1286 lines
66 KiB
Markdown
1286 lines
66 KiB
Markdown
## 1.3 (Unreleased)
|
|
|
|
FEATURES:
|
|
|
|
* **Vault Debug**: A new top-level subcommand, `debug`, is added that allows
|
|
operators to retrieve debugging information related to a particular Vault
|
|
node. Operators can use this simple workflow to capture triaging information,
|
|
which can then be consumed programmatically or by support and engineering teams.
|
|
It has the abilitity to probe for config, host, metrics, pprof, server status,
|
|
and replication status.
|
|
* **Recovery Mode**: Vault server can be brought up in recovery mode to resolve
|
|
outages caused due to data store being in bad state. This is a privileged mode
|
|
that allows `sys/raw` API calls to perform surgical corrections to the data
|
|
store. Bad storage state can be caused by bugs. However, this is usually
|
|
observed when known (and fixed) bugs are hit by older versions of Vault.
|
|
* **Entropy Augmentation (Enterprise)**: Vault now supports sourcing entropy from
|
|
external source for critical security parameters. Currently an HSM that
|
|
supports PKCS#11 is the only supported source.
|
|
* **Active Directory Secret Check-In/Check-Out**: In the Active Directory secrets
|
|
engine, users or applications can check out a service account for use, and its
|
|
password will be rotated when it's checked back in.
|
|
* **Vault Agent Template** Vault Agent now supports rendering templates containing
|
|
Vault secrets to disk, similar to Consul Template [GH-7652]
|
|
* **Transit Key Type Support**: Signing and verification is now supported with the P-384
|
|
(secp384r1) and P-521 (secp521r1) ECDSA curves [GH-7551] and encryption and
|
|
decryption is now supported via AES128-GCM96 [GH-7555]
|
|
* **SSRF Protection for Vault Agent**: Vault Agent has a configuration option to
|
|
require a specific header beffore allowing requests [GH-7627]
|
|
* **AWS Auth Method Root Rotation**: The credential used by the AWS auth method can
|
|
now be rotated, to ensure that only Vault knows the credentials it is using [GH-7131]
|
|
* **New UI Features** The UI now supports managing users and groups for the
|
|
Userpass, Cert, Okta, and Radius auth methods.
|
|
* **Shamir with Stored Master Key** The on disk format for Shamir seals has changed,
|
|
allowing for a secondary cluster using Shamir downstream from a primary cluster
|
|
using Auto Unseal. [GH-7694]
|
|
* **Stackdriver Metrics Sink**: Vault can now send metrics to
|
|
[Stackdriver](https://cloud.google.com/stackdriver/). See the [configuration
|
|
documentation](https://www.vaultproject.io/docs/config/index.html) for
|
|
details. [GH-6957]
|
|
|
|
IMPROVEMENTS:
|
|
|
|
* auth/jwt: The redirect callback host may now be specified for CLI logins
|
|
[JWT-71]
|
|
* auth/jwt: Bound claims may now contain boolean values [JWT-73]
|
|
* auth/jwt: CLI logins can now open the browser when running in WSL [JWT-77]
|
|
* core: Exit ScanView if context has been cancelled [GH-7419]
|
|
* core: re-encrypt barrier and recovery keys if the unseal key is updated
|
|
[GH-7493]
|
|
* core (enterprise): Add background seal re-wrap
|
|
* core/metrics: Add config parameter to allow unauthenticated sys/metrics
|
|
access. [GH-7550]
|
|
* replication (enterprise): Write-Ahead-Log entries will not duplicate the
|
|
data belonging to the encompassing physical entries of the transaction,
|
|
thereby improving the performance and storage capacity.
|
|
* replication (enterprise): added more replication metrics
|
|
* secrets/aws: The root config can now be read [GH-7245]
|
|
* secrets/aws: Role paths may now contain the '@' character [GH-7553]
|
|
* secrets/database/cassandra: Add ability to skip verfication of connection [GH-7614]
|
|
* storage/azure: Add config parameter to Azure storage backend to allow
|
|
specifying the ARM endpoint [GH-7567]
|
|
* storage/cassandra: Improve storage efficiency by eliminating unnecessary
|
|
copies of value data [GH-7199]
|
|
* storage/raft: Improve raft write performance by utilizing FSM Batching [GH-7527]
|
|
* storage/raft: Add support for non-voter nodes [GH-7634]
|
|
* sys: Add a new `sys/host-info` endpoint for querying information about
|
|
the host [GH-7330]
|
|
* sys: Add a new set of endpoints under `sys/pprof/` that allows profiling
|
|
information to be extracted [GH-7473]
|
|
* sys: Add endpoint that counts the total number of active identity entities [GH-7541]
|
|
* sys: `sys/seal-status` now has a `storage_type` field denoting what type of storage
|
|
the cluster is configured to use
|
|
* sys/config: Add a new endpoint under `sys/config/state/sanitized` that
|
|
returns the configuration state of the server. It excludes config values
|
|
from `storage`, `ha_storage`, and `seal` stanzas and some values
|
|
from `telemetry` due to potential sensitive entries in those fields.
|
|
* ui: when using raft storage, you can now join a raft cluster, download a
|
|
snapshot, and restore a snapshot from the UI [GH-7410]
|
|
* ui: clarify when secret version is deleted in the secret version history dropdown [GH-7714]
|
|
* sys: Add a new `sys/internal/counters/tokens` endpoint, that counts the
|
|
total number of active service token accessors in the shared token storage.
|
|
[GH-7541]
|
|
|
|
BUG FIXES:
|
|
|
|
* agent: Fix a data race on the token value for inmemsink [GH-7707]
|
|
* auth/gcp: Fix a bug where region information in instance groups names could
|
|
cause an authorization attempt to fail [GCP-74]
|
|
* cli: Fix a bug where a token of an unknown format (e.g. in ~/.vault-token)
|
|
could cause confusing error messages during `vault login` [GH-7508]
|
|
* cli: Fix a bug where the `namespace list` command with JSON formatting
|
|
always returned an empty object [GH-7705]
|
|
* identity (enterprise): Fixed identity case sensitive loading in secondary
|
|
cluster [GH-7327]
|
|
* raft: Fixed VAULT_CLUSTER_ADDR env being ignored at startup [GH-7619]
|
|
* ui: using the `wrapped_token` query param will work with `redirect_to` and
|
|
will automatically log in as intended [GH-7398]
|
|
* ui: fix an error when initializing from the UI using PGP keys [GH-7542]
|
|
* ui: show all active kv v2 secret versions even when `delete_version_after` is configured [GH-7685]
|
|
* cli: Command timeouts are now always specified solely by the
|
|
`VAULT_CLIENT_TIMEOUT` value. [GH-7469]
|
|
|
|
## 1.2.4 (Unreleased)
|
|
|
|
CHANGES:
|
|
|
|
* auth/aws: If a custom `sts_endpoint` is configured, Vault Agent and the CLI
|
|
should provide the corresponding region via the `region` parameter (which
|
|
already existed as a CLI parameter, and has now been added to Agent). The
|
|
automatic region detection added to the CLI and Agent in 1.2 has been removed.
|
|
|
|
IMPROVEMENTS:
|
|
* cli: Ignore existing token during CLI login [GH-7508]
|
|
* core: Log proxy settings from environment on startup [GH-7528]
|
|
* core: Cache whether we've been initialized to reduce load on storage [GH-7549]
|
|
|
|
BUG FIXES:
|
|
|
|
* agent: Fix handling of gzipped responses [GH-7470]
|
|
* cli: Fix panic when pgp keys list is empty [GH-7546]
|
|
* core: add hook for initializing seals for migration [GH-7666]
|
|
* core (enterprise): Migrating from one auto unseal method to another never
|
|
worked on enterprise, now it does.
|
|
* identity: Add required field `response_types_supported` to identity token
|
|
`.well-known/openid-configuration` response [GH-7533]
|
|
* identity: Fixed nil pointer panic when merging entities [GH-7712]
|
|
* secrets/database: Fix bug in combined DB secrets engine that can result in
|
|
writes to static-roles endpoints timing out [GH-7518]
|
|
* secrets/pki: Improve tidy to continue when value is nil [GH-7589]
|
|
* ui (Enterprise): Allow kv v2 secrets that are gated by Control Groups to be
|
|
viewed in the UI [GH-7504]
|
|
* cli: Command timeouts are now always specified solely by the
|
|
`VAULT_CLIENT_TIMEOUT` value. [GH-7469]
|
|
|
|
## 1.2.3 (September 12, 2019)
|
|
|
|
FEATURES:
|
|
|
|
* **Oracle Cloud (OCI) Integration**: Vault now support using Oracle Cloud for
|
|
storage, auto unseal, and authentication.
