Path to this page:
Subject: CVS commit: pkgsrc/security/vault
From: Filip Hajny
Date: 2018-09-03 20:59:08
Message id: 20180903185908.946EDFBF8@cvs.NetBSD.org
Log Message:
security/vault: Update to 0.11.0.
DEPRECATIONS/CHANGES:
- Request Timeouts: A default request timeout of 90s is now enforced. This
setting can be overwritten in the config file. If you anticipate requests
taking longer than 90s this setting should be updated before upgrading.
- (NOTE: will be re-added into 0.11.1 as it broke more than anticipated. There
will be some further guidelines around when this will be removed again.)
* `sys/` Top Level Injection: For the last two years for backwards
compatibility data for various `sys/` routes has been injected into both the
Secret's Data map and into the top level of the JSON response object.
However, this has some subtle issues that pop up from time to time and is
becoming increasingly complicated to maintain, so it's finally being
removed.
- Path Fallback for List Operations: For a very long time Vault has
automatically adjusted `list` operations to always end in a `/`, as list
operations operates on prefixes, so all list operations by definition end
with `/`. This was done server-side so affects all clients. However, this
has also led to a lot of confusion for users writing policies that assume
that the path that they use in the CLI is the path used internally. Starting
in 0.11, ACL policies gain a new fallback rule for listing: they will use a
matching path ending in `/` if available, but if not found, they will look
for the same path without a trailing `/`. This allows putting `list`
capabilities in the same path block as most other capabilities for that
path, while not providing any extra access if `list` wasn't actually
provided there.
- Performance Standbys On By Default: If you flavor/license of Vault
Enterprise supports Performance Standbys, they are on by default. You can
disable this behavior per-node with the `disable_performance_standby`
configuration flag.
- AWS Secret Engine Roles: The AWS Secret Engine roles are now explicit about
the type of AWS credential they are generating; this reduces reduce
ambiguity that existed previously as well as enables new features for
specific credential types. Writing role data and generating credentials
remain backwards compatible; however, the data returned when reading a
role's configuration has changed in backwards-incompatible ways. Anything
that depended on reading role data from the AWS secret engine will break
until it is updated to work with the new format.
FEATURES:
- Namespaces (Enterprise): A set of features within Vault Enterprise
that allows Vault environments to support *Secure Multi-tenancy* within a
single Vault Enterprise infrastructure. Through namespaces, Vault
administrators can support tenant isolation for teams and individuals as
well as empower those individuals to self-manage their own tenant
environment.
- Performance Standbys (Enterprise): Standby nodes can now service
requests that do not modify storage. This provides near-horizontal scaling
of a cluster in some workloads, and is the intra-cluster analogue of
the existing Performance Replication feature, which replicates to distinct
clusters in other datacenters, geos, etc.
- AliCloud OSS Storage: AliCloud OSS can now be used for Vault storage.
- AliCloud Auth Plugin: AliCloud's identity services can now be used to
grant access to Vault. See the plugin repository for more information.
- Azure Secrets Plugin: There is now a plugin (pulled in to Vault) that
allows generating credentials to allow access to Azure. See the plugin
repository for more information.
- HA Support for MySQL Storage: MySQL storage now supports HA.
- ACL Templating: ACL policies can now be templated using identity Entity,
Groups, and Metadata.
- UI Onboarding wizards: The Vault UI can provide contextual help and
guidance, linking out to relevant links or guides on vaultproject.io for
various workflows in Vault.
IMPROVEMENTS:
- agent: Add `exit_after_auth` to be able to use the Agent for a single
authentication
- auth/approle: Add ability to set token bound CIDRs on individual Secret IDs
- cli: Add support for passing parameters to `vault read` operations
- secrets/aws: Make credential types more explicit
- secrets/nomad: Support for longer token names
- secrets/pki: Allow disabling CRL generation
- storage/azure: Add support for different Azure environments
- storage/file: Sort keys in list responses
- storage/mysql: Support special characters in database and table names.
BUG FIXES:
- auth/jwt: Always validate `aud` claim even if `bound_audiences` isn't set
(IOW, error in this case)
- core: Prevent Go's HTTP library from interspersing logs in a different
format and/or interleaved
- identity: Properly populate `mount_path` and `mount_type` on group lookup
- identity: Fix persisting alias metadata
- identity: Fix carryover issue from previously fixed race condition that
could cause Vault not to start up due to two entities referencing the same
alias. These entities are now merged.
- replication: Fix issue causing some pages not to flush to storage
- secrets/database: Fix inability to update custom SQL statements on
database roles.
- secrets/pki: Disallow putting the CA's serial on its CRL. While technically
legal, doing so inherently means the CRL can't be trusted anyways, so it's
not useful and easy to footgun.
- storage/gcp,spanner: Fix data races
Files: