./security/vault, Tool for managing secrets

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 0.8.0, Package name: vault-0.8.0, Maintainer: filip

Vault is a tool for securely accessing secrets. A secret is
anything that you want to tightly control access to, such as API
keys, passwords, certificates, and more. Vault provides a unified
interface to any secret, while providing tight access control and
recording a detailed audit log.


Required to build:
[lang/go] [pkgtools/cwrappers]

Master sites:

SHA1: 13dca1df577d156c584c47530a4f25929a64ab0c
RMD160: 6bedd05b97333e8101ba238fdfe37eda8c337823
Filesize: 6795.08 KB

Version history: (Expand)


CVS history: (Expand)


   2017-08-16 14:18:32 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
Update security/vault to 0.8.0.

SECURITY:

- We've added a note to the docs about the way the GitHub auth backend works
  as it may not be readily apparent that GitHub personal access tokens, which
  are used by the backend, can be used for unauthorized access if they are
  stolen from third party services and access to Vault is public.

DEPRECATIONS/CHANGES:

- Database Plugin Backends: Passwords generated for these backends now
  enforce stricter password requirements, as opposed to the previous behavior
  of returning a randomized UUID.
- Lease Endpoints: The endpoints 'sys/renew', 'sys/revoke', 'sys/revoke-prefix',
  'sys/revoke-force' have been deprecated and relocated under 'sys/leases'.
- Response Wrapping Lookup Unauthenticated: The 'sys/wrapping/lookup' endpoint
  is now unauthenticated.

FEATURES:

- Cassandra Storage: Cassandra can now be used for Vault storage
- CockroachDB Storage: CockroachDB can now be used for Vault storage
- CouchDB Storage: CouchDB can now be used for Vault storage
- SAP HANA Database Plugin: The 'databases' backend can now manage users
  for SAP HANA databases
- Plugin Backends: Vault now supports running secret and auth backends as
  plugins.
- PROXY Protocol Support Vault listeners can now be configured to honor
  PROXY protocol v1 information to allow passing real client IPs into Vault.
- Lease Lookup and Browsing in the Vault Enterprise UI: Vault Enterprise UI
  now supports lookup and listing of leases and the associated actions from the
  'sys/leases' endpoints in the API.
- Filtered Mounts for Performance Mode Replication: Whitelists or
  blacklists of mounts can be defined per-secondary to control which mounts
  are actually replicated to that secondary.
- Disaster Recovery Mode Replication (Enterprise Only): There is a new
  replication mode, Disaster Recovery (DR), that performs full real-time
  replication (including tokens and leases) to DR secondaries.
- Manage New Replication Features in the Vault Enterprise UI: Support for
  Replication features in Vault Enterprise UI has expanded to include new DR
  Replication mode and management of Filtered Mounts in Performance Replication
  mode.
- Vault Identity (Enterprise Only): Vault's new Identity system allows
  correlation of users across tokens.
- Duo Push, Okta Push, and TOTP MFA For All Authenticated Paths (Enterprise
  Only): A brand new MFA system built on top of Identity allows MFA
  (currently Duo Push, Okta Push, and TOTP) for any authenticated path within
  Vault.

IMPROVEMENTS:

- api: Add client method for a secret renewer background process
- api: Add 'RenewTokenAsSelf'
- api: Client timeout can now be adjusted with the 'VAULT_CLIENT_TIMEOUT' env
  var or with a new API function
- api/cli: Client will now attempt to look up SRV records for the given Vault
  hostname
- audit/socket: Enhance reconnection logic and don't require the connection to
  be established at unseal time
- audit/file: Opportunistically try re-opening the file on error
- auth/approle: Add role name to token metadata
- auth/okta: Allow specifying 'ttl'/'max_ttl' inside the mount
- cli: Client timeout can now be adjusted with the 'VAULT_CLIENT_TIMEOUT' env
  var
- command/auth: Add '-token-only' flag to 'vault auth' that returns only the
  token on stdout and does not store it via the token helper
- core: CORS allowed origins can now be configured
- core: Add metrics counters for audit log failures
- cors: Allow setting allowed headers via the API instead of always using
  wildcard
- secret/ssh: Allow specifying the key ID format using template values for CA
  type
- server: Add 'tls_client_ca_file' option for specifying a CA file to use for
  client certificate verification when 'tls_require_and_verify_client_cert' is
  enabled
- storage/cockroachdb: Add CockroachDB storage backend
- storage/couchdb: Add CouchhDB storage backend
- storage/mssql: Add 'max_parallel'
- storage/postgresql: Add 'max_parallel'
- storage/postgresql: Improve listing speed
- storage/s3: More efficient paging when an object has a lot of subobjects
- sys/wrapping: Make 'sys/wrapping/lookup' unauthenticated
- sys/wrapping: Wrapped tokens now store the original request path of the data
- telemetry: Add support for DogStatsD