|
|
|
|
IMPROVEMENTS:
|
|
|
|
* auth/jwt: Groups claim matching now treats a string response as a single
|
|
element list [JWT-63]
|
|
* auth/kubernetes: enable better support for projected tokens API by allowing
|
|
user to specify issuer [GH-65]
|
|
* auth/pcf: The PCF auth plugin was renamed to the CF auth plugin, maintaining
|
|
full backwards compatibility [GH-7346]
|
|
* replication: Premium packages now come with unlimited performance standby
|
|
nodes
|
|
|
|
BUG FIXES:
|
|
|
|
* agent: Allow batch tokens and other non-renewable tokens to be used for
|
|
agent operations [GH-7441]
|
|
* auth/jwt: Fix an error where newer (v1.2) token_* configuration parameters
|
|
were not being applied to tokens generated using the OIDC login flow
|
|
[JWT-67]
|
|
* seal/transit: Allow using Vault Agent for transit seal operations [GH-7441]
|
|
* storage/couchdb: Fix a file descriptor leak [GH-7345]
|
|
* ui: Fix a bug where the status menu would disappear when trying to revoke a
|
|
token [GH-7337]
|
|
* ui: Fix a regression that prevented input of custom items in search-select
|
|
[GH-7338]
|
|
* ui: Fix an issue with the namespace picker being unable to render nested
|
|
namespaces named with numbers and sorting of namespaces in the picker
|
|
[GH-7333]
|
|
|
|
## 1.2.2 (August 15, 2019)
|
|
|
|
CHANGES:
|
|
|
|
* auth/pcf: The signature format has been updated to use the standard Base64
|
|
encoding instead of the URL-safe variant. Signatures created using the
|
|
previous format will continue to be accepted [PCF-27]
|
|
* core: The http response code returned when an identity token key is not found
|
|
has been changed from 400 to 404
|
|
|
|
IMPROVEMENTS:
|
|
|
|
* identity: Remove 512 entity limit for groups [GH-7317]
|
|
|
|
BUG FIXES:
|
|
|
|
* auth/approle: Fix an error where an empty `token_type` string was not being
|
|
correctly handled as `TokenTypeDefault` [GH-7273]
|
|
* auth/radius: Fix panic when logging in [GH-7286]
|
|
* ui: the string-list widget will now honor multiline input [GH-7254]
|
|
* ui: various visual bugs in the KV interface were addressed [GH-7307]
|
|
* ui: fixed incorrect URL to access help in LDAP auth [GH-7299]
|
|
|
|
## 1.2.1 (August 6th, 2019)
|
|
|
|
BUG FIXES:
|
|
|
|
* agent: Fix a panic on creds pulling in some error conditions in `aws` and
|
|
`alicloud` auth methods [GH-7238]
|
|
* auth/approle: Fix error reading role-id on a role created pre-1.2 [GH-7231]
|
|
* auth/token: Fix sudo check in non-root namespaces on create [GH-7224]
|
|
* core: Fix health checks with perfstandbyok=true returning the wrong status
|
|
code [GH-7240]
|
|
* ui: The web CLI will now parse input as a shell string, with special
|
|
characters escaped [GH-7206]
|
|
* ui: The UI will now redirect to a page after authentication [GH-7088]
|
|
* ui (Enterprise): The list of namespaces is now cleared when logging
|
|
out [GH-7186]
|
|
|
|
## 1.2.0 (July 30th, 2019)
|
|
|
|
CHANGES:
|
|
|
|
* Token store roles use new, common token fields for the values
|
|
that overlap with other auth backends. `period`, `explicit_max_ttl`, and
|
|
`bound_cidrs` will continue to work, with priority being given to the
|
|
`token_` prefixed versions of those parameters. They will also be returned
|
|
when doing a read on the role if they were used to provide values initially;
|
|
however, in Vault 1.4 if `period` or `explicit_max_ttl` is zero they will no
|
|
longer be returned. (`explicit_max_ttl` was already not returned if empty.)
|
|
* Due to underlying changes in Go version 1.12 and Go > 1.11.5, Vault is now
|
|
stricter about what characters it will accept in path names. Whereas before
|
|
it would filter out unprintable characters (and this could be turned off),
|
|
control characters and other invalid characters are now rejected within Go's
|
|
HTTP library before the request is passed to Vault, and this cannot be
|
|
disabled. To continue using these (e.g. for already-written paths), they
|
|
must be properly percent-encoded (e.g. `\r` becomes `%0D`, `\x00` becomes
|
|
`%00`, and so on).
|
|
* The user-configured regions on the AWSKMS seal stanza will now be preferred
|
|
over regions set in the enclosing environment. This is a _breaking_ change.
|
|
* All values in audit logs now are omitted if they are empty. This helps
|
|
reduce the size of audit log entries by not reproducing keys in each entry
|
|
that commonly don't contain any value, which can help in cases where audit
|
|
log entries are above the maximum UDP packet size and others.
|
|
* Both PeriodicFunc and WALRollback functions will be called if both are
|
|
provided. Previously WALRollback would only be called if PeriodicFunc was
|
|
not set. See [GH-6717](https://github.com/hashicorp/vault/pull/6717) for
|
|
details.
|
|
* Vault now uses Go's official dependency management system, Go Modules, to
|
|
manage dependencies. As a result to both reduce transitive dependencies for
|
|
API library users and plugin authors, and to work around various conflicts,
|
|
we have moved various helpers around, mostly under an `sdk/` submodule. A
|
|
couple of functions have also moved from plugin helper code to the `api/`
|
|
submodule. If you are a plugin author, take a look at some of our official
|
|
plugins and the paths they are importing for guidance.
|
|
* AppRole uses new, common token fields for values that overlap
|
|
with other auth backends. `period` and `policies` will continue to work,
|
|
with priority being given to the `token_` prefixed versions of those
|
|
parameters. They will also be returned when doing a read on the role if they
|
|
were used to provide values initially.
|
|
* In AppRole, `"default"` is no longer automatically added to the `policies`
|
|
parameter. This was a no-op since it would always be added anyways by
|
|
Vault's core; however, this can now be explicitly disabled with the new
|
|
`token_no_default_policy` field.
|
|
* In AppRole, `bound_cidr_list` is no longer returned when reading a role
|
|
* rollback: Rollback will no longer display log messages when it runs; it will
|
|
only display messages on error.
|
|
* Database plugins will now default to 4 `max_open_connections`
|
|
rather than 2.
|
|
|
|
FEATURES:
|
|
|
|
* **Integrated Storage**: Vault 1.2 includes a _tech preview_ of a new way to
|
|
manage storage directly within a Vault cluster. This new integrated storage
|
|
solution is based on the Raft protocol which is also used to back HashiCorp
|
|
Consul and HashiCorp Nomad.
|
|
* **Combined DB credential rotation**: Alternative mode for the Combined DB
|
|
Secret Engine to automatically rotate existing database account credentials
|
|
and set Vault as the source of truth for credentials.
|
|
* **Identity Tokens**: Vault's Identity system can now generate OIDC-compliant
|
|
ID tokens. These customizable tokens allow encapsulating a signed, verifiable
|
|
snapshot of identity information and metadata. They can be use by other
|
|
applications—even those without Vault authorization—as a way of establishing
|
|
identity based on a Vault entity.
|
|
* **Pivotal Cloud Foundry plugin**: New auth method using Pivotal Cloud
|
|
Foundry certificates for Vault authentication.
|
|
* **ElasticSearch database plugin**: New ElasticSearch database plugin issues
|
|
unique, short-lived ElasticSearch credentials.
|
|
* **New UI Features**: An HTTP Request Volume Page and new UI for editing LDAP
|
|
Users and Groups have been added.
|
|
* **HA support for Postgres**: PostgreSQL versions >= 9.5 may now but used as
|
|
and HA storage backend.
|
|
* **KMIP secrets engine (Enterprise)**: Allows Vault to operate as a KMIP
|
|
Server, seamlessly brokering cryptographic operations for traditional
|
|
infrastructure.
|
|
* Common Token Fields: Auth methods now use common fields for controlling
|
|
token behavior, making it easier to understand configuration across methods.
|
|
* **Vault API explorer**: The Vault UI now includes an embedded API explorer
|
|
where you can browse the endpoints avaliable to you and make requests. To try
|
|
it out, open the Web CLI and type `api`.
|
|
|
|
IMPROVEMENTS:
|
|
|
|
* agent: Allow EC2 nonce to be passed in [GH-6953]
|
|
* agent: Add optional `namespace` parameter, which sets the default namespace
|
|
for the auto-auth functionality [GH-6988]
|
|
* agent: Add cert auto-auth method [GH-6652]
|
|
* api: Add support for passing data to delete operations via `DeleteWithData`
|
|
[GH-7139]
|
|
* audit/file: Dramatically speed up file operations by changing
|
|
locking/marshaling order [GH-7024]
|
|
* auth/jwt: A JWKS endpoint may now be configured for signature verification [JWT-43]
|
|
* auth/jwt: A new `verbose_oidc_logging` role parameter has been added to help
|
|
troubleshoot OIDC configuration [JWT-57]
|
|
* auth/jwt: `bound_claims` will now match received claims that are lists if any element
|
|
of the list is one of the expected values [JWT-50]
|
|
* auth/jwt: Leeways for `nbf` and `exp` are now configurable, as is clock skew
|
|
leeway [JWT-53]
|
|
* auth/kubernetes: Allow service names/namespaces to be configured as globs
|
|
[KUBEAUTH-58]
|
|
* auth/token: Allow the support of the identity system for the token backend
|
|
via token roles [GH-6267]
|
|
* auth/token: Add a large set of token configuration options to token store
|
|
roles [GH-6662]
|
|
* cli: `path-help` now allows `-format=json` to be specified, which will
|
|
output OpenAPI [GH-7006]
|
|
* cli: Add support for passing parameters to `vault delete` operations
|
|
[GH-7139]
|
|
* cli: Add a log-format CLI flag that can specify either "standard" or "json"
|
|
for the log format for the `vault server`command. [GH-6840]
|
|
* cli: Add `-dev-no-store-token` to allow dev servers to not store the
|
|
generated token at the tokenhelper location [GH-7104]
|
|
* identity: Allow a group alias' canonical ID to be modified
|
|
* namespaces: Namespaces can now be created and deleted from performance
|
|
replication secondaries
|
|
* plugins: Change the default for `max_open_connections` for DB plugins to 4
|
|
[GH-7093]
|
|
* replication: Client TLS authentication is now supported when enabling or
|
|
updating a replication secondary
|
|
* secrets/database: Cassandra operations will now cancel on client timeout
|
|
[GH-6954]
|
|
* secrets/kv: Add optional `delete_version_after` parameter, which takes a
|
|
duration and can be set on the mount and/or the metadata for a specific key
|
|
[GH-7005]
|
|
* storage/postgres: LIST now performs better on large datasets [GH-6546]
|
|
* storage/s3: A new `path` parameter allows selecting the path within a bucket
|
|
for Vault data [GH-7157]
|
|
* ui: KV v1 and v2 will now gracefully degrade allowing a write without read
|
|
workflow in the UI [GH-6570]
|
|
* ui: Many visual improvements with the addition of Toolbars [GH-6626], the restyling
|
|
of the Confirm Action component [GH-6741], and using a new set of glyphs for our
|
|
Icon component [GH-6736]
|
|
* ui: Lazy loading parts of the application so that the total initial payload is
|
|
smaller [GH-6718]
|
|
* ui: Tabbing to auto-complete in filters will first complete a common prefix if there
|
|
is one [GH-6759]
|
|
* ui: Removing jQuery from the application makes the initial JS payload smaller [GH-6768]
|
|
|
|
BUG FIXES:
|
|
|
|
* audit: Log requests and responses due to invalid wrapping token provided
|
|
[GH-6541]
|
|
* audit: Fix bug preventing request counter queries from working with auditing
|
|
enabled [GH-6767
|
|
* auth/aws: AWS Roles are now upgraded and saved to the latest version just
|
|
after the AWS credential plugin is mounted. [GH-7025]
|
|
* auth/aws: Fix a case where a panic could stem from a malformed assumed-role ARN
|
|
when parsing this value [GH-6917]
|
|
* auth/aws: Fix an error complaining about a read-only view that could occur
|
|
during updating of a role when on a performance replication secondary
|
|
[GH-6926]
|
|
* auth/jwt: Fix a regression introduced in 1.1.1 that disabled checking of client_id
|
|
for OIDC logins [JWT-54]
|
|
* auth/jwt: Fix a panic during OIDC CLI logins that could occur if the Vault server
|
|
response is empty [JWT-55]
|
|
* auth/jwt: Fix issue where OIDC logins might intermittently fail when using
|
|
performance standbys [JWT-61]
|
|
* identity: Fix a case where modifying aliases of an entity could end up
|
|
moving the entity into the wrong namespace
|
|
* namespaces: Fix a behavior (currently only known to be benign) where we
|
|
wouldn't delete policies through the official functions before wiping the
|
|
namespaces on deletion
|
|
* secrets/database: Escape username/password before using in connection URL
|
|
[GH-7089]
|
|
* secrets/pki: Forward revocation requests to active node when on a
|
|
performance standby [GH-7173]
|
|
* ui: Fix timestamp on some transit keys [GH-6827]
|
|
* ui: Show Entities and Groups in Side Navigation [GH-7138]
|
|
* ui: Ensure dropdown updates selected item on HTTP Request Metrics page
|
|
|
|
## 1.1.4/1.1.5 (July 25th/30th, 2019)
|
|
|
|
NOTE:
|
|
|
|
Although 1.1.4 was tagged, we realized very soon after the tag was publicly
|
|
pushed that an intended fix was accidentally left out. As a result, 1.1.4 was
|
|
not officially announced and 1.1.5 should be used as the release after 1.1.3.
|
|
|
|
IMPROVEMENTS:
|
|
|
|
* identity: Allow a group alias' canonical ID to be modified
|
|
* namespaces: Improve namespace deletion performance [GH-6939]
|
|
* namespaces: Namespaces can now be created and deleted from performance
|
|
replication secondaries
|
|
|
|
BUG FIXES:
|
|
|
|
* api: Add backwards compat support for API env vars [GH-7135]
|
|
* auth/aws: Fix a case where a panic could stem from a malformed assumed-role
|
|
ARN when parsing this value [GH-6917]
|
|
* auth/ldap: Add `use_pre111_group_cn_behavior` flag to allow recovering from
|
|
a regression caused by a bug fix starting in 1.1.1 [GH-7208]
|
|
* auth/aws: Use a role cache to avoid separate locking paths [GH-6926]
|
|
* core: Fix a deadlock if a panic happens during request handling [GH-6920]
|
|
* core: Fix an issue that may cause key upgrades to not be cleaned up properly
|
|
[GH-6949]
|
|
* core: Don't shutdown if key upgrades fail due to canceled context [GH-7070]
|
|
* core: Fix panic caused by handling requests while vault is inactive
|
|
* identity: Fix reading entity and groups that have spaces in their names
|
|
[GH-7055]
|
|
* identity: Ensure entity alias operations properly verify namespace [GH-6886]
|
|
* mfa: Fix a nil pointer panic that could occur if invalid Duo credentials
|
|
were supplied
|
|
* replication: Forward step-down on perf standbys to match HA behavior
|
|
* replication: Fix various read only storage errors on performance standbys
|
|
* replication: Stop forwarding before stopping replication to eliminate some
|
|
possible bad states
|
|
* secrets/database: Allow cassandra queries to be cancled [GH-6954]
|
|
* storage/consul: Fix a regression causing vault to not connect to consul over
|
|
unix sockets [GH-6859]
|
|
* ui: Fix saving of TTL and string array fields generated by Open API [GH-7094]
|
|
|
|
## 1.1.3 (June 5th, 2019)
|
|
|
|
IMPROVEMENTS:
|
|
|
|
* agent: Now supports proxying request query parameters [GH-6772]
|
|
* core: Mount table output now includes a UUID indicating the storage path [GH-6633]
|
|
* core: HTTP server timeout values are now configurable [GH-6666]
|
|
* replication: Improve performance of the reindex operation on secondary clusters
|
|
when mount filters are in use
|
|
* replication: Replication status API now returns the state and progress of a reindex
|
|
|
|
BUG FIXES:
|
|
|
|
* api: Return the Entity ID in the secret output [GH-6819]
|
|
* auth/jwt: Consider bound claims when considering if there is at least one
|
|
bound constraint [JWT-49]
|
|
* auth/okta: Fix handling of group names containing slashes [GH-6665]
|
|
* cli: Add deprecated stored-shares flag back to the init command [GH-6677]
|
|
* cli: Fix a panic when the KV command would return no data [GH-6675]
|
|
* cli: Fix issue causing CLI list operations to not return proper format when
|
|
there is an empty response [GH-6776]
|
|
* core: Correctly honor non-HMAC request keys when auditing requests [GH-6653]
|
|
* core: Fix the `x-vault-unauthenticated` value in OpenAPI for a number of
|
|
endpoints [GH-6654]
|
|
* core: Fix issue where some OpenAPI parameters were incorrectly listed as
|
|
being sent as a header [GH-6679]
|
|
* core: Fix issue that would allow duplicate mount names to be used [GH-6771]
|
|
* namespaces: Fix behavior when using `root` instead of `root/` as the
|
|
namespace header value
|
|
* pki: fix a panic when a client submits a null value [GH-5679]
|
|
* replication: Properly update mount entry cache on a secondary to apply all
|
|
new values after a tune
|
|
* replication: Properly close connection on bootstrap error
|
|
* replication: Fix an issue causing startup problems if a namespace policy
|
|
wasn't replicated properly
|
|
* replication: Fix longer than necessary WAL replay during an initial reindex
|
|
* replication: Fix error during mount filter invalidation on DR secondary clusters
|
|
* secrets/ad: Make time buffer configurable [AD-35]
|
|
* secrets/gcp: Check for nil config when getting credentials [SGCP-35]
|
|
* secrets/gcp: Fix error checking in some cases where the returned value could
|
|
be 403 instead of 404 [SGCP-37]
|
|
* secrets/gcpkms: Disable key rotation when deleting a key [GCPKMS-10]
|
|
* storage/consul: recognize `https://` address even if schema not specified
|
|
[GH-6602]
|
|
* storage/dynamodb: Fix an issue where a deleted lock key in DynamoDB (HA)
|
|
could cause constant switching of the active node [GH-6637]
|
|
* storage/dynamodb: Eliminate a high-CPU condition that could occur if an
|
|
error was received from the DynamoDB API [GH-6640]
|
|
* storage/gcs: Correctly use configured chunk size values [GH-6655]
|
|
* storage/mssql: Use the correct database when pre-created schemas exist
|
|
[GH-6356]
|
|
* ui: Fix issue with select arrows on drop down menus [GH-6627]
|
|
* ui: Fix an issue where sensitive input values weren't being saved to the
|
|
server [GH-6586]
|
|
* ui: Fix web cli parsing when using quoted values [GH-6755]
|
|
* ui: Fix a namespace workflow mapping identities from external namespaces by
|
|
allowing arbitrary input in search-select component [GH-6728]
|
|
|
|
## 1.1.2 (April 18th, 2019)
|
|
|
|
This is a bug fix release containing the two items below. It is otherwise
|
|
unchanged from 1.1.1.
