./security/vault, Tool for managing secrets

Branch: CURRENT, Version: 0.9.0, Package name: vault-0.9.0, Maintainer: filip

Vault is a tool for securely accessing secrets. A secret is
anything that you want to tightly control access to, such as API
keys, passwords, certificates, and more. Vault provides a unified
interface to any secret, while providing tight access control and
recording a detailed audit log.


Required to build:
[pkgtools/cwrappers]

Master sites:

SHA1: e0a7cc5fb0584cbb657c7042ba7cb9e4295d385e
RMD160: e14063aebb3d3ad08cccbd1b603c19513d1cf8d3
Filesize: 8259.046 KB

CVS history:

   2017-11-16 12:31:12 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
Update security/vault to 0.9.0.

DEPRECATIONS/CHANGES:

- API HTTP client behavior: When calling `NewClient` the API no longer
  modifies the provided client/transport.
- AWS EC2 client nonce behavior: The client nonce generated by the
  backend that gets returned along with the authentication response
  will be audited in plaintext.
- AWS Auth role options: The API will now error when trying to create
  or update a role with the mutually-exclusive options
  `disallow_reauthentication` and `allow_instance_migration`.
- SSH CA role read changes: When reading back a role from the `ssh`
  backend, the TTL/max TTL values will now be an integer number of
  seconds rather than a string. This better matches the API elsewhere
  in Vault.
- SSH role list changes: When listing roles from the `ssh` backend via
  the API, the response data will additionally return a `key_info` map
  that will contain a map of each key with a corresponding object
  containing the `key_type`.
- More granularity in audit logs: Audit request and response entries
  are still in RFC3339 format but now have a granularity of
  nanoseconds.
- High availability related values have been moved out of the
  `storage` and `ha_storage` stanzas, and into the top-level
  configuration. `redirect_addr` has been renamed to `api_addr`.
- A new `seal` stanza has been added to the configuration file, which
  is optional and enables configuration of the seal type to use for
  additional data protection, such as using HSM or Cloud KMS solutions
  to encrypt and decrypt data.

FEATURES:

- RSA Support for Transit Backend: Transit backend can now generate
  RSA keys which can be used for encryption and signing.
- Identity System: Now in open source and with significant
  enhancements, Identity is an integrated system for understanding
  users across tokens and enabling easier management of users directly
  and via groups.
- External Groups in Identity: Vault can now automatically assign
  users and systems to groups in Identity based on their membership in
  external groups.
- Seal Wrap / FIPS 140-2 Compatibility (Enterprise): Vault can now
  take advantage of FIPS 140-2-certified HSMs to ensure that Critical
  Security Parameters are protected in a compliant fashion.
- Control Groups (Enterprise): Require multiple members of an Identity
  group to authorize a requested action before it is allowed to run.
- Cloud Auto-Unseal (Enterprise): Automatically unseal Vault using AWS
  KMS and GCP CKMS.
- Sentinel Integration (Enterprise): Take advantage of HashiCorp
  Sentinel to create extremely flexible access control policies - even
  on unauthenticated endpoints.
- Barrier Rekey Support for Auto-Unseal (Enterprise): When using
  auto-unsealing functionality, the `rekey` operation is now
  supported; it uses recovery keys to authorize the master key rekey.
- Operation Token for Disaster Recovery Actions (Enterprise): When
  using Disaster Recovery replication, a token can be created that can
  be used to authorize actions such as promotion and updating primary
  information, rather than using recovery keys.
- Trigger Auto-Unseal with Recovery Keys (Enterprise): When using
  auto-unsealing, a request to unseal Vault can be triggered by a
  threshold of recovery keys, rather than requiring the Vault process to
  be restarted.
- UI Redesign (Enterprise): All new experience for the Vault
  Enterprise UI. The look and feel has been completely redesigned to
  give users a better experience and make managing secrets fast and
  easy.
- UI: SSH Secret Backend (Enterprise): Configure an SSH secret
  backend, create and browse roles. And use them to sign keys or
  generate one time passwords.
- UI: AWS Secret Backend (Enterprise): You can now configure the AWS
  backend via the Vault Enterprise UI. In addition you can create
  roles, browse the roles and Generate IAM Credentials from them
  in the UI.