BUG FIXES:

- api/health: Don't treat standby '429' codes as an error
- api/leases: Fix lease lookup returning lease properties at the top level
- audit: Fix panic when audit logging a read operation on an asymmetric
  'transit' key
- auth/approle: Fix panic when secret and cidr list not provided in role
- auth/aws: Look up proper account ID on token renew
- auth/aws: Store IAM header in all cases when it changes
- auth/ldap: Verify given certificate is PEM encoded instead of failing
  silently
- auth/token: Don't allow using the same token ID twice when manually
  specifying
- cli: Fix issue with parsing keys that start with special characters
- core: Relocated 'sys/leases/renew' returns same payload as original
  'sys/leases' endpoint
- secret/ssh: Fix panic when signing with incorrect key type
- secret/totp: Ensure codes can only be used once. This makes some automated
  workflows harder but complies with the RFC.
- secret/transit: Fix locking when creating a key with unsupported options
   2017-06-13 08:28:38 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
Update security/vault to 0.7.3.

## 0.7.3 (June 7th, 2017)

SECURITY:

- Cert auth backend now checks validity of individual certificates
- App-ID path salting was skipped in 0.7.1/0.7.2

DEPRECATIONS/CHANGES:

- Step-Down is Forwarded

FEATURES:

- ed25519 Signing/Verification in Transit with Key Derivation
- Key Version Specification for Encryption in Transit
- Replication Primary Discovery (Enterprise)

IMPROVEMENTS:

- api/health: Add Sys().Health()
- audit: Add auth information to requests that error out
- command/auth: Add `-no-store` option that prevents the auth command
  from storing the returned token into the configured token helper
- core/forwarding: Request forwarding now heartbeats to prevent unused
  connections from being terminated by firewalls or proxies
- plugins/databases: Add MongoDB as an internal database plugin
- storage/dynamodb: Add a method for checking the existence of
  children, speeding up deletion operations in the DynamoDB storage backend
- storage/mysql: Add max_parallel parameter to MySQL backend
- secret/databases: Support listing connections
- secret/databases: Support custom renewal statements in Postgres
  database plugin
- secret/databases: Use the role name as part of generated credentials
- ui (Enterprise): Transit key and secret browsing UI handle large
  lists better
- ui (Enterprise): root tokens are no longer persisted
- ui (Enterprise): support for mounting Database and TOTP secret
  backends

BUG FIXES:

- auth/app-id: Fix regression causing loading of salts to be skipped
- auth/aws: Improve EC2 describe instances performance
- auth/aws: Fix lookup of some instance profile ARNs
- auth/aws: Resolve ARNs to internal AWS IDs which makes lookup at
  various points (e.g. renewal time) more robust
- auth/aws: Properly honor configured period when using IAM
  authentication
- auth/aws: Check that a bound IAM principal is not empty (in the
  current state of the role) before requiring it match the previously
  authenticated client
- auth/cert: Fix panic on renewal
- auth/cert: Certificate verification for non-CA certs
- core/acl: Prevent race condition when compiling ACLs in some
  scenarios
- secret/database: Increase wrapping token TTL; in a loaded scenario
  it could be too short
- secret/generic: Allow integers to be set as the value of `ttl` field
  as the documentation claims is supported
- secret/ssh: Added host key callback to ssh client config
- storage/s3: Avoid a panic when some bad data is returned
- storage/dynamodb: Fix list functions working improperly on Windows
- storage/file: Don't leak file descriptors in some error cases
- storage/swift: Fix pre-v3 project/tenant name reading
   2017-05-10 20:21:27 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
Update security/vault to 0.7.2.

0.7.2 (May 8th, 2017)

BUG FIXES:

- audit: Fix auditing entries containing certain kinds of time values

0.7.1 (May 5th, 2017)

DEPRECATIONS/CHANGES:

- LDAP Auth Backend: Group membership queries will now run as the
  binddn user when binddn/bindpass are configured, rather than as the
  authenticating user as was the case previously.

FEATURES:

- AWS IAM Authentication
- MSSQL Physical Backend
- Lease Listing and Lookup
- TOTP Secret Backend
- Database Secret Backend & Secure Plugins (Beta)

IMPROVEMENTS:

- auth/cert: Support for constraints on subject Common Name and
  DNS/email Subject Alternate Names in certificates
- auth/ldap: Use the binding credentials to search group membership
  rather than the user credentials
- cli/revoke: Add -self option to allow revoking the currently active
  token
- core: Randomize x coordinate in Shamir shares
- tidy: Improvements to auth/token/tidy and sys/leases/tidy to handle
  more cleanup cases
- secret/pki: Add no_store option that allows certificates to be
  issued without being stored. This removes the ability to look up
  and/or add to a CRL but helps with scaling to very large numbers of
  certificates.
- secret/pki: If used with a role parameter, the sign-verbatim/<role>
  endpoint honors the values of generate_lease, no_store, ttl and
  max_ttl from the given role
- secret/pki: Add role parameter allow_glob_domains that enables
  defining names in allowed_domains containing * glob patterns
- secret/pki: Update certificate storage to not use characters that
  are not supported on some filesystems
- storage/etcd3: Add discovery_srv option to query for SRV records to
  find servers
- storage/s3: Support max_parallel option to limit concurrent
  outstanding requests
- storage/s3: Use pooled transport for http client
- storage/swift: Allow domain values for V3 authentication

BUG FIXES:

- api: Respect a configured path in Vault's address
- auth/aws-ec2: New bounds added as criteria to allow role creation
- auth/ldap: Don't lowercase groups attached to users
- cli: Don't panic if vault write is used with the force flag but no
  path
- core: Help operations should request forward since standbys may not
  have appropriate info
- replication: Fix enabling secondaries when certain mounts already
  existed on the primary
- secret/mssql: Update mssql driver to support queries with colons
- secret/pki: Don't lowercase O/OU values in certs
- secret/pki: Don't attempt to validate IP SANs if none are provided
   2017-04-13 17:12:07 by Benny Siegert | Files touched by this commit (39) | Package updated
Log message:
Revbump all Go packages after the Go 1.8.1 update.
   2017-03-20 16:15:28 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
Update security/vault to 0.7.0.

SECURITY:

* Common name not being validated when `exclude_cn_from_sans` option used in
  `pki` backend

DEPRECATIONS/CHANGES:

* List Operations Always Use Trailing Slash
* PKI Defaults to Unleased Certificates

FEATURES:

* Replication (Enterprise)
* Response Wrapping & Replication in the Vault Enterprise UI
* Expanded Access Control Policies
* SSH Backend As Certificate Authority

IMPROVEMENTS:

* api/request: Passing username and password information in API request
* audit: Logging the token's use count with authentication response and
  logging the remaining uses of the client token with request
* auth/approle: Support for restricting the number of uses on the tokens
  issued
* auth/aws-ec2: AWS EC2 auth backend now supports constraints for VPC ID,
  Subnet ID and Region
* auth/ldap: Use the value of the `LOGNAME` or `USER` env vars for the
  username if not explicitly set on the command line when authenticating
* audit: Support adding a configurable prefix (such as `@cee`) before each
  line
* core: Canonicalize list operations to use a trailing slash
* core: Add option to disable caching on a per-mount level
* core: Add ability to require valid client certs in listener config
* physical/dynamodb: Implement a session timeout to avoid having to use
  recovery mode in the case of an unclean shutdown, which makes HA much safer
* secret/pki: O (Organization) values can now be set to role-defined values
  for issued/signed certificates
* secret/pki: Certificates issued/signed from PKI backend do not generate
  leases by default
* secret/pki: When using DER format, still return the private key type
* secret/pki: Add an intermediate to the CA chain even if it lacks an
  authority key ID
* secret/pki: Add role option to use CSR SANs
* secret/ssh: SSH backend as CA to sign user and host certificates
* secret/ssh: Support reading of SSH CA public key from `config/ca` endpoint
  and also return it when CA key pair is generated

