luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity

changelog++

This commit is contained in:
Jeff Mitchell 2019-07-30 12:47:18 -04:00
parent 01987f972c
commit ab8d3e4a8a
1 changed files with 168 additions and 190 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

358
CHANGELOG.md
View File

@ -1,3 +1,171 @@
## 1.2.0 (July 30th, 2019)
CHANGES:
* Token store roles use new, common token fields for the values
that overlap with other auth backends. `period`, `explicit_max_ttl`, and
`bound_cidrs` will continue to work, with priority being given to the
`token_` prefixed versions of those parameters. They will also be returned
when doing a read on the role if they were used to provide values initially;
however, in Vault 1.4 if `period` or `explicit_max_ttl` is zero they will no
longer be returned. (`explicit_max_ttl` was already not returned if empty.)
* Due to underlying changes in Go version 1.12 and Go > 1.11.5, Vault is now
stricter about what characters it will accept in path names. Whereas before
it would filter out unprintable characters (and this could be turned off),
control characters and other invalid characters are now rejected within Go's
HTTP library before the request is passed to Vault, and this cannot be
disabled. To continue using these (e.g. for already-written paths), they
must be properly percent-encoded (e.g. `\r` becomes `%0D`, `\x00` becomes
`%00`, and so on).
* The user-configured regions on the AWSKMS seal stanza will now be preferred
over regions set in the enclosing environment. This is a _breaking_ change.
* All values in audit logs now are omitted if they are empty. This helps
reduce the size of audit log entries by not reproducing keys in each entry
that commonly don't contain any value, which can help in cases where audit
log entries are above the maximum UDP packet size and others.
* Both PeriodicFunc and WALRollback functions will be called if both are
provided. Previously WALRollback would only be called if PeriodicFunc was
not set. See [GH-6717](https://github.com/hashicorp/vault/pull/6717) for
details.
* Vault now uses Go's official dependency management system, Go Modules, to
manage dependencies. As a result to both reduce transitive dependencies for
API library users and plugin authors, and to work around various conflicts,
we have moved various helpers around, mostly under an `sdk/` submodule. A
couple of functions have also moved from plugin helper code to the `api/`
submodule. If you are a plugin author, take a look at some of our official
plugins and the paths they are importing for guidance.
* AppRole uses new, common token fields for values that overlap
with other auth backends. `period` and `policies` will continue to work,
with priority being given to the `token_` prefixed versions of those
parameters. They will also be returned when doing a read on the role if they
were used to provide values initially.
* In AppRole, `"default"` is no longer automatically added to the `policies`
parameter. This was a no-op since it would always be added anyways by
Vault's core; however, this can now be explicitly disabled with the new
`token_no_default_policy` field.
* In AppRole, `bound_cidr_list` is no longer returned when reading a role
* rollback: Rollback will no longer display log messages when it runs; it will
only display messages on error.
* Database plugins will now default to 4 `max_open_connections`
rather than 2.
FEATURES:
* **Integrated Storage**: Vault 1.2 includes a _tech preview_ of a new way to
manage storage directly within a Vault cluster. This new integrated storage
solution is based on the Raft protocol which is also used to back HashiCorp
Consul and HashiCorp Nomad.
* **Combined DB credential rotation**: Alternative mode for the Combined DB
Secret Engine to automatically rotate existing database account credentials
and set Vault as the source of truth for credentials.
* **Identity Tokens**: Vault's Identity system can now generate OIDC-compliant
ID tokens. These customizable tokens allow encapsulating a signed, verifiable
snapshot of identity information and metadata. They can be use by other
applications—even those without Vault authorization—as a way of establishing
identity based on a Vault entity.
* **Pivotal Cloud Foundry plugin**: New auth method using Pivotal Cloud
Foundry certificates for Vault authentication.
* **ElasticSearch database plugin**: New ElasticSearch database plugin issues
unique, short-lived ElasticSearch credentials.
* **New UI Features**: An HTTP Request Volume Page and new UI for editing LDAP
Users and Groups have been added.
* **HA support for Postgres**: PostgreSQL versions >= 9.5 may now but used as
and HA storage backend.
* **KMIP secrets engine (Enterprise)**: Allows Vault to operate as a KMIP
Server, seamlessly brokering cryptographic operations for traditional
infrastructure.
* Common Token Fields: Auth methods now use common fields for controlling
token behavior, making it easier to understand configuration across methods.
* **Vault API explorer**: The Vault UI now includes an embedded API explorer
where you can browse the endpoints avaliable to you and make requests. To try
it out, open the Web CLI and type `api`.