IMPROVEMENTS:

- api: Add ability to set custom headers on each call
- command/server: Add config option to disable requesting client
  certificates
- core: Disallow mounting underneath an existing path, not just over
- physical/file: Use `700` as permissions when creating directories.
  The files themselves were `600` and are all encrypted, but this
  doesn't hurt.
- secret/aws: Add ability to use custom IAM/STS endpoints
- secret/cassandra: Work around Cassandra ignoring consistency levels
  for a user listing query
- secret/pki: Private keys can now be marshalled as PKCS#8
- secret/pki: Allow entering URLs for `pki` as both comma-separated
  strings and JSON arrays
- secret/ssh: Role TTL/max TTL can now be specified as either a string
  or an integer
- secret/transit: Sign and verify operations now support a `none` hash
  algorithm to allow signing/verifying pre-hashed data
- secret/database: Add the ability to glob allowed roles in the
  Database Backend
- ui (enterprise): Support for RSA keys in the transit backend
- ui (enterprise): Support for DR Operation Token generation,
  promoting, and updating primary on DR Secondary clusters

BUG FIXES:

- api: Fix panic when setting a custom HTTP client but with a nil
  transport
- api: Fix authing to the `cert` backend when the CA for the client
  cert is not known to the server's listener
- auth/approle: Create role ID index during read if a role is missing
  one
- auth/aws: Don't allow mutually exclusive options
- auth/radius: Fix logging in in some situations
- core: Fix memleak when a connection would connect to the cluster
  port and then go away
- core: Fix panic if a single-use token is used to step-down or seal
- core: Set rather than add headers to prevent some duplicated headers
  in responses when requests were forwarded to the active node
- physical/etcd3: Fix some listing issues due to how etcd3 does prefix
  matching
- physical/etcd3: Fix case where standbys can lose their etcd client
  lease
- physical/file: Fix listing when underscores are the first component
  of a path
- plugins: Allow response errors to be returned from backend plugins
- secret/transit: Fix panic if the length of the input ciphertext was
  less than the expected nonce length
- ui (enterprise): Reinstate support for generic secret backends -
  this was erroneously removed in a previous release

   2017-09-26 09:41:14 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
Update security/vault to 0.8.3.

CHANGES:

- Policy input/output standardization: For all built-in authentication
  backends, policies can now be specified as a comma-delimited string or an
  array if using JSON as API input; on read, policies will be returned as an
  array; and the `default` policy will not be forcefully added to policies
  saved in configurations. Please note that the `default` policy will continue
  to be added to generated tokens, however, rather than backends adding
  `default` to the given set of input policies (in some cases, and not in
  others), the stored set will reflect the user-specified set.
- `sign-self-issued` modifies Issuer in generated certificates: In 0.8.2 the
  endpoint would not modify the Issuer in the generated certificate, leaving
  the output self-issued. Although theoretically valid, in practice crypto
  stacks were unhappy validating paths containing such certs. As a result,
  `sign-self-issued` now encodes the signing CA's Subject DN into the Issuer
  DN of the generated certificate.
- `sys/raw` requires enabling: While the `sys/raw` endpoint can be extremely
  useful in break-glass or support scenarios, it is also extremely dangerous.
  As of now, a configuration file option `raw_storage_endpoint` must be set in
  order to enable this API endpoint. Once set, the available functionality has
  been enhanced slightly; it now supports listing and decrypting most of
  Vault's core data structures, except for the encryption keyring itself.
- `generic` is now `kv`: To better reflect its actual use, the `generic`
  backend is now `kv`. Using `generic` will still work for backwards
  compatibility.

FEATURES:

- GCE Support for GCP Auth: GCE instances can now authenticate to Vault
  using machine credentials.
- Support for Kubernetes Service Account Auth: Kubernetes Service Accounts
  can now authenticate to vault using JWT tokens.

