SECURITY:
- Log sanitization for Combined Database Secret Engine: In certain failure
scenarios with incorrectly formatted connection urls, the raw connection
errors were being returned to the user with the configured database
credentials. Errors are now sanitized before being returned to the user.
DEPRECATIONS/CHANGES:
- Database plugin compatibility: The database plugin interface was enhanced to
support some additional functionality related to root credential rotation
and supporting templated URL strings. The changes were made in a
backwards-compatible way and all builtin plugins were updated with the new
features. Custom plugins not built into Vault will need to be upgraded to
support templated URL strings and root rotation. Additionally, the
Initialize method was deprecated in favor of a new Init method that supports
configuration modifications that occur in the plugin back to the primary
data store.
- Removal of returned secret information: For a long time Vault has returned
configuration given to various secret engines and auth methods with secret
values (such as secret API keys or passwords) still intact, and with a
warning to the user on write that anyone with read access could see the
secret. This was mostly done to make it easy for tools like Terraform to
judge whether state had drifted. However, it also feels quite un-Vault-y to
do this and we've never felt very comfortable doing so. In 0.10 we have gone
through and removed this behavior from the various backends; fields which
contained secret values are simply no longer returned on read. We are
working with the Terraform team to make changes to their provider to
accommodate this as best as possible, and users of other tools may have to
make adjustments, but in the end we felt that the ends did not justify the
means and we needed to prioritize security over operational convenience.
- LDAP auth method case sensitivity: We now treat usernames and groups
configured locally for policy assignment in a case insensitive fashion by
default. Existing configurations will continue to work as they do now;
however, the next time a configuration is written `case_sensitive_names`
will need to be explicitly set to `true`.
- TTL handling within core: All lease TTL handling has been centralized within
the core of Vault to ensure consistency across all backends. Since this was
previously delegated to individual backends, there may be some slight
differences in TTLs generated from some backends.
- Removal of default `secret/` mount: In 0.12 we will stop mounting `secret/`
by default at initialization time (it will still be available in `dev`
mode).
FEATURES:
- OSS UI: The Vault UI is now fully open-source. Similarly to the CLI, some
features are only available with a supporting version of Vault, but the code
base is entirely open.
- Versioned K/V: The `kv` backend has been completely revamped, featuring
flexible versioning of values, check-and-set protections, and more. A new
`vault kv` subcommand allows friendly interactions with it. Existing mounts
of the `kv` backend can be upgraded to the new versioned mode (downgrades
are not currently supported). The old "passthrough" mode is still the
default for new mounts; versioning can be turned on by setting the
`-version=2` flag for the `vault secrets enable` command.
- Database Root Credential Rotation: Database configurations can now rotate
their own configured admin/root credentials, allowing configured credentials
for a database connection to be rotated immediately after sending them into
Vault, invalidating the old credentials and ensuring only Vault knows the
actual valid values.
- Azure Authentication Plugin: There is now a plugin (pulled in to Vault) that
allows authenticating Azure machines to Vault using Azure's Managed Service
Identity credentials. See the [plugin
repository](https://github.com/hashicorp/vault-plugin-auth-azure) for more
information.
- GCP Secrets Plugin: There is now a plugin (pulled in to Vault) that allows
generating secrets to allow access to GCP. See the [plugin
repository](https://github.com/hashicorp/vault-plugin-secrets-gcp) for more
information.
- Selective Audit HMACing of Request and Response Data Keys: HMACing in audit
logs can be turned off for specific keys in the request input map and
response `data` map on a per-mount basis.
- Passthrough Request Headers: Request headers can now be selectively passed
through to backends on a per-mount basis. This is useful in various cases
when plugins are interacting with external services.
- HA for Google Cloud Storage: The GCS storage type now supports HA.
- UI support for identity: Add and edit entities, groups, and their associated
aliases.
- UI auth method support: Enable, disable, and configure all of the built-in
authentication methods.
- UI (Enterprise): View and edit Sentinel policies.
IMPROVEMENTS:
- core: Centralize TTL generation for leases in core
- identity: API to update group-alias by ID
- secret/cassandra: Update Cassandra storage delete function to not use batch
operations
- storage/mysql: Allow setting max idle connections and connection lifetime
- storage/gcs: Add HA support
- ui: Add Nomad to the list of available secret engines
- ui: Adds ability to set static headers to be returned by the UI
BUG FIXES:
- api: Fix retries not working
- auth/gcp: Invalidate clients on config change
- auth/token: Revoke-orphan and tidy operations now correctly cleans up the
parent prefix entry in the underlying storage backend. These operations also
mark corresponding child tokens as orphans by removing the parent/secondary
index from the entries.
- command: Re-add `-mfa` flag and migrate to OSS binary
- core: Fix issue occurring from mounting two auth backends with the same path
with one mount having `auth/` in front
- mfa: Invalidation of MFA configurations (Enterprise)
- replication: Fix a panic on some non-64-bit platforms
- replication: Fix invalidation of policies on performance secondaries
- secret/pki: When tidying if a value is unexpectedly nil, delete it and move
on
- storage/s3: Fix panic if S3 returns no Content-Length header
- ui: Fixed an issue where the UI was checking incorrect paths when operating
on transit keys. Capabilities are now checked when attempting to encrypt /
decrypt, etc.
- ui: Fixed IE 11 layout issues and JS errors that would stop the application
from running.
- ui: Fixed the link that gets rendered when a user doesn't have permissions
to view the root of a secret engine. The link now sends them back to the list
of secret engines.
- replication: Fix issue with DR secondaries when using mount specified local
paths.
- cli: Fix an issue where generating a dr operation token would not output the
token
DEPRECATIONS/CHANGES:
- The AWS authentication backend now allows binds for inputs as either a
comma-delimited string or a string array. However, to keep consistency with
input and output, when reading a role the binds will now be returned as
string arrays rather than strings.
- In order to prefix-match IAM role and instance profile ARNs in AWS auth
backend, you now must explicitly opt-in by adding a `*` to the end of the
ARN. Existing configurations will be upgraded automatically, but when
writing a new role configuration the updated behavior will be used.
FEATURES:
- Replication Activation Enhancements: When activating a replication
secondary, a public key can now be fetched first from the target cluster.
This public key can be provided to the primary when requesting the
activation token. If provided, the public key will be used to perform a
Diffie-Hellman key exchange resulting in a shared key that encrypts the
contents of the activation token. The purpose is to protect against
accidental disclosure of the contents of the token if unwrapped by the wrong
party, given that the contents of the token are highly sensitive. If
accidentally unwrapped, the contents of the token are not usable by the
unwrapping party. It is important to note that just as a malicious operator
could unwrap the contents of the token, a malicious operator can pretend to
be a secondary and complete the Diffie-Hellman exchange on their own; this
feature provides defense in depth but still requires due diligence around
replication activation, including multiple eyes on the commands/tokens and
proper auditing.
IMPROVEMENTS:
- api: Update renewer grace period logic. It no longer is static, but rather
dynamically calculates one based on the current lease duration after each
renew.
- auth/approle: Allow array input for bound_cidr_list
- auth/aws: Allow using lists in role bind parameters
- auth/aws: Allow binding by EC2 instance IDs
- auth/aws: Allow non-prefix-matched IAM role and instance profile ARNs
- auth/ldap: Set a very large size limit on queries
- core: Log info notifications of revoked leases for all leases/reasons, not
just expirations
- physical/couchdb: Removed limit on the listing of items
- secret/pki: Support certificate policies
- secret/pki: Add ability to have CA:true encoded into intermediate CSRs, to
improve compatibility with some ADFS scenarios
- secret/transit: Allow selecting signature algorithm as well as hash
algorithm when signing/verifying
- server: Make sure `tls_disable_client_cert` is actually a true value rather
than just set
- storage/dynamodb: Allow specifying max retries for dynamo client
- storage/gcs: Allow specifying chunk size for transfers, which can reduce
memory utilization
- sys/capabilities: Add the ability to use multiple paths for capability
checking
BUG FIXES:
- auth/aws: Fix honoring `max_ttl` when a corresponding role `ttl` is not also
set
- auth/okta: Fix honoring configured `max_ttl` value
- auth/token: If a periodic token being issued has a period greater than the
max_lease_ttl configured on the token store mount, truncate it. This matches
renewal behavior; before it was inconsistent between issuance and renewal.
- cli: Improve error messages around `vault auth help` when there is no CLI
helper for a particular method
## 0.9.5 (February 26th, 2018)
IMPROVEMENTS:
- auth: Allow sending default_lease_ttl and max_lease_ttl values when enabling
auth methods.
- secret/database: Add list functionality to `database/config` endpoint
- physical/consul: Allow setting a specific service address
- replication: When bootstrapping a new secondary, if the initial cluster
connection fails, Vault will attempt to roll back state so that
bootstrapping can be tried again, rather than having to recreate the
downstream cluster. This will still require fetching a new secondary
activation token.
BUG FIXES:
- auth/aws: Update libraries to fix regression verifying PKCS#7 identity
documents
- listener: Revert to Go 1.9 for now to allow certificates with non-DNS names
in their DNS SANs to be used for Vault's TLS connections
- replication: Fix issue with a performance secondary/DR primary node losing
its DR primary status when performing an update-primary operation
- replication: Fix issue where performance secondaries could be unable to
automatically connect to a performance primary after that performance
primary has been promoted to a DR primary from a DR secondary
- ui: Fix behavior when a value contains a `.`
## 0.9.4 (February 20th, 2018)
SECURITY:
- Role Tags used with the EC2 style of AWS auth were being improperly parsed;
as a result they were not being used to properly restrict values.
Implementations following our suggestion of using these as defense-in-depth
rather than the only source of restriction should not have significant
impact.
FEATURES:
- ChaCha20-Poly1305 support in `transit`: You can now encrypt and decrypt
with ChaCha20-Poly1305 in `transit`. Key derivation and convergent
encryption is also supported.
- Okta Push support in Okta Auth Backend: If a user account has MFA
required within Okta, an Okta Push MFA flow can be used to successfully
finish authentication.
- PKI Improvements: Custom OID subject alternate names can now be set,
subject to allow restrictions that support globbing. Additionally, Country,
Locality, Province, Street Address, and Postal Code can now be set in
certificate subjects.
- Manta Storage: Joyent Triton Manta can now be used for Vault storage
- Google Cloud Spanner Storage: Google Cloud Spanner can now be used for
Vault storage
IMPROVEMENTS:
- auth/centrify: Add CLI helper
- audit: Always log failure metrics, even if zero, to ensure the values appear
on dashboards
- cli: Disable color when output is not a TTY
- cli: Add `-format` flag to all subcommands
- cli: Do not display deprecation warnings when the format is not table
- core: If over a predefined lease count (256k), log a warning not more than
once a minute. Too many leases can be problematic for many of the storage
backends and often this number of leases is indicative of a need for
workflow improvements.
- secret/nomad: Have generated ACL tokens cap out at 64 characters
- secret/pki: Country, Locality, Province, Street Address, and Postal Code can
now be set on certificates
- secret/pki: UTF-8 Other Names can now be set in Subject Alternate Names in
issued certs; allowed values can be set per role and support globbing
- secret/pki: Add a flag to make the common name optional on certs
- secret/pki: Ensure only DNS-compatible names go into DNS SANs; additionally,
properly handle IDNA transformations for these DNS names
- secret/ssh: Add `valid-principles` flag to CLI for CA mode
- storage/manta: Add Manta storage
- ui (Enterprise): Support for ChaCha20-Poly1305 keys in the transit engine.
BUG FIXES:
- api/renewer: Honor increment value in renew auth calls
- auth/approle: Fix inability to use limited-use-count secret IDs on
replication performance secondaries
- auth/approle: Cleanup of secret ID accessors during tidy and removal of
dangling accessor entries
- auth/aws-ec2: Avoid masking of role tag response
- auth/cert: Verify DNS SANs in the authenticating certificate
- auth/okta: Return configured durations as seconds, not nanoseconds
- auth/okta: Get all okta groups for a user vs. default 200 limit
- auth/token: Token creation via the CLI no longer forces periodic token
creation. Passing an explicit zero value for the period no longer create
periodic tokens.
- command: Fix interpreted formatting directives when printing raw fields
- command: Correctly format output when using -field and -format flags at the
same time
- command/rekey: Re-add lost `stored-shares` parameter
- command/ssh: Create and reuse the api client
- command/status: Fix panic when status returns 500 from leadership lookup
- identity: Fix race when creating entities
- plugin/gRPC: Fixed an issue with list requests and raw responses coming from
plugins using gRPC transport
- plugin/gRPC: Fix panic when special paths are not set
- secret/pki: Verify a name is a valid hostname before adding to DNS SANs
- secret/transit: Fix auditing when reading a key after it has been backed up
or restored
- secret/transit: Fix storage/memory consistency when persistence fails
- storage/consul: Validate that service names are RFC 1123 compliant
- storage/etcd3: Fix memory ballooning with standby instances
- storage/etcd3: Fix large lists (like token loading at startup) not being
handled
- storage/postgresql: Fix compatibility with versions using custom string
version tags
- storage/zookeeper: Update vendoring to fix freezing issues
- ui (Enterprise): Decoding the replication token should no longer error and
prevent enabling of a secondary replication cluster via the ui.
- plugin/gRPC: Add connection info to the request object
## 0.9.3 (January 28th, 2018)
A regression from a feature merge disabled the Nomad secrets backend in 0.9.2.
This release re-enables the Nomad secrets backend; it is otherwise identical to
0.9.2.
## 0.9.2 (January 26th, 2018)
SECURITY:
* Okta Auth Backend: While the Okta auth backend was successfully verifying
usernames and passwords, it was not checking the returned state of the
account, so accounts that had been marked locked out could still be used to
log in. Only accounts in SUCCESS or PASSWORD_WARN states are now allowed.
* Periodic Tokens: A regression in 0.9.1 meant that periodic tokens created by
the AppRole, AWS, and Cert auth backends would expire when the max TTL for
the backend/mount/system was hit instead of their stated behavior of living
as long as they are renewed. This is now fixed; existing tokens do not have
to be reissued as this was purely a regression in the renewal logic.
* Seal Wrapping: During certain replication states values written marked for
seal wrapping may not be wrapped on the secondaries. This has been fixed,
and existing values will be wrapped on next read or write. This does not
affect the barrier keys.
DEPRECATIONS/CHANGES:
* `sys/health` DR Secondary Reporting: The `replication_dr_secondary` bool
returned by `sys/health` could be misleading since it would be `false` both
when a cluster was not a DR secondary but also when the node is a standby in
the cluster and has not yet fully received state from the active node. This
could cause health checks on LBs to decide that the node was acceptable for
traffic even though DR secondaries cannot handle normal Vault traffic. (In
other words, the bool could only convey "yes" or "no" but not "not sure
yet".) This has been replaced by `replication_dr_mode` and
`replication_perf_mode` which are string values that convey the current
state of the node; a value of `disabled` indicates that replication is
disabled or the state is still being discovered. As a result, an LB check
can positively verify that the node is both not `disabled` and is not a DR
secondary, and avoid sending traffic to it if either is true.
* PKI Secret Backend Roles parameter types: For `ou` and `organization`
in role definitions in the PKI secret backend, input can now be a
comma-separated string or an array of strings. Reading a role will
now return arrays for these parameters.
* Plugin API Changes: The plugin API has been updated to utilize golang's
context.Context package. Many function signatures now accept a context
object as the first parameter. Existing plugins will need to pull in the
latest Vault code and update their function signatures to begin using
context and the new gRPC transport.
FEATURES:
* **gRPC Backend Plugins**: Backend plugins now use gRPC for transport,
allowing them to be written in other languages.
* **Brand New CLI**: Vault has a brand new CLI interface that is significantly
streamlined, supports autocomplete, and is almost entirely backwards
compatible.
* **UI: PKI Secret Backend (Enterprise)**: Configure PKI secret backends,
create and browse roles and certificates, and issue and sign certificates via
the listed roles.
IMPROVEMENTS:
* auth/aws: Handle IAM headers produced by clients that formulate numbers as
ints rather than strings [GH-3763]
* auth/okta: Support JSON lists when specifying groups and policies [GH-3801]
* autoseal/hsm: Attempt reconnecting to the HSM on certain kinds of issues,
including HA scenarios for some Gemalto HSMs.
(Enterprise)
* cli: Output password prompts to stderr to make it easier to pipe an output
token to another command [GH-3782]
* core: Report replication status in `sys/health` [GH-3810]
* physical/s3: Allow using paths with S3 for non-AWS deployments [GH-3730]
* physical/s3: Add ability to disable SSL for non-AWS deployments [GH-3730]
* plugins: Args for plugins can now be specified separately from the command,
allowing the same output format and input format for plugin information
[GH-3778]
* secret/pki: `ou` and `organization` can now be specified as a
comma-separated string or an array of strings [GH-3804]
* plugins: Plugins will fall back to using netrpc as the communication protocol
on older versions of Vault [GH-3833]
BUG FIXES:
* auth/(approle,aws,cert): Fix behavior where periodic tokens generated by
these backends could not have their TTL renewed beyond the system/mount max
TTL value [GH-3803]
* auth/aws: Fix error returned if `bound_iam_principal_arn` was given to an
existing role update [GH-3843]
* core/sealwrap: Speed improvements and bug fixes (Enterprise)
* identity: Delete group alias when an external group is deleted [GH-3773]
* legacymfa/duo: Fix intermittent panic when Duo could not be reached
[GH-2030]
DEPRECATIONS/CHANGES:
- AppRole Case Sensitivity: In prior versions of Vault, `list` operations
against AppRole roles would require preserving case in the role name, even
though most other operations within AppRole are case-insensitive with
respect to the role name. This has been fixed; existing roles will behave as
they have in the past, but new roles will act case-insensitively in these
cases.
- Token Auth Backend Roles parameter types: For `allowed_policies` and
`disallowed_policies` in role definitions in the token auth backend, input
can now be a comma-separated string or an array of strings. Reading a role
will now return arrays for these parameters.
