diff --git a/CHANGELOG.md b/CHANGELOG.md index 09927bd03d..c6b5e752fc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -25,7 +25,7 @@ FEATURES: (secp384r1) and P-521 (secp521r1) ECDSA curves [GH-7551] and encryption and decryption is now supported via AES128-GCM96 [GH-7555] * **SSRF Protection for Vault Agent**: Vault Agent has a configuration option to - require a specific header beffore allowing requests. + require a specific header beffore allowing requests [GH-7627] * **AWS Auth Method Root Rotation**: The credential used by the AWS auth method can now be rotated, to ensure that only Vault knows the credentials it is using [GH-7131] * **New UI Features** The UI now supports managing users and groups for the @@ -38,18 +38,6 @@ FEATURES: documentation](https://www.vaultproject.io/docs/config/index.html) for details. [GH-6957] -CHANGES: - - * auth/aws: If a custom `sts_endpoint` is configured, Vault Agent and the CLI - should provide the corresponding region via the `region` parameter (which - already existed as a CLI parameter, and has now been added to Agent). The - automatic region detection added to the CLI and Agent in 1.2 has been removed. - * sys/seal-status now has a `storage_type` field denoting what type of storage - the cluster is configured to use - * Vault Agent now has a new optional `require_request_header` option per - listener. If the option is set, each incoming request must have a - `X-Vault-Request: true` header entry. [GH-7627] - IMPROVEMENTS: * auth/jwt: The redirect callback host may now be specified for CLI logins 
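Review bot: the rewritten feature line in this hunk still carries the typo "beffore" (`+ require a specific header beffore allowing requests [GH-7627]`); since the line is being touched anyway, correct it to "before". The deleted CHANGES block also drops two notes that nothing in this hunk re-adds: the `auth/aws` note that a custom `sts_endpoint` now requires an explicit `region` parameter (and that the automatic region detection added in 1.2 was removed), and the `require_request_header` listener option with its `X-Vault-Request: true` header value. The first is a behaviour change operators need to see in the changelog; the second is the concrete configuration detail behind the SSRF Protection bullet, which now only cites [GH-7627]. Suggest keeping both: fold the option name and header value into the feature bullet, and move the `auth/aws` entry to the IMPROVEMENTS list (or keep a CHANGES section) rather than deleting it.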
@@ -79,6 +67,8 @@ IMPROVEMENTS: * sys: Add a new set of endpoints under `sys/pprof/` that allows profiling information to be extracted [GH-7473] * sys: Add endpoint that counts the total number of active identity entities [GH-7541] + * sys: `sys/seal-status` now has a `storage_type` field denoting what type of storage + the cluster is configured to use * sys/config: Add a new endpoint under `sys/config/state/sanitized` that returns the configuration state of the server. It excludes config values from `storage`, `ha_storage`, and `seal` stanzas and some values 
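Review bot: the two added `sys/seal-status` lines have no `[GH-xxxx]` reference, while every neighbouring IMPROVEMENTS entry in this hunk cites one ([GH-7473], [GH-7541]); add the PR reference for the `storage_type` field so readers can trace it like the other entries.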
@@ -1291,1656 +1281,4 @@ FEATURES: * **ACL Templating**: ACL policies can now be templated using identity Entity, Groups, and Metadata. * **UI Onboarding wizards**: The Vault UI can provide contextual help and - guidance, linking out to relevant links or guides on vaultproject.io for - various workflows in Vault. - -IMPROVEMENTS: - - * agent: Add `exit_after_auth` to be able to use the Agent for a single - authentication [GH-5013] - * auth/approle: Add ability to set token bound CIDRs on individual Secret IDs - [GH-5034] - * cli: Add support for passing parameters to `vault read` operations [GH-5093] - * secrets/aws: Make credential types more explicit [GH-4360] - * secrets/nomad: Support for longer token names [GH-5117] - * secrets/pki: Allow disabling CRL generation [GH-5134] - * storage/azure: Add support for different Azure environments [GH-4997] - * storage/file: Sort keys in list responses [GH-5141] - * storage/mysql: Support special characters in database and table names. - -BUG FIXES: - - * auth/jwt: Always validate `aud` claim even if `bound_audiences` isn't set - (IOW, error in this case) - * core: Prevent Go's HTTP library from interspersing logs in a different - format and/or interleaved [GH-5135] - * identity: Properly populate `mount_path` and `mount_type` on group lookup - [GH-5074] - * identity: Fix persisting alias metadata [GH-5188] - * identity: Fix carryover issue from previously fixed race condition that - could cause Vault not to start up due to two entities referencing the same - alias. These entities are now merged. [GH-5000] - * replication: Fix issue causing some pages not to flush to storage - * secrets/database: Fix inability to update custom SQL statements on - database roles. [GH-5080] - * secrets/pki: Disallow putting the CA's serial on its CRL. While technically - legal, doing so inherently means the CRL can't be trusted anyways, so it's - not useful and easy to footgun. 
[GH-5134] - * storage/gcp,spanner: Fix data races [GH-5081] - -## 0.10.4 (July 25th, 2018) - -SECURITY: - - * Control Groups: The associated Identity entity with a request was not being - properly persisted. As a result, the same authorizer could provide more than - one authorization. - -DEPRECATIONS/CHANGES: - - * Revocations of dynamic secrets leases are now queued/asynchronous rather - than synchronous. This allows Vault to take responsibility for revocation - even if the initial attempt fails. The previous synchronous behavior can be - attained via the `-sync` CLI flag or `sync` API parameter. When in - synchronous mode, if the operation results in failure it is up to the user - to retry. - * CLI Retries: The CLI will no longer retry commands on 5xx errors. This was a - source of confusion to users as to why Vault would "hang" before returning a - 5xx error. The Go API client still defaults to two retries. - * Identity Entity Alias metadata: You can no longer manually set metadata on - entity aliases. All alias data (except the canonical entity ID it refers to) - is intended to be managed by the plugin providing the alias information, so - allowing it to be set manually didn't make sense. - -FEATURES: - - * **JWT/OIDC Auth Method**: The new `jwt` auth method accepts JWTs and either - validates signatures locally or uses OIDC Discovery to fetch the current set - of keys for signature validation. Various claims can be specified for - validation (in addition to the cryptographic signature) and a user and - optional groups claim can be used to provide Identity information. - * **FoundationDB Storage**: You can now use FoundationDB for storing Vault - data. - * **UI Control Group Workflow (enterprise)**: The UI will now detect control - group responses and provides a workflow to view the status of the request - and to authorize requests. 
- * **Vault Agent (Beta)**: Vault Agent is a daemon that can automatically - authenticate for you across a variety of authentication methods, provide - tokens to clients, and keep the tokens renewed, reauthenticating as - necessary. - -IMPROVEMENTS: - - * auth/azure: Add support for virtual machine scale sets - * auth/gcp: Support multiple bindings for region, zone, and instance group - * cli: Add subcommands for interacting with the plugin catalog [GH-4911] - * cli: Add a `-description` flag to secrets and auth tune subcommands to allow - updating an existing secret engine's or auth method's description. This - change also allows the description to be unset by providing an empty string. - * core: Add config flag to disable non-printable character check [GH-4917] - * core: A `max_request_size` parameter can now be set per-listener to adjust - the maximum allowed size per request [GH-4824] - * core: Add control group request endpoint to default policy [GH-4904] - * identity: Identity metadata is now passed through to plugins [GH-4967] - * replication: Add additional saftey checks and logging when replication is - in a bad state - * secrets/kv: Add support for using `-field=data` to KVv2 when using `vault - kv` [GH-4895] - * secrets/pki: Add the ability to tidy revoked but unexpired certificates - [GH-4916] - * secrets/ssh: Allow Vault to work with single-argument SSH flags [GH-4825] - * secrets/ssh: SSH executable path can now be configured in the CLI [GH-4937] - * storage/swift: Add additional configuration options [GH-4901] - * ui: Choose which auth methods to show to unauthenticated users via - `listing_visibility` in the auth method edit forms [GH-4854] - * ui: Authenticate users automatically by passing a wrapped token to the UI via - the new `wrapped_token` query parameter [GH-4854] - -BUG FIXES: - - * api: Fix response body being cleared too early [GH-4987] - * auth/approle: Fix issue with tidy endpoint that would unnecessarily remove - secret accessors 
[GH-4981] - * auth/aws: Fix updating `max_retries` [GH-4980] - * auth/kubernetes: Trim trailing whitespace when sending JWT - * cli: Fix parsing of environment variables for integer flags [GH-4925] - * core: Fix returning 500 instead of 503 if a rekey is attempted when Vault is - sealed [GH-4874] - * core: Fix issue releasing the leader lock in some circumstances [GH-4915] - * core: Fix a panic that could happen if the server was shut down while still - starting up - * core: Fix deadlock that would occur if a leadership loss occurs at the same - time as a seal operation [GH-4932] - * core: Fix issue with auth mounts failing to renew tokens due to policies - changing [GH-4960] - * auth/radius: Fix issue where some radius logins were being canceled too early - [GH-4941] - * core: Fix accidental seal of vault of we lose leadership during startup - [GH-4924] - * core: Fix standby not being able to forward requests larger than 4MB - [GH-4844] - * core: Avoid panic while processing group memberships [GH-4841] - * identity: Fix a race condition creating aliases [GH-4965] - * plugins: Fix being unable to send very large payloads to or from plugins - [GH-4958] - * physical/azure: Long list responses would sometimes be truncated [GH-4983] - * replication: Allow replication status requests to be processed while in - merkle sync - * replication: Ensure merkle reindex flushes all changes to storage immediately - * replication: Fix a case where a network interruption could cause a secondary - to be unable to reconnect to a primary - * secrets/pki: Fix permitted DNS domains performing improper validation - [GH-4863] - * secrets/database: Fix panic during DB creds revocation [GH-4846] - * ui: Fix usage of cubbyhole backend in the UI [GH-4851] - * ui: Fix toggle state when a secret is JSON-formatted [GH-4913] - * ui: Fix coercion of falsey values to empty string when editing secrets as - JSON [GH-4977] - -## 0.10.3 (June 20th, 2018) - -DEPRECATIONS/CHANGES: - - * In the audit log 
and in client responses, policies are now split into three - parameters: policies that came only from tokens, policies that came only - from Identity, and the combined set. Any previous location of policies via - the API now contains the full, combined set. - * When a token is tied to an Identity entity and the entity is deleted, the - token will no longer be usable, regardless of the validity of the token - itself. - * When authentication succeeds but no policies were defined for that specific - user, most auth methods would allow a token to be generated but a few would - reject the authentication, namely `ldap`, `okta`, and `radius`. Since the - `default` policy is added by Vault's core, this would incorrectly reject - valid authentications before they would in fact be granted policies. This - inconsistency has been addressed; valid authentications for these methods - now succeed even if no policy was specifically defined in that method for - that user. - -FEATURES: - - * Root Rotation for Active Directory: You can now command Vault to rotate the - configured root credentials used in the AD secrets engine, to ensure that - only Vault knows the credentials it's using. - * URI SANs in PKI: You can now configure URI Subject Alternate Names in the - `pki` backend. Roles can limit which SANs are allowed via globbing. - * `kv rollback` Command: You can now use `vault kv rollback` to roll a KVv2 - path back to a previous non-deleted/non-destroyed version. The previous - version becomes the next/newest version for the path. - * Token Bound CIDRs in AppRole: You can now add CIDRs to which a token - generated from AppRole will be bound. 
- -IMPROVEMENTS: - - * approle: Return 404 instead of 202 on invalid role names during POST - operations [GH-4778] - * core: Add idle and initial header read/TLS handshake timeouts to connections - to ensure server resources are cleaned up [GH-4760] - * core: Report policies in token, identity, and full sets [GH-4747] - * secrets/databases: Add `create`/`update` distinction for connection - configurations [GH-3544] - * secrets/databases: Add `create`/`update` distinction for role configurations - [GH-3544] - * secrets/databases: Add best-effort revocation logic for use when a role has - been deleted [GH-4782] - * secrets/kv: Add `kv rollback` [GH-4774] - * secrets/pki: Add URI SANs support [GH-4675] - * secrets/ssh: Allow standard SSH command arguments to be used, without - requiring username@hostname syntax [GH-4710] - * storage/consul: Add context support so that requests are cancelable - [GH-4739] - * sys: Added `hidden` option to `listing_visibility` field on `sys/mounts` - API [GH-4827] - * ui: Secret values are obfuscated by default and visibility is toggleable [GH-4422] - -BUG FIXES: - - * auth/approle: Fix panic due to metadata being nil [GH-4719] - * auth/aws: Fix delete path for tidy operations [GH-4799] - * core: Optimizations to remove some speed regressions due to the - security-related changes in 0.10.2 - * storage/dynamodb: Fix errors seen when reading existing DynamoDB data [GH-4721] - * secrets/database: Fix default MySQL root rotation statement [GH-4748] - * secrets/gcp: Fix renewal for GCP account keys - * secrets/kv: Fix writing to the root of a KVv2 mount from `vault kv` commands - incorrectly operating on a root+mount path instead of being an error - [GH-4726] - * seal/pkcs11: Add `CKK_SHA256_HMAC` to the search list when finding HMAC - keys, fixing lookup on some Thales devices - * replication: Fix issue enabling replication when a non-auth mount and auth - mount have the same name - * auth/kubernetes: Fix issue verifying ECDSA signed JWTs - 
* ui: add missing edit mode for auth method configs [GH-4770] - -## 0.10.2 (June 6th, 2018) - -SECURITY: - - * Tokens: A race condition was identified that could occur if a token's - lease expired while Vault was not running. In this case, when Vault came - back online, sometimes it would properly revoke the lease but other times it - would not, leading to a Vault token that no longer had an expiration and had - essentially unlimited lifetime. This race was per-token, not all-or-nothing - for all tokens that may have expired during Vault's downtime. We have fixed - the behavior and put extra checks in place to help prevent any similar - future issues. In addition, the logic we have put in place ensures that such - lease-less tokens can no longer be used (unless they are root tokens that - never had an expiration to begin with). - * Convergent Encryption: The version 2 algorithm used in `transit`'s - convergent encryption feature is susceptible to offline - plaintext-confirmation attacks. As a result, we are introducing a version 3 - algorithm that mitigates this. If you are currently using convergent - encryption, we recommend upgrading, rotating your encryption key (the new - key version will use the new algorithm), and rewrapping your data (the - `rewrap` endpoint can be used to allow a relatively non-privileged user to - perform the rewrapping while never divulging the plaintext). - * AppRole case-sensitive role name secret-id leaking: When using a mixed-case - role name via AppRole, deleting a secret-id via accessor or other operations - could end up leaving the secret-id behind and valid but without an accessor. - This has now been fixed, and we have put checks in place to prevent these - secret-ids from being used. - -DEPRECATIONS/CHANGES: - - * PKI duration return types: The PKI backend now returns durations (e.g. when - reading a role) as an integer number of seconds instead of a Go-style - string, in line with how the rest of Vault's API returns durations. 
- -FEATURES: - - * Active Directory Secrets Engine: A new `ad` secrets engine has been created - which allows Vault to rotate and provide credentials for configured AD - accounts. - * Rekey Verification: Rekey operations can now require verification. This - turns on a two-phase process where the existing key shares authorize - generating a new master key, and a threshold of the new, returned key shares - must be provided to verify that they have been successfully received in - order for the actual master key to be rotated. - * CIDR restrictions for `cert`, `userpass`, and `kubernetes` auth methods: - You can now limit authentication to specific CIDRs; these will also be - encoded in resultant tokens to limit their use. - * Vault UI Browser CLI: The UI now supports usage of read/write/list/delete - commands in a CLI that can be accessed from the nav bar. Complex inputs such - as JSON files are not currently supported. This surfaces features otherwise - unsupported in Vault's UI. - * Azure Key Vault Auto Unseal/Seal Wrap Support (Enterprise): Azure Key Vault - can now be used a support seal for Auto Unseal and Seal Wrapping. 
- -IMPROVEMENTS: - - * api: Close renewer's doneCh when the renewer is stopped, so that programs - expecting a final value through doneCh behave correctly [GH-4472] - * auth/cert: Break out `allowed_names` into component parts and add - `allowed_uri_sans` [GH-4231] - * auth/ldap: Obfuscate error messages pre-bind for greater security [GH-4700] - * cli: `vault login` now supports a `-no-print` flag to suppress printing - token information but still allow storing into the token helper [GH-4454] - * core/pkcs11 (enterprise): Add support for CKM_AES_CBC_PAD, CKM_RSA_PKCS, and - CKM_RSA_PKCS_OAEP mechanisms - * core/pkcs11 (enterprise): HSM slots can now be selected by token label - instead of just slot number - * core/token: Optimize token revocation by removing unnecessary list call - against the storage backend when calling revoke-orphan on tokens [GH-4465] - * core/token: Refactor token revocation logic to not block on the call when - underlying leases are pending revocation by moving the expiration logic to - the expiration manager [GH-4512] - * expiration: Allow revoke-prefix and revoke-force to work on single leases as - well as prefixes [GH-4450] - * identity: Return parent group info when reading a group [GH-4648] - * identity: Provide more contextual key information when listing entities, - groups, and aliases - * identity: Passthrough EntityID to backends [GH-4663] - * identity: Adds ability to request entity information through system view - [GH_4681] - * secret/pki: Add custom extended key usages [GH-4667] - * secret/pki: Add custom PKIX serial numbers [GH-4694] - * secret/ssh: Use hostname instead of IP in OTP mode, similar to CA mode - [GH-4673] - * storage/file: Attempt in some error conditions to do more cleanup [GH-4684] - * ui: wrapping lookup now distplays the path [GH-4644] - * ui: Identity interface now has more inline actions to make editing and adding - aliases to an entity or group easier [GH-4502] - * ui: Identity interface now lists groups by 
name [GH-4655] - * ui: Permission denied errors still render the sidebar in the Access section - [GH-4658] - * replication: Improve performance of index page flushes and WAL garbage - collecting - -BUG FIXES: - - * auth/approle: Make invalid role_id a 400 error instead of 500 [GH-4470] - * auth/cert: Fix Identity alias using serial number instead of common name - [GH-4475] - * cli: Fix panic running `vault token capabilities` with multiple paths - [GH-4552] - * core: When using the `use_always` option with PROXY protocol support, do not - require `authorized_addrs` to be set [GH-4065] - * core: Fix panic when certain combinations of policy paths and allowed/denied - parameters were used [GH-4582] - * secret/gcp: Make `bound_region` able to use short names - * secret/kv: Fix response wrapping for KV v2 [GH-4511] - * secret/kv: Fix address flag not being honored correctly [GH-4617] - * secret/pki: Fix `safety_buffer` for tidy being allowed to be negative, - clearing all certs [GH-4641] - * secret/pki: Fix `key_type` not being allowed to be set to `any` [GH-4595] - * secret/pki: Fix path length parameter being ignored when using - `use_csr_values` and signing an intermediate CA cert [GH-4459] - * secret/ssh: Only append UserKnownHostsFile to args when configured with a - value [GH-4674] - * storage/dynamodb: Fix listing when one child is left within a nested path - [GH-4570] - * storage/gcs: Fix swallowing an error on connection close [GH-4691] - * ui: Fix HMAC algorithm in transit [GH-4604] - * ui: Fix unwrap of auth responses via the UI's unwrap tool [GH-4611] - * ui (enterprise): Fix parsing of version string that blocked some users from seeing - enterprise-specific pages in the UI [GH-4547] - * ui: Fix incorrect capabilities path check when viewing policies [GH-4566] - * replication: Fix error while running plugins on a newly created replication - secondary - * replication: Fix issue with token store lookups after a secondary's mount table - is invalidated. 
- * replication: Improve startup time when a large merkle index is in use. - * replication: Fix panic when storage becomes unreachable during unseal. - -## 0.10.1/0.9.7 (April 25th, 2018) - -The following two items are in both 0.9.7 and 0.10.1. They only affect -Enterprise, and as such 0.9.7 is an Enterprise-only release: - -SECURITY: - - * EGPs: A regression affecting 0.9.6 and 0.10.0 causes EGPs to not be applied - correctly if an EGP is updated in a running Vault after initial write or - after it is loaded on unseal. This has been fixed. - -BUG FIXES: - - * Fixed an upgrade issue affecting performance secondaries when migrating from - a version that did not include Identity to one that did. - -All other content in this release is for 0.10.1 only. - -DEPRECATIONS/CHANGES: - - * `vault kv` and Vault versions: In 0.10.1 some issues with `vault kv` against - v1 K/V engine mounts are fixed. However, using 0.10.1 for both the server - and CLI versions is required. - * Mount information visibility: Users that have access to any path within a - mount can now see information about that mount, such as its type and - options, via some API calls. - * Identity and Local Mounts: Local mounts would allow creating Identity - entities but these would not be able to be used successfully (even locally) - in replicated scenarios. We have now disallowed entities and groups from - being created for local mounts in the first place. - -FEATURES: - - * X-Forwarded-For support: `X-Forwarded-For` headers can now be used to set the - client IP seen by Vault. See the [TCP listener configuration - page](https://www.vaultproject.io/docs/configuration/listener/tcp.html) for - details. - * CIDR IP Binding for Tokens: Tokens now support being bound to specific - CIDR(s) for usage. Currently this is implemented in Token Roles; usage can be - expanded to other authentication backends over time. 
- * `vault kv patch` command: A new `kv patch` helper command that allows - modifying only some values in existing data at a K/V path, but uses - check-and-set to ensure that this modification happens safely. - * AppRole Local Secret IDs: Roles can now be configured to generate secret IDs - local to the cluster. This enables performance secondaries to generate and - consume secret IDs without contacting the primary. - * AES-GCM Support for PKCS#11 [BETA] (Enterprise): For supporting HSMs, - AES-GCM can now be used in lieu of AES-CBC/HMAC-SHA256. This has currently - only been fully tested on AWS CloudHSM. - * Auto Unseal/Seal Wrap Key Rotation Support (Enterprise): Auto Unseal - mechanisms, including PKCS#11 HSMs, now support rotation of encryption keys, - and migration between key and encryption types, such as from AES-CBC to - AES-GCM, can be performed at the same time (where supported). - -IMPROVEMENTS: - - * auth/approle: Support for cluster local secret IDs. This enables secondaries - to generate secret IDs without contacting the primary [GH-4427] - * auth/token: Add to the token lookup response, the policies inherited due to - identity associations [GH-4366] - * auth/token: Add CIDR binding to token roles [GH-815] - * cli: Add `vault kv patch` [GH-4432] - * core: Add X-Forwarded-For support [GH-4380] - * core: Add token CIDR-binding support [GH-815] - * identity: Add the ability to disable an entity. Disabling an entity does not - revoke associated tokens, but while the entity is disabled they cannot be - used. 
[GH-4353] - * physical/consul: Allow tuning of session TTL and lock wait time [GH-4352] - * replication: Dynamically adjust WAL cleanup over a period of time based on - the rate of writes committed - * secret/ssh: Update dynamic key install script to use shell locking to avoid - concurrent modifications [GH-4358] - * ui: Access to `sys/mounts` is no longer needed to use the UI - the list of - engines will show you the ones you implicitly have access to (because you have - access to to secrets in those engines) [GH-4439] - -BUG FIXES: - - * cli: Fix `vault kv` backwards compatibility with KV v1 engine mounts - [GH-4430] - * identity: Persist entity memberships in external identity groups across - mounts [GH-4365] - * identity: Fix error preventing authentication using local mounts on - performance secondary replication clusters [GH-4407] - * replication: Fix issue causing secondaries to not connect properly to a - pre-0.10 primary until the primary was upgraded - * secret/gcp: Fix panic on rollback when a roleset wasn't created properly - [GH-4344] - * secret/gcp: Fix panic on renewal - * ui: Fix IE11 form submissions in a few parts of the application [GH-4378] - * ui: Fix IE file saving on policy pages and init screens [GH-4376] - * ui: Fixed an issue where the AWS secret backend would show the wrong menu - [GH-4371] - * ui: Fixed an issue where policies with commas would not render in the - interface properly [GH-4398] - * ui: Corrected the saving of mount tune ttls for auth methods [GH-4431] - * ui: Credentials generation no longer checks capabilities before making - api calls. This should fix needing "update" capabilites to read IAM - credentials in the AWS secrets engine [GH-4446] - -## 0.10.0 (April 10th, 2018) - -SECURITY: - - * Log sanitization for Combined Database Secret Engine: In certain failure - scenarios with incorrectly formatted connection urls, the raw connection - errors were being returned to the user with the configured database - credentials. 
Errors are now sanitized before being returned to the user. - -DEPRECATIONS/CHANGES: - - * Database plugin compatibility: The database plugin interface was enhanced to - support some additional functionality related to root credential rotation - and supporting templated URL strings. The changes were made in a - backwards-compatible way and all builtin plugins were updated with the new - features. Custom plugins not built into Vault will need to be upgraded to - support templated URL strings and root rotation. Additionally, the - Initialize method was deprecated in favor of a new Init method that supports - configuration modifications that occur in the plugin back to the primary - data store. - * Removal of returned secret information: For a long time Vault has returned - configuration given to various secret engines and auth methods with secret - values (such as secret API keys or passwords) still intact, and with a - warning to the user on write that anyone with read access could see the - secret. This was mostly done to make it easy for tools like Terraform to - judge whether state had drifted. However, it also feels quite un-Vault-y to - do this and we've never felt very comfortable doing so. In 0.10 we have gone - through and removed this behavior from the various backends; fields which - contained secret values are simply no longer returned on read. We are - working with the Terraform team to make changes to their provider to - accommodate this as best as possible, and users of other tools may have to - make adjustments, but in the end we felt that the ends did not justify the - means and we needed to prioritize security over operational convenience. - * LDAP auth method case sensitivity: We now treat usernames and groups - configured locally for policy assignment in a case insensitive fashion by - default. 
Existing configurations will continue to work as they do now; - however, the next time a configuration is written `case_sensitive_names` - will need to be explicitly set to `true`. - * TTL handling within core: All lease TTL handling has been centralized within - the core of Vault to ensure consistency across all backends. Since this was - previously delegated to individual backends, there may be some slight - differences in TTLs generated from some backends. - * Removal of default `secret/` mount: In 0.12 we will stop mounting `secret/` - by default at initialization time (it will still be available in `dev` - mode). - -FEATURES: - - * OSS UI: The Vault UI is now fully open-source. Similarly to the CLI, some - features are only available with a supporting version of Vault, but the code - base is entirely open. - * Versioned K/V: The `kv` backend has been completely revamped, featuring - flexible versioning of values, check-and-set protections, and more. A new - `vault kv` subcommand allows friendly interactions with it. Existing mounts - of the `kv` backend can be upgraded to the new versioned mode (downgrades - are not currently supported). The old "passthrough" mode is still the - default for new mounts; versioning can be turned on by setting the - `-version=2` flag for the `vault secrets enable` command. - * Database Root Credential Rotation: Database configurations can now rotate - their own configured admin/root credentials, allowing configured credentials - for a database connection to be rotated immediately after sending them into - Vault, invalidating the old credentials and ensuring only Vault knows the - actual valid values. - * Azure Authentication Plugin: There is now a plugin (pulled in to Vault) that - allows authenticating Azure machines to Vault using Azure's Managed Service - Identity credentials. See the [plugin - repository](https://github.com/hashicorp/vault-plugin-auth-azure) for more - information. 
- * GCP Secrets Plugin: There is now a plugin (pulled in to Vault) that allows - generating secrets to allow access to GCP. See the [plugin - repository](https://github.com/hashicorp/vault-plugin-secrets-gcp) for more - information. - * Selective Audit HMACing of Request and Response Data Keys: HMACing in audit - logs can be turned off for specific keys in the request input map and - response `data` map on a per-mount basis. - * Passthrough Request Headers: Request headers can now be selectively passed - through to backends on a per-mount basis. This is useful in various cases - when plugins are interacting with external services. - * HA for Google Cloud Storage: The GCS storage type now supports HA. - * UI support for identity: Add and edit entities, groups, and their associated - aliases. - * UI auth method support: Enable, disable, and configure all of the built-in - authentication methods. - * UI (Enterprise): View and edit Sentinel policies. - -IMPROVEMENTS: - - * core: Centralize TTL generation for leases in core [GH-4230] - * identity: API to update group-alias by ID [GH-4237] - * secret/cassandra: Update Cassandra storage delete function to not use batch - operations [GH-4054] - * storage/mysql: Allow setting max idle connections and connection lifetime - [GH-4211] - * storage/gcs: Add HA support [GH-4226] - * ui: Add Nomad to the list of available secret engines - * ui: Adds ability to set static headers to be returned by the UI - -BUG FIXES: - - * api: Fix retries not working [GH-4322] - * auth/gcp: Invalidate clients on config change - * auth/token: Revoke-orphan and tidy operations now correctly cleans up the - parent prefix entry in the underlying storage backend. These operations also - mark corresponding child tokens as orphans by removing the parent/secondary - index from the entries. 
[GH-4193] - * command: Re-add `-mfa` flag and migrate to OSS binary [GH-4223] - * core: Fix issue occurring from mounting two auth backends with the same path - with one mount having `auth/` in front [GH-4206] - * mfa: Invalidation of MFA configurations (Enterprise) - * replication: Fix a panic on some non-64-bit platforms - * replication: Fix invalidation of policies on performance secondaries - * secret/pki: When tidying if a value is unexpectedly nil, delete it and move - on [GH-4214] - * storage/s3: Fix panic if S3 returns no Content-Length header [GH-4222] - * ui: Fixed an issue where the UI was checking incorrect paths when operating - on transit keys. Capabilities are now checked when attempting to encrypt / - decrypt, etc. - * ui: Fixed IE 11 layout issues and JS errors that would stop the application - from running. - * ui: Fixed the link that gets rendered when a user doesn't have permissions - to view the root of a secret engine. The link now sends them back to the list - of secret engines. - * replication: Fix issue with DR secondaries when using mount specified local - paths. - * cli: Fix an issue where generating a dr operation token would not output the - token [GH-4328] - -## 0.9.6 (March 20th, 2018) - -DEPRECATIONS/CHANGES: - - * The AWS authentication backend now allows binds for inputs as either a - comma-delimited string or a string array. However, to keep consistency with - input and output, when reading a role the binds will now be returned as - string arrays rather than strings. - * In order to prefix-match IAM role and instance profile ARNs in AWS auth - backend, you now must explicitly opt-in by adding a `*` to the end of the - ARN. Existing configurations will be upgraded automatically, but when - writing a new role configuration the updated behavior will be used. - -FEATURES: - - * Replication Activation Enhancements: When activating a replication - secondary, a public key can now be fetched first from the target cluster. 
- This public key can be provided to the primary when requesting the - activation token. If provided, the public key will be used to perform a - Diffie-Hellman key exchange resulting in a shared key that encrypts the - contents of the activation token. The purpose is to protect against - accidental disclosure of the contents of the token if unwrapped by the wrong - party, given that the contents of the token are highly sensitive. If - accidentally unwrapped, the contents of the token are not usable by the - unwrapping party. It is important to note that just as a malicious operator - could unwrap the contents of the token, a malicious operator can pretend to - be a secondary and complete the Diffie-Hellman exchange on their own; this - feature provides defense in depth but still requires due diligence around - replication activation, including multiple eyes on the commands/tokens and - proper auditing. - -IMPROVEMENTS: - - * api: Update renewer grace period logic. It no longer is static, but rather - dynamically calculates one based on the current lease duration after each - renew. 
[GH-4090] - * auth/approle: Allow array input for bound_cidr_list [4078] - * auth/aws: Allow using lists in role bind parameters [GH-3907] - * auth/aws: Allow binding by EC2 instance IDs [GH-3816] - * auth/aws: Allow non-prefix-matched IAM role and instance profile ARNs - [GH-4071] - * auth/ldap: Set a very large size limit on queries [GH-4169] - * core: Log info notifications of revoked leases for all leases/reasons, not - just expirations [GH-4164] - * physical/couchdb: Removed limit on the listing of items [GH-4149] - * secret/pki: Support certificate policies [GH-4125] - * secret/pki: Add ability to have CA:true encoded into intermediate CSRs, to - improve compatibility with some ADFS scenarios [GH-3883] - * secret/transit: Allow selecting signature algorithm as well as hash - algorithm when signing/verifying [GH-4018] - * server: Make sure `tls_disable_client_cert` is actually a true value rather - than just set [GH-4049] - * storage/dynamodb: Allow specifying max retries for dynamo client [GH-4115] - * storage/gcs: Allow specifying chunk size for transfers, which can reduce - memory utilization [GH-4060] - * sys/capabilities: Add the ability to use multiple paths for capability - checking [GH-3663] - -BUG FIXES: - - * auth/aws: Fix honoring `max_ttl` when a corresponding role `ttl` is not also - set [GH-4107] - * auth/okta: Fix honoring configured `max_ttl` value [GH-4110] - * auth/token: If a periodic token being issued has a period greater than the - max_lease_ttl configured on the token store mount, truncate it. This matches - renewal behavior; before it was inconsistent between issuance and renewal. 
- [GH-4112] - * cli: Improve error messages around `vault auth help` when there is no CLI - helper for a particular method [GH-4056] - * cli: Fix autocomplete installation when using Fish as the shell [GH-4094] - * secret/database: Properly honor mount-tuned max TTL [GH-4051] - * secret/ssh: Return `key_bits` value when reading a role [GH-4098] - * sys: When writing policies on a performance replication secondary, properly - forward requests to the primary [GH-4129] - -## 0.9.5 (February 26th, 2018) - -IMPROVEMENTS: - - * auth: Allow sending default_lease_ttl and max_lease_ttl values when enabling - auth methods. [GH-4019] - * secret/database: Add list functionality to `database/config` endpoint - [GH-4026] - * physical/consul: Allow setting a specific service address [GH-3971] - * replication: When bootstrapping a new secondary, if the initial cluster - connection fails, Vault will attempt to roll back state so that - bootstrapping can be tried again, rather than having to recreate the - downstream cluster. This will still require fetching a new secondary - activation token. - -BUG FIXES: - - * auth/aws: Update libraries to fix regression verifying PKCS#7 identity - documents [GH-4014] - * listener: Revert to Go 1.9 for now to allow certificates with non-DNS names - in their DNS SANs to be used for Vault's TLS connections [GH-4028] - * replication: Fix issue with a performance secondary/DR primary node losing - its DR primary status when performing an update-primary operation - * replication: Fix issue where performance secondaries could be unable to - automatically connect to a performance primary after that performance - primary has been promoted to a DR primary from a DR secondary - * ui: Fix behavior when a value contains a `.` - -## 0.9.4 (February 20th, 2018) - -SECURITY: - - * Role Tags used with the EC2 style of AWS auth were being improperly parsed; - as a result they were not being used to properly restrict values. 
- Implementations following our suggestion of using these as defense-in-depth - rather than the only source of restriction should not have significant - impact. - -FEATURES: - - * **ChaCha20-Poly1305 support in `transit`**: You can now encrypt and decrypt - with ChaCha20-Poly1305 in `transit`. Key derivation and convergent - encryption is also supported. - * **Okta Push support in Okta Auth Backend**: If a user account has MFA - required within Okta, an Okta Push MFA flow can be used to successfully - finish authentication. - * **PKI Improvements**: Custom OID subject alternate names can now be set, - subject to allow restrictions that support globbing. Additionally, Country, - Locality, Province, Street Address, and Postal Code can now be set in - certificate subjects. - * **Manta Storage**: Joyent Triton Manta can now be used for Vault storage - * **Google Cloud Spanner Storage**: Google Cloud Spanner can now be used for - Vault storage - -IMPROVEMENTS: - - * auth/centrify: Add CLI helper - * audit: Always log failure metrics, even if zero, to ensure the values appear - on dashboards [GH-3937] - * cli: Disable color when output is not a TTY [GH-3897] - * cli: Add `-format` flag to all subcommands [GH-3897] - * cli: Do not display deprecation warnings when the format is not table - [GH-3897] - * core: If over a predefined lease count (256k), log a warning not more than - once a minute. Too many leases can be problematic for many of the storage - backends and often this number of leases is indicative of a need for - workflow improvements. 
[GH-3957] - * secret/nomad: Have generated ACL tokens cap out at 64 characters [GH-4009] - * secret/pki: Country, Locality, Province, Street Address, and Postal Code can - now be set on certificates [GH-3992] - * secret/pki: UTF-8 Other Names can now be set in Subject Alternate Names in - issued certs; allowed values can be set per role and support globbing - [GH-3889] - * secret/pki: Add a flag to make the common name optional on certs [GH-3940] - * secret/pki: Ensure only DNS-compatible names go into DNS SANs; additionally, - properly handle IDNA transformations for these DNS names [GH-3953] - * secret/ssh: Add `valid-principles` flag to CLI for CA mode [GH-3922] - * storage/manta: Add Manta storage [GH-3270] - * ui (Enterprise): Support for ChaCha20-Poly1305 keys in the transit engine. - -BUG FIXES: - * api/renewer: Honor increment value in renew auth calls [GH-3904] - * auth/approle: Fix inability to use limited-use-count secret IDs on - replication performance secondaries - * auth/approle: Cleanup of secret ID accessors during tidy and removal of - dangling accessor entries [GH-3924] - * auth/aws-ec2: Avoid masking of role tag response [GH-3941] - * auth/cert: Verify DNS SANs in the authenticating certificate [GH-3982] - * auth/okta: Return configured durations as seconds, not nanoseconds [GH-3871] - * auth/okta: Get all okta groups for a user vs. default 200 limit [GH-4034] - * auth/token: Token creation via the CLI no longer forces periodic token - creation. Passing an explicit zero value for the period no longer create - periodic tokens. 
[GH-3880] - * command: Fix interpreted formatting directives when printing raw fields - [GH-4005] - * command: Correctly format output when using -field and -format flags at the - same time [GH-3987] - * command/rekey: Re-add lost `stored-shares` parameter [GH-3974] - * command/ssh: Create and reuse the api client [GH-3909] - * command/status: Fix panic when status returns 500 from leadership lookup - [GH-3998] - * identity: Fix race when creating entities [GH-3932] - * plugin/gRPC: Fixed an issue with list requests and raw responses coming from - plugins using gRPC transport [GH-3881] - * plugin/gRPC: Fix panic when special paths are not set [GH-3946] - * secret/pki: Verify a name is a valid hostname before adding to DNS SANs - [GH-3918] - * secret/transit: Fix auditing when reading a key after it has been backed up - or restored [GH-3919] - * secret/transit: Fix storage/memory consistency when persistence fails - [GH-3959] - * storage/consul: Validate that service names are RFC 1123 compliant [GH-3960] - * storage/etcd3: Fix memory ballooning with standby instances [GH-3798] - * storage/etcd3: Fix large lists (like token loading at startup) not being - handled [GH-3772] - * storage/postgresql: Fix compatibility with versions using custom string - version tags [GH-3949] - * storage/zookeeper: Update vendoring to fix freezing issues [GH-3896] - * ui (Enterprise): Decoding the replication token should no longer error and - prevent enabling of a secondary replication cluster via the ui. - * plugin/gRPC: Add connection info to the request object [GH-3997] - -## 0.9.3 (January 28th, 2018) - -A regression from a feature merge disabled the Nomad secrets backend in 0.9.2. -This release re-enables the Nomad secrets backend; it is otherwise identical to -0.9.2. 
- -## 0.9.2 (January 26th, 2018) - -SECURITY: - - * Okta Auth Backend: While the Okta auth backend was successfully verifying - usernames and passwords, it was not checking the returned state of the - account, so accounts that had been marked locked out could still be used to - log in. Only accounts in SUCCESS or PASSWORD_WARN states are now allowed. - * Periodic Tokens: A regression in 0.9.1 meant that periodic tokens created by - the AppRole, AWS, and Cert auth backends would expire when the max TTL for - the backend/mount/system was hit instead of their stated behavior of living - as long as they are renewed. This is now fixed; existing tokens do not have - to be reissued as this was purely a regression in the renewal logic. - * Seal Wrapping: During certain replication states values written marked for - seal wrapping may not be wrapped on the secondaries. This has been fixed, - and existing values will be wrapped on next read or write. This does not - affect the barrier keys. - -DEPRECATIONS/CHANGES: - - * `sys/health` DR Secondary Reporting: The `replication_dr_secondary` bool - returned by `sys/health` could be misleading since it would be `false` both - when a cluster was not a DR secondary but also when the node is a standby in - the cluster and has not yet fully received state from the active node. This - could cause health checks on LBs to decide that the node was acceptable for - traffic even though DR secondaries cannot handle normal Vault traffic. (In - other words, the bool could only convey "yes" or "no" but not "not sure - yet".) This has been replaced by `replication_dr_mode` and - `replication_perf_mode` which are string values that convey the current - state of the node; a value of `disabled` indicates that replication is - disabled or the state is still being discovered. As a result, an LB check - can positively verify that the node is both not `disabled` and is not a DR - secondary, and avoid sending traffic to it if either is true. 
- * PKI Secret Backend Roles parameter types: For `ou` and `organization` - in role definitions in the PKI secret backend, input can now be a - comma-separated string or an array of strings. Reading a role will - now return arrays for these parameters. - * Plugin API Changes: The plugin API has been updated to utilize golang's - context.Context package. Many function signatures now accept a context - object as the first parameter. Existing plugins will need to pull in the - latest Vault code and update their function signatures to begin using - context and the new gRPC transport. - -FEATURES: - - * **gRPC Backend Plugins**: Backend plugins now use gRPC for transport, - allowing them to be written in other languages. - * **Brand New CLI**: Vault has a brand new CLI interface that is significantly - streamlined, supports autocomplete, and is almost entirely backwards - compatible. - * **UI: PKI Secret Backend (Enterprise)**: Configure PKI secret backends, - create and browse roles and certificates, and issue and sign certificates via - the listed roles. - -IMPROVEMENTS: - - * auth/aws: Handle IAM headers produced by clients that formulate numbers as - ints rather than strings [GH-3763] - * auth/okta: Support JSON lists when specifying groups and policies [GH-3801] - * autoseal/hsm: Attempt reconnecting to the HSM on certain kinds of issues, - including HA scenarios for some Gemalto HSMs. 
- (Enterprise) - * cli: Output password prompts to stderr to make it easier to pipe an output - token to another command [GH-3782] - * core: Report replication status in `sys/health` [GH-3810] - * physical/s3: Allow using paths with S3 for non-AWS deployments [GH-3730] - * physical/s3: Add ability to disable SSL for non-AWS deployments [GH-3730] - * plugins: Args for plugins can now be specified separately from the command, - allowing the same output format and input format for plugin information - [GH-3778] - * secret/pki: `ou` and `organization` can now be specified as a - comma-separated string or an array of strings [GH-3804] - * plugins: Plugins will fall back to using netrpc as the communication protocol - on older versions of Vault [GH-3833] - -BUG FIXES: - - * auth/(approle,aws,cert): Fix behavior where periodic tokens generated by - these backends could not have their TTL renewed beyond the system/mount max - TTL value [GH-3803] - * auth/aws: Fix error returned if `bound_iam_principal_arn` was given to an - existing role update [GH-3843] - * core/sealwrap: Speed improvements and bug fixes (Enterprise) - * identity: Delete group alias when an external group is deleted [GH-3773] - * legacymfa/duo: Fix intermittent panic when Duo could not be reached - [GH-2030] - * secret/database: Fix a location where a lock could potentially not be - released, leading to deadlock [GH-3774] - * secret/(all databases) Fix behavior where if a max TTL was specified but no - default TTL was specified the system/mount default TTL would be used but not - be capped by the local max TTL [GH-3814] - * secret/database: Fix an issue where plugins were not closed properly if they - failed to initialize [GH-3768] - * ui: mounting a secret backend will now properly set `max_lease_ttl` and - `default_lease_ttl` when specified - previously both fields set - `default_lease_ttl`. 
- -## 0.9.1 (December 21st, 2017) - -DEPRECATIONS/CHANGES: - - * AppRole Case Sensitivity: In prior versions of Vault, `list` operations - against AppRole roles would require preserving case in the role name, even - though most other operations within AppRole are case-insensitive with - respect to the role name. This has been fixed; existing roles will behave as - they have in the past, but new roles will act case-insensitively in these - cases. - * Token Auth Backend Roles parameter types: For `allowed_policies` and - `disallowed_policies` in role definitions in the token auth backend, input - can now be a comma-separated string or an array of strings. Reading a role - will now return arrays for these parameters. - * Transit key exporting: You can now mark a key in the `transit` backend as - `exportable` at any time, rather than just at creation time; however, once - this value is set, it still cannot be unset. - * PKI Secret Backend Roles parameter types: For `allowed_domains` and - `key_usage` in role definitions in the PKI secret backend, input - can now be a comma-separated string or an array of strings. Reading a role - will now return arrays for these parameters. - * SSH Dynamic Keys Method Defaults to 2048-bit Keys: When using the dynamic - key method in the SSH backend, the default is now to use 2048-bit keys if no - specific key bit size is specified. - * Consul Secret Backend lease handling: The `consul` secret backend can now - accept both strings and integer numbers of seconds for its lease value. The - value returned on a role read will be an integer number of seconds instead - of a human-friendly string. - * Unprintable characters not allowed in API paths: Unprintable characters are - no longer allowed in names in the API (paths and path parameters), with an - extra restriction on whitespace characters. Allowed characters are those - that are considered printable by Unicode plus spaces. 
- -FEATURES: - - * **Transit Backup/Restore**: The `transit` backend now supports a backup - operation that can export a given key, including all key versions and - configuration, as well as a restore operation allowing import into another - Vault. - * **gRPC Database Plugins**: Database plugins now use gRPC for transport, - allowing them to be written in other languages. - * **Nomad Secret Backend**: Nomad ACL tokens can now be generated and revoked - using Vault. - * **TLS Cert Auth Backend Improvements**: The `cert` auth backend can now - match against custom certificate extensions via exact or glob matching, and - additionally supports max_ttl and periodic token toggles. - -IMPROVEMENTS: - - * auth/cert: Support custom certificate constraints [GH-3634] - * auth/cert: Support setting `max_ttl` and `period` [GH-3642] - * audit/file: Setting a file mode of `0000` will now disable Vault from - automatically `chmod`ing the log file [GH-3649] - * auth/github: The legacy MFA system can now be used with the GitHub auth - backend [GH-3696] - * auth/okta: The legacy MFA system can now be used with the Okta auth backend - [GH-3653] - * auth/token: `allowed_policies` and `disallowed_policies` can now be specified - as a comma-separated string or an array of strings [GH-3641] - * command/server: The log level can now be specified with `VAULT_LOG_LEVEL` - [GH-3721] - * core: Period values from auth backends will now be checked and applied to the - TTL value directly by core on login and renewal requests [GH-3677] - * database/mongodb: Add optional `write_concern` parameter, which can be set - during database configuration. 
This establishes a session-wide [write - concern](https://docs.mongodb.com/manual/reference/write-concern/) for the - lifecycle of the mount [GH-3646] - * http: Request path containing non-printable characters will return 400 - Bad - Request [GH-3697] - * mfa/okta: Filter a given email address as a login filter, allowing operation - when login email and account email are different - * plugins: Make Vault more resilient when unsealing when plugins are - unavailable [GH-3686] - * secret/pki: `allowed_domains` and `key_usage` can now be specified - as a comma-separated string or an array of strings [GH-3642] - * secret/ssh: Allow 4096-bit keys to be used in dynamic key method [GH-3593] - * secret/consul: The Consul secret backend now uses the value of `lease` set - on the role, if set, when renewing a secret. [GH-3796] - * storage/mysql: Don't attempt database creation if it exists, which can help - under certain permissions constraints [GH-3716] - -BUG FIXES: - - * api/status (enterprise): Fix status reporting when using an auto seal - * auth/approle: Fix case-sensitive/insensitive comparison issue [GH-3665] - * auth/cert: Return `allowed_names` on role read [GH-3654] - * auth/ldap: Fix incorrect control information being sent [GH-3402] [GH-3496] - [GH-3625] [GH-3656] - * core: Fix seal status reporting when using an autoseal - * core: Add creation path to wrap info for a control group token - * core: Fix potential panic that could occur using plugins when a node - transitioned from active to standby [GH-3638] - * core: Fix memory ballooning when a connection would connect to the cluster - port and then go away -- redux! 
[GH-3680] - * core: Replace recursive token revocation logic with depth-first logic, which - can avoid hitting stack depth limits in extreme cases [GH-2348] - * core: When doing a read on configured audited-headers, properly handle case - insensitivity [GH-3701] - * core/pkcs11 (enterprise): Fix panic when PKCS#11 library is not readable - * database/mysql: Allow the creation statement to use commands that are not yet - supported by the prepare statement protocol [GH-3619] - * plugin/auth-gcp: Fix IAM roles when using `allow_gce_inference` [VPAG-19] - -## 0.9.0.1 (November 21st, 2017) (Enterprise Only) - -IMPROVEMENTS: - - * auth/gcp: Support seal wrapping of configuration parameters - * auth/kubernetes: Support seal wrapping of configuration parameters - -BUG FIXES: - - * Fix an upgrade issue with some physical backends when migrating from legacy - HSM stored key support to the new Seal Wrap mechanism (Enterprise) - * mfa: Add the 'mfa' flag that was removed by mistake [GH-4223] - -## 0.9.0 (November 14th, 2017) - -DEPRECATIONS/CHANGES: - - * HSM config parameter requirements: When using Vault with an HSM, a new - parameter is required: `hmac_key_label`. This performs a similar function to - `key_label` but for the HMAC key Vault will use. Vault will generate a - suitable key if this value is specified and `generate_key` is set true. - * API HTTP client behavior: When calling `NewClient` the API no longer - modifies the provided client/transport. In particular this means it will no - longer enable redirection limiting and HTTP/2 support on custom clients. It - is suggested that if you want to make changes to an HTTP client that you use - one created by `DefaultConfig` as a starting point. - * AWS EC2 client nonce behavior: The client nonce generated by the backend - that gets returned along with the authentication response will be audited in - plaintext. If this is undesired, the clients can choose to supply a custom - nonce to the login endpoint. 
The custom nonce set by the client will from - now on, not be returned back with the authentication response, and hence not - audit logged. - * AWS Auth role options: The API will now error when trying to create or - update a role with the mutually-exclusive options - `disallow_reauthentication` and `allow_instance_migration`. - * SSH CA role read changes: When reading back a role from the `ssh` backend, - the TTL/max TTL values will now be an integer number of seconds rather than - a string. This better matches the API elsewhere in Vault. - * SSH role list changes: When listing roles from the `ssh` backend via the API, - the response data will additionally return a `key_info` map that will contain - a map of each key with a corresponding object containing the `key_type`. - * More granularity in audit logs: Audit request and response entries are still - in RFC3339 format but now have a granularity of nanoseconds. - * High availability related values have been moved out of the `storage` and - `ha_storage` stanzas, and into the top-level configuration. `redirect_addr` - has been renamed to `api_addr`. The stanzas still support accepting - HA-related values to maintain backward compatibility, but top-level values - will take precedence. - * A new `seal` stanza has been added to the configuration file, which is - optional and enables configuration of the seal type to use for additional - data protection, such as using HSM or Cloud KMS solutions to encrypt and - decrypt data. - -FEATURES: - - * **RSA Support for Transit Backend**: Transit backend can now generate RSA - keys which can be used for encryption and signing. [GH-3489] - * **Identity System**: Now in open source and with significant enhancements, - Identity is an integrated system for understanding users across tokens and - enabling easier management of users directly and via groups. 
- * **External Groups in Identity**: Vault can now automatically assign users - and systems to groups in Identity based on their membership in external - groups. - * **Seal Wrap / FIPS 140-2 Compatibility (Enterprise)**: Vault can now take - advantage of FIPS 140-2-certified HSMs to ensure that Critical Security - Parameters are protected in a compliant fashion. Vault's implementation has - received a statement of compliance from Leidos. - * **Control Groups (Enterprise)**: Require multiple members of an Identity - group to authorize a requested action before it is allowed to run. - * **Cloud Auto-Unseal (Enterprise)**: Automatically unseal Vault using AWS KMS - and GCP CKMS. - * **Sentinel Integration (Enterprise)**: Take advantage of HashiCorp Sentinel - to create extremely flexible access control policies -- even on - unauthenticated endpoints. - * **Barrier Rekey Support for Auto-Unseal (Enterprise)**: When using auto-unsealing - functionality, the `rekey` operation is now supported; it uses recovery keys - to authorize the master key rekey. - * **Operation Token for Disaster Recovery Actions (Enterprise)**: When using - Disaster Recovery replication, a token can be created that can be used to - authorize actions such as promotion and updating primary information, rather - than using recovery keys. - * **Trigger Auto-Unseal with Recovery Keys (Enterprise)**: When using - auto-unsealing, a request to unseal Vault can be triggered by a threshold of - recovery keys, rather than requiring the Vault process to be restarted. - * **UI Redesign (Enterprise)**: All new experience for the Vault Enterprise - UI. The look and feel has been completely redesigned to give users a better - experience and make managing secrets fast and easy. - * **UI: SSH Secret Backend (Enterprise)**: Configure an SSH secret backend, - create and browse roles. And use them to sign keys or generate one time - passwords. 
- * **UI: AWS Secret Backend (Enterprise)**: You can now configure the AWS - backend via the Vault Enterprise UI. In addition you can create roles, - browse the roles and Generate IAM Credentials from them in the UI. - -IMPROVEMENTS: - - * api: Add ability to set custom headers on each call [GH-3394] - * command/server: Add config option to disable requesting client certificates - [GH-3373] - * auth/aws: Max retries can now be customized for the AWS client [GH-3965] - * core: Disallow mounting underneath an existing path, not just over [GH-2919] - * physical/file: Use `700` as permissions when creating directories. The files - themselves were `600` and are all encrypted, but this doesn't hurt. - * secret/aws: Add ability to use custom IAM/STS endpoints [GH-3416] - * secret/aws: Max retries can now be customized for the AWS client [GH-3965] - * secret/cassandra: Work around Cassandra ignoring consistency levels for a - user listing query [GH-3469] - * secret/pki: Private keys can now be marshalled as PKCS#8 [GH-3518] - * secret/pki: Allow entering URLs for `pki` as both comma-separated strings and JSON - arrays [GH-3409] - * secret/ssh: Role TTL/max TTL can now be specified as either a string or an - integer [GH-3507] - * secret/transit: Sign and verify operations now support a `none` hash - algorithm to allow signing/verifying pre-hashed data [GH-3448] - * secret/database: Add the ability to glob allowed roles in the Database Backend [GH-3387] - * ui (enterprise): Support for RSA keys in the transit backend - * ui (enterprise): Support for DR Operation Token generation, promoting, and - updating primary on DR Secondary clusters - -BUG FIXES: - - * api: Fix panic when setting a custom HTTP client but with a nil transport - [GH-3435] [GH-3437] - * api: Fix authing to the `cert` backend when the CA for the client cert is - not known to the server's listener [GH-2946] - * auth/approle: Create role ID index during read if a role is missing one [GH-3561] - * auth/aws: 
Don't allow mutually exclusive options [GH-3291] - * auth/radius: Fix logging in in some situations [GH-3461] - * core: Fix memleak when a connection would connect to the cluster port and - then go away [GH-3513] - * core: Fix panic if a single-use token is used to step-down or seal [GH-3497] - * core: Set rather than add headers to prevent some duplicated headers in - responses when requests were forwarded to the active node [GH-3485] - * physical/etcd3: Fix some listing issues due to how etcd3 does prefix - matching [GH-3406] - * physical/etcd3: Fix case where standbys can lose their etcd client lease - [GH-3031] - * physical/file: Fix listing when underscores are the first component of a - path [GH-3476] - * plugins: Allow response errors to be returned from backend plugins [GH-3412] - * secret/transit: Fix panic if the length of the input ciphertext was less - than the expected nonce length [GH-3521] - * ui (enterprise): Reinstate support for generic secret backends - this was - erroneously removed in a previous release - -## 0.8.3 (September 19th, 2017) - -CHANGES: - - * Policy input/output standardization: For all built-in authentication - backends, policies can now be specified as a comma-delimited string or an - array if using JSON as API input; on read, policies will be returned as an - array; and the `default` policy will not be forcefully added to policies - saved in configurations. Please note that the `default` policy will continue - to be added to generated tokens, however, rather than backends adding - `default` to the given set of input policies (in some cases, and not in - others), the stored set will reflect the user-specified set. - * `sign-self-issued` modifies Issuer in generated certificates: In 0.8.2 the - endpoint would not modify the Issuer in the generated certificate, leaving - the output self-issued. Although theoretically valid, in practice crypto - stacks were unhappy validating paths containing such certs. 
As a result, - `sign-self-issued` now encodes the signing CA's Subject DN into the Issuer - DN of the generated certificate. - * `sys/raw` requires enabling: While the `sys/raw` endpoint can be extremely - useful in break-glass or support scenarios, it is also extremely dangerous. - As of now, a configuration file option `raw_storage_endpoint` must be set in - order to enable this API endpoint. Once set, the available functionality has - been enhanced slightly; it now supports listing and decrypting most of - Vault's core data structures, except for the encryption keyring itself. - * `generic` is now `kv`: To better reflect its actual use, the `generic` - backend is now `kv`. Using `generic` will still work for backwards - compatibility. - -FEATURES: - - * **GCE Support for GCP Auth**: GCE instances can now authenticate to Vault - using machine credentials. - * **Support for Kubernetes Service Account Auth**: Kubernetes Service Accounts - can now authenticate to vault using JWT tokens. - -IMPROVEMENTS: - - * configuration: Provide a config option to store Vault server's process ID - (PID) in a file [GH-3321] - * mfa (Enterprise): Add the ability to use identity metadata in username format - * mfa/okta (Enterprise): Add support for configuring base_url for API calls - * secret/pki: `sign-intermediate` will now allow specifying a `ttl` value - longer than the signing CA certificate's NotAfter value. [GH-3325] - * sys/raw: Raw storage access is now disabled by default [GH-3329] - -BUG FIXES: - - * auth/okta: Fix regression that removed the ability to set base_url [GH-3313] - * core: Fix panic while loading leases at startup on ARM processors - [GH-3314] - * secret/pki: Fix `sign-self-issued` encoding the wrong subject public key - [GH-3325] - -## 0.8.2.1 (September 11th, 2017) (Enterprise Only) - -BUG FIXES: - - * Fix an issue upgrading to 0.8.2 for Enterprise customers. 
- -## 0.8.2 (September 5th, 2017) - -SECURITY: - -* In prior versions of Vault, if authenticating via AWS IAM and requesting a - periodic token, the period was not properly respected. This could lead to - tokens expiring unexpectedly, or a token lifetime being longer than expected. - Upon token renewal with Vault 0.8.2 the period will be properly enforced. - -DEPRECATIONS/CHANGES: - -* `vault ssh` users should supply `-mode` and `-role` to reduce the number of - API calls. A future version of Vault will mark these optional values are - required. Failure to supply `-mode` or `-role` will result in a warning. -* Vault plugins will first briefly run a restricted version of the plugin to - fetch metadata, and then lazy-load the plugin on first request to prevent - crash/deadlock of Vault during the unseal process. Plugins will need to be - built with the latest changes in order for them to run properly. - -FEATURES: - -* **Lazy Lease Loading**: On startup, Vault will now load leases from storage - in a lazy fashion (token checks and revocation/renewal requests still force - an immediate load). For larger installations this can significantly reduce - downtime when switching active nodes or bringing Vault up from cold start. -* **SSH CA Login with `vault ssh`**: `vault ssh` now supports the SSH CA - backend for authenticating to machines. It also supports remote host key - verification through the SSH CA backend, if enabled. -* **Signing of Self-Issued Certs in PKI**: The `pki` backend now supports - signing self-issued CA certs. This is useful when switching root CAs. 
- -IMPROVEMENTS: - - * audit/file: Allow specifying `stdout` as the `file_path` to log to standard - output [GH-3235] - * auth/aws: Allow wildcards in `bound_iam_principal_arn` [GH-3213] - * auth/okta: Compare groups case-insensitively since Okta is only - case-preserving [GH-3240] - * auth/okta: Standardize Okta configuration APIs across backends [GH-3245] - * cli: Add subcommand autocompletion that can be enabled with - `vault -autocomplete-install` [GH-3223] - * cli: Add ability to handle wrapped responses when using `vault auth`. What - is output depends on the other given flags; see the help output for that - command for more information. [GH-3263] - * core: TLS cipher suites used for cluster behavior can now be set via - `cluster_cipher_suites` in configuration [GH-3228] - * core: The `plugin_name` can now either be specified directly as part of the - parameter or within the `config` object when mounting a secret or auth backend - via `sys/mounts/:path` or `sys/auth/:path` respectively [GH-3202] - * core: It is now possible to update the `description` of a mount when - mount-tuning, although this must be done through the HTTP layer [GH-3285] - * secret/databases/mongo: If an EOF is encountered, attempt reconnecting and - retrying the operation [GH-3269] - * secret/pki: TTLs can now be specified as a string or an integer number of - seconds [GH-3270] - * secret/pki: Self-issued certs can now be signed via - `pki/root/sign-self-issued` [GH-3274] - * storage/gcp: Use application default credentials if they exist [GH-3248] - -BUG FIXES: - - * auth/aws: Properly use role-set period values for IAM-derived token renewals - [GH-3220] - * auth/okta: Fix updating organization/ttl/max_ttl after initial setting - [GH-3236] - * core: Fix PROXY when underlying connection is TLS [GH-3195] - * core: Policy-related commands would sometimes fail to act case-insensitively - [GH-3210] - * storage/consul: Fix parsing TLS configuration when using a bare IPv6 address - [GH-3268] - 
* plugins: Lazy-load plugins to prevent crash/deadlock during unseal process. - [GH-3255] - * plugins: Skip mounting plugin-based secret and credential mounts when setting - up mounts if the plugin is no longer present in the catalog. [GH-3255] - -## 0.8.1 (August 16th, 2017) - -DEPRECATIONS/CHANGES: - - * PKI Root Generation: Calling `pki/root/generate` when a CA cert/key already - exists will now return a `204` instead of overwriting an existing root. If - you want to recreate the root, first run a delete operation on `pki/root` - (requires `sudo` capability), then generate it again. - -FEATURES: - - * **Oracle Secret Backend**: There is now an external plugin to support leased - credentials for Oracle databases (distributed separately). - * **GCP IAM Auth Backend**: There is now an authentication backend that allows - using GCP IAM credentials to retrieve Vault tokens. This is available as - both a plugin and built-in to Vault. - * **PingID Push Support for Path-Based MFA (Enterprise)**: PingID Push can - now be used for MFA with the new path-based MFA introduced in Vault - Enterprise 0.8. - * **Permitted DNS Domains Support in PKI**: The `pki` backend now supports - specifying permitted DNS domains for CA certificates, allowing you to - narrowly scope the set of domains for which a CA can issue or sign child - certificates. - * **Plugin Backend Reload Endpoint**: Plugin backends can now be triggered to - reload using the `sys/plugins/reload/backend` endpoint and providing either - the plugin name or the mounts to reload. - * **Self-Reloading Plugins**: The plugin system will now attempt to reload a - crashed or stopped plugin, once per request. 
- -IMPROVEMENTS: - - * auth/approle: Allow array input for policies in addition to comma-delimited - strings [GH-3163] - * plugins: Send logs through Vault's logger rather than stdout [GH-3142] - * secret/pki: Add `pki/root` delete operation [GH-3165] - * secret/pki: Don't overwrite an existing root cert/key when calling generate - [GH-3165] - -BUG FIXES: - - * aws: Don't prefer a nil HTTP client over an existing one [GH-3159] - * core: If there is an error when checking for create/update existence, return - 500 instead of 400 [GH-3162] - * secret/database: Avoid creating usernames that are too long for legacy MySQL - [GH-3138] - -## 0.8.0 (August 9th, 2017) - -SECURITY: - - * We've added a note to the docs about the way the GitHub auth backend works - as it may not be readily apparent that GitHub personal access tokens, which - are used by the backend, can be used for unauthorized access if they are - stolen from third party services and access to Vault is public. - -DEPRECATIONS/CHANGES: - - * Database Plugin Backends: Passwords generated for these backends now - enforce stricter password requirements, as opposed to the previous behavior - of returning a randomized UUID. Passwords are of length 20, and have a `A1a-` - characters prepended to ensure stricter requirements. No regressions are - expected from this change. (For database backends that were previously - substituting underscores for hyphens in passwords, this will remain the - case.) - * Lease Endpoints: The endpoints `sys/renew`, `sys/revoke`, `sys/revoke-prefix`, - `sys/revoke-force` have been deprecated and relocated under `sys/leases`. - Additionally, the deprecated path `sys/revoke-force` now requires the `sudo` - capability. - * Response Wrapping Lookup Unauthenticated: The `sys/wrapping/lookup` endpoint - is now unauthenticated. This allows introspection of the wrapping info by - clients that only have the wrapping token without then invalidating the - token. 
Validation functions/checks are still performed on the token. - -FEATURES: - - * **Cassandra Storage**: Cassandra can now be used for Vault storage - * **CockroachDB Storage**: CockroachDB can now be used for Vault storage - * **CouchDB Storage**: CouchDB can now be used for Vault storage - * **SAP HANA Database Plugin**: The `databases` backend can now manage users - for SAP HANA databases - * **Plugin Backends**: Vault now supports running secret and auth backends as - plugins. Plugins can be mounted like normal backends and can be developed - independently from Vault. - * **PROXY Protocol Support** Vault listeners can now be configured to honor - PROXY protocol v1 information to allow passing real client IPs into Vault. A - list of authorized addresses (IPs or subnets) can be defined and - accept/reject behavior controlled. - * **Lease Lookup and Browsing in the Vault Enterprise UI**: Vault Enterprise UI - now supports lookup and listing of leases and the associated actions from the - `sys/leases` endpoints in the API. These are located in the new top level - navigation item "Leases". - * **Filtered Mounts for Performance Mode Replication**: Whitelists or - blacklists of mounts can be defined per-secondary to control which mounts - are actually replicated to that secondary. This can allow targeted - replication of specific sets of data to specific geolocations/datacenters. - * **Disaster Recovery Mode Replication (Enterprise Only)**: There is a new - replication mode, Disaster Recovery (DR), that performs full real-time - replication (including tokens and leases) to DR secondaries. DR secondaries - cannot handle client requests, but can be promoted to primary as needed for - failover. - * **Manage New Replication Features in the Vault Enterprise UI**: Support for - Replication features in Vault Enterprise UI has expanded to include new DR - Replication mode and management of Filtered Mounts in Performance Replication - mode. 
- * **Vault Identity (Enterprise Only)**: Vault's new Identity system allows - correlation of users across tokens. At present this is only used for MFA, - but will be the foundation of many other features going forward. - * **Duo Push, Okta Push, and TOTP MFA For All Authenticated Paths (Enterprise - Only)**: A brand new MFA system built on top of Identity allows MFA - (currently Duo Push, Okta Push, and TOTP) for any authenticated path within - Vault. MFA methods can be configured centrally, and TOTP keys live within - the user's Identity information to allow using the same key across tokens. - Specific MFA method(s) required for any given path within Vault can be - specified in normal ACL path statements. - -IMPROVEMENTS: - - * api: Add client method for a secret renewer background process [GH-2886] - * api: Add `RenewTokenAsSelf` [GH-2886] - * api: Client timeout can now be adjusted with the `VAULT_CLIENT_TIMEOUT` env - var or with a new API function [GH-2956] - * api/cli: Client will now attempt to look up SRV records for the given Vault - hostname [GH-3035] - * audit/socket: Enhance reconnection logic and don't require the connection to - be established at unseal time [GH-2934] - * audit/file: Opportunistically try re-opening the file on error [GH-2999] - * auth/approle: Add role name to token metadata [GH-2985] - * auth/okta: Allow specifying `ttl`/`max_ttl` inside the mount [GH-2915] - * cli: Client timeout can now be adjusted with the `VAULT_CLIENT_TIMEOUT` env - var [GH-2956] - * command/auth: Add `-token-only` flag to `vault auth` that returns only the - token on stdout and does not store it via the token helper [GH-2855] - * core: CORS allowed origins can now be configured [GH-2021] - * core: Add metrics counters for audit log failures [GH-2863] - * cors: Allow setting allowed headers via the API instead of always using - wildcard [GH-3023] - * secret/ssh: Allow specifying the key ID format using template values for CA - type [GH-2888] - * server: Add 
`tls_client_ca_file` option for specifying a CA file to use for - client certificate verification when `tls_require_and_verify_client_cert` is - enabled [GH-3034] - * storage/cockroachdb: Add CockroachDB storage backend [GH-2713] - * storage/couchdb: Add CouchDB storage backend [GH-2880] - * storage/mssql: Add `max_parallel` [GH-3026] - * storage/postgresql: Add `max_parallel` [GH-3026] - * storage/postgresql: Improve listing speed [GH-2945] - * storage/s3: More efficient paging when an object has a lot of subobjects - [GH-2780] - * sys/wrapping: Make `sys/wrapping/lookup` unauthenticated [GH-3084] - * sys/wrapping: Wrapped tokens now store the original request path of the data - [GH-3100] - * telemetry: Add support for DogStatsD [GH-2490] - -BUG FIXES: - - * api/health: Don't treat standby `429` codes as an error [GH-2850] - * api/leases: Fix lease lookup returning lease properties at the top level - * audit: Fix panic when audit logging a read operation on an asymmetric - `transit` key [GH-2958] - * auth/approle: Fix panic when secret and cidr list not provided in role - [GH-3075] - * auth/aws: Look up proper account ID on token renew [GH-3012] - * auth/aws: Store IAM header in all cases when it changes [GH-3004] - * auth/ldap: Verify given certificate is PEM encoded instead of failing - silently [GH-3016] - * auth/token: Don't allow using the same token ID twice when manually - specifying [GH-2916] - * cli: Fix issue with parsing keys that start with special characters [GH-2998] - * core: Relocated `sys/leases/renew` returns same payload as original - `sys/leases` endpoint [GH-2891] - * secret/ssh: Fix panic when signing with incorrect key type [GH-3072] - * secret/totp: Ensure codes can only be used once. This makes some automated - workflows harder but complies with the RFC. 
[GH-2908] - * secret/transit: Fix locking when creating a key with unsupported options - [GH-2974] - -## 0.7.3 (June 7th, 2017) - -SECURITY: - - * Cert auth backend now checks validity of individual certificates: In - previous versions of Vault, validity (e.g. expiration) of individual leaf - certificates added for authentication was not checked. This was done to make - it easier for administrators to control lifecycles of individual - certificates added to the backend, e.g. the authentication material being - checked was access to that specific certificate's private key rather than - all private keys signed by a CA. However, this behavior is often unexpected - and as a result can lead to insecure deployments, so we are now validating - these certificates as well. - * App-ID path salting was skipped in 0.7.1/0.7.2: A regression in 0.7.1/0.7.2 - caused the HMACing of any App-ID information stored in paths (including - actual app-IDs and user-IDs) to be unsalted and written as-is from the API. - In 0.7.3 any such paths will be automatically changed to salted versions on - access (e.g. login or read); however, if you created new app-IDs or user-IDs - in 0.7.1/0.7.2, you may want to consider whether any users with access to - Vault's underlying data store may have intercepted these values, and - revoke/roll them. - -DEPRECATIONS/CHANGES: - - * Step-Down is Forwarded: When a step-down is issued against a non-active node - in an HA cluster, it will now forward the request to the active node. - -FEATURES: - - * **ed25519 Signing/Verification in Transit with Key Derivation**: The - `transit` backend now supports generating - [ed25519](https://ed25519.cr.yp.to/) keys for signing and verification - functionality. These keys support derivation, allowing you to modify the - actual encryption key used by supplying a `context` value. 
- * **Key Version Specification for Encryption in Transit**: You can now specify - the version of a key you use to wish to generate a signature, ciphertext, or - HMAC. This can be controlled by the `min_encryption_version` key - configuration property. - * **Replication Primary Discovery (Enterprise)**: Replication primaries will - now advertise the addresses of their local HA cluster members to replication - secondaries. This helps recovery if the primary active node goes down and - neither service discovery nor load balancers are in use to steer clients. - -IMPROVEMENTS: - - * api/health: Add Sys().Health() [GH-2805] - * audit: Add auth information to requests that error out [GH-2754] - * command/auth: Add `-no-store` option that prevents the auth command from - storing the returned token into the configured token helper [GH-2809] - * core/forwarding: Request forwarding now heartbeats to prevent unused - connections from being terminated by firewalls or proxies - * plugins/databases: Add MongoDB as an internal database plugin [GH-2698] - * storage/dynamodb: Add a method for checking the existence of children, - speeding up deletion operations in the DynamoDB storage backend [GH-2722] - * storage/mysql: Add max_parallel parameter to MySQL backend [GH-2760] - * secret/databases: Support listing connections [GH-2823] - * secret/databases: Support custom renewal statements in Postgres database - plugin [GH-2788] - * secret/databases: Use the role name as part of generated credentials - [GH-2812] - * ui (Enterprise): Transit key and secret browsing UI handle large lists better - * ui (Enterprise): root tokens are no longer persisted - * ui (Enterprise): support for mounting Database and TOTP secret backends - -BUG FIXES: - - * auth/app-id: Fix regression causing loading of salts to be skipped - * auth/aws: Improve EC2 describe instances performance [GH-2766] - * auth/aws: Fix lookup of some instance profile ARNs [GH-2802] - * auth/aws: Resolve ARNs to internal AWS IDs 
which makes lookup at various - points (e.g. renewal time) more robust [GH-2814] - * auth/aws: Properly honor configured period when using IAM authentication - [GH-2825] - * auth/aws: Check that a bound IAM principal is not empty (in the current - state of the role) before requiring it match the previously authenticated - client [GH-2781] - * auth/cert: Fix panic on renewal [GH-2749] - * auth/cert: Certificate verification for non-CA certs [GH-2761] - * core/acl: Prevent race condition when compiling ACLs in some scenarios - [GH-2826] - * secret/database: Increase wrapping token TTL; in a loaded scenario it could - be too short - * secret/generic: Allow integers to be set as the value of `ttl` field as the - documentation claims is supported [GH-2699] - * secret/ssh: Added host key callback to ssh client config [GH-2752] - * storage/s3: Avoid a panic when some bad data is returned [GH-2785] - * storage/dynamodb: Fix list functions working improperly on Windows [GH-2789] - * storage/file: Don't leak file descriptors in some error cases - * storage/swift: Fix pre-v3 project/tenant name reading [GH-2803] - -## 0.7.2 (May 8th, 2017) - -BUG FIXES: - - * audit: Fix auditing entries containing certain kinds of time values - [GH-2689] - -## 0.7.1 (May 5th, 2017) - -DEPRECATIONS/CHANGES: - - * LDAP Auth Backend: Group membership queries will now run as the `binddn` - user when `binddn`/`bindpass` are configured, rather than as the - authenticating user as was the case previously. - -FEATURES: - - * **AWS IAM Authentication**: IAM principals can get Vault tokens - automatically, opening AWS-based authentication to users, ECS containers, - Lambda instances, and more. Signed client identity information retrieved - using the AWS API `sts:GetCallerIdentity` is validated against the AWS STS - service before issuing a Vault token. 
This backend is unified with the - `aws-ec2` authentication backend under the name `aws`, and allows additional - EC2-related restrictions to be applied during the IAM authentication; the - previous EC2 behavior is also still available. [GH-2441] - * **MSSQL Physical Backend**: You can now use Microsoft SQL Server as your - Vault physical data store [GH-2546] - * **Lease Listing and Lookup**: You can now introspect a lease to get its - creation and expiration properties via `sys/leases/lookup`; with `sudo` - capability you can also list leases for lookup, renewal, or revocation via - that endpoint. Various lease functions (renew, revoke, revoke-prefix, - revoke-force) have also been relocated to `sys/leases/`, but they also work - at the old paths for compatibility. Reading (but not listing) leases via - `sys/leases/lookup` is now a part of the current `default` policy. [GH-2650] - * **TOTP Secret Backend**: You can now store multi-factor authentication keys - in Vault and use the API to retrieve time-based one-time use passwords on - demand. The backend can also be used to generate a new key and validate - passwords generated by that key. [GH-2492] - * **Database Secret Backend & Secure Plugins (Beta)**: This new secret backend - combines the functionality of the MySQL, PostgreSQL, MSSQL, and Cassandra - backends. It also provides a plugin interface for extendability through - custom databases. 
[GH-2200] - -IMPROVEMENTS: - - * auth/cert: Support for constraints on subject Common Name and DNS/email - Subject Alternate Names in certificates [GH-2595] - * auth/ldap: Use the binding credentials to search group membership rather - than the user credentials [GH-2534] - * cli/revoke: Add `-self` option to allow revoking the currently active token - [GH-2596] - * core: Randomize x coordinate in Shamir shares [GH-2621] - * replication: Fix a bug when enabling `approle` on a primary before - secondaries were connected - * replication: Add heartbeating to ensure firewalls don't kill connections to - primaries - * secret/pki: Add `no_store` option that allows certificates to be issued - without being stored. This removes the ability to look up and/or add to a - CRL but helps with scaling to very large numbers of certificates. [GH-2565] - * secret/pki: If used with a role parameter, the `sign-verbatim/` - endpoint honors the values of `generate_lease`, `no_store`, `ttl` and - `max_ttl` from the given role [GH-2593] - * secret/pki: Add role parameter `allow_glob_domains` that enables defining - names in `allowed_domains` containing `*` glob patterns [GH-2517] - * secret/pki: Update certificate storage to not use characters that are not - supported on some filesystems [GH-2575] - * storage/etcd3: Add `discovery_srv` option to query for SRV records to find - servers [GH-2521] - * storage/s3: Support `max_parallel` option to limit concurrent outstanding - requests [GH-2466] - * storage/s3: Use pooled transport for http client [GH-2481] - * storage/swift: Allow domain values for V3 authentication [GH-2554] - * tidy: Improvements to `auth/token/tidy` and `sys/leases/tidy` to handle more - cleanup cases [GH-2452] - -BUG FIXES: - - * api: Respect a configured path in Vault's address [GH-2588] - * auth/aws-ec2: New bounds added as criteria to allow role creation [GH-2600] - * auth/ldap: Don't lowercase groups attached to users [GH-2613] - * cli: Don't panic if `vault write` is 
used with the `force` flag but no path - [GH-2674] - * core: Help operations should request forward since standbys may not have - appropriate info [GH-2677] - * replication: Fix enabling secondaries when certain mounts already existed on - the primary - * secret/mssql: Update mssql driver to support queries with colons [GH-2610] - * secret/pki: Don't lowercase O/OU values in certs [GH-2555] - * secret/pki: Don't attempt to validate IP SANs if none are provided [GH-2574] - * secret/ssh: Don't automatically lowercase principles in issued SSH certs - [GH-2591] - * storage/consul: Properly handle state events rather than timing out - [GH-2548] - * storage/etcd3: Ensure locks are released if client is improperly shut down - [GH-2526] - -## 0.7.0 (March 21th, 2017) - -SECURITY: - - * Common name not being validated when `exclude_cn_from_sans` option used in - `pki` backend: When using a role in the `pki` backend that specified the - `exclude_cn_from_sans` option, the common name would not then be properly - validated against the role's constraints. This has been fixed. We recommend - any users of this feature to upgrade to 0.7 as soon as feasible. - -DEPRECATIONS/CHANGES: - - * List Operations Always Use Trailing Slash: Any list operation, whether via - the `GET` or `LIST` HTTP verb, will now internally canonicalize the path to - have a trailing slash. This makes policy writing more predictable, as it - means clients will no longer work or fail based on which client they're - using or which HTTP verb they're using. However, it also means that policies - allowing `list` capability must be carefully checked to ensure that they - contain a trailing slash; some policies may need to be split into multiple - stanzas to accommodate. - * PKI Defaults to Unleased Certificates: When issuing certificates from the - PKI backend, by default, no leases will be issued. If you want to manually - revoke a certificate, its serial number can be used with the `pki/revoke` - endpoint. 
Issuing leases is still possible by enabling the `generate_lease` - toggle in PKI role entries (this will default to `true` for upgrades, to - keep existing behavior), which will allow using lease IDs to revoke - certificates. For installations issuing large numbers of certificates (tens - to hundreds of thousands, or millions), this will significantly improve - Vault startup time since leases associated with these certificates will not - have to be loaded; however note that it also means that revocation of a - token used to issue + guidance, linking out to relevant
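Review bot: the removed span deletes the SECURITY sections for 0.8.2, 0.8.0, 0.7.3 and 0.7.0 along with the rest of the 0.7.x/0.8.x history, and nothing in the visible `+` side says where that history now lives; the only addition, `+ guidance, linking out to relevant`, is cut off before its target, so the link cannot be confirmed from this hunk. Those sections carry operator actions that are still relevant to anyone upgrading from those versions (roll app-IDs/user-IDs created on 0.7.1/0.7.2 because paths were written unsalted; cert auth now rejects expired leaf certificates; `exclude_cn_from_sans` CN validation; AWS IAM periodic-token period enforcement on renewal; GitHub personal access token exposure). Suggest keeping the removed releases reachable, either by leaving the SECURITY entries in place or by having the new "guidance" line point explicitly at an archived copy of the pre-0.9 changelog, and stating that destination in the commit message.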