fix an issue where the policies tab was erroneously hidden [GH-6301]
+ * ui: Fix encoding issues with kv interfaces [GH-6294]
 
 ## 1.0.3 (February 12th, 2019)

--- a/terraform/aws/variables.tf
+++ b/terraform/aws/variables.tf
@ -3,7 +3,7 @@
 //-------------------------------------------------------------------

 variable "download-url" {
-    default = "https://releases.hashicorp.com/vault/1.0.3/vault_1.0.3_linux_amd64.zip"
+    default = "https://releases.hashicorp.com/vault/1.1.0/vault_1.1.0_linux_amd64.zip"
    description = "URL to download Vault"
 }

--- a/version/version_base.go
+++ b/version/version_base.go
@ -7,5 +7,5 @@ func init() {
 	// A pre-release marker for the version. If this is "" (empty string)
 	// then it means that it is a final release. Otherwise, this is a pre-release
 	// such as "dev" (in development), "beta", "rc1", etc.
-	VersionPrerelease = "beta2"
+	VersionPrerelease = ""
 }
--- a/website/config.rb
+++ b/website/config.rb
@ -6,7 +6,7 @@ use ReshapeMiddleware, component_file: "assets/reshape.js"

 activate :hashicorp do |h|
  h.name         = "vault"
-  h.version      = "1.0.3"
+  h.version      = "1.1.0"
  h.github_slug  = "hashicorp/vault"
  h.website_root = "website"
  h.releases_enabled = true
--- a/website/source/docs/concepts/policies.html.md
+++ b/website/source/docs/concepts/policies.html.md
@ -150,6 +150,21 @@ path "secret/zip-*" {
 }
 ```

+In addition, a `+` can be used to denote any number of characters bounded
+within a single path segment (this appeared in Vault 1.1):
+
+```ruby
+# Permit reading the "teamb" path under any top-level path under secret/
+path "secret/+/teamb" {
+  capabilities = ["read"]
+}
+
+# Permit reading secret/foo/bar/teamb, secret/bar/foo/teamb, etc.
+path "secret/+/+/teamb" {
+  capabilities = ["read"]
+}
+```
+
 Vault's architecture is similar to a filesystem. Every action in Vault has a
 corresponding path and capability - even Vault's internal core configuration
 endpoints live under the "sys/" path. Policies define access to these paths and