- Transit key exporting: You can now mark a key in the `transit` backend as
`exportable` at any time, rather than just at creation time; however, once
this value is set, it still cannot be unset.
- PKI Secret Backend Roles parameter types: For `allowed_domains` and
`key_usage` in role definitions in the PKI secret backend, input
can now be a comma-separated string or an array of strings. Reading a role
will now return arrays for these parameters.
- SSH Dynamic Keys Method Defaults to 2048-bit Keys: When using the dynamic
key method in the SSH backend, the default is now to use 2048-bit keys if no
specific key bit size is specified.
- Consul Secret Backend lease handling: The `consul` secret backend can now
accept both strings and integer numbers of seconds for its lease value. The
value returned on a role read will be an integer number of seconds instead
of a human-friendly string.
- Unprintable characters not allowed in API paths: Unprintable characters are
no longer allowed in names in the API (paths and path parameters), with an
extra restriction on whitespace characters. Allowed characters are those
that are considered printable by Unicode plus spaces.
FEATURES:
- Transit Backup/Restore: The `transit` backend now supports a backup
operation that can export a given key, including all key versions and
configuration, as well as a restore operation allowing import into another
Vault.
- gRPC Database Plugins: Database plugins now use gRPC for transport,
allowing them to be written in other languages.
- Nomad Secret Backend: Nomad ACL tokens can now be generated and revoked
using Vault.
- TLS Cert Auth Backend Improvements: The `cert` auth backend can now
match against custom certificate extensions via exact or glob matching, and
additionally supports max_ttl and periodic token toggles.
IMPROVEMENTS:
- auth/cert: Support custom certificate constraints
- auth/cert: Support setting `max_ttl` and `period`
- audit/file: Setting a file mode of `0000` will now disable Vault from
automatically `chmod`ing the log file
- auth/github: The legacy MFA system can now be used with the GitHub auth
backend
- auth/okta: The legacy MFA system can now be used with the Okta auth backend
- auth/token: `allowed_policies` and `disallowed_policies` can now be specified
as a comma-separated string or an array of strings
- command/server: The log level can now be specified with `VAULT_LOG_LEVEL`
- core: Period values from auth backends will now be checked and applied to the
TTL value directly by core on login and renewal requests
- database/mongodb: Add optional `write_concern` parameter, which can be set
during database configuration. This establishes a session-wide write
concern for the lifecycle of the mount
- http: Request path containing non-printable characters will return 400 - Bad
Request
- mfa/okta: Filter a given email address as a login filter, allowing operation
when login email and account email are different
- plugins: Make Vault more resilient when unsealing when plugins are
unavailable
- secret/pki: `allowed_domains` and `key_usage` can now be specified
as a comma-separated string or an array of strings
- secret/ssh: Allow 4096-bit keys to be used in dynamic key method
- secret/consul: The Consul secret backend now uses the value of `lease` set
on the role, if set, when renewing a secret.
- storage/mysql: Don't attempt database creation if it exists, which can help
under certain permissions constraints
BUG FIXES:
- api/status (enterprise): Fix status reporting when using an auto seal
- auth/approle: Fix case-sensitive/insensitive comparison issue
- auth/cert: Return `allowed_names` on role read
- auth/ldap: Fix incorrect control information being sent
- core: Fix seal status reporting when using an autoseal
- core: Add creation path to wrap info for a control group token
- core: Fix potential panic that could occur using plugins when a node
transitioned from active to standby
- core: Fix memory ballooning when a connection would connect to the cluster
port and then go away -- redux!
- core: Replace recursive token revocation logic with depth-first logic, which
can avoid hitting stack depth limits in extreme cases
- core: When doing a read on configured audited-headers, properly handle case
insensitivity
- core/pkcs11 (enterprise): Fix panic when PKCS#11 library is not readable
- database/mysql: Allow the creation statement to use commands that are not yet
supported by the prepare statement protocol
- plugin/auth-gcp: Fix IAM roles when using `allow_gce_inference`
DEPRECATIONS/CHANGES:
- API HTTP client behavior: When calling `NewClient` the API no longer
modifies the provided client/transport.
- AWS EC2 client nonce behavior: The client nonce generated by the
backend that gets returned along with the authentication response
will be audited in plaintext.
- AWS Auth role options: The API will now error when trying to create
or update a role with the mutually-exclusive options
`disallow_reauthentication` and `allow_instance_migration`.
- SSH CA role read changes: When reading back a role from the `ssh`
backend, the TTL/max TTL values will now be an integer number of
seconds rather than a string. This better matches the API elsewhere
in Vault.
- SSH role list changes: When listing roles from the `ssh` backend via
the API, the response data will additionally return a `key_info` map
that will contain a map of each key with a corresponding object
containing the `key_type`.
- More granularity in audit logs: Audit request and response entires
are still in RFC3339 format but now have a granularity of
nanoseconds.
- High availability related values have been moved out of the
`storage` and `ha_storage` stanzas, and into the top-level
configuration. `redirect_addr` has been renamed to `api_addr`.
- A new `seal` stanza has been added to the configuration file, which
is optional and enables configuration of the seal type to use for
additional data protection, such as using HSM or Cloud KMS solutions
to encrypt and decrypt data.
FEATURES:
- RSA Support for Transit Backend: Transit backend can now generate
RSA keys which can be used for encryption and signing.
- Identity System: Now in open source and with significant
enhancements, Identity is an integrated system for understanding
users across tokens and enabling easier management of users directly
and via groups.
- External Groups in Identity: Vault can now automatically assign
users and systems to groups in Identity based on their membership in
external groups.
- Seal Wrap / FIPS 140-2 Compatibility (Enterprise): Vault can now
take advantage of FIPS 140-2-certified HSMs to ensure that Critical
Security Parameters are protected in a compliant fashion.
- Control Groups (Enterprise): Require multiple members of an Identity
group to authorize a requested action before it is allowed to run.
- Cloud Auto-Unseal (Enterprise): Automatically unseal Vault using AWS
KMS and GCP CKMS.
- Sentinel Integration (Enterprise): Take advantage of HashiCorp
Sentinel to create extremely flexible access control policies - even
on unauthenticated endpoints.
- Barrier Rekey Support for Auto-Unseal (Enterprise): When using
auto-unsealing functionality, the `rekey` operation is now
supported; it uses recovery keys to authorize the master key rekey.
- Operation Token for Disaster Recovery Actions (Enterprise): When
using Disaster Recovery replication, a token can be created that can
be used to authorize actions such as promotion and updating primary
information, rather than using recovery keys.
- Trigger Auto-Unseal with Recovery Keys (Enterprise): When using
auto-unsealing, a request to unseal Vault can be triggered by a
threshold of recovery keys, rather than requiring the Vault process to
be restarted.
- UI Redesign (Enterprise): All new experience for the Vault
Enterprise UI. The look and feel has been completely redesigned to
give users a better experience and make managing secrets fast and
easy.
- UI: SSH Secret Backend (Enterprise): Configure an SSH secret
backend, create and browse roles. And use them to sign keys or
generate one time passwords.
- UI: AWS Secret Backend (Enterprise): You can now configure the AWS
backend via the Vault Enterprise UI. In addition you can create
roles, browse the roles and Generate IAM Credentials from them
in the UI.
IMPROVEMENTS:
- api: Add ability to set custom headers on each call
- command/server: Add config option to disable requesting client
certificates
- core: Disallow mounting underneath an existing path, not just over
- physical/file: Use `700` as permissions when creating directories.
The files themselves were `600` and are all encrypted, but this
doesn't hurt.
- secret/aws: Add ability to use custom IAM/STS endpoints
- secret/cassandra: Work around Cassandra ignoring consistency levels
for a user listing query
- secret/pki: Private keys can now be marshalled as PKCS#8
- secret/pki: Allow entering URLs for `pki` as both comma-separated
strings and JSON arrays
- secret/ssh: Role TTL/max TTL can now be specified as either a string
or an integer
- secret/transit: Sign and verify operations now support a `none` hash
algorithm to allow signing/verifying pre-hashed data
- secret/database: Add the ability to glob allowed roles in the
Database Backend
- ui (enterprise): Support for RSA keys in the transit backend
- ui (enterprise): Support for DR Operation Token generation,
promoting, and updating primary on DR Secondary clusters
BUG FIXES:
- api: Fix panic when setting a custom HTTP client but with a nil
transport
- api: Fix authing to the `cert` backend when the CA for the client
cert is not known to the server's listener
- auth/approle: Create role ID index during read if a role is missing
one
- auth/aws: Don't allow mutually exclusive options
- auth/radius: Fix logging in in some situations
- core: Fix memleak when a connection would connect to the cluster
port and then go away
- core: Fix panic if a single-use token is used to step-down or seal
- core: Set rather than add headers to prevent some duplicated headers
in responses when requests were forwarded to the active node
- physical/etcd3: Fix some listing issues due to how etcd3 does prefix
matching
- physical/etcd3: Fix case where standbys can lose their etcd client
lease
- physical/file: Fix listing when underscores are the first component
of a path
- plugins: Allow response errors to be returned from backend plugins
- secret/transit: Fix panic if the length of the input ciphertext was
less than the expected nonce length
- ui (enterprise): Reinstate support for generic secret backends -
this was erroneously removed in a previous release
CHANGES:
- Policy input/output standardization: For all built-in authentication
backends, policies can now be specified as a comma-delimited string or an
array if using JSON as API input; on read, policies will be returned as an
array; and the `default` policy will not be forcefully added to policies
saved in configurations. Please note that the `default` policy will continue
to be added to generated tokens, however, rather than backends adding
`default` to the given set of input policies (in some cases, and not in
others), the stored set will reflect the user-specified set.
- `sign-self-issued` modifies Issuer in generated certificates: In 0.8.2 the
endpoint would not modify the Issuer in the generated certificate, leaving
the output self-issued. Although theoretically valid, in practice crypto
stacks were unhappy validating paths containing such certs. As a result,
`sign-self-issued` now encodes the signing CA's Subject DN into the Issuer
DN of the generated certificate.
- `sys/raw` requires enabling: While the `sys/raw` endpoint can be extremely
useful in break-glass or support scenarios, it is also extremely dangerous.
As of now, a configuration file option `raw_storage_endpoint` must be set in
order to enable this API endpoint. Once set, the available functionality has
been enhanced slightly; it now supports listing and decrypting most of
Vault's core data structures, except for the encryption keyring itself.
- `generic` is now `kv`: To better reflect its actual use, the `generic`
backend is now `kv`. Using `generic` will still work for backwards
compatibility.
FEATURES:
- GCE Support for GCP Auth: GCE instances can now authenticate to Vault
using machine credentials.
- Support for Kubernetes Service Account Auth: Kubernetes Service Accounts
can now authenticate to vault using JWT tokens.
IMPROVEMENTS:
- configuration: Provide a config option to store Vault server's process ID
(PID) in a file
- mfa (Enterprise): Add the ability to use identity metadata in username
format
- mfa/okta (Enterprise): Add support for configuring base_url for API calls
- secret/pki: `sign-intermediate` will now allow specifying a `ttl` value
longer than the signing CA certificate's NotAfter value.
- sys/raw: Raw storage access is now disabled by default
BUG FIXES:
- auth/okta: Fix regression that removed the ability to set base_url
- core: Fix panic while loading leases at startup on ARM processors
- secret/pki: Fix `sign-self-issued` encoding the wrong subject public key
SECURITY:
- In prior versions of Vault, if authenticating via AWS IAM and
requesting a periodic token, the period was not properly respected.
This could lead to tokens expiring unexpectedly, or a token lifetime
being longer than expected. Upon token renewal with Vault 0.8.2 the
period will be properly enforced.
DEPRECATIONS/CHANGES:
- `vault ssh` users should supply `-mode` and `-role` to reduce the
number of API calls. A future version of Vault will mark these
optional values are required. Failure to supply `-mode` or `-role`
will result in a warning.
- Vault plugins will first briefly run a restricted version of the
plugin to fetch metadata, and then lazy-load the plugin on first
request to prevent crash/deadlock of Vault during the unseal process.
Plugins will need to be built with the latest changes in order for them
to run properly.
FEATURES:
- Lazy Lease Loading: On startup, Vault will now load leases from
storage in a lazy fashion (token checks and revocation/renewal
requests still force an immediate load). For larger installations this
can significantly reduce downtime when switching active nodes or
bringing Vault up from cold start.
- SSH CA Login with `vault ssh`: `vault ssh` now supports the SSH CA
backend for authenticating to machines. It also supports remote host
key verification through the SSH CA backend, if enabled.
- Signing of Self-Issued Certs in PKI: The `pki` backend now supports
signing self-issued CA certs. This is useful when switching root CAs.
IMPROVEMENTS:
- audit/file: Allow specifying `stdout` as the `file_path` to log to
standard output
- auth/aws: Allow wildcards in `bound_iam_principal_id`
- auth/okta: Compare groups case-insensitively since Okta is only
case-preserving
- auth/okta: Standarize Okta configuration APIs across backends
- cli: Add subcommand autocompletion that can be enabled with `vault
-autocomplete-install`
- cli: Add ability to handle wrapped responses when using `vault auth`.
What is output depends on the other given flags; see the help output
for that command for more information.
- core: TLS cipher suites used for cluster behavior can now be set via
`cluster_cipher_suites` in configuration
- core: The `plugin_name` can now either be specified directly as part
of the parameter or within the `config` object when mounting a secret
or auth backend via `sys/mounts/:path` or `sys/auth/:path` respectively
- core: It is now possible to update the `description` of a mount when
mount-tuning, although this must be done through the HTTP layer
- secret/databases/mongo: If an EOF is encountered, attempt reconnecting
and retrying the operation
- secret/pki: TTLs can now be specified as a string or an integer number
of seconds
- secret/pki: Self-issued certs can now be signed via
`pki/root/sign-self-issued`
- storage/gcp: Use application default credentials if they exist
BUG FIXES:
- auth/aws: Properly use role-set period values for IAM-derived token
renewals
- auth/okta: Fix updating organization/ttl/max_ttl after initial setting
- core: Fix PROXY when underlying connection is TLS
- core: Policy-related commands would sometimes fail to act
case-insensitively
- storage/consul: Fix parsing TLS configuration when using a bare IPv6
address
- plugins: Lazy-load plugins to prevent crash/deadlock during unseal
process.
- plugins: Skip mounting plugin-based secret and credential mounts when
setting up mounts if the plugin is no longer present in the catalog.
DEPRECATIONS/CHANGES:
- PKI Root Generation: Calling `pki/root/generate` when a CA cert/key already
exists will now return a `204` instead of overwriting an existing root. If
you want to recreate the root, first run a delete operation on `pki/root`
(requires `sudo` capability), then generate it again.
FEATURES:
- Oracle Secret Backend: There is now an external plugin to support leased
credentials for Oracle databases (distributed separately).
- GCP IAM Auth Backend: There is now an authentication backend that allows
using GCP IAM credentials to retrieve Vault tokens. This is available as
both a plugin and built-in to Vault.
- PingID Push Support for Path-Baased MFA (Enterprise): PingID Push can
now be used for MFA with the new path-based MFA introduced in Vault
Enterprise 0.8.
- Permitted DNS Domains Support in PKI: The `pki` backend now supports
specifying permitted DNS domains for CA certificates, allowing you to
narrowly scope the set of domains for which a CA can issue or sign child
certificates.
- Plugin Backend Reload Endpoint: Plugin backends can now be triggered to
reload using the `sys/plugins/reload/backend` endpoint and providing either
the plugin name or the mounts to reload.
- Self-Reloading Plugins: The plugin system will now attempt to reload a
crashed or stopped plugin, once per request.
IMPROVEMENTS:
- auth/approle: Allow array input for policies in addition to comma-delimited
strings
- auth/aws: Allow using root credentials for IAM authentication
- plugins: Send logs through Vault's logger rather than stdout
- secret/pki: Add `pki/root` delete operation
- secret/pki: Don't overwrite an existing root cert/key when calling generate
BUG FIXES:
- aws: Don't prefer a nil HTTP client over an existing one
- core: If there is an error when checking for create/update existence, return
500 instead of 400
- secret/database: Avoid creating usernames that are too long for legacy MySQL
SECURITY:
- We've added a note to the docs about the way the GitHub auth backend works
as it may not be readily apparent that GitHub personal access tokens, which
are used by the backend, can be used for unauthorized access if they are
stolen from third party services and access to Vault is public.
DEPRECATIONS/CHANGES:
- Database Plugin Backends: Passwords generated for these backends now
enforce stricter password requirements, as opposed to the previous behavior
of returning a randomized UUID.
- Lease Endpoints: The endpoints 'sys/renew', 'sys/revoke', 'sys/revoke-prefix',
'sys/revoke-force' have been deprecated and relocated under 'sys/leases'.
- Response Wrapping Lookup Unauthenticated: The 'sys/wrapping/lookup' endpoint
is now unauthenticated.
FEATURES:
- Cassandra Storage: Cassandra can now be used for Vault storage
- CockroachDB Storage: CockroachDB can now be used for Vault storage
- CouchDB Storage: CouchDB can now be used for Vault storage
- SAP HANA Database Plugin: The 'databases' backend can now manage users
for SAP HANA databases
- Plugin Backends: Vault now supports running secret and auth backends as
plugins.
- PROXY Protocol Support Vault listeners can now be configured to honor
PROXY protocol v1 information to allow passing real client IPs into Vault.
- Lease Lookup and Browsing in the Vault Enterprise UI: Vault Enterprise UI
now supports lookup and listing of leases and the associated actions from the
'sys/leases' endpoints in the API.
- Filtered Mounts for Performance Mode Replication: Whitelists or
blacklists of mounts can be defined per-secondary to control which mounts
are actually replicated to that secondary.
- Disaster Recovery Mode Replication (Enterprise Only): There is a new
replication mode, Disaster Recovery (DR), that performs full real-time
replication (including tokens and leases) to DR secondaries.
