./security/vault, Tool for managing secrets

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]

Branch: CURRENT, Version: 0.11.2nb2, Package name: vault-0.11.2nb2, Maintainer: fhajny

Vault is a tool for securely accessing secrets. A secret is
anything that you want to tightly control access to, such as API
keys, passwords, certificates, and more. Vault provides a unified
interface to any secret, while providing tight access control and
recording a detailed audit log.

Required to build:
[pkgtools/cwrappers] [lang/go111]

Master sites:

SHA1: edf3693416121ed75244afab37db1bad491733b1
RMD160: 27c7f6a5a8148c993c746b4be7198caa6b37a4f0
Filesize: 24223.117 KB

Version history: (Expand)

CVS history: (Expand)

   2018-12-19 16:47:12 by Benny Siegert | Files touched by this commit (141) | Package updated
Log message:
Revbump all Go packages after go111 update.
   2018-12-15 22:12:25 by Thomas Klausner | Files touched by this commit (67) | Package updated
Log message:
*: update email for fhajny
   2018-11-04 19:38:09 by Benny Siegert | Files touched by this commit (122) | Package updated
Log message:
Revbump all Go packages after go111 update.
   2018-10-07 22:19:38 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
## 0.11.2 (October 2nd, 2018)


- `sys/seal-status` now includes an `initialized` boolean in the
  output. If Vault is not initialized, it will return a `200` with
  this value set `false` instead of a `400`.
- `passthrough_request_headers` will now deny certain headers from
  being provided to backends based on a global denylist.


- AWS Secret Engine Root Credential Rotation: The credential used by
  the AWS secret engine can now be rotated, to ensure that only Vault
  knows the credentials it is using.
- Storage Backend Migrator: A new `operator migrate` command allows
  offline migration of data between two storage backends.
- AliCloud KMS Auto Unseal and Seal Wrap Support (Enterprise):
  AliCloud KMS can now be used a support seal for  Auto Unseal and
  Seal Wrapping.


- auth/okta: Fix reading deprecated `token` parameter if a token was
  previously set in the configuration
- core: Re-add deprecated capabilities information for now
- core: Fix handling of cyclic token relationships
- storage/mysql: Fix locking on MariaDB
- replication: Fix DR API when using a token
- identity: Ensure old group alias is removed when a new one is
- storage/alicloud: Don't call uname on package init
- secrets/jwt: Fix issue where request context would be canceled too
- ui: fix need to have update for aws iam creds generation
- ui: fix calculation of token expiry


- auth/aws: The identity alias name can now configured to be either
  IAM unique ID of the IAM Principal, or ARN of the caller identity
- auth/cert: Add allowed_organizational_units support
- cli: Format TTLs for non-secret responses
- identity: Support operating on entities and groups by their names
- plugins: Add `env` parameter when registering plugins to the catalog
  to allow operators to include environment variables during plugin
- secrets/aws: WAL Rollback improvements
- secrets/aws: Allow specifying STS role-default TTLs
- secrets/pki: Add configuration support for setting NotBefore
- core: Support for passing the Vault token via an Authorization
  Bearer header
- replication: Reindex process now runs in the background and does not
  block other vault operations
- storage/zookeeper: Enable TLS based communication with Zookeeper
- ui: you can now init a cluster with a seal config
- ui: added the option to force promote replication clusters
- replication: Allow promotion of a secondary when data is syncing
  with a "force" flag
   2018-09-06 22:41:53 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
security/vault: Update to 0.11.1.


- Random Byte Reading in Barrier: Prior to this release, Vault was not
  properly checking the error code when reading random bytes for the IV for
  AES operations in its cryptographic barrier. Specifically, this means that
  such an IV could potentially be zero multiple times, causing nonce re-use
  and weakening the security of the key. On most platforms this should never
  happen because reading from kernel random sources is non-blocking and always
  successful, but there may be platform-specific behavior that has not been
  accounted for. (Vault has tests to check exactly this, and the tests have
  never seen nonce re-use.)


- AliCloud Agent Support: Vault Agent can now authenticate against the
  AliCloud auth method.
- UI: Enable AliCloud auth method and Azure secrets engine via the UI.


- core: Logging level for most logs (not including secrets/auth plugins) can
  now be changed on-the-fly via `SIGHUP`, reading the desired value from
  Vault's config file


- core: Ensure we use a background context when stepping down
- core: Properly check error return from random byte reading
- core: Re-add `sys/` top-route injection for now
- core: Properly store the replication checkpoint file if it's larger than the
  storage engine's per-item limit
- identity: Update MemDB with identity group alias while loading groups
- secrets/database: Fix nil pointer when revoking some leases
- secrets/pki: Fix sign-verbatim losing extra Subject attributes
- secrets/pki: Remove certificates from store when tidying revoked
  certificates and simplify API
- ui: JSON editor will not coerce input to an object, and will now show an
  error about Vault expecting an object
- ui: authentication form will now default to any methods that have been tuned
  to show up for unauthenticated users
   2018-09-03 20:59:08 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
security/vault: Update to 0.11.0.