BUG FIXES:

* audit: When auditing headers use case-insensitive comparisons
* auth/aws-ec2: Return role period in seconds and not nanoseconds
* auth/okta: Fix panic if user had no local groups and/or policies set
* command/server: Fix parsing of redirect address when port is not mentioned
* physical/postgresql: Fix listing returning incorrect results if there were
  multiple levels of children

Full changelog:

  https://github.com/hashicorp/vault/blob … ANGELOG.md
   2017-02-13 15:23:08 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
Update security/vault to 0.6.5.

FEATURES:

- Okta Authentication: A new Okta authentication backend allows you to use
  Okta usernames and passwords to authenticate to Vault. If provided with an
  appropriate Okta API token, group membership can be queried to assign
  policies; users and groups can be defined locally as well.
- RADIUS Authentication: A new RADIUS authentication backend allows using
  a RADIUS server to authenticate to Vault. Policies can be configured for
  specific users or for any authenticated user.
- Exportable Transit Keys: Keys in `transit` can now be marked as
  `exportable` at creation time. This allows a properly ACL'd user to retrieve
  the associated signing key, encryption key, or HMAC key. The `exportable`
  value is returned on a key policy read and cannot be changed, so if a key is
  marked `exportable` it will always be exportable, and if it is not it will
  never be exportable.
- Batch Transit Operations: `encrypt`, `decrypt` and `rewrap` operations
  in the transit backend now support processing multiple input items in one
  call, returning the output of each item in the response.
- Configurable Audited HTTP Headers: You can now specify headers that you
  want to have included in each audit entry, along with whether each header
  should be HMAC'd or kept plaintext. This can be useful for adding additional
  client or network metadata to the audit logs.
- Transit Backend UI (Enterprise): Vault Enterprise UI now supports the transit
  backend, allowing creation, viewing and editing of named keys as well as using
  those keys to perform supported transit operations directly in the UI.
- Socket Audit Backend A new socket audit backend allows audit logs to be sent
  through TCP, UDP, or UNIX Sockets.

IMPROVEMENTS:

- auth/aws-ec2: Add support for cross-account auth using STS
- auth/aws-ec2: Support issuing periodic tokens
- auth/github: Support listing teams and users
- auth/ldap: Support adding policies to local users directly, in addition to
  local groups
- command/server: Add ability to select and prefer server cipher suites
- core: Add a nonce to unseal operations as a check (useful mostly for
  support, not as a security principle)
- duo: Added ability to supply extra context to Duo pushes
- physical/consul: Add option for setting consistency mode on Consul gets
- physical/etcd: Full v3 API support; code will autodetect which API version
  to use. The v3 code path is significantly less complicated and may be much
  more stable.
- secret/pki: Allow specifying OU entries in generated certificate subjects
- secret mount ui (Enterprise): the secret mount list now shows all mounted
  backends even if the UI cannot browse them. Additional backends can now be
  mounted from the UI as well.

BUG FIXES:

- auth/token: Fix regression in 0.6.4 where using token store roles as a
  blacklist (with only `disallowed_policies` set) would not work in most
  circumstances
- physical/s3: Page responses in client so list doesn't truncate
- secret/cassandra: Stop a connection leak that could occur on active node
  failover
- secret/pki: When using `sign-verbatim`, don't require a role and use the
  CSR's common name
   2017-01-03 08:44:01 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
Update security/vault to 0.6.4

SECURITY:

- default Policy Privilege Escalation: If a parent token did not have
  the default policy attached to its token, it could still create
  children with the default policy. This is no longer allowed (unless
  the parent has sudo capability for the creation path). In most cases
  this is low severity since the access grants in the default policy are
  meant to be access grants that are acceptable for all tokens to have.
- Leases Not Expired When Limited Use Token Runs Out of Uses: When
  using limited-use tokens to create leased secrets, if the
  limited-use token was revoked due to running out of uses (rather than
  due to TTL expiration or explicit revocation) it would fail to revoke
  the leased secrets. These secrets would still be revoked when their
  TTL expired, limiting the severity of this issue. An endpoint has been
  added (auth/token/tidy) that can perform housekeeping tasks on the
  token store; one of its tasks can detect this situation and revoke the
  associated leases.