- Manage New Replication Features in the Vault Enterprise UI: Support for
Replication features in Vault Enterprise UI has expanded to include new DR
Replication mode and management of Filtered Mounts in Performance Replication
mode.
- Vault Identity (Enterprise Only): Vault's new Identity system allows
correlation of users across tokens.
- Duo Push, Okta Push, and TOTP MFA For All Authenticated Paths (Enterprise
Only): A brand new MFA system built on top of Identity allows MFA
(currently Duo Push, Okta Push, and TOTP) for any authenticated path within
Vault.
IMPROVEMENTS:
- api: Add client method for a secret renewer background process
- api: Add 'RenewTokenAsSelf'
- api: Client timeout can now be adjusted with the 'VAULT_CLIENT_TIMEOUT' env
var or with a new API function
- api/cli: Client will now attempt to look up SRV records for the given Vault
hostname
- audit/socket: Enhance reconnection logic and don't require the connection to
be established at unseal time
- audit/file: Opportunistically try re-opening the file on error
- auth/approle: Add role name to token metadata
- auth/okta: Allow specifying 'ttl'/'max_ttl' inside the mount
- cli: Client timeout can now be adjusted with the 'VAULT_CLIENT_TIMEOUT' env
var
- command/auth: Add '-token-only' flag to 'vault auth' that returns only the
token on stdout and does not store it via the token helper
- core: CORS allowed origins can now be configured
- core: Add metrics counters for audit log failures
- cors: Allow setting allowed headers via the API instead of always using
wildcard
- secret/ssh: Allow specifying the key ID format using template values for CA
type
- server: Add 'tls_client_ca_file' option for specifying a CA file to use for
client certificate verification when 'tls_require_and_verify_client_cert' is
enabled
- storage/cockroachdb: Add CockroachDB storage backend
- storage/couchdb: Add CouchhDB storage backend
- storage/mssql: Add 'max_parallel'
- storage/postgresql: Add 'max_parallel'
- storage/postgresql: Improve listing speed
- storage/s3: More efficient paging when an object has a lot of subobjects
- sys/wrapping: Make 'sys/wrapping/lookup' unauthenticated
- sys/wrapping: Wrapped tokens now store the original request path of the data
- telemetry: Add support for DogStatsD
BUG FIXES:
- api/health: Don't treat standby '429' codes as an error
- api/leases: Fix lease lookup returning lease properties at the top level
- audit: Fix panic when audit logging a read operation on an asymmetric
'transit' key
- auth/approle: Fix panic when secret and cidr list not provided in role
- auth/aws: Look up proper account ID on token renew
- auth/aws: Store IAM header in all cases when it changes
- auth/ldap: Verify given certificate is PEM encoded instead of failing
silently
- auth/token: Don't allow using the same token ID twice when manually
specifying
- cli: Fix issue with parsing keys that start with special characters
- core: Relocated 'sys/leases/renew' returns same payload as original
'sys/leases' endpoint
- secret/ssh: Fix panic when signing with incorrect key type
- secret/totp: Ensure codes can only be used once. This makes some automated
workflows harder but complies with the RFC.
- secret/transit: Fix locking when creating a key with unsupported options
## 0.7.3 (June 7th, 2017)
SECURITY:
- Cert auth backend now checks validity of individual certificates
- App-ID path salting was skipped in 0.7.1/0.7.2
DEPRECATIONS/CHANGES:
- Step-Down is Forwarded
FEATURES:
- ed25519 Signing/Verification in Transit with Key Derivation
- Key Version Specification for Encryption in Transit
- Replication Primary Discovery (Enterprise)
IMPROVEMENTS:
- api/health: Add Sys().Health()
- audit: Add auth information to requests that error out
- command/auth: Add `-no-store` option that prevents the auth command
from storing the returned token into the configured token helper
- core/forwarding: Request forwarding now heartbeats to prevent unused
connections from being terminated by firewalls or proxies
- plugins/databases: Add MongoDB as an internal database plugin
- storage/dynamodb: Add a method for checking the existence of
children, speeding up deletion operations in the DynamoDB storage backend
- storage/mysql: Add max_parallel parameter to MySQL backend
- secret/databases: Support listing connections
- secret/databases: Support custom renewal statements in Postgres
database plugin
- secret/databases: Use the role name as part of generated credentials
- ui (Enterprise): Transit key and secret browsing UI handle large
lists better
- ui (Enterprise): root tokens are no longer persisted
- ui (Enterprise): support for mounting Database and TOTP secret
backends
BUG FIXES:
- auth/app-id: Fix regression causing loading of salts to be skipped
- auth/aws: Improve EC2 describe instances performance
- auth/aws: Fix lookup of some instance profile ARNs
- auth/aws: Resolve ARNs to internal AWS IDs which makes lookup at
various points (e.g. renewal time) more robust
- auth/aws: Properly honor configured period when using IAM
authentication
- auth/aws: Check that a bound IAM principal is not empty (in the
current state of the role) before requiring it match the previously
authenticated client
- auth/cert: Fix panic on renewal
- auth/cert: Certificate verification for non-CA certs
- core/acl: Prevent race condition when compiling ACLs in some
scenarios
- secret/database: Increase wrapping token TTL; in a loaded scenario
it could be too short
- secret/generic: Allow integers to be set as the value of `ttl` field
as the documentation claims is supported
- secret/ssh: Added host key callback to ssh client config
- storage/s3: Avoid a panic when some bad data is returned
- storage/dynamodb: Fix list functions working improperly on Windows
- storage/file: Don't leak file descriptors in some error cases
- storage/swift: Fix pre-v3 project/tenant name reading
0.7.2 (May 8th, 2017)
BUG FIXES:
- audit: Fix auditing entries containing certain kinds of time values
0.7.1 (May 5th, 2017)
DEPRECATIONS/CHANGES:
- LDAP Auth Backend: Group membership queries will now run as the
binddn user when binddn/bindpass are configured, rather than as the
authenticating user as was the case previously.
FEATURES:
- AWS IAM Authentication
- MSSQL Physical Backend
- Lease Listing and Lookup
- TOTP Secret Backend
- Database Secret Backend & Secure Plugins (Beta)
IMPROVEMENTS:
- auth/cert: Support for constraints on subject Common Name and
DNS/email Subject Alternate Names in certificates
- auth/ldap: Use the binding credentials to search group membership
rather than the user credentials
- cli/revoke: Add -self option to allow revoking the currently active
token
- core: Randomize x coordinate in Shamir shares
- tidy: Improvements to auth/token/tidy and sys/leases/tidy to handle
more cleanup cases
- secret/pki: Add no_store option that allows certificates to be
issued without being stored. This removes the ability to look up
and/or add to a CRL but helps with scaling to very large numbers of
certificates.
- secret/pki: If used with a role parameter, the sign-verbatim/<role>
endpoint honors the values of generate_lease, no_store, ttl and
max_ttl from the given role
- secret/pki: Add role parameter allow_glob_domains that enables
defining names in allowed_domains containing * glob patterns
- secret/pki: Update certificate storage to not use characters that
are not supported on some filesystems
- storage/etcd3: Add discovery_srv option to query for SRV records to
find servers
- storage/s3: Support max_parallel option to limit concurrent
outstanding requests
- storage/s3: Use pooled transport for http client
- storage/swift: Allow domain values for V3 authentication
BUG FIXES:
- api: Respect a configured path in Vault's address
- auth/aws-ec2: New bounds added as criteria to allow role creation
- auth/ldap: Don't lowercase groups attached to users
- cli: Don't panic if vault write is used with the force flag but no
path
- core: Help operations should request forward since standbys may not
have appropriate info
- replication: Fix enabling secondaries when certain mounts already
existed on the primary
- secret/mssql: Update mssql driver to support queries with colons
- secret/pki: Don't lowercase O/OU values in certs
- secret/pki: Don't attempt to validate IP SANs if none are provided
SECURITY:
* Common name not being validated when `exclude_cn_from_sans` option used in
`pki` backend
DEPRECATIONS/CHANGES:
* List Operations Always Use Trailing Slash
* PKI Defaults to Unleased Certificates
FEATURES:
* Replication (Enterprise)
* Response Wrapping & Replication in the Vault Enterprise UI
* Expanded Access Control Policies
* SSH Backend As Certificate Authority
IMPROVEMENTS:
* api/request: Passing username and password information in API request
* audit: Logging the token's use count with authentication response and
logging the remaining uses of the client token with request
* auth/approle: Support for restricting the number of uses on the tokens
issued
* auth/aws-ec2: AWS EC2 auth backend now supports constraints for VPC ID,
Subnet ID and Region
* auth/ldap: Use the value of the `LOGNAME` or `USER` env vars for the
username if not explicitly set on the command line when authenticating
* audit: Support adding a configurable prefix (such as `@cee`) before each
line
* core: Canonicalize list operations to use a trailing slash
* core: Add option to disable caching on a per-mount level
* core: Add ability to require valid client certs in listener config
* physical/dynamodb: Implement a session timeout to avoid having to use
recovery mode in the case of an unclean shutdown, which makes HA much safer
* secret/pki: O (Organization) values can now be set to role-defined values
for issued/signed certificates
* secret/pki: Certificates issued/signed from PKI backend do not generate
leases by default
* secret/pki: When using DER format, still return the private key type
* secret/pki: Add an intermediate to the CA chain even if it lacks an
authority key ID
* secret/pki: Add role option to use CSR SANs
* secret/ssh: SSH backend as CA to sign user and host certificates
* secret/ssh: Support reading of SSH CA public key from `config/ca` endpoint
and also return it when CA key pair is generated
BUG FIXES:
* audit: When auditing headers use case-insensitive comparisons
* auth/aws-ec2: Return role period in seconds and not nanoseconds
* auth/okta: Fix panic if user had no local groups and/or policies set
* command/server: Fix parsing of redirect address when port is not mentioned
* physical/postgresql: Fix listing returning incorrect results if there were
multiple levels of children
Full changelog:
https://github.com/hashicorp/vault/blob/v0.7.0/CHANGELOG.md
FEATURES:
- Okta Authentication: A new Okta authentication backend allows you to use
Okta usernames and passwords to authenticate to Vault. If provided with an
appropriate Okta API token, group membership can be queried to assign
policies; users and groups can be defined locally as well.
