upgrade notes entry for approle constraint and warning on role read
This commit is contained in:
vishalnayak
parent
c364ac823b
commit
99a2655d8e
14
CHANGELOG.md
14
CHANGELOG.md
|
|
@ -1,6 +1,6 @@
|
|||
## 0.6.2 (Unreleased)
|
||||
|
||||
DEPRECATIONS/BREAKING CHANGES:
|
||||
DEPRECATIONS/CHANGES:
|
||||
|
||||
IMPROVEMENTS:
|
||||
|
||||
|
|
@ -36,7 +36,7 @@ BUG FIXES:
|
|||
|
||||
## 0.6.1 (August 22, 2016)
|
||||
|
||||
DEPRECATIONS/BREAKING CHANGES:
|
||||
DEPRECATIONS/CHANGES:
|
||||
|
||||
* Once the active node is 0.6.1, standby nodes must also be 0.6.1 in order to
|
||||
connect to the HA cluster. We recommend following our [general upgrade
|
||||
|
|
@ -233,7 +233,7 @@ SECURITY:
|
|||
confusion, we have simply removed `auth/token/revoke-prefix` in 0.6, and
|
||||
`sys/revoke-prefix` will be meant for both leases and tokens instead.
|
||||
|
||||
DEPRECATIONS/BREAKING CHANGES:
|
||||
DEPRECATIONS/CHANGES:
|
||||
|
||||
* `auth/token/revoke-prefix` has been removed. See the security notice for
|
||||
details. [GH-1280]
|
||||
|
|
@ -508,7 +508,7 @@ BUG FIXES:
|
|||
|
||||
## 0.5.1 (February 25th, 2016)
|
||||
|
||||
DEPRECATIONS/BREAKING CHANGES:
|
||||
DEPRECATIONS/CHANGES:
|
||||
|
||||
* RSA keys less than 2048 bits are no longer supported in the PKI backend.
|
||||
1024-bit keys are considered unsafe and are disallowed in the Internet PKI.
|
||||
|
|
@ -592,7 +592,7 @@ SECURITY:
|
|||
would be a denial of service against a legitimate rekey operation by sending
|
||||
cancel requests over and over. Thanks to Josh Snyder for the report!
|
||||
|
||||
DEPRECATIONS/BREAKING CHANGES:
|
||||
DEPRECATIONS/CHANGES:
|
||||
|
||||
* `s3` physical backend: Environment variables are now preferred over
|
||||
configuration values. This makes it behave similar to the rest of Vault,
|
||||
|
|
@ -777,7 +777,7 @@ against Go 1.5.3, there are no changes from 0.4.0.
|
|||
|
||||
## 0.4.0 (December 10, 2015)
|
||||
|
||||
DEPRECATIONS/BREAKING CHANGES:
|
||||
DEPRECATIONS/CHANGES:
|
||||
|
||||
* Policy Name Casing: Policy names are now normalized to lower-case on write,
|
||||
helping prevent accidental case mismatches. For backwards compatibility,
|
||||
|
|
@ -927,7 +927,7 @@ MISC:
|
|||
|
||||
## 0.3.0 (September 28, 2015)
|
||||
|
||||
DEPRECATIONS/BREAKING CHANGES:
|
||||
DEPRECATIONS/CHANGES:
|
||||
|
||||
Note: deprecations and breaking changes in upcoming releases are announced
|
||||
ahead of time on the "vault-tool" mailing list.
|
||||
|
|
|
|||
|
|
@ -521,8 +521,26 @@ func (b *backend) pathRoleSecretIDList(req *logical.Request, data *framework.Fie
|
|||
return logical.ListResponse(listItems), nil
|
||||
}
|
||||
|
||||
// setRoleEntry grabs a write lock and stores the options on an role into the storage.
|
||||
// Also creates a reverse index from the role's RoleID to the role itself.
|
||||
// validRoleConstraints tells if the role has at least one constraint enabled
|
||||
func validRoleConstraints(role *roleStorageEntry) (bool, error) {
|
||||
if role == nil {
|
||||
return false, fmt.Errorf("nil role")
|
||||
}
|
||||
|
||||
// At least one constraint should be enabled on the role
|
||||
switch {
|
||||
case role.BindSecretID:
|
||||
case role.BoundCIDRList != "":
|
||||
default:
|
||||
return false, fmt.Errorf("at least one constraint should be enabled on the role")
|
||||
}
|
||||
|
||||
return true, nil
|
||||
}
|
||||
|
||||
// setRoleEntry grabs a write lock and stores the options on an role into the
|
||||
// storage. Also creates a reverse index from the role's RoleID to the role
|
||||
// itself.
|
||||
func (b *backend) setRoleEntry(s logical.Storage, roleName string, role *roleStorageEntry, previousRoleID string) error {
|
||||
if roleName == "" {
|
||||
return fmt.Errorf("missing role name")
|
||||
|
|
@ -532,12 +550,13 @@ func (b *backend) setRoleEntry(s logical.Storage, roleName string, role *roleSto
|
|||
return fmt.Errorf("nil role")
|
||||
}
|
||||
|
||||
// At least one constraint should be enabled on the role
|
||||
switch {
|
||||
case role.BindSecretID:
|
||||
case role.BoundCIDRList != "":
|
||||
default:
|
||||
return fmt.Errorf("at least one constraint should be enabled on the role")
|
||||
// Check if role constraints are properly set
|
||||
valid, err := validRoleConstraints(role)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if !valid {
|
||||
return fmt.Errorf("failed to validate role constraints")
|
||||
}
|
||||
|
||||
// Create a storage entry for the role
|
||||
|
|
@ -743,9 +762,15 @@ func (b *backend) pathRoleRead(req *logical.Request, data *framework.FieldData)
|
|||
delete(data, "role_id")
|
||||
delete(data, "hmac_key")
|
||||
|
||||
return &logical.Response{
|
||||
resp := &logical.Response{
|
||||
Data: data,
|
||||
}, nil
|
||||
}
|
||||
|
||||
if valid, _ := validRoleConstraints(role); !valid {
|
||||
resp.AddWarning("Role does not have any constraints set on it. Updates to this role will require a constraint to be set")
|
||||
}
|
||||
|
||||
return resp, nil
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -10,3 +10,11 @@ description: |-
|
|||
|
||||
This page contains the list of breaking changes for Vault 0.6.2. Please read it
|
||||
carefully.
|
||||
|
||||
## AppRole Role Constraints
|
||||
|
||||
Creating or updating a role now requires at least one constraint to be enabled.
|
||||
Currently there are only 2 constraints: `bind_secret_id` and `bound_cidr_list`.
|
||||
`bind_secret_id` is enabled by default. Roles which had `bind_secret_id`
|
||||
disabled and `bound_cidr_list` not set, will require a constraint to be
|
||||
speficied during further updates.
|
||||
|
|
|
|||
Loading…
Reference in New Issue