FEATURES:

- Policy UI (Enterprise): Vault Enterprise UI now supports viewing,
  creating, and editing policies.

IMPROVEMENTS:

- http: Vault now sets a no-store cache control header to make it more
  secure in setups that are not end-to-end encrypted

BUG FIXES:

- auth/ldap: Don't panic if dialing returns an error and starttls is
  enabled; instead, return the error
- ui (Enterprise): Submitting an unseal key now properly resets the
  form so a browser refresh isn't required to continue.

0.6.3 (December 6, 2016)

DEPRECATIONS/CHANGES:

- Request size limitation: A maximum request size of 32MB is imposed
  to prevent a denial of service attack with arbitrarily large
  requests
- LDAP denies passwordless binds by default: In new LDAP mounts, or
  when existing LDAP mounts are rewritten, passwordless binds will be
  denied by default. The new deny_null_bind parameter can be set to
  false to allow these.
- Any audit backend activated satisfies conditions: Previously, when a
  new Vault node was taking over service in an HA cluster, all audit
  backends were required to be loaded successfully to take over active
  duty. This behavior now matches the behavior of the audit logging
  system itself: at least one audit backend must successfully be loaded.
  The server log contains an error when this occurs. This helps keep a
  Vault HA cluster working when there is a misconfiguration on a standby
  node.

FEATURES:

- Web UI (Enterprise): Vault Enterprise now contains a built-in web UI
  that offers access to a number of features, including
  init/unsealing/sealing, authentication via userpass or LDAP, and K/V
  reading/writing. The capability set of the UI will be expanding
  rapidly in further releases. To enable it, set ui = true in the top
  level of Vault's configuration file and point a web browser at your
  Vault address.
- Google Cloud Storage Physical Backend: You can now use GCS for
  storing Vault data

IMPROVEMENTS:

- auth/github: Policies can now be assigned to users as well as to
  teams
- cli: Set the number of retries on 500 down to 0 by default (no
  retrying). It can be very confusing to users when there is a pause
  while the retries happen if they haven't explicitly set it. With
  request forwarding the need for this is lessened anyways.
- core: Response wrapping is now allowed to be specified by backend
  responses (requires backends gaining support)
- physical/consul: When announcing service, use the scheme of the
  Vault server rather than the Consul client
- secret/consul: Added listing functionality to roles
- secret/postgresql: Added revocation_sql parameter on the role
  endpoint to enable customization of user revocation SQL statements
- secret/transit: Add listing of keys

BUG FIXES:

- api/unwrap, command/unwrap: Increase compatibility of unwrap command
  with Vault 0.6.1 and older
- api/unwrap, command/unwrap: Fix error when no client token exists
- auth/approle: Creating the index for the role_id properly
- auth/aws-ec2: Handle the case of multiple upgrade attempts when
  setting the instance-profile ARN
- auth/ldap: Avoid leaking connections on login
- command/path-help: Use the actual error generated by Vault rather
  than always using 500 when there is a path help error
- command/ssh: Use temporary file for identity and ensure its deletion
  before the command returns
- cli: Fix error printing values with -field if the values contained
  formatting directives
- command/server: Don't say mlock is supported on OSX when it isn't.
- core: Fix bug where a failure to come up as active node (e.g. if an
  audit backend failed) could lead to deadlock
- physical/mysql: Fix potential crash during setup due to a query
  failure
- secret/consul: Fix panic on user error
   2016-12-04 17:30:01 by Benny Siegert | Files touched by this commit (35) | Package updated
Log message:
Revbump Go packages after 1.7.4 update.