- RADIUS Authentication: A new RADIUS authentication backend allows using
a RADIUS server to authenticate to Vault. Policies can be configured for
specific users or for any authenticated user.
- Exportable Transit Keys: Keys in `transit` can now be marked as
`exportable` at creation time. This allows a properly ACL'd user to retrieve
the associated signing key, encryption key, or HMAC key. The `exportable`
value is returned on a key policy read and cannot be changed, so if a key is
marked `exportable` it will always be exportable, and if it is not it will
never be exportable.
- Batch Transit Operations: `encrypt`, `decrypt` and `rewrap` operations
in the transit backend now support processing multiple input items in one
call, returning the output of each item in the response.
- Configurable Audited HTTP Headers: You can now specify headers that you
want to have included in each audit entry, along with whether each header
should be HMAC'd or kept plaintext. This can be useful for adding additional
client or network metadata to the audit logs.
- Transit Backend UI (Enterprise): Vault Enterprise UI now supports the transit
backend, allowing creation, viewing and editing of named keys as well as using
those keys to perform supported transit operations directly in the UI.
- Socket Audit Backend A new socket audit backend allows audit logs to be sent
through TCP, UDP, or UNIX Sockets.
IMPROVEMENTS:
- auth/aws-ec2: Add support for cross-account auth using STS
- auth/aws-ec2: Support issuing periodic tokens
- auth/github: Support listing teams and users
- auth/ldap: Support adding policies to local users directly, in addition to
local groups
- command/server: Add ability to select and prefer server cipher suites
- core: Add a nonce to unseal operations as a check (useful mostly for
support, not as a security principle)
- duo: Added ability to supply extra context to Duo pushes
- physical/consul: Add option for setting consistency mode on Consul gets
- physical/etcd: Full v3 API support; code will autodetect which API version
to use. The v3 code path is significantly less complicated and may be much
more stable.
- secret/pki: Allow specifying OU entries in generated certificate subjects
- secret mount ui (Enterprise): the secret mount list now shows all mounted
backends even if the UI cannot browse them. Additional backends can now be
mounted from the UI as well.
BUG FIXES:
- auth/token: Fix regression in 0.6.4 where using token store roles as a
blacklist (with only `disallowed_policies` set) would not work in most
circumstances
- physical/s3: Page responses in client so list doesn't truncate
- secret/cassandra: Stop a connection leak that could occur on active node
failover
- secret/pki: When using `sign-verbatim`, don't require a role and use the
CSR's common name
SECURITY:
- default Policy Privilege Escalation: If a parent token did not have
the default policy attached to its token, it could still create
children with the default policy. This is no longer allowed (unless
the parent has sudo capability for the creation path). In most cases
this is low severity since the access grants in the default policy are
meant to be access grants that are acceptable for all tokens to have.
- Leases Not Expired When Limited Use Token Runs Out of Uses: When
using limited-use tokens to create leased secrets, if the
limited-use token was revoked due to running out of uses (rather than
due to TTL expiration or explicit revocation) it would fail to revoke
the leased secrets. These secrets would still be revoked when their
TTL expired, limiting the severity of this issue. An endpoint has been
added (auth/token/tidy) that can perform housekeeping tasks on the
token store; one of its tasks can detect this situation and revoke the
associated leases.
FEATURES:
- Policy UI (Enterprise): Vault Enterprise UI now supports viewing,
creating, and editing policies.
IMPROVEMENTS:
- http: Vault now sets a no-store cache control header to make it more
secure in setups that are not end-to-end encrypted
BUG FIXES:
- auth/ldap: Don't panic if dialing returns an error and starttls is
enabled; instead, return the error
- ui (Enterprise): Submitting an unseal key now properly resets the
form so a browser refresh isn't required to continue.
0.6.3 (December 6, 2016)
DEPRECATIONS/CHANGES:
- Request size limitation: A maximum request size of 32MB is imposed
to prevent a denial of service attack with arbitrarily large
requests
- LDAP denies passwordless binds by default: In new LDAP mounts, or
when existing LDAP mounts are rewritten, passwordless binds will be
denied by default. The new deny_null_bind parameter can be set to
false to allow these.
- Any audit backend activated satisfies conditions: Previously, when a
new Vault node was taking over service in an HA cluster, all audit
backends were required to be loaded successfully to take over active
duty. This behavior now matches the behavior of the audit logging
system itself: at least one audit backend must successfully be loaded.
The server log contains an error when this occurs. This helps keep a
Vault HA cluster working when there is a misconfiguration on a standby
node.
FEATURES:
- Web UI (Enterprise): Vault Enterprise now contains a built-in web UI
that offers access to a number of features, including
init/unsealing/sealing, authentication via userpass or LDAP, and K/V
reading/writing. The capability set of the UI will be expanding
rapidly in further releases. To enable it, set ui = true in the top
level of Vault's configuration file and point a web browser at your
Vault address.
- Google Cloud Storage Physical Backend: You can now use GCS for
storing Vault data
IMPROVEMENTS:
- auth/github: Policies can now be assigned to users as well as to
teams
- cli: Set the number of retries on 500 down to 0 by default (no
retrying). It can be very confusing to users when there is a pause
while the retries happen if they haven't explicitly set it. With
request forwarding the need for this is lessened anyways.
- core: Response wrapping is now allowed to be specified by backend
responses (requires backends gaining support)
- physical/consul: When announcing service, use the scheme of the
Vault server rather than the Consul client
- secret/consul: Added listing functionality to roles
- secret/postgresql: Added revocation_sql parameter on the role
endpoint to enable customization of user revocation SQL statements
- secret/transit: Add listing of keys
BUG FIXES:
- api/unwrap, command/unwrap: Increase compatibility of unwrap command
with Vault 0.6.1 and older
- api/unwrap, command/unwrap: Fix error when no client token exists
- auth/approle: Creating the index for the role_id properly
- auth/aws-ec2: Handle the case of multiple upgrade attempts when
setting the instance-profile ARN
- auth/ldap: Avoid leaking connections on login
- command/path-help: Use the actual error generated by Vault rather
than always using 500 when there is a path help error
- command/ssh: Use temporary file for identity and ensure its deletion
before the command returns
- cli: Fix error printing values with -field if the values contained
formatting directives
- command/server: Don't say mlock is supported on OSX when it isn't.
- core: Fix bug where a failure to come up as active node (e.g. if an
audit backend failed) could lead to deadlock
- physical/mysql: Fix potential crash during setup due to a query
failure
- secret/consul: Fix panic on user error
DEPRECATIONS/CHANGES:
- Convergent Encryption v2: New keys in transit using convergent mode will
use a new nonce derivation mechanism rather than require the user to
supply a nonce. While not explicitly increasing security, it minimizes the
likelihood that a user will use the mode improperly and impact the security
of their keys. Keys in convergent mode that were created in v0.6.1 will
continue to work with the same mechanism (user-supplied nonce).
- etcd HA off by default: Following in the footsteps of dynamodb, the etcd
storage backend now requires that ha_enabled be explicitly specified in
the configuration file. The backend currently has known broken HA behavior,
so this flag discourages use by default without explicitly enabling it. If
you are using this functionality, when upgrading, you should set ha_enabled
to "true" before starting the new versions of Vault.
- Default/Max lease/token TTLs are now 32 days: In previous versions of
Vault the default was 30 days, but moving it to 32 days allows some
operations (e.g. reauthenticating, renewing, etc.) to be performed via a
monthly cron job.
- AppRole Secret ID endpoints changed: Secret ID and Secret ID accessors are
no longer part of request URLs. The GET and DELETE operations are now
moved to new endpoints (/lookup and /destroy) which consumes the input from
the body and not the URL.
- AppRole requires at least one constraint: previously it was sufficient to
turn off all AppRole authentication constraints (secret ID, CIDR block)
and use the role ID only. It is now required that at least one additional
constraint is enabled. Existing roles are unaffected, but any new roles or
updated roles will require this.
