Navigation:
Browse pkgsrc
(this page) 2018-03-30 13:56:27 by Benny Siegert | Files touched by this commit (94) |  |
Log message: Revbump all Go packages after 1.10.1 update. ok wiz@ for committing during freeze |
| 2018-03-23 13:00:12 by Filip Hajny | Files touched by this commit (2) | |
Log message: security/vault: Update to 0.9.6 DEPRECATIONS/CHANGES: - The AWS authentication backend now allows binds for inputs as either a comma-delimited string or a string array. However, to keep consistency with input and output, when reading a role the binds will now be returned as string arrays rather than strings. - In order to prefix-match IAM role and instance profile ARNs in AWS auth backend, you now must explicitly opt-in by adding a `*` to the end of the ARN. Existing configurations will be upgraded automatically, but when writing a new role configuration the updated behavior will be used. FEATURES: - Replication Activation Enhancements: When activating a replication secondary, a public key can now be fetched first from the target cluster. This public key can be provided to the primary when requesting the activation token. If provided, the public key will be used to perform a Diffie-Hellman key exchange resulting in a shared key that encrypts the contents of the activation token. The purpose is to protect against accidental disclosure of the contents of the token if unwrapped by the wrong party, given that the contents of the token are highly sensitive. If accidentally unwrapped, the contents of the token are not usable by the unwrapping party. It is important to note that just as a malicious operator could unwrap the contents of the token, a malicious operator can pretend to be a secondary and complete the Diffie-Hellman exchange on their own; this feature provides defense in depth but still requires due diligence around replication activation, including multiple eyes on the commands/tokens and proper auditing. IMPROVEMENTS: - api: Update renewer grace period logic. It no longer is static, but rather dynamically calculates one based on the current lease duration after each renew. - auth/approle: Allow array input for bound_cidr_list - auth/aws: Allow using lists in role bind parameters - auth/aws: Allow binding by EC2 instance IDs - auth/aws: Allow non-prefix-matched IAM role and instance profile ARNs - auth/ldap: Set a very large size limit on queries - core: Log info notifications of revoked leases for all leases/reasons, not just expirations - physical/couchdb: Removed limit on the listing of items - secret/pki: Support certificate policies - secret/pki: Add ability to have CA:true encoded into intermediate CSRs, to improve compatibility with some ADFS scenarios - secret/transit: Allow selecting signature algorithm as well as hash algorithm when signing/verifying - server: Make sure `tls_disable_client_cert` is actually a true value rather than just set - storage/dynamodb: Allow specifying max retries for dynamo client - storage/gcs: Allow specifying chunk size for transfers, which can reduce memory utilization - sys/capabilities: Add the ability to use multiple paths for capability checking BUG FIXES: - auth/aws: Fix honoring `max_ttl` when a corresponding role `ttl` is not also set - auth/okta: Fix honoring configured `max_ttl` value - auth/token: If a periodic token being issued has a period greater than the max_lease_ttl configured on the token store mount, truncate it. This matches renewal behavior; before it was inconsistent between issuance and renewal. - cli: Improve error messages around `vault auth help` when there is no CLI helper for a particular method |
| 2018-03-04 16:52:21 by Benny Siegert | Files touched by this commit (95) | |
Log message: Revbump all Go packages after Go 1.10 update. |
| 2018-02-27 13:32:35 by Filip Hajny | Files touched by this commit (1) |
Log message: security/vault: Simplify Makefile, enable a basic test target. |
| 2018-02-27 12:20:42 by Filip Hajny | Files touched by this commit (2) | |
