---
- branch: MAIN
  date: Mon Sep 3 18:59:08 UTC 2018
  files:
  - new: '1.31'
    old: '1.30'
    path: pkgsrc/security/vault/Makefile
    pathrev: pkgsrc/security/vault/Makefile@1.31
    type: modified
  - new: '1.20'
    old: '1.19'
    path: pkgsrc/security/vault/distinfo
    pathrev: pkgsrc/security/vault/distinfo@1.20
    type: modified
  id: 20180903T185908Z.17615a1a4046005c1a2d3c99e7f3a7ae2c897ae1
  log: |
    security/vault: Update to 0.11.0.

    DEPRECATIONS/CHANGES:

    - Request Timeouts: A default request timeout of 90s is now enforced. This setting can be overwritten in the config file. If you anticipate requests taking longer than 90s, this setting should be updated before upgrading.
    - (NOTE: will be re-added into 0.11.1 as it broke more than anticipated. There will be some further guidelines around when this will be removed again.) `sys/` Top Level Injection: For the last two years, for backwards compatibility, data for various `sys/` routes has been injected into both the Secret's Data map and into the top level of the JSON response object. However, this has some subtle issues that pop up from time to time and is becoming increasingly complicated to maintain, so it's finally being removed.
    - Path Fallback for List Operations: For a very long time Vault has automatically adjusted `list` operations to always end in a `/`, as list operations operate on prefixes, so all list operations by definition end with `/`. This was done server-side so affects all clients. However, this has also led to a lot of confusion for users writing policies that assume that the path that they use in the CLI is the path used internally. Starting in 0.11, ACL policies gain a new fallback rule for listing: they will use a matching path ending in `/` if available, but if not found, they will look for the same path without a trailing `/`. This allows putting `list` capabilities in the same path block as most other capabilities for that path, while not providing any extra access if `list` wasn't actually provided there.
    - Performance Standbys On By Default: If your flavor/license of Vault Enterprise supports Performance Standbys, they are on by default. You can disable this behavior per-node with the `disable_performance_standby` configuration flag.
    - AWS Secret Engine Roles: The AWS Secret Engine roles are now explicit about the type of AWS credential they are generating; this reduces ambiguity that existed previously as well as enables new features for specific credential types. Writing role data and generating credentials remain backwards compatible; however, the data returned when reading a role's configuration has changed in backwards-incompatible ways. Anything that depended on reading role data from the AWS secret engine will break until it is updated to work with the new format.

    FEATURES:

    - Namespaces (Enterprise): A set of features within Vault Enterprise that allows Vault environments to support *Secure Multi-tenancy* within a single Vault Enterprise infrastructure. Through namespaces, Vault administrators can support tenant isolation for teams and individuals as well as empower those individuals to self-manage their own tenant environment.
    - Performance Standbys (Enterprise): Standby nodes can now service requests that do not modify storage. This provides near-horizontal scaling of a cluster in some workloads, and is the intra-cluster analogue of the existing Performance Replication feature, which replicates to distinct clusters in other datacenters, geos, etc.
    - AliCloud OSS Storage: AliCloud OSS can now be used for Vault storage.
    - AliCloud Auth Plugin: AliCloud's identity services can now be used to grant access to Vault. See the plugin repository for more information.
    - Azure Secrets Plugin: There is now a plugin (pulled into Vault) that allows generating credentials to allow access to Azure. See the plugin repository for more information.
    - HA Support for MySQL Storage: MySQL storage now supports HA.
    - ACL Templating: ACL policies can now be templated using identity Entity, Groups, and Metadata.
    - UI Onboarding wizards: The Vault UI can provide contextual help and guidance, linking out to relevant links or guides on vaultproject.io for various workflows in Vault.

    IMPROVEMENTS:

    - agent: Add `exit_after_auth` to be able to use the Agent for a single authentication
    - auth/approle: Add ability to set token bound CIDRs on individual Secret IDs
    - cli: Add support for passing parameters to `vault read` operations
    - secrets/aws: Make credential types more explicit
    - secrets/nomad: Support for longer token names
    - secrets/pki: Allow disabling CRL generation
    - storage/azure: Add support for different Azure environments
    - storage/file: Sort keys in list responses
    - storage/mysql: Support special characters in database and table names.

    BUG FIXES:

    - auth/jwt: Always validate `aud` claim even if `bound_audiences` isn't set (IOW, error in this case)
    - core: Prevent Go's HTTP library from interspersing logs in a different format and/or interleaved
    - identity: Properly populate `mount_path` and `mount_type` on group lookup
    - identity: Fix persisting alias metadata
    - identity: Fix carryover issue from previously fixed race condition that could cause Vault not to start up due to two entities referencing the same alias. These entities are now merged.
    - replication: Fix issue causing some pages not to flush to storage
    - secrets/database: Fix inability to update custom SQL statements on database roles.
    - secrets/pki: Disallow putting the CA's serial on its CRL. While technically legal, doing so inherently means the CRL can't be trusted anyways, so it's not useful and easy to footgun.
    - storage/gcp,spanner: Fix data races
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/security/vault'
  unixtime: '1536001148'
  user: fhajny