- Reading wrapped responses from cubbyhole/response is deprecated. The
sys/wrapping/unwrap endpoint should be used instead as it provides
additional security, auditing, and other benefits. The ability to read
directly will be removed in a future release.
- Request Forwarding is now on by default: in 0.6.1 this required toggling
on, but is now enabled by default. This can be disabled via the
"disable_clustering" parameter in Vault's config, or per-request with the
X-Vault-No-Request-Forwarding header.
- In prior versions a bug caused the bound_iam_role_arn value in the aws-ec2
authentication backend to actually use the instance profile ARN. This has
been corrected, but as a result there is a behavior change. To match using
the instance profile ARN, a new parameter bound_iam_instance_profile_arn has
been added. Existing roles will automatically transfer the value over to the
correct parameter, but the next time the role is updated, the new meanings
will take effect.
FEATURES:
- Secret ID CIDR Restrictions in AppRole: Secret IDs generated under an
approle can now specify a list of CIDR blocks from where the requests to
generate secret IDs should originate from. If an approle already has CIDR
restrictions specified, the CIDR restrictions on the secret ID should be a
subset of those specified on the role [GH-1910]
- Initial Root Token PGP Encryption: Similar to generate-root, the root
token created at initialization time can now be PGP encrypted [GH-1883]
- Support Chained Intermediate CAs in pki: The pki backend now allows, when
a CA cert is being supplied as a signed root or intermediate, a trust
chain of arbitrary length. The chain is returned as a parameter at
certificate issue/sign time and is retrievable independently as well.
[GH-1694]
- Response Wrapping Enhancements: There are new endpoints to look up
response wrapped token parameters; wrap arbitrary values; rotate wrapping
tokens; and unwrap with enhanced validation. In addition, list operations
can now be response-wrapped. [GH-1927]
- Transit features: The transit backend now supports generating random bytes
and SHA sums; HMACs; and signing and verification functionality using EC
keys (P-256 curve)
IMPROVEMENTS:
- api: Return error when an invalid (as opposed to incorrect) unseal key is
submitted, rather than ignoring it [GH-1782]
- api: Add method to call auth/token/create-orphan endpoint [GH-1834]
- api: Rekey operation now redirects from standbys to master [GH-1862]
- audit/file: Sending a SIGHUP to Vault now causes Vault to close and
re-open the log file, making it easier to rotate audit logs [GH-1953]
- auth/aws-ec2: EC2 instances can get authenticated by presenting the
identity document and its SHA256 RSA digest [GH-1961]
- auth/aws-ec2: IAM bound parameters on the aws-ec2 backend will perform a
prefix match instead of exact match [GH-1943]
- auth/aws-ec2: Added a new constraint bound_iam_instance_profile_arn to
refer to IAM instance profile ARN and fixed the earlier bound_iam_role_arn
to refer to IAM role ARN instead of the instance profile ARN [GH-1913]
- auth/aws-ec2: Backend generates the nonce by default and clients can
explicitly disable reauthentication by setting empty nonce [GH-1889]
- auth/token: Added warnings if tokens and accessors are used in URLs
[GH-1806]
- command/format: The format flag on select CLI commands takes yml as an
alias for yaml [GH-1899]
- core: Allow the size of the read cache to be set via the config file, and
change the default value to 1MB (from 32KB) [GH-1784]
- core: Allow single and two-character path parameters for most places
[GH-1811]
- core: Allow list operations to be response-wrapped [GH-1814]
- core: Provide better protection against timing attacks in Shamir code
[GH-1877]
- core: Unmounting/disabling backends no longer returns an error if the
mount didn't exist. This is line with elsewhere in Vault's API where
DELETE is an idempotent operation. [GH-1903]
- credential/approle: At least one constraint is required to be enabled
while creating and updating a role [GH-1882]
- secret/cassandra: Added consistency level for use with roles [GH-1931]
- secret/mysql: SQL for revoking user can be configured on the role
[GH-1914]
- secret/transit: Use HKDF (RFC 5869) as the key derivation function for new
keys [GH-1812]
- secret/transit: Empty plaintext values are now allowed [GH-1874]
BUG FIXES:
- audit: Fix panic being caused by some values logging as underlying Go
types instead of formatted strings [GH-1912]
- auth/approle: Fixed panic on deleting approle that doesn't exist [GH-1920]
- auth/approle: Not letting secret IDs and secret ID accessors to get logged
in plaintext in audit logs [GH-1947]
- auth/aws-ec2: Allow authentication if the underlying host is in a bad
state but the instance is running [GH-1884]
- auth/token: Fixed metadata getting missed out from token lookup response
by gracefully handling token entry upgrade [GH-1924]
- cli: Don't error on newline in token file [GH-1774]
- core: Pass back content-type header for forwarded requests [GH-1791]
- core: Fix panic if the same key was given twice to generate-root [GH-1827]
- core: Fix potential deadlock on unmount/remount [GH-1793]
- physical/file: Remove empty directories from the file storage backend
[GH-1821]
- physical/zookeeper: Remove empty directories from the zookeeper storage
backend and add a fix to the file storage backend's logic [GH-1964]
- secret/aws: Added update operation to aws/sts path to consider ttl
parameter [39b75c6]
- secret/aws: Mark STS secrets as non-renewable [GH-1804]
- secret/cassandra: Properly store session for re-use [GH-1802]
- secret/ssh: Fix panic when revoking SSH dynamic keys [GH-1781]
0.6.1 (August 22, 2016)
DEPRECATIONS/BREAKING CHANGES:
- Once the active node is 0.6.1, standby nodes must also be 0.6.1
in order to connect to the HA cluster.
- Status codes for sealed/uninitialized Vaults have changed to
503/501 respectively.
- Root tokens (tokens with the root policy) can no longer be
created except by another root token or the generate-root
endpoint.
- Issued certificates from the pki backend against new roles
created or modified after upgrading will contain a set of
default key usages.
- The dynamodb physical data store no longer supports HA by
default.
- The ldap backend no longer searches for memberOf groups as part
of its normal flow. Instead, the desired group filter must be
specified.
- app-id is now deprecated with the addition of the new AppRole
backend.
FEATURES:
- AppRole Authentication Backend: The approle backend is a
machine-oriented authentication backend that provides a similar
concept to App-ID while adding many missing features, including a
pull model that allows for the backend to generate authentication
credentials rather than requiring operators or other systems to
push credentials in.
- Request Forwarding: Vault servers can now forward requests to
each other rather than redirecting clients. This feature is off
by default in 0.6.1 but will be on by default in the next release.
- Convergent Encryption in Transit: The transit backend now
supports a convergent encryption mode where the same plaintext
will produce the same ciphertext.
- Improved LDAP Group Filters: The ldap auth backend now uses
templates to define group filters, providing the capability to
support some directories that could not easily be supported before
(especially specific Active Directory setups with nested groups).
- Key Usage Control in PKI: Issued certificates from roles created
or modified after upgrading contain a set of default key usages
for increased compatibility with OpenVPN and some other software.
- Request Retrying in the CLI and Go API: Requests that fail with
a 5xx error code will now retry after a backoff. The maximum
total number of retries (including disabling this functionality)
can be set with an environment variable.
- Service Discovery in vault init: The new -auto option on vault
init will perform service discovery using Consul.
- MongoDB Secret Backend: Generate dynamic unique MongoDB database
credentials based on configured roles.
- Circonus Metrics Integration: Vault can now send metrics to
Circonus.
IMPROVEMENTS:
- audit: Added a unique identifier to each request which will also
be found in the request portion of the response.
- auth/aws-ec2: Added a new constraint bound_account_id to the
role
- auth/aws-ec2: Added a new constraint bound_iam_role_arn to the
role
- auth/aws-ec2: Added ttl field for the role
- auth/ldap, secret/cassandra, physical/consul: Clients with
tls.Config have the minimum TLS version set to 1.2 by default.
- auth/token: Added endpoint to list accessors
- auth/token: Added disallowed_policies option to token store
roles
- auth/token: root or sudo tokens can now create periodic tokens
via auth/token/create; additionally, the same token can now be
periodic and have an explicit max TTL
- build: Add support for building on Solaris/Illumos
- cli: Output formatting in the presence of warnings in the
response object
- cli: vault auth command supports a -path option to take in the
path at which the auth backend is enabled, thereby allowing
authenticating against different paths using the command options
- cli: vault auth -methods will now display the config settings of
the mount
- cli: vault read/write/unwrap -field now allows selecting token
response fields
- cli: vault write -field now allows selecting wrapped response
fields
- command/status: Version information and cluster details added to
the output of vault status command
- core: Response wrapping is now enabled for login endpoints
- core: The duration of leadership is now exported via events
through telemetry
- core: sys/capabilities-self is now accessible as part of the
default policy
- core: sys/renew is now accessible as part of the default policy
- core: Unseal keys will now be returned in both hex and base64
forms, and either can be used
- core: Responses from most /sys endpoints now return normal
api.Secret structs in addition to the values they carried
before.
