cb73ef5c2a
SECURITY:

- In prior versions of Vault, if authenticating via AWS IAM and requesting a periodic token, the period was not properly respected. This could lead to tokens expiring unexpectedly, or a token lifetime being longer than expected. Upon token renewal with Vault 0.8.2 the period will be properly enforced.

DEPRECATIONS/CHANGES:

- `vault ssh` users should supply `-mode` and `-role` to reduce the number of API calls. A future version of Vault will mark these optional values as required. Failure to supply `-mode` or `-role` will result in a warning.
- Vault plugins will first briefly run a restricted version of the plugin to fetch metadata, and then lazy-load the plugin on first request to prevent crash/deadlock of Vault during the unseal process. Plugins will need to be built with the latest changes in order for them to run properly.

FEATURES:

- Lazy Lease Loading: On startup, Vault will now load leases from storage in a lazy fashion (token checks and revocation/renewal requests still force an immediate load). For larger installations this can significantly reduce downtime when switching active nodes or bringing Vault up from cold start.
- SSH CA Login with `vault ssh`: `vault ssh` now supports the SSH CA backend for authenticating to machines. It also supports remote host key verification through the SSH CA backend, if enabled.
- Signing of Self-Issued Certs in PKI: The `pki` backend now supports signing self-issued CA certs. This is useful when switching root CAs.

IMPROVEMENTS:

- audit/file: Allow specifying `stdout` as the `file_path` to log to standard output
- auth/aws: Allow wildcards in `bound_iam_principal_id`
- auth/okta: Compare groups case-insensitively since Okta is only case-preserving
- auth/okta: Standardize Okta configuration APIs across backends
- cli: Add subcommand autocompletion that can be enabled with `vault -autocomplete-install`
- cli: Add ability to handle wrapped responses when using `vault auth`. What is output depends on the other given flags; see the help output for that command for more information.
- core: TLS cipher suites used for cluster behavior can now be set via `cluster_cipher_suites` in configuration
- core: The `plugin_name` can now either be specified directly as part of the parameter or within the `config` object when mounting a secret or auth backend via `sys/mounts/:path` or `sys/auth/:path` respectively
- core: It is now possible to update the `description` of a mount when mount-tuning, although this must be done through the HTTP layer
- secret/databases/mongo: If an EOF is encountered, attempt reconnecting and retrying the operation
- secret/pki: TTLs can now be specified as a string or an integer number of seconds
- secret/pki: Self-issued certs can now be signed via `pki/root/sign-self-issued`
- storage/gcp: Use application default credentials if they exist

BUG FIXES:

- auth/aws: Properly use role-set period values for IAM-derived token renewals
- auth/okta: Fix updating organization/ttl/max_ttl after initial setting
- core: Fix PROXY when underlying connection is TLS
- core: Policy-related commands would sometimes fail to act case-insensitively
- storage/consul: Fix parsing TLS configuration when using a bare IPv6 address
- plugins: Lazy-load plugins to prevent crash/deadlock during unseal process.
- plugins: Skip mounting plugin-based secret and credential mounts when setting up mounts if the plugin is no longer present in the catalog.