Log message: security/vault: Update to 0.9.5 ## 0.9.5 (February 26th, 2018) IMPROVEMENTS: - auth: Allow sending default_lease_ttl and max_lease_ttl values when enabling auth methods. - secret/database: Add list functionality to `database/config` endpoint - physical/consul: Allow setting a specific service address - replication: When bootstrapping a new secondary, if the initial cluster connection fails, Vault will attempt to roll back state so that bootstrapping can be tried again, rather than having to recreate the downstream cluster. This will still require fetching a new secondary activation token. BUG FIXES: - auth/aws: Update libraries to fix regression verifying PKCS#7 identity documents - listener: Revert to Go 1.9 for now to allow certificates with non-DNS names in their DNS SANs to be used for Vault's TLS connections - replication: Fix issue with a performance secondary/DR primary node losing its DR primary status when performing an update-primary operation - replication: Fix issue where performance secondaries could be unable to automatically connect to a performance primary after that performance primary has been promoted to a DR primary from a DR secondary - ui: Fix behavior when a value contains a `.` ## 0.9.4 (February 20th, 2018) SECURITY: - Role Tags used with the EC2 style of AWS auth were being improperly parsed; as a result they were not being used to properly restrict values. Implementations following our suggestion of using these as defense-in-depth rather than the only source of restriction should not have significant impact. FEATURES: - ChaCha20-Poly1305 support in `transit`: You can now encrypt and decrypt with ChaCha20-Poly1305 in `transit`. Key derivation and convergent encryption is also supported. - Okta Push support in Okta Auth Backend: If a user account has MFA required within Okta, an Okta Push MFA flow can be used to successfully finish authentication. - PKI Improvements: Custom OID subject alternate names can now be set, subject to allow restrictions that support globbing. Additionally, Country, Locality, Province, Street Address, and Postal Code can now be set in certificate subjects. - Manta Storage: Joyent Triton Manta can now be used for Vault storage - Google Cloud Spanner Storage: Google Cloud Spanner can now be used for Vault storage IMPROVEMENTS: - auth/centrify: Add CLI helper - audit: Always log failure metrics, even if zero, to ensure the values appear on dashboards - cli: Disable color when output is not a TTY - cli: Add `-format` flag to all subcommands - cli: Do not display deprecation warnings when the format is not table - core: If over a predefined lease count (256k), log a warning not more than once a minute. Too many leases can be problematic for many of the storage backends and often this number of leases is indicative of a need for workflow improvements. - secret/nomad: Have generated ACL tokens cap out at 64 characters - secret/pki: Country, Locality, Province, Street Address, and Postal Code can now be set on certificates - secret/pki: UTF-8 Other Names can now be set in Subject Alternate Names in issued certs; allowed values can be set per role and support globbing - secret/pki: Add a flag to make the common name optional on certs - secret/pki: Ensure only DNS-compatible names go into DNS SANs; additionally, properly handle IDNA transformations for these DNS names - secret/ssh: Add `valid-principles` flag to CLI for CA mode - storage/manta: Add Manta storage - ui (Enterprise): Support for ChaCha20-Poly1305 keys in the transit engine. BUG FIXES: - api/renewer: Honor increment value in renew auth calls - auth/approle: Fix inability to use limited-use-count secret IDs on replication performance secondaries - auth/approle: Cleanup of secret ID accessors during tidy and removal of dangling accessor entries - auth/aws-ec2: Avoid masking of role tag response - auth/cert: Verify DNS SANs in the authenticating certificate - auth/okta: Return configured durations as seconds, not nanoseconds - auth/okta: Get all okta groups for a user vs. default 200 limit - auth/token: Token creation via the CLI no longer forces periodic token creation. Passing an explicit zero value for the period no longer create periodic tokens. - command: Fix interpreted formatting directives when printing raw fields - command: Correctly format output when using -field and -format flags at the same time - command/rekey: Re-add lost `stored-shares` parameter - command/ssh: Create and reuse the api client - command/status: Fix panic when status returns 500 from leadership lookup - identity: Fix race when creating entities - plugin/gRPC: Fixed an issue with list requests and raw responses coming from plugins using gRPC transport - plugin/gRPC: Fix panic when special paths are not set - secret/pki: Verify a name is a valid hostname before adding to DNS SANs - secret/transit: Fix auditing when reading a key after it has been backed up or restored - secret/transit: Fix storage/memory consistency when persistence fails - storage/consul: Validate that service names are RFC 1123 compliant - storage/etcd3: Fix memory ballooning with standby instances - storage/etcd3: Fix large lists (like token loading at startup) not being handled - storage/postgresql: Fix compatibility with versions using custom string version tags - storage/zookeeper: Update vendoring to fix freezing issues - ui (Enterprise): Decoding the replication token should no longer error and prevent enabling of a secondary replication cluster via the ui. - plugin/gRPC: Add connection info to the request object |
| 2018-01-30 17:37:35 by Filip Hajny | Files touched by this commit (2) | |
Log message: Update security/vault to 0.9.3. ## 0.9.3 (January 28th, 2018) A regression from a feature merge disabled the Nomad secrets backend in 0.9.2. This release re-enables the Nomad secrets backend; it is otherwise identical to 0.9.2. ## 0.9.2 (January 26th, 2018) SECURITY: * Okta Auth Backend: While the Okta auth backend was successfully verifying usernames and passwords, it was not checking the returned state of the account, so accounts that had been marked locked out could still be used to log in. Only accounts in SUCCESS or PASSWORD_WARN states are now allowed. * Periodic Tokens: A regression in 0.9.1 meant that periodic tokens created by the AppRole, AWS, and Cert auth backends would expire when the max TTL for the backend/mount/system was hit instead of their stated behavior of living as long as they are renewed. This is now fixed; existing tokens do not have to be reissued as this was purely a regression in the renewal logic. * Seal Wrapping: During certain replication states values written marked for seal wrapping may not be wrapped on the secondaries. This has been fixed, and existing values will be wrapped on next read or write. This does not affect the barrier keys. DEPRECATIONS/CHANGES: * `sys/health` DR Secondary Reporting: The `replication_dr_secondary` bool returned by `sys/health` could be misleading since it would be `false` both when a cluster was not a DR secondary but also when the node is a standby in the cluster and has not yet fully received state from the active node. This could cause health checks on LBs to decide that the node was acceptable for traffic even though DR secondaries cannot handle normal Vault traffic. (In other words, the bool could only convey "yes" or "no" but \ not "not sure yet".) This has been replaced by `replication_dr_mode` and `replication_perf_mode` which are string values that convey the current state of the node; a value of `disabled` indicates that replication is disabled or the state is still being discovered. As a result, an LB check can positively verify that the node is both not `disabled` and is not a DR secondary, and avoid sending traffic to it if either is true. * PKI Secret Backend Roles parameter types: For `ou` and `organization` in role definitions in the PKI secret backend, input can now be a comma-separated string or an array of strings. Reading a role will now return arrays for these parameters. * Plugin API Changes: The plugin API has been updated to utilize golang's context.Context package. Many function signatures now accept a context object as the first parameter. Existing plugins will need to pull in the latest Vault code and update their function signatures to begin using context and the new gRPC transport. FEATURES: * **gRPC Backend Plugins**: Backend plugins now use gRPC for transport, allowing them to be written in other languages. * **Brand New CLI**: Vault has a brand new CLI interface that is significantly streamlined, supports autocomplete, and is almost entirely backwards compatible. * **UI: PKI Secret Backend (Enterprise)**: Configure PKI secret backends, create and browse roles and certificates, and issue and sign certificates via the listed roles. IMPROVEMENTS: * auth/aws: Handle IAM headers produced by clients that formulate numbers as ints rather than strings [GH-3763] * auth/okta: Support JSON lists when specifying groups and policies [GH-3801] * autoseal/hsm: Attempt reconnecting to the HSM on certain kinds of issues, including HA scenarios for some Gemalto HSMs. (Enterprise) * cli: Output password prompts to stderr to make it easier to pipe an output token to another command [GH-3782] * core: Report replication status in `sys/health` [GH-3810] * physical/s3: Allow using paths with S3 for non-AWS deployments [GH-3730] * physical/s3: Add ability to disable SSL for non-AWS deployments [GH-3730] * plugins: Args for plugins can now be specified separately from the command, allowing the same output format and input format for plugin information [GH-3778] * secret/pki: `ou` and `organization` can now be specified as a comma-separated string or an array of strings [GH-3804] * plugins: Plugins will fall back to using netrpc as the communication protocol on older versions of Vault [GH-3833] BUG FIXES: * auth/(approle,aws,cert): Fix behavior where periodic tokens generated by these backends could not have their TTL renewed beyond the system/mount max TTL value [GH-3803] * auth/aws: Fix error returned if `bound_iam_principal_arn` was given to an existing role update [GH-3843] * core/sealwrap: Speed improvements and bug fixes (Enterprise) * identity: Delete group alias when an external group is deleted [GH-3773] * legacymfa/duo: Fix intermittent panic when Duo could not be reached [GH-2030] |
