From 5ce55a2ebcb9428fd3dba3b29dc3e8152b369a76 Mon Sep 17 00:00:00 2001 From: Jeff Mitchell Date: Tue, 4 Oct 2016 22:35:56 -0400 Subject: [PATCH] Update website with breaking change information --- .../docs/install/upgrade-to-0.6.2.html.md | 67 +++++++++++++++++-- 1 file changed, 60 insertions(+), 7 deletions(-) diff --git a/website/source/docs/install/upgrade-to-0.6.2.html.md b/website/source/docs/install/upgrade-to-0.6.2.html.md index 6d1a109d14..66365a1c36 100644 --- a/website/source/docs/install/upgrade-to-0.6.2.html.md +++ b/website/source/docs/install/upgrade-to-0.6.2.html.md @@ -8,13 +8,66 @@ description: |- # Overview -This page contains the list of breaking changes for Vault 0.6.2. Please read it -carefully. +This page contains the list of deprecations and important or breaking changes +for Vault 0.6.2. Please read it carefully. + +## Request Forwarding On By Default + +In 0.6.1 this feature was in beta and required opting-in, but is now enabled by +default. This can be disabled via the `"disable_clustering"` parameter in +Vault's [config](https://www.vaultproject.io/docs/config/index.html), or +per-request with the `X-Vault-No-Request-Forwarding` header. ## AppRole Role Constraints -Creating or updating a role now requires at least one constraint to be enabled. -Currently there are only 2 constraints: `bind_secret_id` and `bound_cidr_list`. -`bind_secret_id` is enabled by default. Roles which had `bind_secret_id` -disabled and `bound_cidr_list` not set, will require a constraint to be -speficied during further updates. +Creating or updating a role now requires at least one constraint to be enabled, +whereas previously it was sufficient to require only the role ID by itself. +Currently there are two constraints: `bind_secret_id` and `bound_cidr_list`. +`bind_secret_id` is enabled by default. Roles which were previously using only +the role ID for authentication will continue to work but will require a +constraint to be specified if updated. + +## Convergent Encryption v2 + +New keys in `transit` using convergent mode will use a new nonce derivation +mechanism rather than require the user to supply a nonce. While not explicitly +increasing security, it minimizes the likelihood that a user will use the mode +improperly and impact the security of their keys. Keys in convergent mode that +were created in 0.6.1 will continue to work with the same mechanism +(user-supplied nonce). + +## `etcd` HA Off By Default + +Following in the footsteps of `dynamodb`, the `etcd` storage backend now +requires that `ha_enabled` be explicitly specified in the configuration file. +The backend currently has known broken HA behavior, so this flag discourages +use by default without explicitly enabling it. If you are using this +functionality, when upgrading, you should set `ha_enabled` to `"true"` *before* +starting the new versions of Vault. + +## Reading Wrapped Responses From `cubbyhole/response` Is Deprecated + +The `sys/wrapping/unwrap` endpoint should be used instead as it provides +additional security, auditing, and other benefits. The ability to read directly +will be removed in a future release. + +## Default/Max Lease/Token TTLs Now 32 Days + +In previous versions of Vault the default was 30 days, but changing it to 32 +days allows some operations (e.g. reauthenticating, renewing, etc.) to be +performed via a monthly cron job. + +## AppRole Secret ID Endpoints Changed + +Secret ID and Secret ID accessors are no longer part of request URLs. The `GET` +and `DELETE` operations are now moved to new endpoints (`/lookup` and +`/destroy`) which consumes the input from the body via `POST` (or `PUT`) and +not the URL. + +## Behavior Change for `bound_iam_role_arn` in AWS-EC2 Backend + +In prior versions a bug caused the `bound_iam_role_arn` value in the `aws-ec2` +authentication backend to actually use the instance profile ARN. This has been +corrected, but as a result there is a behavior change. To match using the +instance profile ARN, a new parameter `bound_iam_instance_profile_arn` has been +added.