|
|
|
|
BUG FIXES:
|
|
|
|
* auth/okta: Fix a potential dropped error [GH-6592]
|
|
* secrets/kv: Fix a regression on upgrade where a KVv2 mount could fail to be
|
|
mounted on unseal if it had previously been mounted but not written to
|
|
[KV-31]
|
|
|
|
## 1.1.1 (April 11th, 2019)
|
|
|
|
SECURITY:
|
|
|
|
* Given: (a) performance replication is enabled; (b) performance standbys are
|
|
in use on the performance replication secondary cluster; and (c) mount
|
|
filters are in use, if a mount that was previously available to a secondary
|
|
is updated to be filtered out, although the data would be removed from the
|
|
secondary cluster, the in-memory cache of the data would not be purged on
|
|
the performance standby nodes. As a result, the previously-available data
|
|
could still be read from memory if it was ever read from disk, and if this
|
|
included mount configuration data this could result in token or lease
|
|
issuance. The issue is fixed in this release; in prior releases either an
|
|
active node changeover (such as a step-down) or a restart of the standby
|
|
nodes is sufficient to cause the performance standby nodes to clear their
|
|
cache. A CVE is in the process of being issued; the number is
|
|
CVE-2019-11075.
|
|
* Roles in the JWT Auth backend using the OIDC login flow (i.e. role_type of
|
|
“oidc”) were not enforcing bound_cidrs restrictions, if any were configured
|
|
for the role. This issue did not affect roles of type “jwt”.
|
|
|
|
CHANGES:
|
|
|
|
* auth/jwt: Disallow logins of role_type "oidc" via the `/login` path [JWT-38]
|
|
* core/acl: New ordering defines which policy wins when there are multiple
|
|
inexact matches and at least one path contains `+`. `+*` is now illegal in
|
|
policy paths. The previous behavior simply selected any matching
|
|
segment-wildcard path that matched. [GH-6532]
|
|
* replication: Due to technical limitations, mounting and unmounting was not
|
|
previously possible from a performance secondary. These have been resolved,
|
|
and these operations may now be run from a performance secondary.
|
|
|
|
IMPROVEMENTS:
|
|
|
|
* agent: Allow AppRole auto-auth without a secret-id [GH-6324]
|
|
* auth/gcp: Cache clients to improve performance and reduce open file usage
|
|
* auth/jwt: Bounds claims validiation will now allow matching the received
|
|
claims against a list of expected values [JWT-41]
|
|
* secret/gcp: Cache clients to improve performance and reduce open file usage
|
|
* replication: Mounting/unmounting/remounting/mount-tuning is now supported
|
|
from a performance secondary cluster
|
|
* ui: Suport for authentication via the RADIUS auth method [GH-6488]
|
|
* ui: Navigating away from secret list view will clear any page-specific
|
|
filter that was applied [GH-6511]
|
|
* ui: Improved the display when OIDC auth errors [GH-6553]
|
|
|
|
BUG FIXES:
|
|
|
|
* agent: Allow auto-auth to be used with caching without having to define any
|
|
sinks [GH-6468]
|
|
* agent: Disallow some nonsensical config file combinations [GH-6471]
|
|
* auth/ldap: Fix CN check not working if CN was not all in uppercase [GH-6518]
|
|
* auth/jwt: The CLI helper for OIDC logins will now open the browser to the correct
|
|
URL when running on Windows [JWT-37]
|
|
* auth/jwt: Fix OIDC login issue where configured TLS certs weren't being used [JWT-40]
|
|
* auth/jwt: Fix an issue where the `oidc_scopes` parameter was not being included in
|
|
the response to a role read request [JWT-35]
|
|
* core: Fix seal migration case when migrating to Shamir and a seal block
|
|
wasn't explicitly specified [GH-6455]
|
|
* core: Fix unwrapping when using namespaced wrapping tokens [GH-6536]
|
|
* core: Fix incorrect representation of required properties in OpenAPI output
|
|
[GH-6490]
|
|
* core: Fix deadlock that could happen when using the UI [GH-6560]
|
|
* identity: Fix updating groups removing existing members [GH-6527]
|
|
* identity: Properly invalidate group alias in performance secondary [GH-6564]
|
|
* identity: Use namespace context when loading entities and groups to ensure
|
|
merging of duplicate entries works properly [GH-6563]
|
|
* replication: Fix performance standby election failure [GH-6561]
|
|
* replication: Fix mount filter invalidation on performance standby nodes
|
|
* replication: Fix license reloading on performance standby nodes
|
|
* replication: Fix handling of control groups on performance standby nodes
|
|
* replication: Fix some forwarding scenarios with request bodies using
|
|
performance standby nodes [GH-6538]
|
|
* secret/gcp: Fix roleset binding when using JSON [GCP-27]
|
|
* secret/pki: Use `uri_sans` param in when not using CSR parameters [GH-6505]
|
|
* storage/dynamodb: Fix a race condition possible in HA configurations that could
|
|
leave the cluster without a leader [GH-6512]
|
|
* ui: Fix an issue where in production builds OpenAPI model generation was
|
|
failing, causing any form using it to render labels with missing fields [GH-6474]
|
|
* ui: Fix issue nav-hiding when moving between namespaces [GH-6473]
|
|
* ui: Secrets will always show in the nav regardless of access to cubbyhole [GH-6477]
|
|
* ui: fix SSH OTP generation [GH-6540]
|
|
* ui: add polyfill to load UI in IE11 [GH-6567]
|
|
* ui: Fix issue where some elements would fail to work properly if using ACLs
|
|
with segment-wildcard paths (`/+/` segments) [GH-6525]
|
|
|
|
## 1.1.0 (March 18th, 2019)
|
|
|
|
CHANGES:
|
|
|
|
* auth/jwt: The `groups_claim_delimiter_pattern` field has been removed. If the
|
|
groups claim is not at the top level, it can now be specified as a
|
|
[JSONPointer](https://tools.ietf.org/html/rfc6901).
|
|
* auth/jwt: Roles now have a "role type" parameter with a default type of
|
|
"oidc". To configure new JWT roles, a role type of "jwt" must be explicitly
|
|
specified.
|
|
* cli: CLI commands deprecated in 0.9.2 are now removed. Please see the CLI
|
|
help/warning output in previous versions of Vault for updated commands.
|
|
* core: Vault no longer automatically mounts a K/V backend at the "secret/"
|
|
path when initializing Vault
|
|
* core: Vault's cluster port will now be open at all times on HA standby nodes
|
|
* plugins: Vault no longer supports running netRPC plugins. These were
|
|
deprecated in favor of gRPC based plugins and any plugin built since 0.9.4
|
|
defaults to gRPC. Older plugins may need to be recompiled against the latest
|
|
Vault dependencies.
|
|
|
|
FEATURES:
|
|
|
|
* **Vault Agent Caching**: Vault Agent can now be configured to act as a
|
|
caching proxy to Vault. Clients can send requests to Vault Agent and the
|
|
request will be proxied to the Vault server and cached locally in Agent.
|
|
Currently Agent will cache generated leases and tokens and keep them
|
|
renewed. The proxy can also use the Auto Auth feature so clients do not need
|
|
to authenticate to Vault, but rather can make requests to Agent and have
|
|
Agent fully manage token lifecycle.
|
|
* **OIDC Redirect Flow Support**: The JWT auth backend now supports OIDC
|
|
roles. These allow authentication via an OIDC-compliant provider via the
|
|
user's browser. The login may be initiated from the Vault UI or through
|
|
the `vault login` command.
|
|
* **ACL Path Wildcard**: ACL paths can now use the `+` character to enable
|
|
wild card matching for a single directory in the path definition.
|
|
* **Transit Auto Unseal**: Vault can now be configured to use the Transit
|
|
Secret Engine in another Vault cluster as an auto unseal provider.
|
|
|
|
IMPROVEMENTS:
|
|
|
|
* auth/jwt: A default role can be set. It will be used during JWT/OIDC logins if
|
|
a role is not specified.
|
|
* auth/jwt: Arbitrary claims data can now be copied into token & alias metadata.
|
|
* auth/jwt: An arbitrary set of bound claims can now be configured for a role.
|
|
* auth/jwt: The name "oidc" has been added as an alias for the jwt backend. Either
|
|
name may be specified in the `auth enable` command.
