From ab8d3e4a8a4baea2165d2312de48a1bdc7c7fca7 Mon Sep 17 00:00:00 2001 From: Jeff Mitchell Date: Tue, 30 Jul 2019 12:47:18 -0400 Subject: [PATCH] changelog++ --- CHANGELOG.md | 358 ++++++++++++++++++++++++--------------------------- 1 file changed, 168 insertions(+), 190 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c0bd6533f..1489ece09 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,171 @@ +## 1.2.0 (July 30th, 2019) + +CHANGES: + + * Token store roles use new, common token fields for the values + that overlap with other auth backends. `period`, `explicit_max_ttl`, and + `bound_cidrs` will continue to work, with priority being given to the + `token_` prefixed versions of those parameters. They will also be returned + when doing a read on the role if they were used to provide values initially; + however, in Vault 1.4 if `period` or `explicit_max_ttl` is zero they will no + longer be returned. (`explicit_max_ttl` was already not returned if empty.) + * Due to underlying changes in Go version 1.12 and Go > 1.11.5, Vault is now + stricter about what characters it will accept in path names. Whereas before + it would filter out unprintable characters (and this could be turned off), + control characters and other invalid characters are now rejected within Go's + HTTP library before the request is passed to Vault, and this cannot be + disabled. To continue using these (e.g. for already-written paths), they + must be properly percent-encoded (e.g. `\r` becomes `%0D`, `\x00` becomes + `%00`, and so on). + * The user-configured regions on the AWSKMS seal stanza will now be preferred + over regions set in the enclosing environment. This is a _breaking_ change. + * All values in audit logs now are omitted if they are empty. This helps + reduce the size of audit log entries by not reproducing keys in each entry + that commonly don't contain any value, which can help in cases where audit + log entries are above the maximum UDP packet size and others. + * Both PeriodicFunc and WALRollback functions will be called if both are + provided. Previously WALRollback would only be called if PeriodicFunc was + not set. See [GH-6717](https://github.com/hashicorp/vault/pull/6717) for + details. + * Vault now uses Go's official dependency management system, Go Modules, to + manage dependencies. 
As a result to both reduce transitive dependencies for + API library users and plugin authors, and to work around various conflicts, + we have moved various helpers around, mostly under an `sdk/` submodule. A + couple of functions have also moved from plugin helper code to the `api/` + submodule. If you are a plugin author, take a look at some of our official + plugins and the paths they are importing for guidance. + * AppRole uses new, common token fields for values that overlap + with other auth backends. `period` and `policies` will continue to work, + with priority being given to the `token_` prefixed versions of those + parameters. They will also be returned when doing a read on the role if they + were used to provide values initially. + * In AppRole, `"default"` is no longer automatically added to the `policies` + parameter. This was a no-op since it would always be added anyways by + Vault's core; however, this can now be explicitly disabled with the new + `token_no_default_policy` field. + * In AppRole, `bound_cidr_list` is no longer returned when reading a role + * rollback: Rollback will no longer display log messages when it runs; it will + only display messages on error. + * Database plugins will now default to 4 `max_open_connections` + rather than 2. + +FEATURES: + + * **Integrated Storage**: Vault 1.2 includes a _tech preview_ of a new way to + manage storage directly within a Vault cluster. This new integrated storage + solution is based on the Raft protocol which is also used to back HashiCorp + Consul and HashiCorp Nomad. + * **Combined DB credential rotation**: Alternative mode for the Combined DB + Secret Engine to automatically rotate existing database account credentials + and set Vault as the source of truth for credentials. + * **Identity Tokens**: Vault's Identity system can now generate OIDC-compliant + ID tokens. These customizable tokens allow encapsulating a signed, verifiable + snapshot of identity information and metadata. 
They can be use by other + applications—even those without Vault authorization—as a way of establishing + identity based on a Vault entity. + * **Pivotal Cloud Foundry plugin**: New auth method using Pivotal Cloud + Foundry certificates for Vault authentication. + * **ElasticSearch database plugin**: New ElasticSearch database plugin issues + unique, short-lived ElasticSearch credentials. + * **New UI Features**: An HTTP Request Volume Page and new UI for editing LDAP + Users and Groups have been added. + * **HA support for Postgres**: PostgreSQL versions >= 9.5 may now but used as + and HA storage backend. + * **KMIP secrets engine (Enterprise)**: Allows Vault to operate as a KMIP + Server, seamlessly brokering cryptographic operations for traditional + infrastructure. + * Common Token Fields: Auth methods now use common fields for controlling + token behavior, making it easier to understand configuration across methods. + * **Vault API explorer**: The Vault UI now includes an embedded API explorer + where you can browse the endpoints avaliable to you and make requests. To try + it out, open the Web CLI and type `api`. 
+ +IMPROVEMENTS: + + * agent: Allow EC2 nonce to be passed in [GH-6953] + * agent: Add optional `namespace` parameter, which sets the default namespace + for the auto-auth functionality [GH-6988] + * api: Add support for passing data to delete operations via `DeleteWithData` + [GH-7139] + * audit/file: Dramatically speed up file operations by changing + locking/marshaling order [GH-7024] + * auth/jwt: A JWKS endpoint may now be configured for signature verification [JWT-43] + * auth/jwt: A new `verbose_oidc_logging` role parameter has been added to help + troubleshoot OIDC configuration [JWT-57] + * auth/jwt: `bound_claims` will now match received claims that are lists if any element + of the list is one of the expected values [JWT-50] + * auth/jwt: Leeways for `nbf` and `exp` are now configurable, as is clock skew + leeway [JWT-53] + * auth/kubernetes: Allow service names/namespaces to be configured as globs + [KUBEAUTH-58] + * auth/token: Allow the support of the identity system for the token backend + via token roles [GH-6267] + * auth/token: Add a large set of token configuration options to token store + roles [GH-6662] + * cli: `path-help` now allows `-format=json` to be specified, which will + output OpenAPI [GH-7006] + * cli: Add support for passing parameters to `vault delete` operations + [GH-7139] + * cli: Add a log-format CLI flag that can specify either "standard" or "json" + for the log format for the `vault server`command. 
[GH-6840] + * cli: Add `-dev-no-store-token` to allow dev servers to not store the + generated token at the tokenhelper location [GH-7104] + * identity: Allow a group alias' canonical ID to be modified + * namespaces: Namespaces can now be created and deleted from performance + replication secondaries + * plugins: Change the default for `max_open_connections` for DB plugins to 4 + [GH-7093] + * replication: Client TLS authentication is now supported when enabling or + updating a replication secondary + * secrets/database: Cassandra operations will now cancel on client timeout + [GH-6954] + * secrets/kv: Add optional `delete_version_after` parameter, which takes a + duration and can be set on the mount and/or the metadata for a specific key + [GH-7005] + * storage/postgres: LIST now performs better on large datasets [GH-6546] + * storage/s3: A new `path` parameter allows selecting the path within a bucket + for Vault data [GH-7157] + * ui: KV v1 and v2 will now gracefully degrade allowing a write without read + workflow in the UI [GH-6570] + * ui: Many visual improvements with the addition of Toolbars [GH-6626], the restyling + of the Confirm Action component [GH-6741], and using a new set of glyphs for our + Icon component [GH-6736] + * ui: Lazy loading parts of the application so that the total initial payload is + smaller [GH-6718] + * ui: Tabbing to auto-complete in filters will first complete a common prefix if there + is one [GH-6759] + * ui: Removing jQuery from the application makes the initial JS payload smaller [GH-6768] + +BUG FIXES: + + * audit: Log requests and responses due to invalid wrapping token provided + [GH-6541] + * auth/aws: AWS Roles are now upgraded and saved to the latest version just + after the AWS credential plugin is mounted. 
[GH-7025] + * auth/aws: Fix a case where a panic could stem from a malformed assumed-role ARN + when parsing this value [GH-6917] + * auth/aws: Fix an error complaining about a read-only view that could occur + during updating of a role when on a performance replication secondary + [GH-6926] + * auth/jwt: Fix a regression introduced in 1.1.1 that disabled checking of client_id + for OIDC logins [JWT-54] + * auth/jwt: Fix a panic during OIDC CLI logins that could occur if the Vault server + response is empty [JWT-55] + * auth/jwt: Fix issue where OIDC logins might intermittently fail when using + performance standbys [JWT-61] + * identity: Fix a case where modifying aliases of an entity could end up + moving the entity into the wrong namespace + * namespaces: Fix a behavior (currently only known to be benign) where we + wouldn't delete policies through the official functions before wiping the + namespaces on deletion + * secrets/pki: Forward revocation requests to active node when on a + performance standby [GH-7173] + * ui: Fix timestamp on some transit keys [GH-6827] + * ui: Show Entities and Groups in Side Navigation [GH-7138] + * ui: Ensure dropdown updates selected item on HTTP Request Metrics page + * secret/database: Escape username/password before using in connection URL + [GH-7089] + ## 1.1.4/1.1.5 (July 25th/30th, 2019) NOTE: 
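Review bot: the new 1.2.0 block records the database `max_open_connections` default change twice, once under CHANGES ("Database plugins will now default to 4 `max_open_connections` rather than 2.") and again under IMPROVEMENTS ("plugins: Change the default for `max_open_connections` for DB plugins to 4 [GH-7093]"); keep one of them, preferably the CHANGES entry with the GH-7093 reference attached. The same hunk carries several typos into the release notes: "may now but used as and HA storage backend" should read "may now be used as an HA storage backend", "They can be use by other applications" should be "used", "avaliable" should be "available", and "`vault server`command" is missing a space. The first token-store and AppRole entries under CHANGES also lost the `auth/token:` and `auth/approle:` component prefixes that every other entry in the list uses, and the last BUG FIXES entry is spelled `secret/database:` while IMPROVEMENTS uses `secrets/database:` and is out of alphabetical order after the `ui:` entries. For operators, the audit-log entry ("All values in audit logs now are omitted if they are empty") would benefit from one sentence stating that downstream audit parsers and SIEM rules must not assume a key is present in every entry, since that is the part of this release most likely to break a detection pipeline on upgrade.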
@@ -40,196 +208,6 @@ BUG FIXES: unix sockets [GH-6859] * ui: Fix saving of TTL and string array fields generated by Open API [GH-7094] -## 1.2.0-rc1 (July 25th, 2019) - -CHANGES: - - * rollback: Rollback will no longer display log messages when it runs; it will - only display messages on error. - * plugins: Database plugins will now default to 4 `max_open_connections` - rather than 2. - -IMPROVEMENTS: - - * api: Add support for passing data to delete operations via `DeleteWithData` - [GH-7139] - * cli: Add support for passing parameters to `vault delete` operations - [GH-7139] - * cli: Add a log-format CLI flag that can specify either "standard" or "json" - for the log format for the `vault server`command. [GH-6840] - * cli: Add `-dev-no-store-token` to allow dev servers to not store the - generated token at the tokenhelper location [GH-7104] - * plugins: Change the default for `max_open_connections` for DB plugins to 4 - [GH-7093] - * storage/s3: A new `path` parameter allows selecting the path within a bucket - for Vault data [GH-7157] - -BUG FIXES: - - * audit: Log requests and responses due to invalid wrapping token provided - [GH-6541] - * auth/aws: AWS Roles are now upgraded and saved to the latest version just - after the AWS credential plugin is mounted. [GH-7025] - * auth/jwt: Fix issue where OIDC logins might intermittently fail when using - performance standbys [JWT-61] - * secrets/pki: Forward revocation requests to active node when on a - performance standby [GH-7173] - * ui: Show Entities and Groups in Side Navigation [GH-7138] - * ui: Ensure dropdown updates selected item on HTTP Request Metrics page - -## 1.2.0-beta2 (July 9th, 2019) - -CHANGES: - - * auth/approle: AppRole uses new, common token fields for values that overlap - with other auth backends. `period` and `policies` will continue to work, - with priority being given to the `token_` prefixed versions of those - parameters. 
They will also be returned when doing a read on the role if they - were used to provide values initially. - * auth/approle: `"default"` is no longer automatically added to the `policies` - parameter. This was a no-op since it would always be added anyways by - Vault's core; however, this can now be explicitly disabled with the new - `token_no_default_policy` field. - * auth/approle: `bound_cidr_list` is no longer returned when reading a role - -FEATURES: - - * **Integrated Storage**: Vault 1.2 includes a tech preview of a new way to - manage storage directly within a Vault cluster. This new integrated storage - solution is based on the Raft protocol which is also used to back HashiCorp - Consul and HashiCorp Nomad. - * **Vault API explorer**: The Vault UI now includes an embedded API explorer - where you can browse the endpoints avaliable to you and make requests. To try - it out, open the Web CLI and type `api`. - -IMPROVEMENTS: - - * agent: Allow EC2 nonce to be passed in [GH-6953] - * agent: Add optional `namespace` parameter, which sets the default namespace - for the auto-auth functionality [GH-6988] - * audit/file: Dramatically speed up file operations by changing - locking/marshaling order [GH-7024] - * auth/jwt: A new `verbose_oidc_logging` role parameter has been added to help - troubleshoot OIDC configuration [JWT-57] - * auth/token: Allow the support of the identity system for the token backend - via token roles [GH-6267] - * cli: `path-help` now allows `-format=json` to be specified, which will - output OpenAPI [GH-7006] - * secrets/kv: Add optional `delete_version_after` parameter, which takes a - duration and can be set on the mount and/or the metadata for a specific key - [GH-7005] - -BUG FIXES: - - * secret/database: Escape username/password before using in connection URL - [GH-7089] - -## 1.2.0-beta1 (June 25th, 2019) - -CHANGES: - - * auth/token: Token store roles use new, common token fields for the values - that overlap with other auth backends. 
`period`, `explicit_max_ttl`, and - `bound_cidrs` will continue to work, with priority being given to the - `token_` prefixed versions of those parameters. They will also be returned - when doing a read on the role if they were used to provide values initially; - however, in Vault 1.4 if `period` or `explicit_max_ttl` is zero they will no - longer be returned. (`explicit_max_ttl` was already not returned if empty.) - * Due to underlying changes in Go version 1.12 and Go > 1.11.5, Vault is now - stricter about what characters it will accept in path names. Whereas before - it would filter out unprintable characters (and this could be turned off), - control characters and other invalid characters are now rejected within Go's - HTTP library before the request is passed to Vault, and this cannot be - disabled. To continue using these (e.g. for already-written paths), they - must be properly percent-encoded (e.g. `\r` becomes `%0D`, `\x00` becomes - `%00`, and so on). - * The user-configured regions on the AWSKMS seal stanza will now be preferred - over regions set in the enclosing environment. This is a _breaking_ change. - * All values in audit logs now are omitted if they are empty. This helps - reduce the size of audit log entries by not reproducing keys in each entry - that commonly don't contain any value, which can help in cases where audit - log entries are above the maximum UDP packet size and others. - * Both PeriodicFunc and WALRollback functions will be called if both are - provided. Previously WALRollback would only be called if PeriodicFunc was - not set. See [GH-6717](https://github.com/hashicorp/vault/pull/6717) for - details. - * Vault now uses Go's official dependency management system, Go Modules, to - manage dependencies. As a result to both reduce transitive dependencies for - API library users and plugin authors, and to work around various conflicts, - we have moved various helpers around, mostly under an `sdk/` submodule. 
A - couple of functions have also moved from plugin helper code to the `api/` - submodule. If you are a plugin author, take a look at some of our official - plugins and the paths they are importing for guidance. - -FEATURES: - - * **Combined DB credential rotation**: Alternative mode for the Combined DB - Secret Engine to automatically rotate existing database account credentials - and set Vault as the source of truth for credentials. - * **Identity Tokens**: Vault's Identity system can now generate OIDC-compliant - ID tokens. These customizable tokens allow encapsulating a signed, verifiable - snapshot of identity information and metadata. They can be use by other - applications—even those without Vault authorization—as a way of establishing - identity based on a Vault entity. - * **Pivotal Cloud Foundry plugin**: New auth method using Pivotal Cloud - Foundry certificates for Vault authentication. - * **ElasticSearch database plugin**: New ElasticSearch database plugin issues - unique, short-lived ElasticSearch credentials. - * **New UI Features**: An HTTP Request Volume Page and new UI for editing LDAP - Users and Groups have been added. - * **HA support for Postgres**: PostgreSQL versions >= 9.5 may now but used as - and HA storage backend. - * **KMIP secrets engine (Enterprise)**: Allows Vault to operate as a KMIP Server, - seamlessly brokering cryptographic operations for traditional infrastructure. 
- -IMPROVEMENTS: - - * auth/jwt: A JWKS endpoint may now be configured for signature verification [JWT-43] - * auth/jwt: `bound_claims` will now match received claims that are lists if any element - of the list is one of the expected values [JWT-50] - * auth/jwt: Leeways for `nbf` and `exp` are now configurable, as is clock skew - leeway [JWT-53] - * auth/kubernetes: Allow service names/namespaces to be configured as globs - [KUBEAUTH-58] - * auth/token: Add a large set of token configuration options to token store - roles [GH-6662] - * identity: Allow a group alias' canonical ID to be modified - * namespaces: Namespaces can now be created and deleted from performance - replication secondaries - * replication: Client TLS authentication is now supported when enabling or - updating a replication secondary - * secrets/database: Cassandra operations will now cancel on client timeout - [GH-6954] - * storage/postgres: LIST now performs better on large datasets [GH-6546] - * ui: KV v1 and v2 will now gracefully degrade allowing a write without read - workflow in the UI [GH-6570] - * ui: Many visual improvements with the addition of Toolbars [GH-6626], the restyling - of the Confirm Action component [GH-6741], and using a new set of glyphs for our - Icon component [GH-6736] - * ui: Lazy loading parts of the application so that the total initial payload is - smaller [GH-6718] - * ui: Tabbing to auto-complete in filters will first complete a common prefix if there - is one [GH-6759] - * ui: Removing jQuery from the application makes the initial JS payload smaller [GH-6768] - -BUG FIXES: - - * auth/aws: Fix a case where a panic could stem from a malformed assumed-role ARN - when parsing this value [GH-6917] - * auth/aws: Fix an error complaining about a read-only view that could occur - during updating of a role when on a performance replication secondary - [GH-6926] - * auth/jwt: Fix a regression introduced in 1.1.1 that disabled checking of client_id - for OIDC logins 
[JWT-54] - * auth/jwt: Fix a panic during OIDC CLI logins that could occur if the Vault server - response is empty [JWT-55] - * identity: Fix a case where modifying aliases of an entity could end up - moving the entity into the wrong namespace - * namespaces: Fix a behavior (currently only known to be benign) where we - wouldn't delete policies through the official functions before wiping the - namespaces on deletion - * ui: Fix timestamp on some transit keys [GH-6827] - ## 1.1.3 (June 5th, 2019) IMPROVEMENTS:
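Review bot: every entry deleted here from the 1.2.0-rc1, 1.2.0-beta2 and 1.2.0-beta1 sections reappears in the consolidated 1.2.0 block added in the first hunk (checked by reference: GH-6541 through GH-7173, JWT-43 through JWT-61, KUBEAUTH-58, plus the unreferenced identity, namespaces and replication items), so the removal loses nothing. Two things did change in the move and should be restored or corrected: the `auth/token:` and `auth/approle:` prefixes on the CHANGES entries were dropped when the text was rewritten, and the typos already present in these deleted lines ("avaliable", "may now but used as and HA", "can be use by") were copied into the new section verbatim instead of being fixed while the text was being touched.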