From d3edb9a7a5ced69f8751d1f4e43de37171e44899 Mon Sep 17 00:00:00 2001 
From: fhajny
Date: Wed, 11 Apr 2018 15:35:49 +0000
Subject: [PATCH] security/vault: Update to 0.10.0.

SECURITY:

- Log sanitization for Combined Database Secret Engine: In certain failure scenarios with incorrectly formatted connection urls, the raw connection errors were being returned to the user with the configured database credentials. Errors are now sanitized before being returned to the user.

DEPRECATIONS/CHANGES:

- Database plugin compatibility: The database plugin interface was enhanced to support some additional functionality related to root credential rotation and supporting templated URL strings. The changes were made in a backwards-compatible way and all builtin plugins were updated with the new features. Custom plugins not built into Vault will need to be upgraded to support templated URL strings and root rotation. Additionally, the Initialize method was deprecated in favor of a new Init method that supports configuration modifications that occur in the plugin back to the primary data store.
- Removal of returned secret information: For a long time Vault has returned configuration given to various secret engines and auth methods with secret values (such as secret API keys or passwords) still intact, and with a warning to the user on write that anyone with read access could see the secret. This was mostly done to make it easy for tools like Terraform to judge whether state had drifted. However, it also feels quite un-Vault-y to do this and we've never felt very comfortable doing so. In 0.10 we have gone through and removed this behavior from the various backends; fields which contained secret values are simply no longer returned on read. We are working with the Terraform team to make changes to their provider to accommodate this as best as possible, and users of other tools may have to make adjustments, but in the end we felt that the ends did not justify the means and we needed to prioritize security over operational convenience.
- LDAP auth method case sensitivity: We now treat usernames and groups configured locally for policy assignment in a case insensitive fashion by default. Existing configurations will continue to work as they do now; however, the next time a configuration is written `case_sensitive_names` will need to be explicitly set to `true`.
- TTL handling within core: All lease TTL handling has been centralized within the core of Vault to ensure consistency across all backends. Since this was previously delegated to individual backends, there may be some slight differences in TTLs generated from some backends.
- Removal of default `secret/` mount: In 0.12 we will stop mounting `secret/` by default at initialization time (it will still be available in `dev` mode).

FEATURES:

- OSS UI: The Vault UI is now fully open-source. Similarly to the CLI, some features are only available with a supporting version of Vault, but the code base is entirely open.
- Versioned K/V: The `kv` backend has been completely revamped, featuring flexible versioning of values, check-and-set protections, and more. A new `vault kv` subcommand allows friendly interactions with it. Existing mounts of the `kv` backend can be upgraded to the new versioned mode (downgrades are not currently supported). The old "passthrough" mode is still the default for new mounts; versioning can be turned on by setting the `-version=2` flag for the `vault secrets enable` command.
- Database Root Credential Rotation: Database configurations can now rotate their own configured admin/root credentials, allowing configured credentials for a database connection to be rotated immediately after sending them into Vault, invalidating the old credentials and ensuring only Vault knows the actual valid values.
- Azure Authentication Plugin: There is now a plugin (pulled in to Vault) that allows authenticating Azure machines to Vault using Azure's Managed Service Identity credentials. See the [plugin repository](https://github.com/hashicorp/vault-plugin-auth-azure) for more information.
- GCP Secrets Plugin: There is now a plugin (pulled in to Vault) that allows generating secrets to allow access to GCP. See the [plugin repository](https://github.com/hashicorp/vault-plugin-secrets-gcp) for more information.
- Selective Audit HMACing of Request and Response Data Keys: HMACing in audit logs can be turned off for specific keys in the request input map and response `data` map on a per-mount basis.
- Passthrough Request Headers: Request headers can now be selectively passed through to backends on a per-mount basis. This is useful in various cases when plugins are interacting with external services.
- HA for Google Cloud Storage: The GCS storage type now supports HA.
- UI support for identity: Add and edit entities, groups, and their associated aliases.
- UI auth method support: Enable, disable, and configure all of the built-in authentication methods.
- UI (Enterprise): View and edit Sentinel policies.

IMPROVEMENTS:

- core: Centralize TTL generation for leases in core
- identity: API to update group-alias by ID
- secret/cassandra: Update Cassandra storage delete function to not use batch operations
- storage/mysql: Allow setting max idle connections and connection lifetime
- storage/gcs: Add HA support
- ui: Add Nomad to the list of available secret engines
- ui: Adds ability to set static headers to be returned by the UI

BUG FIXES:

- api: Fix retries not working
- auth/gcp: Invalidate clients on config change
- auth/token: Revoke-orphan and tidy operations now correctly clean up the parent prefix entry in the underlying storage backend. These operations also mark corresponding child tokens as orphans by removing the parent/secondary index from the entries.
- command: Re-add `-mfa` flag and migrate to OSS binary
- core: Fix issue occurring from mounting two auth backends with the same path with one mount having `auth/` in front
- mfa: Invalidation of MFA configurations (Enterprise)
- replication: Fix a panic on some non-64-bit platforms
- replication: Fix invalidation of policies on performance secondaries
- secret/pki: When tidying if a value is unexpectedly nil, delete it and move on
- storage/s3: Fix panic if S3 returns no Content-Length header
- ui: Fixed an issue where the UI was checking incorrect paths when operating on transit keys. Capabilities are now checked when attempting to encrypt / decrypt, etc.
- ui: Fixed IE 11 layout issues and JS errors that would stop the application from running.
- ui: Fixed the link that gets rendered when a user doesn't have permissions to view the root of a secret engine. The link now sends them back to the list of secret engines.
- replication: Fix issue with DR secondaries when using mount specified local paths.
- cli: Fix an issue where generating a dr operation token would not output the token

--- security/vault/Makefile | 5 ++--- security/vault/distinfo | 10 +++++----- 2 files changed, 7 insertions(+), 8 deletions(-) diff --git a/security/vault/Makefile b/security/vault/Makefile index 29e3fb3a7932..1a2bd804e391 100644 --- a/security/vault/Makefile +++ b/security/vault/Makefile @@ -1,7 +1,6 @@ -# $NetBSD: Makefile,v 1.26 2018/03/30 11:56:25 bsiegert Exp $ +# $NetBSD: Makefile,v 1.27 2018/04/11 15:35:49 fhajny Exp $ -DISTNAME= vault-0.9.6 -PKGREVISION= 1 +DISTNAME= vault-0.10.0 CATEGORIES= security MASTER_SITES= ${MASTER_SITE_GITHUB:=hashicorp/} diff --git a/security/vault/distinfo b/security/vault/distinfo index 1605bdd41aaf..87f3ed308d7d 100644 --- a/security/vault/distinfo +++ b/security/vault/distinfo 
@@ -1,6 +1,6 @@ -$NetBSD: distinfo,v 1.17 2018/03/23 12:00:12 fhajny Exp $ +$NetBSD: distinfo,v 1.18 2018/04/11 15:35:49 fhajny Exp $ -SHA1 (vault-0.9.6.tar.gz) = 715a361a0547fb1d771a227393c3dd6df9e35fe5 -RMD160 (vault-0.9.6.tar.gz) = 61785d65c3ed311ede75e24a51e1ed5a48f07024 -SHA512 (vault-0.9.6.tar.gz) = 31c6a39f2a5ebce79660f9ba7b673f95042ab283681de016a9540da17b6a938a45762cf4b4625cf35545fe80716e212a9ee362abe5c6fca52eafd5322b6b0de4 -Size (vault-0.9.6.tar.gz) = 10464094 bytes +SHA1 (vault-0.10.0.tar.gz) = 4bd141705c1704fbe309382ee8eb0e68786495a0 +RMD160 (vault-0.10.0.tar.gz) = 1d768b101d360c3b2a65d5ec19726c39cdca9549 +SHA512 (vault-0.10.0.tar.gz) = 204f6f7b36802befc6749a064f217817cdd1bbe634517dc6146a9a4a32bf70ea341634a7a4399f901bb2a63a1b096982f258e365244b01ab4ace833a799fa5bd +Size (vault-0.10.0.tar.gz) = 12533158 bytes
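Review bot: In the Makefile hunk, dropping `PKGREVISION= 1` together with the `DISTNAME` bump to `vault-0.10.0` is correct, since the package revision counter restarts at each new upstream version; however, the hunk changes nothing else in the Makefile, so the commit message should state that 0.10.0 builds with the existing dependency set and options. The release notes list newly pulled-in Azure and GCP plugins and a fully open-source UI, which is exactly the kind of upstream change that can introduce new build requirements, and a reviewer cannot tell from these lines whether that was checked.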
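Review bot: In the distinfo hunk, the new `SHA1`, `RMD160`, `SHA512` and `Size` entries for `vault-0.10.0.tar.gz` replace the 0.9.6 set, but because `MASTER_SITES` points at GitHub the distfile is GitHub's generated archive of the release tag rather than an artifact with a published upstream checksum, so these values only pin whatever bytes were fetched when the checksums were regenerated. It would help to note in the commit message that the archive was fetched fresh for this update and, ideally, that the SHA512 agreed with an independent second fetch, since the SHA512 is the only entry here with meaningful collision resistance. The size increase from 10464094 to 12533158 bytes is plausible given that the release notes describe the UI code base as now being part of the open-source tree.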