open-vault/website/source/docs/upgrading/upgrade-to-1.1.1.html.md
2019-07-30 12:37:45 -04:00

layout: docs
page_title: Upgrading to Vault 1.1.1 - Guides
sidebar_title: Upgrade to 1.1.1
sidebar_current: docs-upgrading-to-1.1.1
description: This page contains the list of deprecations and important or breaking changes for Vault 1.1.1. Please read it carefully.

Overview

This page contains the list of deprecations and important or breaking changes for Vault 1.1.0 compared to 1.1.1. Please read it carefully.

Known Issues

Issue with some KVv2 mounts

There is a known issue that could cause the upgrade to 1.1.1 to fail under certain circumstances. This issue occurs when a KV version 2 mount exists but contains no data. This will be fixed in 1.1.2. Additionally, a workaround exists: prior to upgrading, ensure every KV v2 mount has at least one key written to it.

Change in LDAP Group CN handling

A bug fix to allow group CNs to be found from an LDAP server in lowercase cn as well as uppercase CN had an unintended consequence. Before the fix, if a group used lowercase cn, as in cn=foo,ou=bar, the CN would not be correctly found, so the group that needed to be put into place in the LDAP plugin to match against policies was the full DN, cn=foo,ou=bar. After the change, the CN is correctly found, but this results in the group name being parsed as foo, which does not match groups configured using the full DN. In 1.1.5+, there is a boolean config setting use_pre111_group_cn_behavior to allow reverting to the old matching behavior; we also attempt to upgrade existing configs to have that defaulted to true.
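The following added example (not code from Vault or from this page) models the change described above so that group mappings which silently stop matching can be found before upgrading. The names groupName and brokenByUpgrade are hypothetical, the sample data is constructed, and the model assumes exact string matching, looks only at the first RDN, and ignores escaped commas in DNs.

```go
package main

import (
	"fmt"
	"strings"
)

// groupName is a simplified model of the behavior this page describes, not
// Vault's implementation. pre111 selects the old matching behavior.
func groupName(dn string, pre111 bool) string {
	first := strings.SplitN(dn, ",", 2)[0]
	kv := strings.SplitN(first, "=", 2)
	if len(kv) != 2 {
		return dn
	}
	attr, val := strings.TrimSpace(kv[0]), strings.TrimSpace(kv[1])
	switch {
	case attr == "CN":
		return val // uppercase CN was found before and after the fix
	case strings.EqualFold(attr, "cn") && !pre111:
		return val // after the fix, lowercase cn is found as well
	}
	return dn // CN not found: the full DN is used as the group name
}

// brokenByUpgrade returns the configured group names that matched some LDAP
// group DN under the old behavior but match none under the new behavior.
func brokenByUpgrade(configured, ldapDNs []string) []string {
	var broken []string
	for _, name := range configured {
		oldHit, newHit := false, false
		for _, dn := range ldapDNs {
			oldHit = oldHit || groupName(dn, true) == name
			newHit = newHit || groupName(dn, false) == name
		}
		if oldHit && !newHit {
			broken = append(broken, name)
		}
	}
	return broken
}

func main() {
	// Constructed sample data: group names configured in the LDAP auth
	// method, and group DNs as returned by the directory.
	configured := []string{"cn=foo,ou=bar", "admins"}
	ldapDNs := []string{"cn=foo,ou=bar", "CN=admins,ou=bar"}
	fmt.Println(brokenByUpgrade(configured, ldapDNs)) // [cn=foo,ou=bar]
}
```

Any name this reports loses its policy mapping after the upgrade unless the group is re-created under the short name or, in 1.1.5+, use_pre111_group_cn_behavior is set to true.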

JWT/OIDC Plugin

Logins of role_type "oidc" via the /login path are no longer allowed.

ACL Wildcards

New ordering defines which policy wins when there are multiple inexact matches and at least one path contains +. +* is now illegal in policy paths. The previous behavior simply selected any segment-wildcard path that matched.

Replication

Due to technical limitations, mounting and unmounting were not previously possible from a performance secondary. These limitations have been resolved, and these operations may now be run from a performance secondary.