changelog++
This commit is contained in:
parent
01987f972c
commit
ab8d3e4a8a
358
CHANGELOG.md
@ -1,3 +1,171 @@
## 1.2.0 (July 30th, 2019)
|
||||
|
||||
CHANGES:
|
||||
|
||||
* Token store roles use new, common token fields for the values
|
||||
that overlap with other auth backends. `period`, `explicit_max_ttl`, and
|
||||
`bound_cidrs` will continue to work, with priority being given to the
|
||||
`token_` prefixed versions of those parameters. They will also be returned
|
||||
when doing a read on the role if they were used to provide values initially;
|
||||
however, in Vault 1.4 if `period` or `explicit_max_ttl` is zero they will no
|
||||
longer be returned. (`explicit_max_ttl` was already not returned if empty.)
|
||||
* Due to underlying changes in Go version 1.12 and Go > 1.11.5, Vault is now
|
||||
stricter about what characters it will accept in path names. Whereas before
|
||||
it would filter out unprintable characters (and this could be turned off),
|
||||
control characters and other invalid characters are now rejected within Go's
|
||||
HTTP library before the request is passed to Vault, and this cannot be
|
||||
disabled. To continue using these (e.g. for already-written paths), they
|
||||
must be properly percent-encoded (e.g. `\r` becomes `%0D`, `\x00` becomes
|
||||
`%00`, and so on).
|
||||
* The user-configured regions on the AWSKMS seal stanza will now be preferred
|
||||
over regions set in the enclosing environment. This is a _breaking_ change.
|
||||
* All values in audit logs now are omitted if they are empty. This helps
|
||||
reduce the size of audit log entries by not reproducing keys in each entry
|
||||
that commonly don't contain any value, which can help in cases where audit
|
||||
log entries are above the maximum UDP packet size and others.
|
||||
* Both PeriodicFunc and WALRollback functions will be called if both are
|
||||
provided. Previously WALRollback would only be called if PeriodicFunc was
|
||||
not set. See [GH-6717](https://github.com/hashicorp/vault/pull/6717) for
|
||||
details.
|
||||
* Vault now uses Go's official dependency management system, Go Modules, to
|
||||
manage dependencies. As a result to both reduce transitive dependencies for
|
||||
API library users and plugin authors, and to work around various conflicts,
|
||||
we have moved various helpers around, mostly under an `sdk/` submodule. A
|
||||
couple of functions have also moved from plugin helper code to the `api/`
|
||||
submodule. If you are a plugin author, take a look at some of our official
|
||||
plugins and the paths they are importing for guidance.
|
||||
* AppRole uses new, common token fields for values that overlap
|
||||
with other auth backends. `period` and `policies` will continue to work,
|
||||
with priority being given to the `token_` prefixed versions of those
|
||||
parameters. They will also be returned when doing a read on the role if they
|
||||
were used to provide values initially.
|
||||
* In AppRole, `"default"` is no longer automatically added to the `policies`
|
||||
parameter. This was a no-op since it would always be added anyways by
|
||||
Vault's core; however, this can now be explicitly disabled with the new
|
||||
`token_no_default_policy` field.
|
||||
* In AppRole, `bound_cidr_list` is no longer returned when reading a role
|
||||
* rollback: Rollback will no longer display log messages when it runs; it will
|
||||
only display messages on error.
|
||||
* Database plugins will now default to 4 `max_open_connections`
|
||||
rather than 2.
|
||||
|
||||
FEATURES:
|
||||
|
||||
* **Integrated Storage**: Vault 1.2 includes a _tech preview_ of a new way to
|
||||
manage storage directly within a Vault cluster. This new integrated storage
|
||||
solution is based on the Raft protocol which is also used to back HashiCorp
|
||||
Consul and HashiCorp Nomad.
|
||||
* **Combined DB credential rotation**: Alternative mode for the Combined DB
|
||||
Secret Engine to automatically rotate existing database account credentials
|
||||
and set Vault as the source of truth for credentials.
|
||||
* **Identity Tokens**: Vault's Identity system can now generate OIDC-compliant
|
||||
ID tokens. These customizable tokens allow encapsulating a signed, verifiable
|
||||
snapshot of identity information and metadata. They can be use by other
|
||||
applications—even those without Vault authorization—as a way of establishing
|
||||
identity based on a Vault entity.
|
||||
* **Pivotal Cloud Foundry plugin**: New auth method using Pivotal Cloud
|
||||
Foundry certificates for Vault authentication.
|
||||
* **ElasticSearch database plugin**: New ElasticSearch database plugin issues
|
||||
unique, short-lived ElasticSearch credentials.
|
||||
* **New UI Features**: An HTTP Request Volume Page and new UI for editing LDAP
|
||||
Users and Groups have been added.
|
||||
* **HA support for Postgres**: PostgreSQL versions >= 9.5 may now but used as
|
||||
and HA storage backend.
|
||||
* **KMIP secrets engine (Enterprise)**: Allows Vault to operate as a KMIP
|
||||
Server, seamlessly brokering cryptographic operations for traditional
|
||||
infrastructure.
|
||||
* Common Token Fields: Auth methods now use common fields for controlling
|
||||
token behavior, making it easier to understand configuration across methods.
|
||||
* **Vault API explorer**: The Vault UI now includes an embedded API explorer
|
||||
where you can browse the endpoints avaliable to you and make requests. To try
|
||||
it out, open the Web CLI and type `api`.
|
||||
|
||||
IMPROVEMENTS:
|
||||
|
||||
* agent: Allow EC2 nonce to be passed in [GH-6953]
|
||||
* agent: Add optional `namespace` parameter, which sets the default namespace
|
||||
for the auto-auth functionality [GH-6988]
|
||||
* api: Add support for passing data to delete operations via `DeleteWithData`
|
||||
[GH-7139]
|
||||
* audit/file: Dramatically speed up file operations by changing
|
||||
locking/marshaling order [GH-7024]
|
||||
* auth/jwt: A JWKS endpoint may now be configured for signature verification [JWT-43]
|
||||
* auth/jwt: A new `verbose_oidc_logging` role parameter has been added to help
|
||||
troubleshoot OIDC configuration [JWT-57]
|
||||
* auth/jwt: `bound_claims` will now match received claims that are lists if any element
|
||||
of the list is one of the expected values [JWT-50]
|
||||
* auth/jwt: Leeways for `nbf` and `exp` are now configurable, as is clock skew
|
||||
leeway [JWT-53]
|
||||
* auth/kubernetes: Allow service names/namespaces to be configured as globs
|
||||
[KUBEAUTH-58]
|
||||
* auth/token: Allow the support of the identity system for the token backend
|
||||
via token roles [GH-6267]
|
||||
* auth/token: Add a large set of token configuration options to token store
|
||||
roles [GH-6662]
|
||||
* cli: `path-help` now allows `-format=json` to be specified, which will
|
||||
output OpenAPI [GH-7006]
|
||||
* cli: Add support for passing parameters to `vault delete` operations
|
||||
[GH-7139]
|
||||
* cli: Add a log-format CLI flag that can specify either "standard" or "json"
|
||||
for the log format for the `vault server`command. [GH-6840]
|
||||
* cli: Add `-dev-no-store-token` to allow dev servers to not store the
|
||||
generated token at the tokenhelper location [GH-7104]
|
||||
* identity: Allow a group alias' canonical ID to be modified
|
||||
* namespaces: Namespaces can now be created and deleted from performance
|
||||
replication secondaries
|
||||
* plugins: Change the default for `max_open_connections` for DB plugins to 4
|
||||
[GH-7093]
|
||||
* replication: Client TLS authentication is now supported when enabling or
|
||||
updating a replication secondary
|
||||
* secrets/database: Cassandra operations will now cancel on client timeout
|
||||
[GH-6954]
|
||||
* secrets/kv: Add optional `delete_version_after` parameter, which takes a
|
||||
duration and can be set on the mount and/or the metadata for a specific key
|
||||
[GH-7005]
|
||||
* storage/postgres: LIST now performs better on large datasets [GH-6546]
|
||||
* storage/s3: A new `path` parameter allows selecting the path within a bucket
|
||||
for Vault data [GH-7157]
|
||||
* ui: KV v1 and v2 will now gracefully degrade allowing a write without read
|
||||
workflow in the UI [GH-6570]
|
||||
* ui: Many visual improvements with the addition of Toolbars [GH-6626], the restyling
|
||||
of the Confirm Action component [GH-6741], and using a new set of glyphs for our
|
||||
Icon component [GH-6736]
|
||||
* ui: Lazy loading parts of the application so that the total initial payload is
|
||||
smaller [GH-6718]
|
||||
* ui: Tabbing to auto-complete in filters will first complete a common prefix if there
|
||||
is one [GH-6759]
|
||||
* ui: Removing jQuery from the application makes the initial JS payload smaller [GH-6768]
|
||||
|
||||
BUG FIXES:
|
||||
|
||||
* audit: Log requests and responses due to invalid wrapping token provided
|
||||
[GH-6541]
|
||||
* auth/aws: AWS Roles are now upgraded and saved to the latest version just
|
||||
after the AWS credential plugin is mounted. [GH-7025]
|
||||
* auth/aws: Fix a case where a panic could stem from a malformed assumed-role ARN
|
||||
when parsing this value [GH-6917]
|
||||
* auth/aws: Fix an error complaining about a read-only view that could occur
|
||||
during updating of a role when on a performance replication secondary
|
||||
[GH-6926]
|
||||
* auth/jwt: Fix a regression introduced in 1.1.1 that disabled checking of client_id
|
||||
for OIDC logins [JWT-54]
|
||||
* auth/jwt: Fix a panic during OIDC CLI logins that could occur if the Vault server
|
||||
response is empty [JWT-55]
|
||||
* auth/jwt: Fix issue where OIDC logins might intermittently fail when using
|
||||
performance standbys [JWT-61]
|
||||
* identity: Fix a case where modifying aliases of an entity could end up
|
||||
moving the entity into the wrong namespace
|
||||
* namespaces: Fix a behavior (currently only known to be benign) where we
|
||||
wouldn't delete policies through the official functions before wiping the
|
||||
namespaces on deletion
|
||||
* secrets/pki: Forward revocation requests to active node when on a
|
||||
performance standby [GH-7173]
|
||||
* ui: Fix timestamp on some transit keys [GH-6827]
|
||||
* ui: Show Entities and Groups in Side Navigation [GH-7138]
|
||||
* ui: Ensure dropdown updates selected item on HTTP Request Metrics page
|
||||
* secret/database: Escape username/password before using in connection URL
|
||||
[GH-7089]
|
||||
|
||||
## 1.1.4/1.1.5 (July 25th/30th, 2019)
|
||||
|
||||
NOTE:
|
||||
|
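Review bot: the 1.2.0 CHANGES list carries the `max_open_connections` default change twice, once as its last bullet ("Database plugins will now default to 4 `max_open_connections` rather than 2.") and again under IMPROVEMENTS as "plugins: Change the default for `max_open_connections` for DB plugins to 4 [GH-7093]"; keep one of them. The consolidation also dropped the `auth/token:` and `auth/approle:` prefixes that the beta1/beta2 entries carried, so the token-store-roles bullet and the three AppRole bullets are now the only CHANGES entries without a component prefix while `rollback:` keeps its, and the `secret/database:` bug-fix bullet should read `secrets/database:` to match the IMPROVEMENTS entry. Typos in the added text to fix before release: "They can be use by other applications" (used), "may now but used as and HA storage backend" (may now be used as an HA storage backend), "avaliable" (available), and "`vault server`command" is missing a space; the "Common Token Fields" FEATURES bullet is also the only one whose title is not bolded.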
@ -40,196 +208,6 @@ BUG FIXES:
|
|||
unix sockets [GH-6859]
|
||||
* ui: Fix saving of TTL and string array fields generated by Open API [GH-7094]
|
||||
|
||||
## 1.2.0-rc1 (July 25th, 2019)
|
||||
|
||||
CHANGES:
|
||||
|
||||
* rollback: Rollback will no longer display log messages when it runs; it will
|
||||
only display messages on error.
|
||||
* plugins: Database plugins will now default to 4 `max_open_connections`
|
||||
rather than 2.
|
||||
|
||||
IMPROVEMENTS:
|
||||
|
||||
* api: Add support for passing data to delete operations via `DeleteWithData`
|
||||
[GH-7139]
|
||||
* cli: Add support for passing parameters to `vault delete` operations
|
||||
[GH-7139]
|
||||
* cli: Add a log-format CLI flag that can specify either "standard" or "json"
|
||||
for the log format for the `vault server`command. [GH-6840]
|
||||
* cli: Add `-dev-no-store-token` to allow dev servers to not store the
|
||||
generated token at the tokenhelper location [GH-7104]
|
||||
* plugins: Change the default for `max_open_connections` for DB plugins to 4
|
||||
[GH-7093]
|
||||
* storage/s3: A new `path` parameter allows selecting the path within a bucket
|
||||
for Vault data [GH-7157]
|
||||
|
||||
BUG FIXES:
|
||||
|
||||
* audit: Log requests and responses due to invalid wrapping token provided
|
||||
[GH-6541]
|
||||
* auth/aws: AWS Roles are now upgraded and saved to the latest version just
|
||||
after the AWS credential plugin is mounted. [GH-7025]
|
||||
* auth/jwt: Fix issue where OIDC logins might intermittently fail when using
|
||||
performance standbys [JWT-61]
|
||||
* secrets/pki: Forward revocation requests to active node when on a
|
||||
performance standby [GH-7173]
|
||||
* ui: Show Entities and Groups in Side Navigation [GH-7138]
|
||||
* ui: Ensure dropdown updates selected item on HTTP Request Metrics page
|
||||
|
||||
## 1.2.0-beta2 (July 9th, 2019)
|
||||
|
||||
CHANGES:
|
||||
|
||||
* auth/approle: AppRole uses new, common token fields for values that overlap
|
||||
with other auth backends. `period` and `policies` will continue to work,
|
||||
with priority being given to the `token_` prefixed versions of those
|
||||
parameters. They will also be returned when doing a read on the role if they
|
||||
were used to provide values initially.
|
||||
* auth/approle: `"default"` is no longer automatically added to the `policies`
|
||||
parameter. This was a no-op since it would always be added anyways by
|
||||
Vault's core; however, this can now be explicitly disabled with the new
|
||||
`token_no_default_policy` field.
|
||||
* auth/approle: `bound_cidr_list` is no longer returned when reading a role
|
||||
|
||||
FEATURES:
|
||||
|
||||
* **Integrated Storage**: Vault 1.2 includes a tech preview of a new way to
|
||||
manage storage directly within a Vault cluster. This new integrated storage
|
||||
solution is based on the Raft protocol which is also used to back HashiCorp
|
||||
Consul and HashiCorp Nomad.
|
||||
* **Vault API explorer**: The Vault UI now includes an embedded API explorer
|
||||
where you can browse the endpoints avaliable to you and make requests. To try
|
||||
it out, open the Web CLI and type `api`.
|
||||
|
||||
IMPROVEMENTS:
|
||||
|
||||
* agent: Allow EC2 nonce to be passed in [GH-6953]
|
||||
* agent: Add optional `namespace` parameter, which sets the default namespace
|
||||
for the auto-auth functionality [GH-6988]
|
||||
* audit/file: Dramatically speed up file operations by changing
|
||||
locking/marshaling order [GH-7024]
|
||||
* auth/jwt: A new `verbose_oidc_logging` role parameter has been added to help
|
||||
troubleshoot OIDC configuration [JWT-57]
|
||||
* auth/token: Allow the support of the identity system for the token backend
|
||||
via token roles [GH-6267]
|
||||
* cli: `path-help` now allows `-format=json` to be specified, which will
|
||||
output OpenAPI [GH-7006]
|
||||
* secrets/kv: Add optional `delete_version_after` parameter, which takes a
|
||||
duration and can be set on the mount and/or the metadata for a specific key
|
||||
[GH-7005]
|
||||
|
||||
BUG FIXES:
|
||||
|
||||
* secret/database: Escape username/password before using in connection URL
|
||||
[GH-7089]
|
||||
|
||||
## 1.2.0-beta1 (June 25th, 2019)
|
||||
|
||||
CHANGES:
|
||||
|
||||
* auth/token: Token store roles use new, common token fields for the values
|
||||
that overlap with other auth backends. `period`, `explicit_max_ttl`, and
|
||||
`bound_cidrs` will continue to work, with priority being given to the
|
||||
`token_` prefixed versions of those parameters. They will also be returned
|
||||
when doing a read on the role if they were used to provide values initially;
|
||||
however, in Vault 1.4 if `period` or `explicit_max_ttl` is zero they will no
|
||||
longer be returned. (`explicit_max_ttl` was already not returned if empty.)
|
||||
* Due to underlying changes in Go version 1.12 and Go > 1.11.5, Vault is now
|
||||
stricter about what characters it will accept in path names. Whereas before
|
||||
it would filter out unprintable characters (and this could be turned off),
|
||||
control characters and other invalid characters are now rejected within Go's
|
||||
HTTP library before the request is passed to Vault, and this cannot be
|
||||
disabled. To continue using these (e.g. for already-written paths), they
|
||||
must be properly percent-encoded (e.g. `\r` becomes `%0D`, `\x00` becomes
|
||||
`%00`, and so on).
|
||||
* The user-configured regions on the AWSKMS seal stanza will now be preferred
|
||||
over regions set in the enclosing environment. This is a _breaking_ change.
|
||||
* All values in audit logs now are omitted if they are empty. This helps
|
||||
reduce the size of audit log entries by not reproducing keys in each entry
|
||||
that commonly don't contain any value, which can help in cases where audit
|
||||
log entries are above the maximum UDP packet size and others.
|
||||
* Both PeriodicFunc and WALRollback functions will be called if both are
|
||||
provided. Previously WALRollback would only be called if PeriodicFunc was
|
||||
not set. See [GH-6717](https://github.com/hashicorp/vault/pull/6717) for
|
||||
details.
|
||||
* Vault now uses Go's official dependency management system, Go Modules, to
|
||||
manage dependencies. As a result to both reduce transitive dependencies for
|
||||
API library users and plugin authors, and to work around various conflicts,
|
||||
we have moved various helpers around, mostly under an `sdk/` submodule. A
|
||||
couple of functions have also moved from plugin helper code to the `api/`
|
||||
submodule. If you are a plugin author, take a look at some of our official
|
||||
plugins and the paths they are importing for guidance.
|
||||
|
||||
FEATURES:
|
||||
|
||||
* **Combined DB credential rotation**: Alternative mode for the Combined DB
|
||||
Secret Engine to automatically rotate existing database account credentials
|
||||
and set Vault as the source of truth for credentials.
|
||||
* **Identity Tokens**: Vault's Identity system can now generate OIDC-compliant
|
||||
ID tokens. These customizable tokens allow encapsulating a signed, verifiable
|
||||
snapshot of identity information and metadata. They can be use by other
|
||||
applications—even those without Vault authorization—as a way of establishing
|
||||
identity based on a Vault entity.
|
||||
* **Pivotal Cloud Foundry plugin**: New auth method using Pivotal Cloud
|
||||
Foundry certificates for Vault authentication.
|
||||
* **ElasticSearch database plugin**: New ElasticSearch database plugin issues
|
||||
unique, short-lived ElasticSearch credentials.
|
||||
* **New UI Features**: An HTTP Request Volume Page and new UI for editing LDAP
|
||||
Users and Groups have been added.
|
||||
* **HA support for Postgres**: PostgreSQL versions >= 9.5 may now but used as
|
||||
and HA storage backend.
|
||||
* **KMIP secrets engine (Enterprise)**: Allows Vault to operate as a KMIP Server,
|
||||
seamlessly brokering cryptographic operations for traditional infrastructure.
|
||||
|
||||
IMPROVEMENTS:
|
||||
|
||||
* auth/jwt: A JWKS endpoint may now be configured for signature verification [JWT-43]
|
||||
* auth/jwt: `bound_claims` will now match received claims that are lists if any element
|
||||
of the list is one of the expected values [JWT-50]
|
||||
* auth/jwt: Leeways for `nbf` and `exp` are now configurable, as is clock skew
|
||||
leeway [JWT-53]
|
||||
* auth/kubernetes: Allow service names/namespaces to be configured as globs
|
||||
[KUBEAUTH-58]
|
||||
* auth/token: Add a large set of token configuration options to token store
|
||||
roles [GH-6662]
|
||||
* identity: Allow a group alias' canonical ID to be modified
|
||||
* namespaces: Namespaces can now be created and deleted from performance
|
||||
replication secondaries
|
||||
* replication: Client TLS authentication is now supported when enabling or
|
||||
updating a replication secondary
|
||||
* secrets/database: Cassandra operations will now cancel on client timeout
|
||||
[GH-6954]
|
||||
* storage/postgres: LIST now performs better on large datasets [GH-6546]
|
||||
* ui: KV v1 and v2 will now gracefully degrade allowing a write without read
|
||||
workflow in the UI [GH-6570]
|
||||
* ui: Many visual improvements with the addition of Toolbars [GH-6626], the restyling
|
||||
of the Confirm Action component [GH-6741], and using a new set of glyphs for our
|
||||
Icon component [GH-6736]
|
||||
* ui: Lazy loading parts of the application so that the total initial payload is
|
||||
smaller [GH-6718]
|
||||
* ui: Tabbing to auto-complete in filters will first complete a common prefix if there
|
||||
is one [GH-6759]
|
||||
* ui: Removing jQuery from the application makes the initial JS payload smaller [GH-6768]
|
||||
|
||||
BUG FIXES:
|
||||
|
||||
* auth/aws: Fix a case where a panic could stem from a malformed assumed-role ARN
|
||||
when parsing this value [GH-6917]
|
||||
* auth/aws: Fix an error complaining about a read-only view that could occur
|
||||
during updating of a role when on a performance replication secondary
|
||||
[GH-6926]
|
||||
* auth/jwt: Fix a regression introduced in 1.1.1 that disabled checking of client_id
|
||||
for OIDC logins [JWT-54]
|
||||
* auth/jwt: Fix a panic during OIDC CLI logins that could occur if the Vault server
|
||||
response is empty [JWT-55]
|
||||
* identity: Fix a case where modifying aliases of an entity could end up
|
||||
moving the entity into the wrong namespace
|
||||
* namespaces: Fix a behavior (currently only known to be benign) where we
|
||||
wouldn't delete policies through the official functions before wiping the
|
||||
namespaces on deletion
|
||||
* ui: Fix timestamp on some transit keys [GH-6827]
|
||||
|
||||
## 1.1.3 (June 5th, 2019)
|
||||
|
||||
IMPROVEMENTS:
|