- Request Timeouts: A default request timeout of 90s is now enforced. This
  setting can be overwritten in the config file. If you anticipate requests
  taking longer than 90s this setting should be updated before upgrading.
- (NOTE: will be re-added into 0.11.1 as it broke more than anticipated. There
  will be some further guidelines around when this will be removed again.)
  * `sys/` Top Level Injection: For the last two years for backwards
  compatibility data for various `sys/` routes has been injected into both the
  Secret's Data map and into the top level of the JSON response object.
  However, this has some subtle issues that pop up from time to time and is
  becoming increasingly complicated to maintain, so it's finally being
- Path Fallback for List Operations: For a very long time Vault has
  automatically adjusted `list` operations to always end in a `/`, as list
  operations operates on prefixes, so all list operations by definition end
  with `/`. This was done server-side so affects all clients. However, this
  has also led to a lot of confusion for users writing policies that assume
  that the path that they use in the CLI is the path used internally. Starting
  in 0.11, ACL policies gain a new fallback rule for listing: they will use a
  matching path ending in `/` if available, but if not found, they will look
  for the same path without a trailing `/`. This allows putting `list`
  capabilities in the same path block as most other capabilities for that
  path, while not providing any extra access if `list` wasn't actually
  provided there.
- Performance Standbys On By Default: If you flavor/license of Vault
  Enterprise supports Performance Standbys, they are on by default. You can
  disable this behavior per-node with the `disable_performance_standby`
  configuration flag.
- AWS Secret Engine Roles: The AWS Secret Engine roles are now explicit about
  the type of AWS credential they are generating; this reduces reduce
  ambiguity that existed previously as well as enables new features for
  specific credential types. Writing role data and generating credentials
  remain backwards compatible; however, the data returned when reading a
  role's configuration has changed in backwards-incompatible ways. Anything
  that depended on reading role data from the AWS secret engine will break
  until it is updated to work with the new format.


- Namespaces (Enterprise): A set of features within Vault Enterprise
  that allows Vault environments to support *Secure Multi-tenancy* within a
  single Vault Enterprise infrastructure. Through namespaces, Vault
  administrators can support tenant isolation for teams and individuals as
  well as empower those individuals to self-manage their own tenant
- Performance Standbys (Enterprise): Standby nodes can now service
  requests that do not modify storage. This provides near-horizontal scaling
  of a cluster in some workloads, and is the intra-cluster analogue of
  the existing Performance Replication feature, which replicates to distinct
  clusters in other datacenters, geos, etc.
- AliCloud OSS Storage: AliCloud OSS can now be used for Vault storage.
- AliCloud Auth Plugin: AliCloud's identity services can now be used to
  grant access to Vault. See the plugin repository for more information.
- Azure Secrets Plugin: There is now a plugin (pulled in to Vault) that
  allows generating credentials to allow access to Azure. See the plugin
  repository for more information.
- HA Support for MySQL Storage: MySQL storage now supports HA.
- ACL Templating: ACL policies can now be templated using identity Entity,
  Groups, and Metadata.
- UI Onboarding wizards: The Vault UI can provide contextual help and
  guidance, linking out to relevant links or guides on vaultproject.io for
  various workflows in Vault.


- agent: Add `exit_after_auth` to be able to use the Agent for a single
- auth/approle: Add ability to set token bound CIDRs on individual Secret IDs
- cli: Add support for passing parameters to `vault read` operations
- secrets/aws: Make credential types more explicit
- secrets/nomad: Support for longer token names
- secrets/pki: Allow disabling CRL generation
- storage/azure: Add support for different Azure environments
- storage/file: Sort keys in list responses
- storage/mysql: Support special characters in database and table names.


- auth/jwt: Always validate `aud` claim even if `bound_audiences` isn't set
  (IOW, error in this case)
- core: Prevent Go's HTTP library from interspersing logs in a different
  format and/or interleaved
- identity: Properly populate `mount_path` and `mount_type` on group lookup
- identity: Fix persisting alias metadata
- identity: Fix carryover issue from previously fixed race condition that
  could cause Vault not to start up due to two entities referencing the same
  alias. These entities are now merged.
- replication: Fix issue causing some pages not to flush to storage
- secrets/database: Fix inability to update custom SQL statements on
  database roles.
- secrets/pki: Disallow putting the CA's serial on its CRL. While technically
  legal, doing so inherently means the CRL can't be trusted anyways, so it's
  not useful and easy to footgun.
- storage/gcp,spanner: Fix data races
   2018-07-08 15:54:39 by Benny Siegert | Files touched by this commit (2)
Log message:
Do not use "naked" go invocations.

Use ${GO} instead.
   2018-06-12 19:50:29 by Benny Siegert | Files touched by this commit (102) | Package updated
Log message:
Revbump all Go packages after lang/go update.