IMPROVEMENTS:
* agent: Allow EC2 nonce to be passed in [GH-6953]
* agent: Add optional `namespace` parameter, which sets the default namespace
for the auto-auth functionality [GH-6988]
* api: Add support for passing data to delete operations via `DeleteWithData`
[GH-7139]
* audit/file: Dramatically speed up file operations by changing
locking/marshaling order [GH-7024]
* auth/jwt: A JWKS endpoint may now be configured for signature verification [JWT-43]
* auth/jwt: A new `verbose_oidc_logging` role parameter has been added to help
troubleshoot OIDC configuration [JWT-57]
* auth/jwt: `bound_claims` will now match received claims that are lists if any element
of the list is one of the expected values [JWT-50]
* auth/jwt: Leeways for `nbf` and `exp` are now configurable, as is clock skew
leeway [JWT-53]
* auth/kubernetes: Allow service names/namespaces to be configured as globs
[KUBEAUTH-58]
* auth/token: Allow the support of the identity system for the token backend
via token roles [GH-6267]
* auth/token: Add a large set of token configuration options to token store
roles [GH-6662]
* cli: `path-help` now allows `-format=json` to be specified, which will
output OpenAPI [GH-7006]
* cli: Add support for passing parameters to `vault delete` operations
[GH-7139]
* cli: Add a log-format CLI flag that can specify either "standard" or "json"
for the log format for the `vault server`command. [GH-6840]
* cli: Add `-dev-no-store-token` to allow dev servers to not store the
generated token at the tokenhelper location [GH-7104]
* identity: Allow a group alias' canonical ID to be modified
* namespaces: Namespaces can now be created and deleted from performance
replication secondaries
* plugins: Change the default for `max_open_connections` for DB plugins to 4
[GH-7093]
* replication: Client TLS authentication is now supported when enabling or
updating a replication secondary
* secrets/database: Cassandra operations will now cancel on client timeout
[GH-6954]
* secrets/kv: Add optional `delete_version_after` parameter, which takes a
duration and can be set on the mount and/or the metadata for a specific key
[GH-7005]
* storage/postgres: LIST now performs better on large datasets [GH-6546]
* storage/s3: A new `path` parameter allows selecting the path within a bucket
for Vault data [GH-7157]
* ui: KV v1 and v2 will now gracefully degrade allowing a write without read
workflow in the UI [GH-6570]
* ui: Many visual improvements with the addition of Toolbars [GH-6626], the restyling
of the Confirm Action component [GH-6741], and using a new set of glyphs for our
Icon component [GH-6736]
* ui: Lazy loading parts of the application so that the total initial payload is
smaller [GH-6718]
* ui: Tabbing to auto-complete in filters will first complete a common prefix if there
is one [GH-6759]
* ui: Removing jQuery from the application makes the initial JS payload smaller [GH-6768]
BUG FIXES:
* audit: Log requests and responses due to invalid wrapping token provided
[GH-6541]
* auth/aws: AWS Roles are now upgraded and saved to the latest version just
after the AWS credential plugin is mounted. [GH-7025]
* auth/aws: Fix a case where a panic could stem from a malformed assumed-role ARN
when parsing this value [GH-6917]
* auth/aws: Fix an error complaining about a read-only view that could occur
during updating of a role when on a performance replication secondary
[GH-6926]
* auth/jwt: Fix a regression introduced in 1.1.1 that disabled checking of client_id
for OIDC logins [JWT-54]
* auth/jwt: Fix a panic during OIDC CLI logins that could occur if the Vault server
response is empty [JWT-55]
* auth/jwt: Fix issue where OIDC logins might intermittently fail when using
performance standbys [JWT-61]
* identity: Fix a case where modifying aliases of an entity could end up
moving the entity into the wrong namespace
* namespaces: Fix a behavior (currently only known to be benign) where we
wouldn't delete policies through the official functions before wiping the
namespaces on deletion
* secrets/pki: Forward revocation requests to active node when on a
performance standby [GH-7173]
* ui: Fix timestamp on some transit keys [GH-6827]
* ui: Show Entities and Groups in Side Navigation [GH-7138]
* ui: Ensure dropdown updates selected item on HTTP Request Metrics page
* secret/database: Escape username/password before using in connection URL
[GH-7089]
## 1.1.4/1.1.5 (July 25th/30th, 2019) ## 1.1.4/1.1.5 (July 25th/30th, 2019)
NOTE: NOTE:
@ -40,196 +208,6 @@ BUG FIXES:
unix sockets [GH-6859] unix sockets [GH-6859]
* ui: Fix saving of TTL and string array fields generated by Open API [GH-7094] * ui: Fix saving of TTL and string array fields generated by Open API [GH-7094]
## 1.2.0-rc1 (July 25th, 2019)
CHANGES:
* rollback: Rollback will no longer display log messages when it runs; it will
only display messages on error.
* plugins: Database plugins will now default to 4 `max_open_connections`
rather than 2.
IMPROVEMENTS:
* api: Add support for passing data to delete operations via `DeleteWithData`
[GH-7139]
* cli: Add support for passing parameters to `vault delete` operations
[GH-7139]
* cli: Add a log-format CLI flag that can specify either "standard" or "json"
for the log format for the `vault server`command. [GH-6840]
* cli: Add `-dev-no-store-token` to allow dev servers to not store the
generated token at the tokenhelper location [GH-7104]
* plugins: Change the default for `max_open_connections` for DB plugins to 4
[GH-7093]
* storage/s3: A new `path` parameter allows selecting the path within a bucket
for Vault data [GH-7157]
BUG FIXES:
* audit: Log requests and responses due to invalid wrapping token provided
[GH-6541]
* auth/aws: AWS Roles are now upgraded and saved to the latest version just
after the AWS credential plugin is mounted. [GH-7025]
* auth/jwt: Fix issue where OIDC logins might intermittently fail when using
performance standbys [JWT-61]
* secrets/pki: Forward revocation requests to active node when on a
performance standby [GH-7173]
* ui: Show Entities and Groups in Side Navigation [GH-7138]
* ui: Ensure dropdown updates selected item on HTTP Request Metrics page
## 1.2.0-beta2 (July 9th, 2019)
CHANGES:
* auth/approle: AppRole uses new, common token fields for values that overlap
with other auth backends. `period` and `policies` will continue to work,
with priority being given to the `token_` prefixed versions of those
parameters. They will also be returned when doing a read on the role if they
were used to provide values initially.
* auth/approle: `"default"` is no longer automatically added to the `policies`
parameter. This was a no-op since it would always be added anyways by
Vault's core; however, this can now be explicitly disabled with the new
`token_no_default_policy` field.
* auth/approle: `bound_cidr_list` is no longer returned when reading a role
FEATURES:
* **Integrated Storage**: Vault 1.2 includes a tech preview of a new way to
manage storage directly within a Vault cluster. This new integrated storage
solution is based on the Raft protocol which is also used to back HashiCorp
Consul and HashiCorp Nomad.
* **Vault API explorer**: The Vault UI now includes an embedded API explorer
where you can browse the endpoints avaliable to you and make requests. To try
it out, open the Web CLI and type `api`.
IMPROVEMENTS:
* agent: Allow EC2 nonce to be passed in [GH-6953]
* agent: Add optional `namespace` parameter, which sets the default namespace
for the auto-auth functionality [GH-6988]
* audit/file: Dramatically speed up file operations by changing
locking/marshaling order [GH-7024]
* auth/jwt: A new `verbose_oidc_logging` role parameter has been added to help
troubleshoot OIDC configuration [JWT-57]
* auth/token: Allow the support of the identity system for the token backend
via token roles [GH-6267]
* cli: `path-help` now allows `-format=json` to be specified, which will
output OpenAPI [GH-7006]
* secrets/kv: Add optional `delete_version_after` parameter, which takes a
duration and can be set on the mount and/or the metadata for a specific key
[GH-7005]
BUG FIXES:
* secret/database: Escape username/password before using in connection URL
[GH-7089]
## 1.2.0-beta1 (June 25th, 2019)
CHANGES:
* auth/token: Token store roles use new, common token fields for the values
that overlap with other auth backends. `period`, `explicit_max_ttl`, and
`bound_cidrs` will continue to work, with priority being given to the
`token_` prefixed versions of those parameters. They will also be returned
when doing a read on the role if they were used to provide values initially;
however, in Vault 1.4 if `period` or `explicit_max_ttl` is zero they will no
longer be returned. (`explicit_max_ttl` was already not returned if empty.)
* Due to underlying changes in Go version 1.12 and Go > 1.11.5, Vault is now
stricter about what characters it will accept in path names. Whereas before
it would filter out unprintable characters (and this could be turned off),
control characters and other invalid characters are now rejected within Go's
HTTP library before the request is passed to Vault, and this cannot be
disabled. To continue using these (e.g. for already-written paths), they
must be properly percent-encoded (e.g. `\r` becomes `%0D`, `\x00` becomes
`%00`, and so on).
* The user-configured regions on the AWSKMS seal stanza will now be preferred
over regions set in the enclosing environment. This is a _breaking_ change.
* All values in audit logs now are omitted if they are empty. This helps
reduce the size of audit log entries by not reproducing keys in each entry
that commonly don't contain any value, which can help in cases where audit
log entries are above the maximum UDP packet size and others.
* Both PeriodicFunc and WALRollback functions will be called if both are
provided. Previously WALRollback would only be called if PeriodicFunc was
not set. See [GH-6717](https://github.com/hashicorp/vault/pull/6717) for
details.
* Vault now uses Go's official dependency management system, Go Modules, to
manage dependencies. As a result to both reduce transitive dependencies for
API library users and plugin authors, and to work around various conflicts,
we have moved various helpers around, mostly under an `sdk/` submodule. A
couple of functions have also moved from plugin helper code to the `api/`
submodule. If you are a plugin author, take a look at some of our official
plugins and the paths they are importing for guidance.
FEATURES:
* **Combined DB credential rotation**: Alternative mode for the Combined DB
Secret Engine to automatically rotate existing database account credentials
and set Vault as the source of truth for credentials.
* **Identity Tokens**: Vault's Identity system can now generate OIDC-compliant
ID tokens. These customizable tokens allow encapsulating a signed, verifiable
snapshot of identity information and metadata. They can be use by other
applications—even those without Vault authorization—as a way of establishing
identity based on a Vault entity.
* **Pivotal Cloud Foundry plugin**: New auth method using Pivotal Cloud
Foundry certificates for Vault authentication.
* **ElasticSearch database plugin**: New ElasticSearch database plugin issues
unique, short-lived ElasticSearch credentials.
* **New UI Features**: An HTTP Request Volume Page and new UI for editing LDAP
Users and Groups have been added.
* **HA support for Postgres**: PostgreSQL versions >= 9.5 may now but used as
and HA storage backend.
* **KMIP secrets engine (Enterprise)**: Allows Vault to operate as a KMIP Server,
seamlessly brokering cryptographic operations for traditional infrastructure.
IMPROVEMENTS:
* auth/jwt: A JWKS endpoint may now be configured for signature verification [JWT-43]
* auth/jwt: `bound_claims` will now match received claims that are lists if any element
of the list is one of the expected values [JWT-50]
* auth/jwt: Leeways for `nbf` and `exp` are now configurable, as is clock skew
leeway [JWT-53]
* auth/kubernetes: Allow service names/namespaces to be configured as globs
[KUBEAUTH-58]
* auth/token: Add a large set of token configuration options to token store
roles [GH-6662]
* identity: Allow a group alias' canonical ID to be modified
* namespaces: Namespaces can now be created and deleted from performance
replication secondaries
* replication: Client TLS authentication is now supported when enabling or
updating a replication secondary
* secrets/database: Cassandra operations will now cancel on client timeout
[GH-6954]
* storage/postgres: LIST now performs better on large datasets [GH-6546]
* ui: KV v1 and v2 will now gracefully degrade allowing a write without read
workflow in the UI [GH-6570]
* ui: Many visual improvements with the addition of Toolbars [GH-6626], the restyling
of the Confirm Action component [GH-6741], and using a new set of glyphs for our
Icon component [GH-6736]
* ui: Lazy loading parts of the application so that the total initial payload is
smaller [GH-6718]
* ui: Tabbing to auto-complete in filters will first complete a common prefix if there
is one [GH-6759]
* ui: Removing jQuery from the application makes the initial JS payload smaller [GH-6768]
BUG FIXES:
* auth/aws: Fix a case where a panic could stem from a malformed assumed-role ARN
when parsing this value [GH-6917]
* auth/aws: Fix an error complaining about a read-only view that could occur
during updating of a role when on a performance replication secondary
[GH-6926]
* auth/jwt: Fix a regression introduced in 1.1.1 that disabled checking of client_id
for OIDC logins [JWT-54]
* auth/jwt: Fix a panic during OIDC CLI logins that could occur if the Vault server
response is empty [JWT-55]
* identity: Fix a case where modifying aliases of an entity could end up
moving the entity into the wrong namespace
* namespaces: Fix a behavior (currently only known to be benign) where we
wouldn't delete policies through the official functions before wiping the
namespaces on deletion
* ui: Fix timestamp on some transit keys [GH-6827]
## 1.1.3 (June 5th, 2019) ## 1.1.3 (June 5th, 2019)
IMPROVEMENTS: IMPROVEMENTS: