f57a5cfff6
FEATURES:

- Okta Authentication: A new Okta authentication backend allows you to use Okta usernames and passwords to authenticate to Vault. If provided with an appropriate Okta API token, group membership can be queried to assign policies; users and groups can be defined locally as well.
- RADIUS Authentication: A new RADIUS authentication backend allows using a RADIUS server to authenticate to Vault. Policies can be configured for specific users or for any authenticated user.
- Exportable Transit Keys: Keys in `transit` can now be marked as `exportable` at creation time. This allows a properly ACL'd user to retrieve the associated signing key, encryption key, or HMAC key. The `exportable` value is returned on a key policy read and cannot be changed, so if a key is marked `exportable` it will always be exportable, and if it is not it will never be exportable.
- Batch Transit Operations: `encrypt`, `decrypt` and `rewrap` operations in the transit backend now support processing multiple input items in one call, returning the output of each item in the response.
- Configurable Audited HTTP Headers: You can now specify headers that you want to have included in each audit entry, along with whether each header should be HMAC'd or kept plaintext. This can be useful for adding additional client or network metadata to the audit logs.
- Transit Backend UI (Enterprise): Vault Enterprise UI now supports the transit backend, allowing creation, viewing and editing of named keys as well as using those keys to perform supported transit operations directly in the UI.
- Socket Audit Backend: A new socket audit backend allows audit logs to be sent through TCP, UDP, or UNIX Sockets.
IMPROVEMENTS:

- auth/aws-ec2: Add support for cross-account auth using STS
- auth/aws-ec2: Support issuing periodic tokens
- auth/github: Support listing teams and users
- auth/ldap: Support adding policies to local users directly, in addition to local groups
- command/server: Add ability to select and prefer server cipher suites
- core: Add a nonce to unseal operations as a check (useful mostly for support, not as a security principle)
- duo: Added ability to supply extra context to Duo pushes
- physical/consul: Add option for setting consistency mode on Consul gets
- physical/etcd: Full v3 API support; code will autodetect which API version to use. The v3 code path is significantly less complicated and may be much more stable.
- secret/pki: Allow specifying OU entries in generated certificate subjects
- secret mount ui (Enterprise): the secret mount list now shows all mounted backends even if the UI cannot browse them. Additional backends can now be mounted from the UI as well.

BUG FIXES:

- auth/token: Fix regression in 0.6.4 where using token store roles as a blacklist (with only `disallowed_policies` set) would not work in most circumstances
- physical/s3: Page responses in client so list doesn't truncate
- secret/cassandra: Stop a connection leak that could occur on active node failover
- secret/pki: When using `sign-verbatim`, don't require a role and use the CSR's common name
Files:

- DESCR
- distinfo
- Makefile
- PLIST