|
|
* command/server: A warning will be printed when 'tls_cipher_suites' includes a
|
|
blacklisted cipher suite or all cipher suites are blacklisted by the HTTP/2
|
|
specification [GH-6300]
|
|
* core/metrics: Prometheus pull support using a new sys/metrics endpoint. [GH-5308]
|
|
* core: On non-windows platforms a SIGUSR2 will make the server log a dump of
|
|
all running goroutines' stack traces for debugging purposes [GH-6240]
|
|
* replication: The initial replication indexing process on newly initialized or upgraded
|
|
clusters now runs asynchronously
|
|
* sentinel: Add token namespace id and path, available in rules as
|
|
token.namespace.id and token.namespace.path
|
|
* ui: The UI is now leveraging OpenAPI definitions to pull in fields for various forms.
|
|
This means, it will not be necessary to add fields on the go and JS sides in the future.
|
|
[GH-6209]
|
|
|
|
BUG FIXES:
|
|
|
|
* auth/jwt: Apply `bound_claims` validation across all login paths
|
|
* auth/jwt: Update `bound_audiences` validation during non-OIDC logins to accept
|
|
any matched audience, as documented and handled in OIDC logins [JWT-30]
|
|
* auth/token: Fix issue where empty values for token role update call were
|
|
ignored [GH-6314]
|
|
* core: The `operator migrate` command will no longer hang on empty key names
|
|
[GH-6371]
|
|
* identity: Fix a panic at login when external group has a nil alias [GH-6230]
|
|
* namespaces: Clear out identity store items upon namespace deletion
|
|
* replication/perfstandby: Fixed a bug causing performance standbys to wait
|
|
longer than necessary after forwarding a write to the active node
|
|
* replication/mountfilter: Fix a deadlock that could occur when mount filters
|
|
were updated [GH-6426]
|
|
* secret/kv: Fix issue where a v1→v2 upgrade could run on a performance
|
|
standby when using a local mount
|
|
* secret/ssh: Fix for a bug where attempting to delete the last ssh role
|
|
in the zeroaddress configuration could fail [GH-6390]
|
|
* secret/totp: Uppercase provided keys so they don't fail base32 validation
|
|
[GH-6400]
|
|
* secret/transit: Multiple HMAC, Sign or Verify operations can now be
|
|
performed with one API call using the new `batch_input` parameter [GH-5875]
|
|
* sys: `sys/internal/ui/mounts` will no longer return secret or auth mounts
|
|
that have been filtered. Similarly, `sys/internal/ui/mount/:path` will
|
|
return a error response if a filtered mount path is requested. [GH-6412]
|
|
* ui: Fix for a bug where you couldn't access the data tab after clicking on
|
|
wrap details on the unwrap page [GH-6404]
|
|
* ui: Fix an issue where the policies tab was erroneously hidden [GH-6301]
|
|
* ui: Fix encoding issues with kv interfaces [GH-6294]
|
|
|
|
## 1.0.3.1 (March 14th, 2019) (Enterprise Only)
|
|
|
|
SECURITY:
|
|
|
|
* A regression was fixed in replication mount filter code introduced in Vault
|
|
1.0 that caused the underlying filtered data to be replicated to
|
|
secondaries. This data was not accessible to users via Vault's API but via a
|
|
combination of privileged configuration file changes/Vault commands it could
|
|
be read. Upgrading to this version or 1.1 will fix this issue and cause the
|
|
replicated data to be deleted from filtered secondaries. More information
|
|
was sent to customer contacts on file.
|
|
|
|
## 1.0.3 (February 12th, 2019)
|
|
|
|
CHANGES:
|
|
|
|
* New AWS authentication plugin mounts will default to using the generated
|
|
role ID as the Identity alias name. This applies to both EC2 and IAM auth.
|
|
Existing mounts that explicitly set this value will not be affected but
|
|
mounts that specified no preference will switch over on upgrade.
|
|
* The default policy now allows a token to look up its associated identity
|
|
entity either by name or by id [GH-6105]
|
|
* The Vault UI's navigation and onboarding wizard now only displays items that
|
|
are permitted in a users' policy [GH-5980, GH-6094]
|
|
* An issue was fixed that caused recovery keys to not work on secondary
|
|
clusters when using a different unseal mechanism/key than the primary. This
|
|
would be hit if the cluster was rekeyed or initialized after 1.0. We recommend
|
|
rekeying the recovery keys on the primary cluster if you meet the above
|
|
requirements.
|
|
|
|
FEATURES:
|
|
|
|
* **cURL Command Output**: CLI commands can now use the `-output-curl-string`
|
|
flag to print out an equivalent cURL command.
|
|
* **Response Headers From Plugins**: Plugins can now send back headers that
|
|
will be included in the response to a client. The set of allowed headers can
|
|
be managed by the operator.
|
|
|
|
IMPROVEMENTS:
|
|
|
|
* auth/aws: AWS EC2 authentication can optionally create entity aliases by
|
|
role ID [GH-6133]
|
|
* auth/jwt: The supported set of signing algorithms is now configurable [JWT
|
|
plugin GH-16]
|
|
* core: When starting from an uninitialized state, HA nodes will now attempt
|
|
to auto-unseal using a configured auto-unseal mechanism after the active
|
|
node initializes Vault [GH-6039]
|
|
* secret/database: Add socket keepalive option for Cassandra [GH-6201]
|
|
* secret/ssh: Add signed key constraints, allowing enforcement of key types
|
|
and minimum key sizes [GH-6030]
|
|
* secret/transit: ECDSA signatures can now be marshaled in JWS-compatible
|
|
fashion [GH-6077]
|
|
* storage/etcd: Support SRV service names [GH-6087]
|
|
* storage/aws: Support specifying a KMS key ID for server-side encryption
|
|
[GH-5996]
|
|
|
|
BUG FIXES:
|
|
|
|
* core: Fix a rare case where a standby whose connection is entirely torn down
|
|
to the active node, then reconnects to the same active node, may not
|
|
successfully resume operation [GH-6167]
|
|
* cors: Don't duplicate headers when they're written [GH-6207]
|
|
* identity: Persist merged entities only on the primary [GH-6075]
|
|
* replication: Fix a potential race when a token is created and then used with
|
|
a performance standby very quickly, before an associated entity has been
|
|
replicated. If the entity is not found in this scenario, the request will
|
|
forward to the active node.
|
|
* replication: Fix issue where recovery keys would not work on secondary
|
|
clusters if using a different unseal mechanism than the primary.
|
|
* replication: Fix a "failed to register lease" error when using performance
|
|
standbys
|
|
* storage/postgresql: The `Get` method will now return an Entry object with
|
|
the `Key` member correctly populated with the full path that was requested
|
|
instead of just the last path element [GH-6044]
|
|
|
|
## 1.0.2 (January 15th, 2019)
|
|
|
|
SECURITY:
|
|
|
|
* When creating a child token from a parent with `bound_cidrs`, the list of
|
|
CIDRs would not be propagated to the child token, allowing the child token
|
|
to be used from any address.
|
|
|
|
CHANGES:
|
|
|
|
* secret/aws: Role now returns `credential_type` instead of `credential_types`
|
|
to match role input. If a legacy role that can supply more than one
|
|
credential type, they will be concatenated with a `,`.
|
|
* physical/dynamodb, autoseal/aws: Instead of Vault performing environment
|
|
variable handling, and overriding static (config file) values if found, we
|
|
use the default AWS SDK env handling behavior, which also looks for
|
|
deprecated values. If you were previously providing both config values and
|
|
environment values, please ensure the config values are unset if you want to
|
|
use environment values.
|
|
* Namespaces (Enterprise): Providing "root" as the header value for
|
|
`X-Vault-Namespace` will perform the request on the root namespace. This is
|
|
equivalent to providing an empty value. Creating a namespace called "root" in
|
|
the root namespace is disallowed.
|
|
|
|
FEATURES:
|
|
|
|
* **InfluxDB Database Plugin**: Use Vault to dynamically create and manage InfluxDB
|
|
users
|
|
|
|
IMPROVEMENTS:
|
|
|
|
* auth/aws: AWS EC2 authentication can optionally create entity aliases by
|
|
image ID [GH-5846]
|
|
* autoseal/gcpckms: Reduce the required permissions for the GCPCKMS autounseal
|
|
[GH-5999]
|
|
* physical/foundationdb: TLS support added. [GH-5800]
|
|
|
|
BUG FIXES:
|
|
|
|
* api: Fix a couple of places where we were using the `LIST` HTTP verb
|
|
(necessary to get the right method into the wrapping lookup function) and
|
|
not then modifying it to a `GET`; although this is officially the verb Vault
|
|
uses for listing and it's fully legal to use custom verbs, since many WAFs
|
|
and API gateways choke on anything outside of RFC-standardized verbs we fall
|
|
back to `GET` [GH-6026]
|
|
* autoseal/aws: Fix reading session tokens when AWS access key/secret key are
|
|
also provided [GH-5965]
|
|
* command/operator/rekey: Fix help output showing `-delete-backup` when it
|
|
should show `-backup-delete` [GH-5981]
|
|
* core: Fix bound_cidrs not being propagated to child tokens
|
|
* replication: Correctly forward identity entity creation that originates from
|
|
performance standby nodes (Enterprise)
|
|
* secret/aws: Make input `credential_type` match the output type (string, not
|
|
array) [GH-5972]
|
|
* secret/cubbyhole: Properly cleanup cubbyhole after token revocation [GH-6006]
|
|
* secret/pki: Fix reading certificates on windows with the file storage backend [GH-6013]
|
|
* ui (enterprise): properly display perf-standby count on the license page [GH-5971]
|
|
* ui: fix disappearing nested secrets and go to the nearest parent when deleting
|
|
a secret - [GH-5976]
|
|
* ui: fix error where deleting an item via the context menu would fail if the
|
|
item name contained dots [GH-6018]
|
|
* ui: allow saving of kv secret after an errored save attempt [GH-6022]
|
|
* ui: fix display of kv-v1 secret containing a key named "keys" [GH-6023]
|
|
|
|
## 1.0.1 (December 14th, 2018)
|
|
|
|
SECURITY:
|
|
|
|
* Update version of Go to 1.11.3 to fix Go bug
|
|
https://github.com/golang/go/issues/29233 which corresponds to
|
|
CVE-2018-16875
|
|
* Database user revocation: If a client has configured custom revocation
|
|
statements for a role with a value of `""`, that statement would be executed
|
|
verbatim, resulting in a lack of actual revocation but success for the
|
|
operation. Vault will now strip empty statements from any provided; as a
|
|
result if an empty statement is provided, it will behave as if no statement
|
|
is provided, falling back to the default revocation statement.
|
|
|
|
CHANGES:
|
|
|
|
* secret/database: On role read, empty statements will be returned as empty
|
|
slices instead of potentially being returned as JSON null values. This makes
|
|
it more in line with other parts of Vault and makes it easier for statically
|
|
typed languages to interpret the values.
|
|
|
|
IMPROVEMENTS:
|
|
|
|
* cli: Strip iTerm extra characters from password manager input [GH-5837]
|
|
* command/server: Setting default kv engine to v1 in -dev mode can now be
|
|
specified via -dev-kv-v1 [GH-5919]
|
|
* core: Add operationId field to OpenAPI output [GH-5876]
|
|
* ui: Added ability to search for Group and Policy IDs when creating Groups
|
|
and Entities instead of typing them in manually
|
|
|
|
BUG FIXES:
|
|
|
|
* auth/azure: Cache azure authorizer [15]
|
|
* auth/gcp: Remove explicit project for service account in GCE authorizer [58]
|
|
* cli: Show correct stored keys/threshold for autoseals [GH-5910]
|
|
* cli: Fix backwards compatibility fallback when listing plugins [GH-5913]
|
|
* core: Fix upgrades when the seal config had been created on early versions
|
|
of vault [GH-5956]
|
|
* namespaces: Correctly reload the proper mount when tuning or reloading the
|
|
mount [GH-5937]
|
|
* secret/azure: Cache azure authorizer [19]
|
|
* secret/database: Strip empty statements on user input [GH-5955]
|
|
* secret/gcpkms: Add path for retrieving the public key [5]
|
|
* secret/pki: Fix panic that could occur during tidy operation when malformed
|
|
data was found [GH-5931]
|
|
* secret/pki: Strip empty line in ca_chain output [GH-5779]
|
|
* ui: Fixed a bug where the web CLI was not usable via the `fullscreen`
|
|
command - [GH-5909]
|
|
* ui: Fix a bug where you couldn't write a jwt auth method config [GH-5936]
|
|
|
|
## 0.11.6 (December 14th, 2018)
|
|
|
|
This release contains the three security fixes from 1.0.0 and 1.0.1 and the
|
|
following bug fixes from 1.0.0/1.0.1:
|
|
|
|
* namespaces: Correctly reload the proper mount when tuning or reloading the
|
|
mount [GH-5937]
|
|
* replication/perfstandby: Fix audit table upgrade on standbys [GH-5811]
|
|
* replication/perfstandby: Fix redirect on approle update [GH-5820]
|
|
* secrets/kv: Fix issue where storage version would get incorrectly downgraded
|
|
[GH-5809]
|
|
|
|
It is otherwise identical to 0.11.5.
|
|
|
|
## 1.0.0 (December 3rd, 2018)
|
|
|
|
SECURITY:
|
|
|
|
* When debugging a customer incident we discovered that in the case of
|
|
malformed data from an autoseal mechanism, Vault's master key could be
|
|
logged in Vault's server log. For this to happen, the data would need to be
|
|
modified by the autoseal mechanism after being submitted to it by Vault but
|
|
prior to encryption, or after decryption, prior to it being returned to
|
|
Vault. To put it another way, it requires the data that Vault submits for
|
|
encryption to not match the data returned after decryption. It is not
|
|
sufficient for the autoseal mechanism to return an error, and it cannot be
|
|
triggered by an outside attacker changing the on-disk ciphertext as all
|
|
autoseal mechanisms use authenticated encryption. We do not believe that
|
|
this is generally a cause for concern; since it involves the autoseal
|
|
mechanism returning bad data to Vault but with no error, in a working Vault
|
|
configuration this code path should never be hit, and if hitting this issue
|
|
Vault will not be unsealing properly anyways so it will be obvious what is
|
|
happening and an immediate rekey of the master key can be performed after
|
|
service is restored. We have filed for a CVE (CVE-2018-19786) and a CVSS V3
|
|
score of 5.2 has been assigned.
|
|
|
|
CHANGES:
|
|
|
|
* Tokens are now prefixed by a designation to indicate what type of token they
|
|
are. Service tokens start with `s.` and batch tokens start with `b.`.
|
|
Existing tokens will still work (they are all of service type and will be
|
|
considered as such). Prefixing allows us to be more efficient when consuming
|
|
a token, which keeps the critical path of requests faster.
|
|
* Paths within `auth/token` that allow specifying a token or accessor in the
|
|
URL have been removed. These have been deprecated since March 2016 and
|
|
undocumented, but were retained for backwards compatibility. They shouldn't
|
|
be used due to the possibility of those paths being logged, so at this point
|
|
they are simply being removed.
|
|
* Vault will no longer accept updates when the storage key has invalid UTF-8
|
|
character encoding [GH-5819]
|
|
* Mount/Auth tuning the `options` map on backends will now upsert any provided
|
|
values, and keep any of the existing values in place if not provided. The
|
|
options map itself cannot be unset once it's set, but the keypairs within the
|
|
map can be unset if an empty value is provided, with the exception of the
|
|
`version` keypair which is handled differently for KVv2 purposes.
|
|
* Agent no longer automatically reauthenticates when new credentials are
|
|
detected. It's not strictly necessary and in some cases was causing
|
|
reauthentication much more often than intended.
|
|
* HSM Regenerate Key Support Removed: Vault no longer supports destroying and
|
|
regenerating encryption keys on an HSM; it only supports creating them.
|
|
Although this has never been a source of a customer incident, it is simply a
|
|
code path that is too trivial to activate, especially by mistyping
|
|
`regenerate_key` instead of `generate_key`.
|
|
* Barrier Config Upgrade (Enterprise): When upgrading from Vault 0.8.x, the
|
|
seal type in the barrier config storage entry will be upgraded from
|
|
"hsm-auto" to "awskms" or "pkcs11" upon unseal if using AWSKMS or HSM seals.
|
|
If performing seal migration, the barrier config should first be upgraded
|
|
prior to starting migration.
|
|
* Go API client uses pooled HTTP client: The Go API client now uses a
|
|
connection-pooling HTTP client by default. For CLI operations this makes no
|
|
difference but it should provide significant performance benefits for those
|
|
writing custom clients using the Go API library. As before, this can be
|
|
changed to any custom HTTP client by the caller.
|
|
* Builtin Secret Engines and Auth Methods are integrated deeper into the
|
|
plugin system. The plugin catalog can now override builtin plugins with
|
|
custom versions of the same name. Additionally the plugin system now
|
|
requires a plugin `type` field when configuring plugins, this can be "auth",
|
|
"database", or "secret".
|
|
|
|
FEATURES:
|
|
|
|
* **Auto-Unseal in Open Source**: Cloud-based auto-unseal has been migrated
|
|
from Enterprise to Open Source. We've created a migrator to allow migrating
|
|
between Shamir seals and auto unseal methods.
|
|
* **Batch Tokens**: Batch tokens trade off some features of service tokens for no
|
|
storage overhead, and in most cases can be used across performance
|
|
replication clusters.
|
|
* **Replication Speed Improvements**: We've worked hard to speed up a lot of
|
|
operations when using Vault Enterprise Replication.
|
|
* **GCP KMS Secrets Engine**: This new secrets engine provides a Transit-like
|
|
pattern to keys stored within GCP Cloud KMS.
|
|
* **AppRole support in Vault Agent Auto-Auth**: You can now use AppRole
|
|
credentials when having Agent automatically authenticate to Vault
|
|
* **OpenAPI Support**: Descriptions of mounted backends can be served directly
|
|
from Vault
|
|
* **Kubernetes Projected Service Account Tokens**: Projected Service Account
|
|
Tokens are now supported in Kubernetes auth
|
|
* **Response Wrapping in UI**: Added ability to wrap secrets and easily copy
|
|
the wrap token or secret JSON in the UI
|
|
|
|
IMPROVEMENTS:
|
|
|
|
* agent: Support for configuring the location of the kubernetes service account
|
|
[GH-5725]
|
|
* auth/token: New tokens are indexed in storage HMAC-SHA256 instead of SHA1
|
|
* secret/totp: Allow @ character to be part of key name [GH-5652]
|
|
* secret/consul: Add support for new policy based tokens added in Consul 1.4
|
|
[GH-5586]
|
|
* ui: Improve the token auto-renew warning, and automatically begin renewal
|
|
when a user becomes active again [GH-5662]
|
|
* ui: The unbundled UI page now has some styling [GH-5665]
|
|
* ui: Improved banner and popup design [GH-5672]
|
|
* ui: Added token type to auth method mount config [GH-5723]
|
|
* ui: Display additonal wrap info when unwrapping. [GH-5664]
|
|
* ui: Empty states have updated styling and link to relevant actions and
|
|
documentation [GH-5758]
|
|
* ui: Allow editing of KV V2 data when a token doesn't have capabilities to
|
|
read secret metadata [GH-5879]
|
|
|
|
BUG FIXES:
|
|
|
|
* agent: Fix auth when multiple redirects [GH-5814]
|
|
* cli: Restore the `-policy-override` flag [GH-5826]
|
|
* core: Fix rekey progress reset which did not happen under certain
|
|
circumstances. [GH-5743]
|
|
* core: Migration from autounseal to shamir will clean up old keys [GH-5671]
|
|
* identity: Update group memberships when entity is deleted [GH-5786]
|
|
* replication/perfstandby: Fix audit table upgrade on standbys [GH-5811]
|
|
* replication/perfstandby: Fix redirect on approle update [GH-5820]
|
|
* secrets/azure: Fix valid roles being rejected for duplicate ids despite
|
|
having distinct scopes
|
|
[[GH-16]](https://github.com/hashicorp/vault-plugin-secrets-azure/pull/16)
|
|
* storage/gcs: Send md5 of values to GCS to avoid potential corruption
|
|
[GH-5804]
|
|
* secrets/kv: Fix issue where storage version would get incorrectly downgraded
|
|
[GH-5809]
|
|
* secrets/kv: Disallow empty paths on a `kv put` while accepting empty paths
|
|
for all other operations for backwards compatibility
|
|
[[GH-19]](https://github.com/hashicorp/vault-plugin-secrets-kv/pull/19)
|
|
* ui: Allow for secret creation in kv v2 when cas_required=true [GH-5823]
|
|
* ui: Fix dr secondary operation token generation via the ui [GH-5818]
|
|
* ui: Fix the PKI context menu so that items load [GH-5824]
|
|
* ui: Update DR Secondary Token generation command [GH-5857]
|
|
* ui: Fix pagination bug where controls would be rendered once for each
|
|
item when viewing policies [GH-5866]
|
|
* ui: Fix bug where `sys/leases/revoke` required 'sudo' capability to show
|
|
the revoke button in the UI [GH-5647]
|
|
* ui: Fix issue where certain pages wouldn't render in a namespace [GH-5692]
|
|
|
|
## 0.11.5 (November 13th, 2018)
|
|
|
|
BUG FIXES:
|
|
|
|
* agent: Fix issue when specifying two file sinks [GH-5610]
|
|
* auth/userpass: Fix minor timing issue that could leak the presence of a
|
|
username [GH-5614]
|
|
* autounseal/alicloud: Fix issue interacting with the API (Enterprise)
|
|
* autounseal/azure: Fix key version tracking (Enterprise)
|
|
* cli: Fix panic that could occur if parameters were not provided [GH-5603]
|
|
* core: Fix buggy behavior if trying to remount into a namespace
|
|
* identity: Fix duplication of entity alias entity during alias transfer
|
|
between entities [GH-5733]
|
|
* namespaces: Fix tuning of auth mounts in a namespace
|
|
* ui: Fix bug where editing secrets as JSON doesn't save properly [GH-5660]
|
|
* ui: Fix issue where IE 11 didn't render the UI and also had a broken form
|
|
when trying to use tool/hash [GH-5714]
|
|
|
|
## 0.11.4 (October 23rd, 2018)
|
|
|
|
CHANGES:
|
|
|
|
* core: HA lock file is no longer copied during `operator migrate` [GH-5503].
|
|
We've categorized this as a change, but generally this can be considered
|
|
just a bug fix, and no action is needed.
|
|
|
|
FEATURES:
|
|
|
|
* **Transit Key Trimming**: Keys in transit secret engine can now be trimmed to
|
|
remove older unused key versions
|
|
* **Web UI support for KV Version 2**: Browse, delete, undelete and destroy
|
|
individual secret versions in the UI
|
|
* **Azure Existing Service Principal Support**: Credentials can now be generated
|
|
against an existing service principal
|
|
|
|
IMPROVEMENTS:
|
|
|
|
* core: Add last WAL in leader/health output for easier debugging [GH-5523]
|
|
* identity: Identity names will now be handled case insensitively by default.
|
|
This includes names of entities, aliases and groups [GH-5404]
|
|
* secrets/aws: Added role-option max_sts_ttl to cap TTL for AWS STS
|
|
credentials [GH-5500]
|
|
* secret/database: Allow Cassandra user to be non-superuser so long as it has
|
|
role creation permissions [GH-5402]
|
|
* secret/radius: Allow setting the NAS Identifier value in the generated
|
|
packet [GH-5465]
|
|
* secret/ssh: Allow usage of JSON arrays when setting zero addresses [GH-5528]
|
|
* secret/transit: Allow trimming unused keys [GH-5388]
|
|
* ui: Support KVv2 [GH-5547], [GH-5563]
|
|
* ui: Allow viewing and updating Vault license via the UI
|
|
* ui: Onboarding will now display your progress through the chosen tutorials
|
|
* ui: Dynamic secret backends obfuscate sensitive data by default and
|
|
visibility is toggleable
|
|
|
|
BUG FIXES:
|
|
|
|
* agent: Fix potential hang during agent shutdown [GH-5026]
|
|
* auth/ldap: Fix listing of users/groups that contain slashes [GH-5537]
|
|
* core: Fix memory leak during some expiration calls [GH-5505]
|
|
* core: Fix generate-root operations requiring empty `otp` to be provided
|
|
instead of an empty body [GH-5495]
|
|
* identity: Remove lookup check during alias removal from entity [GH-5524]
|
|
* secret/pki: Fix TTL/MaxTTL check when using `sign-verbatim` [GH-5549]
|
|
* secret/pki: Fix regression in 0.11.2+ causing the NotBefore value of
|
|
generated certificates to be set to the Unix epoch if the role value was not
|
|
set, instead of using the default of 30 seconds [GH-5481]
|
|
* storage/mysql: Use `varbinary` instead of `varchar` when creating HA tables
|
|
[GH-5529]
|
|
|
|
## 0.11.3 (October 8th, 2018)
|
|
|
|
SECURITY:
|
|
|
|
* Revocation: A regression in 0.11.2 (OSS) and 0.11.0 (Enterprise) caused
|
|
lease IDs containing periods (`.`) to not be revoked properly. Upon startup
|
|
when revocation is tried again these should now revoke successfully.
|
|
|
|
IMPROVEMENTS:
|
|
|
|
* auth/ldap: Listing of users and groups return absolute paths [GH-5537]
|
|
* secret/pki: OID SANs can now specify `*` to allow any value [GH-5459]
|
|
|
|
BUG FIXES:
|
|
|
|
* auth/ldap: Fix panic if specific values were given to be escaped [GH-5471]
|
|
* cli/auth: Fix panic if `vault auth` was given no parameters [GH-5473]
|
|
* secret/database/mongodb: Fix panic that could occur at high load [GH-5463]
|
|
* secret/pki: Fix CA generation not allowing OID SANs [GH-5459]
|
|
|
|
## 0.11.2 (October 2nd, 2018)
|
|
|
|
CHANGES:
|
|
|
|
* `sys/seal-status` now includes an `initialized` boolean in the output. If
|
|
Vault is not initialized, it will return a `200` with this value set `false`
|
|
instead of a `400`.
|
|
* `passthrough_request_headers` will now deny certain headers from being
|
|
provided to backends based on a global denylist.
|
|
* Token Format: Tokens are now represented as a base62 value; tokens in
|
|
namespaces will have the namespace identifier appended. (This appeared in
|
|
Enterprise in 0.11.0, but is only in OSS in 0.11.2.)
|
|
|
|
FEATURES:
|
|
|
|
* **AWS Secret Engine Root Credential Rotation**: The credential used by the AWS
|
|
secret engine can now be rotated, to ensure that only Vault knows the
|
|
credentials it is using [GH-5140]
|
|
* **Storage Backend Migrator**: A new `operator migrate` command allows offline
|
|
migration of data between two storage backends
|
|
* **AliCloud KMS Auto Unseal and Seal Wrap Support (Enterprise)**: AliCloud KMS can now be used a support seal for
|
|
Auto Unseal and Seal Wrapping
|
|
|
|
BUG FIXES:
|
|
|
|
* auth/okta: Fix reading deprecated `token` parameter if a token was
|
|
previously set in the configuration [GH-5409]
|
|
* core: Re-add deprecated capabilities information for now [GH-5360]
|
|
* core: Fix handling of cyclic token relationships [GH-4803]
|
|
* storage/mysql: Fix locking on MariaDB [GH-5343]
|
|
* replication: Fix DR API when using a token [GH-5398]
|
|
* identity: Ensure old group alias is removed when a new one is written [GH-5350]
|
|
* storage/alicloud: Don't call uname on package init [GH-5358]
|
|
* secrets/jwt: Fix issue where request context would be canceled too early
|
|
* ui: fix need to have update for aws iam creds generation [GF-5294]
|
|
* ui: fix calculation of token expiry [GH-5435]
|
|
|
|
IMPROVEMENTS:
|
|
|
|
* auth/aws: The identity alias name can now configured to be either IAM unique
|
|
ID of the IAM Principal, or ARN of the caller identity [GH-5247]
|
|
* auth/cert: Add allowed_organizational_units support [GH-5252]
|
|
* cli: Format TTLs for non-secret responses [GH-5367]
|
|
* identity: Support operating on entities and groups by their names [GH-5355]
|
|
* plugins: Add `env` parameter when registering plugins to the catalog to allow
|
|
operators to include environment variables during plugin execution. [GH-5359]
|
|
* secrets/aws: WAL Rollback improvements [GH-5202]
|
|
* secrets/aws: Allow specifying STS role-default TTLs [GH-5138]
|
|
* secrets/pki: Add configuration support for setting NotBefore [GH-5325]
|
|
* core: Support for passing the Vault token via an Authorization Bearer header [GH-5397]
|
|
* replication: Reindex process now runs in the background and does not block other
|
|
vault operations
|
|
* storage/zookeeper: Enable TLS based communication with Zookeeper [GH-4856]
|
|
* ui: you can now init a cluster with a seal config [GH-5428]
|
|
* ui: added the option to force promote replication clusters [GH-5438]
|
|
* replication: Allow promotion of a secondary when data is syncing with a "force" flag
|
|
|
|
## 0.11.1.1 (September 17th, 2018) (Enterprise Only)
|
|
|
|
BUG FIXES:
|
|
|
|
* agent: Fix auth handler-based wrapping of output tokens [GH-5316]
|
|
* core: Properly store the replication checkpoint file if it's larger than the
|
|
storage engine's per-item limit
|
|
* core: Improve WAL deletion rate
|
|
* core: Fix token creation on performance standby nodes
|
|
* core: Fix unwrapping inside a namespace
|
|
* core: Always forward tidy operations from performance standby nodes
|
|
|
|
IMPROVEMENTS:
|
|
|
|
* auth/aws: add support for key/value pairs or JSON values for
|
|
`iam_request_headers` with IAM auth method [GH-5320]
|
|
* auth/aws, secret/aws: Throttling errors from the AWS API will now be
|
|
reported as 502 errors by Vault, along with the original error [GH-5270]
|
|
* replication: Start fetching during a sync from where it previously errored
|
|
|
|
## 0.11.1 (September 6th, 2018)
|
|
|
|
SECURITY:
|
|
|
|
* Random Byte Reading in Barrier: Prior to this release, Vault was not
|
|
properly checking the error code when reading random bytes for the IV for
|
|
AES operations in its cryptographic barrier. Specifically, this means that
|
|
such an IV could potentially be zero multiple times, causing nonce re-use
|
|
and weakening the security of the key. On most platforms this should never
|
|
happen because reading from kernel random sources is non-blocking and always
|
|
successful, but there may be platform-specific behavior that has not been
|
|
accounted for. (Vault has tests to check exactly this, and the tests have
|
|
never seen nonce re-use.)
|
|
|
|
FEATURES:
|
|
|
|
* AliCloud Agent Support: Vault Agent can now authenticate against the
|
|
AliCloud auth method.
|
|
* UI: Enable AliCloud auth method and Azure secrets engine via the UI.
|
|
|
|
IMPROVEMENTS:
|
|
|
|
* core: Logging level for most logs (not including secrets/auth plugins) can
|
|
now be changed on-the-fly via `SIGHUP`, reading the desired value from
|
|
Vault's config file [GH-5280]
|
|
|
|
BUG FIXES:
|
|
|
|
* core: Ensure we use a background context when stepping down [GH-5290]
|
|
* core: Properly check error return from random byte reading [GH-5277]
|
|
* core: Re-add `sys/` top-route injection for now [GH-5241]
|
|
* core: Policies stored in minified JSON would return an error [GH-5229]
|
|
* core: Evaluate templated policies in capabilities check [GH-5250]
|
|
* identity: Update MemDB with identity group alias while loading groups [GH-5289]
|
|
* secrets/database: Fix nil pointer when revoking some leases [GH-5262]
|
|
* secrets/pki: Fix sign-verbatim losing extra Subject attributes [GH-5245]
|
|
* secrets/pki: Remove certificates from store when tidying revoked
|
|
certificates and simplify API [GH-5231]
|
|
* ui: JSON editor will not coerce input to an object, and will now show an
|
|
error about Vault expecting an object [GH-5271]
|
|
* ui: authentication form will now default to any methods that have been tuned
|
|
to show up for unauthenticated users [GH-5281]
|
|
|
|
|
|
## 0.11.0 (August 28th, 2018)
|
|
|
|
DEPRECATIONS/CHANGES:
|
|
|
|
* Request Timeouts: A default request timeout of 90s is now enforced. This
|
|
setting can be overwritten in the config file. If you anticipate requests
|
|
taking longer than 90s this setting should be updated before upgrading.
|
|
* (NOTE: will be re-added into 0.11.1 as it broke more than anticipated. There
|
|
will be some further guidelines around when this will be removed again.)
|
|
* `sys/` Top Level Injection: For the last two years for backwards
|
|
compatibility data for various `sys/` routes has been injected into both the
|
|
Secret's Data map and into the top level of the JSON response object.
|
|
However, this has some subtle issues that pop up from time to time and is
|
|
becoming increasingly complicated to maintain, so it's finally being
|
|
removed.
|
|
* Path Fallback for List Operations: For a very long time Vault has
|
|
automatically adjusted `list` operations to always end in a `/`, as list
|
|
operations operates on prefixes, so all list operations by definition end
|
|
with `/`. This was done server-side so affects all clients. However, this
|
|
has also led to a lot of confusion for users writing policies that assume
|
|
that the path that they use in the CLI is the path used internally. Starting
|
|
in 0.11, ACL policies gain a new fallback rule for listing: they will use a
|
|
matching path ending in `/` if available, but if not found, they will look
|
|
for the same path without a trailing `/`. This allows putting `list`
|
|
capabilities in the same path block as most other capabilities for that
|
|
path, while not providing any extra access if `list` wasn't actually
|
|
provided there.
|
|
* Performance Standbys On By Default: If you flavor/license of Vault
|
|
Enterprise supports Performance Standbys, they are on by default. You can
|
|
disable this behavior per-node with the `disable_performance_standby`
|
|
configuration flag.
|
|
* AWS Secret Engine Roles: The AWS Secret Engine roles are now explicit about
|
|
the type of AWS credential they are generating; this reduces reduce
|
|
ambiguity that existed previously as well as enables new features for
|
|
specific credential types. Writing role data and generating credentials
|
|
remain backwards compatible; however, the data returned when reading a
|
|
role's configuration has changed in backwards-incompatible ways. Anything
|
|
that depended on reading role data from the AWS secret engine will break
|
|
until it is updated to work with the new format.
|
|
* Token Format (Enterprise): Tokens are now represented as a base62 value;
|
|
tokens in namespaces will have the namespace identifier appended.
|
|
|
|
FEATURES:
|
|
|
|
* **Namespaces (Enterprise)**: A set of features within Vault Enterprise
|
|
that allows Vault environments to support *Secure Multi-tenancy* within a
|
|
single Vault Enterprise infrastructure. Through namespaces, Vault
|
|
administrators can support tenant isolation for teams and individuals as
|
|
well as empower those individuals to self-manage their own tenant
|
|
environment.
|
|
* **Performance Standbys (Enterprise)**: Standby nodes can now service
|
|
requests that do not modify storage. This provides near-horizontal scaling
|
|
of a cluster in some workloads, and is the intra-cluster analogue of
|
|
the existing Performance Replication feature, which replicates to distinct
|
|
clusters in other datacenters, geos, etc.
|
|
* **AliCloud OSS Storage**: AliCloud OSS can now be used for Vault storage.
|
|
* **AliCloud Auth Plugin**: AliCloud's identity services can now be used to
|
|
grant access to Vault. See the [plugin
|
|
repository](https://github.com/hashicorp/vault-plugin-auth-alicloud) for
|
|
more information.
|
|
* **Azure Secrets Plugin**: There is now a plugin (pulled in to Vault) that
|
|
allows generating credentials to allow access to Azure. See the [plugin
|
|
repository](https://github.com/hashicorp/vault-plugin-secrets-azure) for
|
|
more information.
|
|
* **HA Support for MySQL Storage**: MySQL storage now supports HA.
|
|
* **ACL Templating**: ACL policies can now be templated using identity Entity,
|
|
Groups, and Metadata.
|
|
* **UI Onboarding wizards**: The Vault UI can provide contextual help and
|
|
guidance, linking out to relevant
|