open-vault/website/content/docs/upgrading/upgrade-to-1.1.1.mdx

69 lines
2.8 KiB
Plaintext

---
layout: docs
page_title: Upgrading to Vault 1.1.1 - Guides
description: |-
This page contains the list of deprecations and important or breaking changes
for Vault 1.1.1. Please read it carefully.
---
# Overview
This page contains the list of deprecations and important or breaking changes
for Vault 1.1.0 compared to 1.1.1. Please read it carefully.
## Known issues
### Issue with some KVv2 mounts
There is a known issue that could cause the upgrade to 1.1.1 to fail under
certain circumstances. This issue occurs when a KV version 2 mount exists but
contains no data. This will be fixed in 1.1.2. Additionally a work around does
exist: prior to upgrading ensure all KV v2 mounts have at least one key written
to it.
### Change in LDAP group CN handling
A bug fix to allow group CNs to be found from an LDAP server in lowercase `cn`
as well as uppercase `CN` had an unintended consequence. If prior to that a
group used `cn`, as in `cn=foo,ou=bar` then the group that would need to be put
into place in the LDAP plugin to match against policies is `cn=foo,ou=bar`
since the CN would not be correctly found. After the change, the CN was
correctly found, but this would result in the group name being parsed as `foo`
and would not match groups using the full DN. In 1.1.5+, there is a boolean
config setting `use_pre111_group_cn_behavior` to allow reverting to the old
matching behavior; we also attempt to upgrade exiting configs to have that
defaulted to true.
### Long WAL replay
-> **NOTE:** This is a known issue applicable to _Vault Enterprise_.
During upgrades to 1.1.0, 1.1.1 or 1.1.2, Vault replication secondaries may
require an automatically-triggered reindex, either if upgrading from a pre-0.8
version of Vault or if a previously-issued reindex operation has failed in the
past. In these reindex scenarios, the secondary cluster will perform a complete
WAL replay, which can take a long time and is a partially blocking operation.
This is fixed in [Vault
1.1.3](https://github.com/hashicorp/vault/blob/main/CHANGELOG.md#113-june-5th-2019),
and we recommend upgrading to Vault 1.1.3+ rather than any prior 1.1.x version.
We also strongly recommend upgrading your Vault cluster to 1.1.3 if you are
running Vault Enterprise 1.1.0, 1.1.1 or 1.1.2.
## JWT/OIDC plugin
Logins of role_type "oidc" via the /login path are no longer allowed.
## ACL wildcards
New ordering defines which policy wins when there are multiple inexact matches
and at least one path contains `+`. `+*` is now illegal in policy paths. The
previous behavior simply selected any matching segment-wildcard path that
matched.
## Replication
Due to technical limitations, mounting and unmounting was not previously
possible from a performance secondary. These have been resolved, and these
operations may now be run from a performance secondary.