| 2018-01-02 10:35:44 by Filip Hajny | Files touched by this commit (2) |
Log message: Update security/vault to 0.9.1. DEPRECATIONS/CHANGES: - AppRole Case Sensitivity: In prior versions of Vault, `list` operations against AppRole roles would require preserving case in the role name, even though most other operations within AppRole are case-insensitive with respect to the role name. This has been fixed; existing roles will behave as they have in the past, but new roles will act case-insensitively in these cases. - Token Auth Backend Roles parameter types: For `allowed_policies` and `disallowed_policies` in role definitions in the token auth backend, input can now be a comma-separated string or an array of strings. Reading a role will now return arrays for these parameters. - Transit key exporting: You can now mark a key in the `transit` backend as `exportable` at any time, rather than just at creation time; however, once this value is set, it still cannot be unset. - PKI Secret Backend Roles parameter types: For `allowed_domains` and `key_usage` in role definitions in the PKI secret backend, input can now be a comma-separated string or an array of strings. Reading a role will now return arrays for these parameters. - SSH Dynamic Keys Method Defaults to 2048-bit Keys: When using the dynamic key method in the SSH backend, the default is now to use 2048-bit keys if no specific key bit size is specified. - Consul Secret Backend lease handling: The `consul` secret backend can now accept both strings and integer numbers of seconds for its lease value. The value returned on a role read will be an integer number of seconds instead of a human-friendly string. - Unprintable characters not allowed in API paths: Unprintable characters are no longer allowed in names in the API (paths and path parameters), with an extra restriction on whitespace characters. Allowed characters are those that are considered printable by Unicode plus spaces. FEATURES: - Transit Backup/Restore: The `transit` backend now supports a backup operation that can export a given key, including all key versions and configuration, as well as a restore operation allowing import into another Vault. - gRPC Database Plugins: Database plugins now use gRPC for transport, allowing them to be written in other languages. - Nomad Secret Backend: Nomad ACL tokens can now be generated and revoked using Vault. - TLS Cert Auth Backend Improvements: The `cert` auth backend can now match against custom certificate extensions via exact or glob matching, and additionally supports max_ttl and periodic token toggles. IMPROVEMENTS: - auth/cert: Support custom certificate constraints - auth/cert: Support setting `max_ttl` and `period` - audit/file: Setting a file mode of `0000` will now disable Vault from automatically `chmod`ing the log file - auth/github: The legacy MFA system can now be used with the GitHub auth backend - auth/okta: The legacy MFA system can now be used with the Okta auth backend - auth/token: `allowed_policies` and `disallowed_policies` can now be specified as a comma-separated string or an array of strings - command/server: The log level can now be specified with `VAULT_LOG_LEVEL` - core: Period values from auth backends will now be checked and applied to the TTL value directly by core on login and renewal requests - database/mongodb: Add optional `write_concern` parameter, which can be set during database configuration. This establishes a session-wide write concern for the lifecycle of the mount - http: Request path containing non-printable characters will return 400 - Bad Request - mfa/okta: Filter a given email address as a login filter, allowing operation when login email and account email are different - plugins: Make Vault more resilient when unsealing when plugins are unavailable - secret/pki: `allowed_domains` and `key_usage` can now be specified as a comma-separated string or an array of strings - secret/ssh: Allow 4096-bit