./security/vault, Tool for managing secrets

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 0.7.3, Package name: vault-0.7.3, Maintainer: filip

Vault is a tool for securely accessing secrets. A secret is
anything that you want to tightly control access to, such as API
keys, passwords, certificates, and more. Vault provides a unified
interface to any secret, while providing tight access control and
recording a detailed audit log.


Required to build:
[lang/go] [pkgtools/cwrappers]

Master sites:

SHA1: 6cec196e3d4483aee896e6ca69993bebf856d142
RMD160: 2091b5f947579a7a715090164d8ccb2c805cb2b6
Filesize: 6537.73 KB

Version history: (Expand)


CVS history: (Expand)


   2017-06-13 08:28:38 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
Update security/vault to 0.7.3.

## 0.7.3 (June 7th, 2017)

SECURITY:

- Cert auth backend now checks validity of individual certificates
- App-ID path salting was skipped in 0.7.1/0.7.2

DEPRECATIONS/CHANGES:

- Step-Down is Forwarded

FEATURES:

- ed25519 Signing/Verification in Transit with Key Derivation
- Key Version Specification for Encryption in Transit
- Replication Primary Discovery (Enterprise)

IMPROVEMENTS:

- api/health: Add Sys().Health()
- audit: Add auth information to requests that error out
- command/auth: Add `-no-store` option that prevents the auth command
  from storing the returned token into the configured token helper
- core/forwarding: Request forwarding now heartbeats to prevent unused
  connections from being terminated by firewalls or proxies
- plugins/databases: Add MongoDB as an internal database plugin
- storage/dynamodb: Add a method for checking the existence of
  children, speeding up deletion operations in the DynamoDB storage backend
- storage/mysql: Add max_parallel parameter to MySQL backend
- secret/databases: Support listing connections
- secret/databases: Support custom renewal statements in Postgres
  database plugin
- secret/databases: Use the role name as part of generated credentials
- ui (Enterprise): Transit key and secret browsing UI handle large
  lists better
- ui (Enterprise): root tokens are no longer persisted
- ui (Enterprise): support for mounting Database and TOTP secret
  backends

BUG FIXES:

- auth/app-id: Fix regression causing loading of salts to be skipped
- auth/aws: Improve EC2 describe instances performance
- auth/aws: Fix lookup of some instance profile ARNs
- auth/aws: Resolve ARNs to internal AWS IDs which makes lookup at
  various points (e.g. renewal time) more robust
- auth/aws: Properly honor configured period when using IAM
  authentication
- auth/aws: Check that a bound IAM principal is not empty (in the
  current state of the role) before requiring it match the previously
  authenticated client
- auth/cert: Fix panic on renewal
- auth/cert: Certificate verification for non-CA certs
- core/acl: Prevent race condition when compiling ACLs in some
  scenarios
- secret/database: Increase wrapping token TTL; in a loaded scenario
  it could be too short
- secret/generic: Allow integers to be set as the value of `ttl` field
  as the documentation claims is supported
- secret/ssh: Added host key callback to ssh client config
- storage/s3: Avoid a panic when some bad data is returned
- storage/dynamodb: Fix list functions working improperly on Windows
- storage/file: Don't leak file descriptors in some error cases
- storage/swift: Fix pre-v3 project/tenant name reading
   2017-05-10 20:21:27 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
Update security/vault to 0.7.2.

0.7.2 (May 8th, 2017)

BUG FIXES:

- audit: Fix auditing entries containing certain kinds of time values

0.7.1 (May 5th, 2017)

DEPRECATIONS/CHANGES:

- LDAP Auth Backend: Group membership queries will now run as the
  binddn user when binddn/bindpass are configured, rather than as the
  authenticating user as was the case previously.

FEATURES:

- AWS IAM Authentication
- MSSQL Physical Backend
- Lease Listing and Lookup
- TOTP Secret Backend
- Database Secret Backend & Secure Plugins (Beta)

IMPROVEMENTS:

- auth/cert: Support for constraints on subject Common Name and
  DNS/email Subject Alternate Names in certificates
- auth/ldap: Use the binding credentials to search group membership
  rather than the user credentials
- cli/revoke: Add -self option to allow revoking the currently active
  token
- core: Randomize x coordinate in Shamir shares
- tidy: Improvements to auth/token/tidy and sys/leases/tidy to handle
  more cleanup cases
- secret/pki: Add no_store option that allows certificates to be
  issued without being stored. This removes the ability to look up
  and/or add to a CRL but helps with scaling to very large numbers of
  certificates.
- secret/pki: If used with a role parameter, the sign-verbatim/<role>
  endpoint honors the values of generate_lease, no_store, ttl and
  max_ttl from the given role
- secret/pki: Add role parameter allow_glob_domains that enables
  defining names in allowed_domains containing * glob patterns
- secret/pki: Update certificate storage to not use characters that
  are not supported on some filesystems
- storage/etcd3: Add discovery_srv option to query for SRV records to
  find servers
- storage/s3: Support max_parallel option to limit concurrent
  outstanding requests
- storage/s3: Use pooled transport for http client
- storage/swift: Allow domain values for V3 authentication

BUG FIXES:

- api: Respect a configured path in Vault's address
- auth/aws-ec2: New bounds added as criteria to allow role creation
- auth/ldap: Don't lowercase groups attached to users
- cli: Don't panic if vault write is used with the force flag but no
  path
- core: Help operations should request forward since standbys may not
  have appropriate info
- replication: Fix enabling secondaries when certain mounts already
  existed on the primary
- secret/mssql: Update mssql driver to support queries with colons
- secret/pki: Don't lowercase O/OU values in certs
- secret/pki: Don't attempt to validate IP SANs if none are provided
   2017-04-13 17:12:07 by Benny Siegert | Files touched by this commit (39) | Package updated
Log message:
Revbump all Go packages after the Go 1.8.1 update.
   2017-03-20 16:15:28 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
Update security/vault to 0.7.0.

SECURITY:

* Common name not being validated when `exclude_cn_from_sans` option used in
  `pki` backend

DEPRECATIONS/CHANGES:

* List Operations Always Use Trailing Slash
* PKI Defaults to Unleased Certificates

FEATURES:

* Replication (Enterprise)
* Response Wrapping & Replication in the Vault Enterprise UI
* Expanded Access Control Policies
* SSH Backend As Certificate Authority

IMPROVEMENTS:

* api/request: Passing username and password information in API request
* audit: Logging the token's use count with authentication response and
  logging the remaining uses of the client token with request
* auth/approle: Support for restricting the number of uses on the tokens
  issued
* auth/aws-ec2: AWS EC2 auth backend now supports constraints for VPC ID,
  Subnet ID and Region
* auth/ldap: Use the value of the `LOGNAME` or `USER` env vars for the
  username if not explicitly set on the command line when authenticating
* audit: Support adding a configurable prefix (such as `@cee`) before each
  line
* core: Canonicalize list operations to use a trailing slash
* core: Add option to disable caching on a per-mount level
* core: Add ability to require valid client certs in listener config
* physical/dynamodb: Implement a session timeout to avoid having to use
  recovery mode in the case of an unclean shutdown, which makes HA much safer
* secret/pki: O (Organization) values can now be set to role-defined values
  for issued/signed certificates
* secret/pki: Certificates issued/signed from PKI backend do not generate
  leases by default
* secret/pki: When using DER format, still return the private key type
* secret/pki: Add an intermediate to the CA chain even if it lacks an
  authority key ID
* secret/pki: Add role option to use CSR SANs
* secret/ssh: SSH backend as CA to sign user and host certificates
* secret/ssh: Support reading of SSH CA public key from `config/ca` endpoint
  and also return it when CA key pair is generated

BUG FIXES:

* audit: When auditing headers use case-insensitive comparisons
* auth/aws-ec2: Return role period in seconds and not nanoseconds
* auth/okta: Fix panic if user had no local groups and/or policies set
* command/server: Fix parsing of redirect address when port is not mentioned
* physical/postgresql: Fix listing returning incorrect results if there were
  multiple levels of children

Full changelog:

  https://github.com/hashicorp/vault/blob … ANGELOG.md
   2017-02-13 15:23:08 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
Update security/vault to 0.6.5.

FEATURES:

- Okta Authentication: A new Okta authentication backend allows you to use
  Okta usernames and passwords to authenticate to Vault. If provided with an
  appropriate Okta API token, group membership can be queried to assign
  policies; users and groups can be defined locally as well.
- RADIUS Authentication: A new RADIUS authentication backend allows using
  a RADIUS server to authenticate to Vault. Policies can be configured for
  specific users or for any authenticated user.
- Exportable Transit Keys: Keys in `transit` can now be marked as
  `exportable` at creation time. This allows a properly ACL'd user to retrieve
  the associated signing key, encryption key, or HMAC key. The `exportable`
  value is returned on a key policy read and cannot be changed, so if a key is
  marked `exportable` it will always be exportable, and if it is not it will
  never be exportable.
- Batch Transit Operations: `encrypt`, `decrypt` and `rewrap` operations
  in the transit backend now support processing multiple input items in one
  call, returning the output of each item in the response.
- Configurable Audited HTTP Headers: You can now specify headers that you
  want to have included in each audit entry, along with whether each header
  should be HMAC'd or kept plaintext. This can be useful for adding additional
  client or network metadata to the audit logs.
- Transit Backend UI (Enterprise): Vault Enterprise UI now supports the transit
  backend, allowing creation, viewing and editing of named keys as well as using
  those keys to perform supported transit operations directly in the UI.
- Socket Audit Backend A new socket audit backend allows audit logs to be sent
  through TCP, UDP, or UNIX Sockets.

IMPROVEMENTS:

- auth/aws-ec2: Add support for cross-account auth using STS
- auth/aws-ec2: Support issuing periodic tokens
- auth/github: Support listing teams and users
- auth/ldap: Support adding policies to local users directly, in addition to
  local groups
- command/server: Add ability to select and prefer server cipher suites
- core: Add a nonce to unseal operations as a check (useful mostly for
  support, not as a security principle)
- duo: Added ability to supply extra context to Duo pushes
- physical/consul: Add option for setting consistency mode on Consul gets
- physical/etcd: Full v3 API support; code will autodetect which API version
  to use. The v3 code path is significantly less complicated and may be much
  more stable.
- secret/pki: Allow specifying OU entries in generated certificate subjects
- secret mount ui (Enterprise): the secret mount list now shows all mounted
  backends even if the UI cannot browse them. Additional backends can now be
  mounted from the UI as well.

BUG FIXES:

- auth/token: Fix regression in 0.6.4 where using token store roles as a
  blacklist (with only `disallowed_policies` set) would not work in most
  circumstances
- physical/s3: Page responses in client so list doesn't truncate
- secret/cassandra: Stop a connection leak that could occur on active node
  failover
- secret/pki: When using `sign-verbatim`, don't require a role and use the
  CSR's common name
   2017-01-03 08:44:01 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
Update security/vault to 0.6.4

SECURITY:

- default Policy Privilege Escalation: If a parent token did not have
  the default policy attached to its token, it could still create
  children with the default policy. This is no longer allowed (unless
  the parent has sudo capability for the creation path). In most cases
  this is low severity since the access grants in the default policy are
  meant to be access grants that are acceptable for all tokens to have.
- Leases Not Expired When Limited Use Token Runs Out of Uses: When
  using limited-use tokens to create leased secrets, if the
  limited-use token was revoked due to running out of uses (rather than
  due to TTL expiration or explicit revocation) it would fail to revoke
  the leased secrets. These secrets would still be revoked when their
  TTL expired, limiting the severity of this issue. An endpoint has been
  added (auth/token/tidy) that can perform housekeeping tasks on the
  token store; one of its tasks can detect this situation and revoke the
  associated leases.

FEATURES:

- Policy UI (Enterprise): Vault Enterprise UI now supports viewing,
  creating, and editing policies.

IMPROVEMENTS:

- http: Vault now sets a no-store cache control header to make it more
  secure in setups that are not end-to-end encrypted

BUG FIXES:

- auth/ldap: Don't panic if dialing returns an error and starttls is
  enabled; instead, return the error
- ui (Enterprise): Submitting an unseal key now properly resets the
  form so a browser refresh isn't required to continue.

0.6.3 (December 6, 2016)

DEPRECATIONS/CHANGES:

- Request size limitation: A maximum request size of 32MB is imposed
  to prevent a denial of service attack with arbitrarily large
  requests
- LDAP denies passwordless binds by default: In new LDAP mounts, or
  when existing LDAP mounts are rewritten, passwordless binds will be
  denied by default. The new deny_null_bind parameter can be set to
  false to allow these.
- Any audit backend activated satisfies conditions: Previously, when a
  new Vault node was taking over service in an HA cluster, all audit
  backends were required to be loaded successfully to take over active
  duty. This behavior now matches the behavior of the audit logging
  system itself: at least one audit backend must successfully be loaded.
  The server log contains an error when this occurs. This helps keep a
  Vault HA cluster working when there is a misconfiguration on a standby
  node.

FEATURES:

- Web UI (Enterprise): Vault Enterprise now contains a built-in web UI
  that offers access to a number of features, including
  init/unsealing/sealing, authentication via userpass or LDAP, and K/V
  reading/writing. The capability set of the UI will be expanding
  rapidly in further releases. To enable it, set ui = true in the top
  level of Vault's configuration file and point a web browser at your
  Vault address.
- Google Cloud Storage Physical Backend: You can now use GCS for
  storing Vault data

IMPROVEMENTS:

- auth/github: Policies can now be assigned to users as well as to
  teams
- cli: Set the number of retries on 500 down to 0 by default (no
  retrying). It can be very confusing to users when there is a pause
  while the retries happen if they haven't explicitly set it. With
  request forwarding the need for this is lessened anyways.
- core: Response wrapping is now allowed to be specified by backend
  responses (requires backends gaining support)
- physical/consul: When announcing service, use the scheme of the
  Vault server rather than the Consul client
- secret/consul: Added listing functionality to roles
- secret/postgresql: Added revocation_sql parameter on the role
  endpoint to enable customization of user revocation SQL statements
- secret/transit: Add listing of keys

BUG FIXES:

- api/unwrap, command/unwrap: Increase compatibility of unwrap command
  with Vault 0.6.1 and older
- api/unwrap, command/unwrap: Fix error when no client token exists
- auth/approle: Creating the index for the role_id properly
- auth/aws-ec2: Handle the case of multiple upgrade attempts when
  setting the instance-profile ARN
- auth/ldap: Avoid leaking connections on login
- command/path-help: Use the actual error generated by Vault rather
  than always using 500 when there is a path help error
- command/ssh: Use temporary file for identity and ensure its deletion
  before the command returns
- cli: Fix error printing values with -field if the values contained
  formatting directives
- command/server: Don't say mlock is supported on OSX when it isn't.
- core: Fix bug where a failure to come up as active node (e.g. if an
  audit backend failed) could lead to deadlock
- physical/mysql: Fix potential crash during setup due to a query
  failure
- secret/consul: Fix panic on user error
   2016-12-04 17:30:01 by Benny Siegert | Files touched by this commit (35) | Package updated
Log message:
Revbump Go packages after 1.7.4 update.
   2016-10-29 10:59:49 by Benny Siegert | Files touched by this commit (34) | Package updated
Log message:
Revbump packages depending on Go after the Go 1.7.3 update.