- physical/etcd: Support ETCD_ADDR env var for specifying
addresses
- physical/consul: Allowing additional tags to be added to Consul
service registration via service_tags option
- secret/aws: Listing of roles is supported now
- secret/cassandra: Add connect_timeout value for Cassandra
connection configuration
- secret/mssql,mysql,postgresql: Reading of connection settings is
supported in all the sql backends
- secret/mysql: Added optional maximum idle connections value to
MySQL connection configuration
- secret/mysql: Use a combination of the role name and token
display name in generated user names and allow the length to be
controlled
- secret/{cassandra,mssql,mysql,postgresql}: SQL statements can
now be passed in via one of four ways: a semicolon-delimited
string, a base64-delimited string, a serialized JSON string array,
or a base64-encoded serialized JSON string array
- secret/ssh: Added allowed_roles to vault-ssh-helper's config and
returning role name as part of response of verify API
- secret/ssh: Added passthrough of command line arguments to ssh
- sys/health: Added version information to the response of health
status endpoint
- sys/health: Cluster information isbe returned as part of health
status when Vault is unsealed
- sys/mounts: MountTable data is compressed before serializing to
accommodate thousands of mounts
- website: The token concepts page has been completely rewritten
BUG FIXES:
- auth/aws-ec2: Added a nil check for stored whitelist identity
object during renewal
- auth/cert: Fix panic if no client certificate is supplied
- auth/token: Don't report that a non-expiring root token is
renewable, as attempting to renew it results in an error
- cli: Don't retry a command when a redirection is received
- core: Fix regression causing status codes to be 400 in most
non-5xx error cases
- core: Fix panic that could occur during a leadership transition
- physical/postgres: Remove use of prepared statements as this
causes connection multiplexing software to break
- physical/consul: Multiple Vault nodes on the same machine
leading to check ID collisions were resulting in incorrect
health check responses
- physical/consul: Fix deregistration of health checks on exit
- secret/postgresql: Check for existence of role before attempting
deletion
- secret/postgresql: Handle revoking roles that have privileges on
sequences
- secret/postgresql(,mysql,mssql): Fix incorrect use of database
over transaction object which could lead to connection
exhaustion
- secret/pki: Fix parsing CA bundle containing trailing whitespace
- secret/pki: Fix adding email addresses as SANs
- secret/pki: Ensure that CRL values are always UTC, per RFC
- sys/seal-status: Fixed nil Cluster object while checking seal
status
0.6.0 (June 14th, 2016)
SECURITY:
Although sys/revoke-prefix was intended to revoke prefixes of
secrets (via lease IDs, which incorporate path information) and
auth/token/revoke-prefix was intended to revoke prefixes of tokens
(using the tokens' paths and, since 0.5.2, role information), in
implementation they both behaved exactly the same way since a
single component in Vault is responsible for managing lifetimes of
both, and the type of the tracked lifetime was not being checked.
The end result was that either endpoint could revoke both secret
leases and tokens. We consider this a very minor security issue as
there are a number of mitigating factors: both endpoints require
sudo capability in addition to write capability, preventing
blanket ACL path globs from providing access; both work by using
the prefix to revoke as a part of the endpoint path, allowing them
to be properly ACL'd; and both are intended for emergency
scenarios and users should already not generally have access to
either one. In order to prevent confusion, we have simply removed
auth/token/revoke-prefix in 0.6, and sys/revoke-prefix will be
meant for both leases and tokens instead.
DEPRECATIONS/BREAKING CHANGES:
- auth/token/revoke-prefix has been removed. See the security
notice for details.
- Vault will now automatically register itself as the vault
service when using the consul backend and will perform its own
health checks.
- List operations that do not find any keys now return a 404
status code rather than an empty response object
- CA certificates issued from the pki backend no longer have
associated leases, and any CA certs already issued will ignore
revocation requests from the lease manager.
FEATURES:
- AWS EC2 Auth Backend: Provides a secure introduction mechanism
for AWS EC2 instances allowing automated retrieval of Vault
tokens.
- Response Wrapping: Nearly any response within Vault can now be
wrapped inside a single-use, time-limited token's cubbyhole,
taking the Cubbyhole Authentication Principles mechanism to its
logical conclusion.
- Azure Physical Backend: You can now use Azure blob object
storage as your Vault physical data store
- Swift Physical Backend: You can now use Swift blob object
storage as your Vault physical data store
- Consul Backend Health Checks: The Consul backend will
automatically register a vault service and perform its own
health checking.
- Explicit Maximum Token TTLs: You can now set explicit maximum
TTLs on tokens that do not honor changes in the system- or
mount-set values.
- Non-Renewable Tokens: When creating tokens directly through the
token authentication backend, you can now specify in both token
store roles and the API whether or not a token should be
renewable, defaulting to true.
- RabbitMQ Secret Backend: Vault can now generate credentials for
RabbitMQ. Vhosts and tags can be defined within roles.
IMPROVEMENTS:
- audit: Add the DisplayName value to the copy of the Request
object embedded in the associated Response, to match the
original Request object
- audit: Enable auditing of the seal and step-down commands
- backends: Remove most root/sudo paths in favor of normal ACL
mechanisms.
- command/auth: Restore the previous authenticated token if the
auth command fails to authenticate the provided token
- command/write: -format and -field can now be used with the write
command
- core: Add mlock support for FreeBSD, OpenBSD, and Darwin
- core: Don't keep lease timers around when tokens are revoked
- core: If using the disable_cache option, caches for the policy
store and the transit backend are now disabled as well
- credential/cert: Renewal requests are rejected if the set of
policies has changed since the token was issued
- credential/cert: Check CRLs for specific non-CA certs configured
in the backend
- credential/ldap: If groupdn is not configured, skip searching
LDAP and only return policies for local groups, plus a warning
- credential/ldap: vault list support for users and groups
- credential/ldap: Support for the memberOf attribute for group
membership searching
- credential/userpass: Add list support for users
- credential/userpass: Remove user configuration paths from
requiring sudo, in favor of normal ACL mechanisms
- credential/token: Sanitize policies and add default policies in
appropriate places
- credential/token: Setting the renewable status of a token is now
possible via vault token-create and the API.
- secret/aws: Use chain credentials to allow environment/EC2
instance/shared providers
- secret/aws: Support for STS AssumeRole functionality
- secret/consul: Reading consul access configuration supported.
- secret/pki: Added exclude_cn_from_sans field to prevent adding
the CN to DNS or Email Subject Alternate Names
- secret/pki: Added list support for certificates
- sys/capabilities: Enforce ACL checks for requests that query the
capabilities of a token on a given path
- sys/health: Status information can now be retrieved with HEAD
BUG FIXES:
- command/read: Fix panic when using -field with a non-string
value
- command/token-lookup: Fix TTL showing as 0 depending on how a
token was created.
- command/various: Tell the JSON decoder to not convert all
numbers to floats; fixes some various places where numbers were
showing up in scientific notation
- command/server: Prioritized devRootTokenID and devListenAddress
flags over their respective env vars
- command/ssh: Provided option to disable host key checking.
- core: Properly persist mount-tuned TTLs for auth backends
- core: Don't accidentally crosswire SIGINT to the reload handler
- credential/github: Make organization comparison case-insensitive
during login
- credential/github: Fix panic when renewing a token created with
some earlier versions of Vault
- credential/github: The token used to log in via vault auth can
now be specified in the VAULT_AUTH_GITHUB_TOKEN environment
variable
- credential/ldap: Fix problem where certain error conditions when
configuring or opening LDAP connections would cause a panic
instead of return a useful error message
- credential/token: Fall back to normal parent-token semantics if
allowed_policies is empty for a role.
- credential/token: Fix issues renewing tokens when using the
"suffix" capability of token roles
- credential/token: Fix lookup via POST showing the request token
instead of the desired token
- credential/various: Fix renewal conditions when default policy
is not contained in the backend config
- physical/s3: Don't panic in certain error cases from bad S3
responses
- secret/consul: Use non-pooled Consul API client to avoid leaving
files open
- secret/pki: Don't check whether a certificate is destined to be
a CA certificate if sign-verbatim endpoint is used
0.5.3 (May 27th, 2016)
SECURITY:
Consul ACL Token Revocation: An issue was reported to us
indicating that generated Consul ACL tokens were not being
properly revoked. Upon investigation, we found that this behavior
was reproducible in a specific scenario: when a generated lease
for a Consul ACL token had been renewed prior to revocation. In
this case, the generated token was not being properly persisted
internally through the renewal function, leading to an error
during revocation due to the missing token. Unfortunately, this
was coded as a user error rather than an internal error, and the
revocation logic was expecting internal errors if revocation
failed. As a result, the revocation logic believed the revocation
to have succeeded when it in fact failed, causing the lease to be
dropped while the token was still valid within Consul. In this
release, the Consul backend properly persists the token through
renewals, and the revocation logic has been changed to consider
any error type to have been a failure to revoke, causing the lease
to persist and attempt to be revoked later.
Vault is a tool for securely accessing secrets. A secret is
anything that you want to tightly control access to, such as API
keys, passwords, certificates, and more. Vault provides a unified
interface to any secret, while providing tight access control and
recording a detailed audit log.
fhajny
bsiegert
wiz