keys to be used in dynamic key method - secret/consul: The Consul secret backend now uses the value of `lease` set on the role, if set, when renewing a secret. - storage/mysql: Don't attempt database creation if it exists, which can help under certain permissions constraints BUG FIXES: - api/status (enterprise): Fix status reporting when using an auto seal - auth/approle: Fix case-sensitive/insensitive comparison issue - auth/cert: Return `allowed_names` on role read - auth/ldap: Fix incorrect control information being sent - core: Fix seal status reporting when using an autoseal - core: Add creation path to wrap info for a control group token - core: Fix potential panic that could occur using plugins when a node transitioned from active to standby - core: Fix memory ballooning when a connection would connect to the cluster port and then go away -- redux! - core: Replace recursive token revocation logic with depth-first logic, which can avoid hitting stack depth limits in extreme cases - core: When doing a read on configured audited-headers, properly handle case insensitivity - core/pkcs11 (enterprise): Fix panic when PKCS#11 library is not readable - database/mysql: Allow the creation statement to use commands that are not yet supported by the prepare statement protocol - plugin/auth-gcp: Fix IAM roles when using `allow_gce_inference` |
| 2017-11-16 12:31:12 by Filip Hajny | Files touched by this commit (2) | |
Log message: Update security/vault to 0.9.0. DEPRECATIONS/CHANGES: - API HTTP client behavior: When calling `NewClient` the API no longer modifies the provided client/transport. - AWS EC2 client nonce behavior: The client nonce generated by the backend that gets returned along with the authentication response will be audited in plaintext. - AWS Auth role options: The API will now error when trying to create or update a role with the mutually-exclusive options `disallow_reauthentication` and `allow_instance_migration`. - SSH CA role read changes: When reading back a role from the `ssh` backend, the TTL/max TTL values will now be an integer number of seconds rather than a string. This better matches the API elsewhere in Vault. - SSH role list changes: When listing roles from the `ssh` backend via the API, the response data will additionally return a `key_info` map that will contain a map of each key with a corresponding object containing the `key_type`. - More granularity in audit logs: Audit request and response entires are still in RFC3339 format but now have a granularity of nanoseconds. - High availability related values have been moved out of the `storage` and `ha_storage` stanzas, and into the top-level configuration. `redirect_addr` has been renamed to `api_addr`. - A new `seal` stanza has been added to the configuration file, which is optional and enables configuration of the seal type to use for additional data protection, such as using HSM or Cloud KMS solutions to encrypt and decrypt data. FEATURES: - RSA Support for Transit Backend: Transit backend can now generate RSA keys which can be used for encryption and signing. - Identity System: Now in open source and with significant enhancements, Identity is an integrated system for understanding users across tokens and enabling easier management of users directly and via groups. - External Groups in Identity: Vault can now automatically assign users and systems to groups in Identity based on their membership in external groups. - Seal Wrap / FIPS 140-2 Compatibility (Enterprise): Vault can now take advantage of FIPS 140-2-certified HSMs to ensure that Critical Security Parameters are protected in a compliant fashion. - Control Groups (Enterprise): Require multiple members of an Identity group to authorize a requested action before it is allowed to run. - Cloud Auto-Unseal (Enterprise): Automatically unseal Vault using AWS KMS and GCP CKMS. - Sentinel Integration (Enterprise): Take advantage of HashiCorp Sentinel to create extremely flexible access control policies - even on unauthenticated endpoints. - Barrier Rekey Support for Auto-Unseal (Enterprise): When using auto-unsealing functionality, the `rekey` operation is now supported; it uses recovery keys to authorize the master key rekey. - Operation Token for Disaster Recovery Actions (Enterprise): When using Disaster Recovery replication, a token can be created that can be used to authorize actions such as promotion and updating primary information, rather than using recovery keys. - Trigger Auto-Unseal with Recovery Keys (Enterprise): When using auto-unsealing, a request to unseal Vault can be