IMPROVEMENTS:

- configuration: Provide a config option to store Vault server's process ID
  (PID) in a file
- mfa (Enterprise): Add the ability to use identity metadata in username
  format
- mfa/okta (Enterprise): Add support for configuring base_url for API calls
- secret/pki: `sign-intermediate` will now allow specifying a `ttl` value
  longer than the signing CA certificate's NotAfter value.
- sys/raw: Raw storage access is now disabled by default

BUG FIXES:

- auth/okta: Fix regression that removed the ability to set base_url
- core: Fix panic while loading leases at startup on ARM processors
- secret/pki: Fix `sign-self-issued` encoding the wrong subject public key

   2017-09-06 13:44:07 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
## 0.8.2 (September 5th, 2017)

SECURITY:

- In prior versions of Vault, if authenticating via AWS IAM and
  requesting a periodic token, the period was not properly respected.
  This could lead to tokens expiring unexpectedly, or a token lifetime
  being longer than expected. Upon token renewal with Vault 0.8.2 the
  period will be properly enforced.

DEPRECATIONS/CHANGES:

- `vault ssh` users should supply `-mode` and `-role` to reduce the
  number of API calls. A future version of Vault will mark these
  optional values as required. Failure to supply `-mode` or `-role`
  will result in a warning.
- Vault plugins will first briefly run a restricted version of the
  plugin to fetch metadata, and then lazy-load the plugin on first
  request to prevent crash/deadlock of Vault during the unseal process.
  Plugins will need to be built with the latest changes in order for them
  to run properly.

FEATURES:

- Lazy Lease Loading: On startup, Vault will now load leases from
  storage in a lazy fashion (token checks and revocation/renewal
  requests still force an immediate load). For larger installations this
  can significantly reduce downtime when switching active nodes or
  bringing Vault up from cold start.
- SSH CA Login with `vault ssh`: `vault ssh` now supports the SSH CA
  backend for authenticating to machines. It also supports remote host
  key verification through the SSH CA backend, if enabled.
- Signing of Self-Issued Certs in PKI: The `pki` backend now supports
  signing self-issued CA certs. This is useful when switching root CAs.

IMPROVEMENTS:

- audit/file: Allow specifying `stdout` as the `file_path` to log to
  standard output
- auth/aws: Allow wildcards in `bound_iam_principal_id`
- auth/okta: Compare groups case-insensitively since Okta is only
  case-preserving
- auth/okta: Standardize Okta configuration APIs across backends
- cli: Add subcommand autocompletion that can be enabled with `vault
  -autocomplete-install`
- cli: Add ability to handle wrapped responses when using `vault auth`.
  What is output depends on the other given flags; see the help output
  for that command for more information.
- core: TLS cipher suites used for cluster behavior can now be set via
  `cluster_cipher_suites` in configuration
- core: The `plugin_name` can now either be specified directly as part
  of the parameter or within the `config` object when mounting a secret
  or auth backend via `sys/mounts/:path` or `sys/auth/:path` respectively
- core: It is now possible to update the `description` of a mount when
  mount-tuning, although this must be done through the HTTP layer
- secret/databases/mongo: If an EOF is encountered, attempt reconnecting
  and retrying the operation
- secret/pki: TTLs can now be specified as a string or an integer number
  of seconds
- secret/pki: Self-issued certs can now be signed via
  `pki/root/sign-self-issued`
- storage/gcp: Use application default credentials if they exist

BUG FIXES:

- auth/aws: Properly use role-set period values for IAM-derived token
  renewals
- auth/okta: Fix updating organization/ttl/max_ttl after initial setting
- core: Fix PROXY when underlying connection is TLS
- core: Policy-related commands would sometimes fail to act
  case-insensitively
- storage/consul: Fix parsing TLS configuration when using a bare IPv6
  address
- plugins: Lazy-load plugins to prevent crash/deadlock during unseal
  process.
- plugins: Skip mounting plugin-based secret and credential mounts when
  setting up mounts if the plugin is no longer present in the catalog.

   2017-09-06 11:03:07 by Thomas Klausner | Files touched by this commit (86)
Log message:
Follow some redirects.

   2017-08-17 09:58:53 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
Update security/vault to 0.8.1.

DEPRECATIONS/CHANGES:

- PKI Root Generation: Calling `pki/root/generate` when a CA cert/key already
  exists will now return a `204` instead of overwriting an existing root. If
  you want to recreate the root, first run a delete operation on `pki/root`
  (requires `sudo` capability), then generate it again.

FEATURES:

- Oracle Secret Backend: There is now an external plugin to support leased
  credentials for Oracle databases (distributed separately).
- GCP IAM Auth Backend: There is now an authentication backend that allows
  using GCP IAM credentials to retrieve Vault tokens. This is available as
  both a plugin and built-in to Vault.
- PingID Push Support for Path-Based MFA (Enterprise): PingID Push can
  now be used for MFA with the new path-based MFA introduced in Vault
  Enterprise 0.8.
- Permitted DNS Domains Support in PKI: The `pki` backend now supports
  specifying permitted DNS domains for CA certificates, allowing you to
  narrowly scope the set of domains for which a CA can issue or sign child
  certificates.
- Plugin Backend Reload Endpoint: Plugin backends can now be triggered to
  reload using the `sys/plugins/reload/backend` endpoint and providing either
  the plugin name or the mounts to reload.
- Self-Reloading Plugins: The plugin system will now attempt to reload a
  crashed or stopped plugin, once per request.

IMPROVEMENTS:

- auth/approle: Allow array input for policies in addition to comma-delimited
  strings
- auth/aws: Allow using root credentials for IAM authentication
- plugins: Send logs through Vault's logger rather than stdout
- secret/pki: Add `pki/root` delete operation
- secret/pki: Don't overwrite an existing root cert/key when calling generate

BUG FIXES:

- aws: Don't prefer a nil HTTP client over an existing one
- core: If there is an error when checking for create/update existence, return
  500 instead of 400
- secret/database: Avoid creating usernames that are too long for legacy MySQL

   2017-08-16 14:18:32 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
Update security/vault to 0.8.0.

SECURITY:

- We've added a note to the docs about the way the GitHub auth backend works
  as it may not be readily apparent that GitHub personal access tokens, which
  are used by the backend, can be used for unauthorized access if they are
  stolen from third party services and access to Vault is public.

DEPRECATIONS/CHANGES:

- Database Plugin Backends: Passwords generated for these backends now
  enforce stricter password requirements, as opposed to the previous behavior
  of returning a randomized UUID.
- Lease Endpoints: The endpoints 'sys/renew', 'sys/revoke', 'sys/revoke-prefix',
  'sys/revoke-force' have been deprecated and relocated under 'sys/leases'.
- Response Wrapping Lookup Unauthenticated: The 'sys/wrapping/lookup' endpoint
  is now unauthenticated.

FEATURES:

- Cassandra Storage: Cassandra can now be used for Vault storage
- CockroachDB Storage: CockroachDB can now be used for Vault storage
- CouchDB Storage: CouchDB can now be used for Vault storage
- SAP HANA Database Plugin: The 'databases' backend can now manage users
  for SAP HANA databases
- Plugin Backends: Vault now supports running secret and auth backends as
  plugins.
- PROXY Protocol Support: Vault listeners can now be configured to honor
  PROXY protocol v1 information to allow passing real client IPs into Vault.
- Lease Lookup and Browsing in the Vault Enterprise UI: Vault Enterprise UI
  now supports lookup and listing of leases and the associated actions from the
  'sys/leases' endpoints in the API.
- Filtered Mounts for Performance Mode Replication: Whitelists or
  blacklists of mounts can be defined per-secondary to control which mounts
  are actually replicated to that secondary.
- Disaster Recovery Mode Replication (Enterprise Only): There is a new
  replication mode, Disaster Recovery (DR), that performs full real-time
  replication (including tokens and leases) to DR secondaries.
- Manage New Replication Features in the Vault Enterprise UI: Support for
  Replication features in Vault Enterprise UI has expanded to include new DR
  Replication mode and management of Filtered Mounts in Performance Replication
  mode.
- Vault Identity (Enterprise Only): Vault's new Identity system allows
  correlation of users across tokens.
- Duo Push, Okta Push, and TOTP MFA For All Authenticated Paths (Enterprise
  Only): A brand new MFA system built on top of Identity allows MFA
  (currently Duo Push, Okta Push, and TOTP) for any authenticated path within
  Vault.

IMPROVEMENTS:

- api: Add client method for a secret renewer background process
- api: Add 'RenewTokenAsSelf'
- api: Client timeout can now be adjusted with the 'VAULT_CLIENT_TIMEOUT' env
  var or with a new API function
- api/cli: Client will now attempt to look up SRV records for the given Vault
  hostname
- audit/socket: Enhance reconnection logic and don't require the connection to
  be established at unseal time
- audit/file: Opportunistically try re-opening the file on error
- auth/approle: Add role name to token metadata
- auth/okta: Allow specifying 'ttl'/'max_ttl' inside the mount
- cli: Client timeout can now be adjusted with the 'VAULT_CLIENT_TIMEOUT' env
  var
- command/auth: Add '-token-only' flag to 'vault auth' that returns only the
  token on stdout and does not store it via the token helper
- core: CORS allowed origins can now be configured
- core: Add metrics counters for audit log failures
- cors: Allow setting allowed headers via the API instead of always using
  wildcard
- secret/ssh: Allow specifying the key ID format using template values for CA
  type
- server: Add 'tls_client_ca_file' option for specifying a CA file to use for
  client certificate verification when 'tls_require_and_verify_client_cert' is
  enabled
- storage/cockroachdb: Add CockroachDB storage backend
- storage/couchdb: Add CouchDB storage backend
- storage/mssql: Add 'max_parallel'
- storage/postgresql: Add 'max_parallel'
- storage/postgresql: Improve listing speed
- storage/s3: More efficient paging when an object has a lot of subobjects
- sys/wrapping: Make 'sys/wrapping/lookup' unauthenticated
- sys/wrapping: Wrapped tokens now store the original request path of the data
- telemetry: Add support for DogStatsD

BUG FIXES:

- api/health: Don't treat standby '429' codes as an error
- api/leases: Fix lease lookup returning lease properties at the top level
- audit: Fix panic when audit logging a read operation on an asymmetric
  'transit' key
- auth/approle: Fix panic when secret and cidr list not provided in role
- auth/aws: Look up proper account ID on token renew
- auth/aws: Store IAM header in all cases when it changes
- auth/ldap: Verify given certificate is PEM encoded instead of failing
  silently
- auth/token: Don't allow using the same token ID twice when manually
  specifying
- cli: Fix issue with parsing keys that start with special characters
- core: Relocated 'sys/leases/renew' returns same payload as original
  'sys/leases' endpoint
- secret/ssh: Fix panic when signing with incorrect key type
- secret/totp: Ensure codes can only be used once. This makes some automated
  workflows harder but complies with the RFC.
- secret/transit: Fix locking when creating a key with unsupported options

   2017-06-13 08:28:38 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
Update security/vault to 0.7.3.

## 0.7.3 (June 7th, 2017)

SECURITY:

- Cert auth backend now checks validity of individual certificates
- App-ID path salting was skipped in 0.7.1/0.7.2

DEPRECATIONS/CHANGES:

- Step-Down is Forwarded

FEATURES:

- ed25519 Signing/Verification in Transit with Key Derivation
- Key Version Specification for Encryption in Transit
- Replication Primary Discovery (Enterprise)

IMPROVEMENTS:

- api/health: Add Sys().Health()
- audit: Add auth information to requests that error out
- command/auth: Add `-no-store` option that prevents the auth command
  from storing the returned token into the configured token helper
- core/forwarding: Request forwarding now heartbeats to prevent unused
  connections from being terminated by firewalls or proxies
- plugins/databases: Add MongoDB as an internal database plugin
- storage/dynamodb: Add a method for checking the existence of
  children, speeding up deletion operations in the DynamoDB storage backend
- storage/mysql: Add max_parallel parameter to MySQL backend
- secret/databases: Support listing connections
- secret/databases: Support custom renewal statements in Postgres
  database plugin
- secret/databases: Use the role name as part of generated credentials
- ui (Enterprise): Transit key and secret browsing UI handle large
  lists better
- ui (Enterprise): root tokens are no longer persisted
- ui (Enterprise): support for mounting Database and TOTP secret
  backends