triggered by a threshold of recovery keys, rather than requiring the Vault process to be restarted. - UI Redesign (Enterprise): All new experience for the Vault Enterprise UI. The look and feel has been completely redesigned to give users a better experience and make managing secrets fast and easy. - UI: SSH Secret Backend (Enterprise): Configure an SSH secret backend, create and browse roles. And use them to sign keys or generate one time passwords. - UI: AWS Secret Backend (Enterprise): You can now configure the AWS backend via the Vault Enterprise UI. In addition you can create roles, browse the roles and Generate IAM Credentials from them in the UI. IMPROVEMENTS: - api: Add ability to set custom headers on each call - command/server: Add config option to disable requesting client certificates - core: Disallow mounting underneath an existing path, not just over - physical/file: Use `700` as permissions when creating directories. The files themselves were `600` and are all encrypted, but this doesn't hurt. - secret/aws: Add ability to use custom IAM/STS endpoints - secret/cassandra: Work around Cassandra ignoring consistency levels for a user listing query - secret/pki: Private keys can now be marshalled as PKCS#8 - secret/pki: Allow entering URLs for `pki` as both comma-separated strings and JSON arrays - secret/ssh: Role TTL/max TTL can now be specified as either a string or an integer - secret/transit: Sign and verify operations now support a `none` hash algorithm to allow signing/verifying pre-hashed data - secret/database: Add the ability to glob allowed roles in the Database Backend - ui (enterprise): Support for RSA keys in the transit backend - ui (enterprise): Support for DR Operation Token generation, promoting, and updating primary on DR Secondary clusters BUG FIXES: - api: Fix panic when setting a custom HTTP client but with a nil transport - api: Fix authing to the `cert` backend when the CA for the client cert is not known to the server's listener - auth/approle: Create role ID index during read if a role is missing one - auth/aws: Don't allow mutually exclusive options - auth/radius: Fix logging in in some situations - core: Fix memleak when a connection would connect to the cluster port and then go away - core: Fix panic if a single-use token is used to step-down or seal - core: Set rather than add headers to prevent some duplicated headers in responses when requests were forwarded to the active node - physical/etcd3: Fix some listing issues due to how etcd3 does prefix matching - physical/etcd3: Fix case where standbys can lose their etcd client lease - physical/file: Fix listing when underscores are the first component of a path - plugins: Allow response errors to be returned from backend plugins - secret/transit: Fix panic if the length of the input ciphertext was less than the expected nonce length - ui (enterprise): Reinstate support for generic secret backends - this was erroneously removed in a previous release |
| 2017-09-26 09:41:14 by Filip Hajny | Files touched by this commit (2) |
Log message: Update security/vault to 0.8.3. CHANGES: - Policy input/output standardization: For all built-in authentication backends, policies can now be specified as a comma-delimited string or an array if using JSON as API input; on read, policies will be returned as an array; and the `default` policy will not be forcefully added to policies saved in configurations. Please note that the `default` policy will continue to be added to generated tokens, however, rather than backends adding `default` to the given set of input policies (in some cases, and not in others), the stored set will reflect the user-specified set. - `sign-self-issued` modifies Issuer in generated certificates: In 0.8.2 the endpoint would not modify the Issuer in the generated certificate, leaving the output self-issued. Although theoretically valid, in practice crypto stacks were unhappy validating paths containing such certs. As a result, `sign-self-issued` now encodes the signing CA's Subject DN into the Issuer DN of the generated certificate. - `sys/raw` requires enabling: While the `sys/raw` endpoint can be extremely useful in break-glass or support scenarios, it is also extremely dangerous. As of now, a configuration file option `raw_storage_endpoint` must be set in order to enable this API endpoint. Once set, the available functionality has been enhanced slightly; it now supports listing and decrypting most of Vault's core data structures, except for the encryption keyring itself. - `generic` is now `kv`: To better reflect its actual