BUG FIXES:

- auth/app-id: Fix regression causing loading of salts to be skipped
- auth/aws: Improve EC2 describe instances performance
- auth/aws: Fix lookup of some instance profile ARNs
- auth/aws: Resolve ARNs to internal AWS IDs which makes lookup at
  various points (e.g. renewal time) more robust
- auth/aws: Properly honor configured period when using IAM
  authentication
- auth/aws: Check that a bound IAM principal is not empty (in the
  current state of the role) before requiring it match the previously
  authenticated client
- auth/cert: Fix panic on renewal
- auth/cert: Certificate verification for non-CA certs
- core/acl: Prevent race condition when compiling ACLs in some
  scenarios
- secret/database: Increase wrapping token TTL; in a loaded scenario
  it could be too short
- secret/generic: Allow integers to be set as the value of `ttl` field
  as the documentation claims is supported
- secret/ssh: Added host key callback to ssh client config
- storage/s3: Avoid a panic when some bad data is returned
- storage/dynamodb: Fix list functions working improperly on Windows
- storage/file: Don't leak file descriptors in some error cases
- storage/swift: Fix pre-v3 project/tenant name reading

   2017-05-10 20:21:27 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
Update security/vault to 0.7.2.

0.7.2 (May 8th, 2017)

BUG FIXES:

- audit: Fix auditing entries containing certain kinds of time values

0.7.1 (May 5th, 2017)

DEPRECATIONS/CHANGES:

- LDAP Auth Backend: Group membership queries will now run as the
  binddn user when binddn/bindpass are configured, rather than as the
  authenticating user as was the case previously.

FEATURES:

- AWS IAM Authentication
- MSSQL Physical Backend
- Lease Listing and Lookup
- TOTP Secret Backend
- Database Secret Backend & Secure Plugins (Beta)

IMPROVEMENTS:

- auth/cert: Support for constraints on subject Common Name and
  DNS/email Subject Alternate Names in certificates
- auth/ldap: Use the binding credentials to search group membership
  rather than the user credentials
- cli/revoke: Add -self option to allow revoking the currently active
  token
- core: Randomize x coordinate in Shamir shares
- tidy: Improvements to auth/token/tidy and sys/leases/tidy to handle
  more cleanup cases
- secret/pki: Add no_store option that allows certificates to be
  issued without being stored. This removes the ability to look up
  and/or add to a CRL but helps with scaling to very large numbers of
  certificates.
- secret/pki: If used with a role parameter, the sign-verbatim/<role>
  endpoint honors the values of generate_lease, no_store, ttl and
  max_ttl from the given role
- secret/pki: Add role parameter allow_glob_domains that enables
  defining names in allowed_domains containing * glob patterns
- secret/pki: Update certificate storage to not use characters that
  are not supported on some filesystems
- storage/etcd3: Add discovery_srv option to query for SRV records to
  find servers
- storage/s3: Support max_parallel option to limit concurrent
  outstanding requests
- storage/s3: Use pooled transport for http client
- storage/swift: Allow domain values for V3 authentication

BUG FIXES:

- api: Respect a configured path in Vault's address
- auth/aws-ec2: New bounds added as criteria to allow role creation
- auth/ldap: Don't lowercase groups attached to users
- cli: Don't panic if vault write is used with the force flag but no
  path
- core: Help operations should request forward since standbys may not
  have appropriate info
- replication: Fix enabling secondaries when certain mounts already
  existed on the primary
- secret/mssql: Update mssql driver to support queries with colons
- secret/pki: Don't lowercase O/OU values in certs
- secret/pki: Don't attempt to validate IP SANs if none are provided