use, the `generic` backend is now `kv`. Using `generic` will still work for backwards compatibility. FEATURES: - GCE Support for GCP Auth: GCE instances can now authenticate to Vault using machine credentials. - Support for Kubernetes Service Account Auth: Kubernetes Service Accounts can now authenticate to vault using JWT tokens. IMPROVEMENTS: - configuration: Provide a config option to store Vault server's process ID (PID) in a file - mfa (Enterprise): Add the ability to use identity metadata in username format - mfa/okta (Enterprise): Add support for configuring base_url for API calls - secret/pki: `sign-intermediate` will now allow specifying a `ttl` value longer than the signing CA certificate's NotAfter value. - sys/raw: Raw storage access is now disabled by default BUG FIXES: - auth/okta: Fix regression that removed the ability to set base_url - core: Fix panic while loading leases at startup on ARM processors - secret/pki: Fix `sign-self-issued` encoding the wrong subject public key |
| 2017-09-06 13:44:07 by Filip Hajny | Files touched by this commit (2) | |
Log message: ## 0.8.2 (September 5th, 2017) SECURITY: - In prior versions of Vault, if authenticating via AWS IAM and requesting a periodic token, the period was not properly respected. This could lead to tokens expiring unexpectedly, or a token lifetime being longer than expected. Upon token renewal with Vault 0.8.2 the period will be properly enforced. DEPRECATIONS/CHANGES: - `vault ssh` users should supply `-mode` and `-role` to reduce the number of API calls. A future version of Vault will mark these optional values are required. Failure to supply `-mode` or `-role` will result in a warning. - Vault plugins will first briefly run a restricted version of the plugin to fetch metadata, and then lazy-load the plugin on first request to prevent crash/deadlock of Vault during the unseal process. Plugins will need to be built with the latest changes in order for them to run properly. FEATURES: - Lazy Lease Loading: On startup, Vault will now load leases from storage in a lazy fashion (token checks and revocation/renewal requests still force an immediate load). For larger installations this can significantly reduce downtime when switching active nodes or bringing Vault up from cold start. - SSH CA Login with `vault ssh`: `vault ssh` now supports the SSH CA backend for authenticating to machines. It also supports remote host key verification through the SSH CA backend, if enabled. - Signing of Self-Issued Certs in PKI: The `pki` backend now supports signing self-issued CA certs. This is useful when switching root CAs. IMPROVEMENTS: - audit/file: Allow specifying `stdout` as the `file_path` to log to standard output - auth/aws: Allow wildcards in `bound_iam_principal_id` - auth/okta: Compare groups case-insensitively since Okta is only case-preserving - auth/okta: Standarize Okta configuration APIs across backends - cli: Add subcommand autocompletion that can be enabled with `vault -autocomplete-install` - cli: Add ability to handle wrapped responses when using `vault auth`. What is output depends on the other given flags; see the help output for that command for more information. - core: TLS cipher suites used for cluster behavior can now be set via `cluster_cipher_suites` in configuration - core: The `plugin_name` can now either be specified directly as part of the parameter or within the `config` object when mounting a secret or auth backend via `sys/mounts/:path` or `sys/auth/:path` respectively - core: It is now possible to update the `description` of a mount when mount-tuning, although this must be done through the HTTP layer - secret/databases/mongo: If an EOF is encountered, attempt reconnecting and retrying the operation - secret/pki: TTLs can now be specified as a string or an integer number of seconds - secret/pki: Self-issued certs can now be signed via `pki/root/sign-self-issued` - storage/gcp: Use application default credentials if they exist BUG FIXES: - auth/aws: Properly use role-set period values for IAM-derived token renewals - auth/okta: Fix updating organization/ttl/max_ttl after initial setting - core: Fix PROXY when underlying connection is TLS - core: Policy-related commands would sometimes fail to act case-insensitively - storage/consul: Fix parsing TLS configuration when using a bare IPv6 address - plugins: Lazy-load plugins to prevent crash/deadlock during unseal process. - plugins: Skip mounting plugin-based secret and credential mounts when setting up mounts if the plugin is no longer present in the catalog. |
New packages: