All Versions
171
Latest Version
Avg Release Cycle
26 days
Latest Release
-

Changelog History
Page 16

  • v0.7.0 Changes

    March 21, 2017

    🔒 SECURITY:

    • Common name not being validated when exclude_cn_from_sans option used in pki backend: When using a role in the pki backend that specified the exclude_cn_from_sans option, the common name would not then be properly validated against the role's constraints. This has been fixed. We recommend any users of this feature to upgrade to 0.7 as soon as feasible.

    🗄 DEPRECATIONS/CHANGES:

    • List Operations Always Use Trailing Slash: Any list operation, whether via the GET or LIST HTTP verb, will now internally canonicalize the path to have a trailing slash. This makes policy writing more predictable, as it means clients will no longer work or fail based on which client they're using or which HTTP verb they're using. However, it also means that policies allowing list capability must be carefully checked to ensure that they contain a trailing slash; some policies may need to be split into multiple stanzas to accommodate.
    • PKI Defaults to Unleased Certificates: When issuing certificates from the PKI backend, by default, no leases will be issued. If you want to manually revoke a certificate, its serial number can be used with the pki/revoke endpoint. Issuing leases is still possible by enabling the generate_lease toggle in PKI role entries (this will default to true for upgrades, to keep existing behavior), which will allow using lease IDs to revoke certificates. For installations issuing large numbers of certificates (tens to hundreds of thousands, or millions), this will significantly improve Vault startup time since leases associated with these certificates will not have to be loaded; however note that it also means that revocation of a token used to issue certificates will no longer add these certificates to a CRL. If this behavior is desired or needed, consider keeping leases enabled and ensuring lifetimes are reasonable, and issue long-lived certificates via a different role with leases disabled.

    🔋 FEATURES:

    • Replication (Enterprise): Vault Enterprise now has support for creating a multi-datacenter replication set between clusters. The current replication offering is based on an asynchronous primary/secondary (1:N) model that replicates static data while keeping dynamic data (leases, tokens) cluster-local, focusing on horizontal scaling for high-throughput and high-fanout deployments.
    • Response Wrapping & Replication in the Vault Enterprise UI: Vault Enterprise UI now supports looking up and rotating response wrapping tokens, as well as creating tokens with arbitrary values inside. It also now supports replication functionality, enabling the configuration of a replication set in the UI.
    • Expanded Access Control Policies: Access control policies can now specify allowed and denied parameters -- and, optionally, their values -- to control what a client can and cannot submit during an API call. Policies can also specify minimum/maximum response wrapping TTLs to both enforce the use of response wrapping and control the duration of resultant wrapping tokens. See the policies concepts page for more information.
    • SSH Backend As Certificate Authority: The SSH backend can now be configured to sign host and user certificates. Each mount of the backend acts as an independent signing authority. The CA key pair can be configured for each mount and the public key is accessible via an unauthenticated API call; additionally, the backend can generate a public/private key pair for you. We recommend using separate mounts for signing host and user certificates.

    👌 IMPROVEMENTS:

    • api/request: Passing username and password information in API request [GH-2469]
    • audit: Logging the token's use count with authentication response and logging the remaining uses of the client token with request [GH-2437]
    • auth/approle: Support for restricting the number of uses on the tokens issued [GH-2435]
    • auth/aws-ec2: AWS EC2 auth backend now supports constraints for VPC ID, Subnet ID and Region [GH-2407]
    • auth/ldap: Use the value of the LOGNAME or USER env vars for the username if not explicitly set on the command line when authenticating [GH-2154]
    • audit: Support adding a configurable prefix (such as @cee) before each line [GH-2359]
    • core: Canonicalize list operations to use a trailing slash [GH-2390]
    • core: Add option to disable caching on a per-mount level [GH-2455]
    • core: Add ability to require valid client certs in listener config [GH-2457]
    • physical/dynamodb: Implement a session timeout to avoid having to use recovery mode in the case of an unclean shutdown, which makes HA much safer [GH-2141]
    • secret/pki: O (Organization) values can now be set to role-defined values for issued/signed certificates [GH-2369]
    • secret/pki: Certificates issued/signed from PKI backend do not generate leases by default [GH-2403]
    • secret/pki: When using DER format, still return the private key type [GH-2405]
    • secret/pki: Add an intermediate to the CA chain even if it lacks an authority key ID [GH-2465]
    • secret/pki: Add role option to use CSR SANs [GH-2489]
    • secret/ssh: SSH backend as CA to sign user and host certificates [GH-2208]
    • secret/ssh: Support reading of SSH CA public key from config/ca endpoint and also return it when CA key pair is generated [GH-2483]

    🐛 BUG FIXES:

    • audit: When auditing headers use case-insensitive comparisons [GH-2362]
    • auth/aws-ec2: Return role period in seconds and not nanoseconds [GH-2374]
    • auth/okta: Fix panic if user had no local groups and/or policies set [GH-2367]
    • command/server: Fix parsing of redirect address when port is not mentioned [GH-2354]
    • physical/postgresql: Fix listing returning incorrect results if there were multiple levels of children [GH-2393]

  • v0.6.5 Changes

    February 07, 2017

    🔋 FEATURES:

    • Okta Authentication: A new Okta authentication backend allows you to use Okta usernames and passwords to authenticate to Vault. If provided with an appropriate Okta API token, group membership can be queried to assign policies; users and groups can be defined locally as well.
    • RADIUS Authentication: A new RADIUS authentication backend allows using a RADIUS server to authenticate to Vault. Policies can be configured for specific users or for any authenticated user.
    • Exportable Transit Keys: Keys in transit can now be marked as exportable at creation time. This allows a properly ACL'd user to retrieve the associated signing key, encryption key, or HMAC key. The exportable value is returned on a key policy read and cannot be changed, so if a key is marked exportable it will always be exportable, and if it is not it will never be exportable.
    • Batch Transit Operations: encrypt, decrypt and rewrap operations in the transit backend now support processing multiple input items in one call, returning the output of each item in the response.
    • Configurable Audited HTTP Headers: You can now specify headers that you want to have included in each audit entry, along with whether each header should be HMAC'd or kept plaintext. This can be useful for adding additional client or network metadata to the audit logs.
    • Transit Backend UI (Enterprise): Vault Enterprise UI now supports the transit backend, allowing creation, viewing and editing of named keys as well as using those keys to perform supported transit operations directly in the UI.
    • Socket Audit Backend A new socket audit backend allows audit logs to be sent through TCP, UDP, or UNIX Sockets.

    👌 IMPROVEMENTS:

    • auth/aws-ec2: Add support for cross-account auth using STS [GH-2148]
    • auth/aws-ec2: Support issuing periodic tokens [GH-2324]
    • auth/github: Support listing teams and users [GH-2261]
    • auth/ldap: Support adding policies to local users directly, in addition to local groups [GH-2152]
    • command/server: Add ability to select and prefer server cipher suites [GH-2293]
    • core: Add a nonce to unseal operations as a check (useful mostly for support, not as a security principle) [GH-2276]
    • duo: Added ability to supply extra context to Duo pushes [GH-2118]
    • physical/consul: Add option for setting consistency mode on Consul gets [GH-2282]
    • physical/etcd: Full v3 API support; code will autodetect which API version to use. The v3 code path is significantly less complicated and may be much more stable. [GH-2168]
    • secret/pki: Allow specifying OU entries in generated certificate subjects [GH-2251]
    • secret mount ui (Enterprise): the secret mount list now shows all mounted backends even if the UI cannot browse them. Additional backends can now be mounted from the UI as well.

    🐛 BUG FIXES:

    • auth/token: Fix regression in 0.6.4 where using token store roles as a blacklist (with only disallowed_policies set) would not work in most circumstances [GH-2286]
    • physical/s3: Page responses in client so list doesn't truncate [GH-2224]
    • secret/cassandra: Stop a connection leak that could occur on active node failover [GH-2313]
    • secret/pki: When using sign-verbatim, don't require a role and use the CSR's common name [GH-2243]

  • v0.6.4 Changes

    December 16, 2016

    🔒 SECURITY:

    🔒 Further details about these security issues can be found in the 0.6.4 upgrade guide.

    • default Policy Privilege Escalation: If a parent token did not have the default policy attached to its token, it could still create children with the default policy. This is no longer allowed (unless the parent has sudo capability for the creation path). In most cases this is low severity since the access grants in the default policy are meant to be access grants that are acceptable for all tokens to have.
    • Leases Not Expired When Limited Use Token Runs Out of Uses: When using limited-use tokens to create leased secrets, if the limited-use token was revoked due to running out of uses (rather than due to TTL expiration or explicit revocation) it would fail to revoke the leased secrets. These secrets would still be revoked when their TTL expired, limiting the severity of this issue. An endpoint has been added (auth/token/tidy) that can perform housekeeping tasks on the token store; one of its tasks can detect this situation and revoke the associated leases.

    🔋 FEATURES:

    • Policy UI (Enterprise): Vault Enterprise UI now supports viewing, creating, and editing policies.

    👌 IMPROVEMENTS:

    • http: Vault now sets a no-store cache control header to make it more secure in setups that are not end-to-end encrypted [GH-2183]

    🐛 BUG FIXES:

    • auth/ldap: Don't panic if dialing returns an error and starttls is enabled; instead, return the error [GH-2188]
    • ui (Enterprise): Submitting an unseal key now properly resets the form so a browser refresh isn't required to continue.

  • v0.6.3 Changes

    December 06, 2016

    🗄 DEPRECATIONS/CHANGES:

    • Request size limitation: A maximum request size of 32MB is imposed to prevent a denial of service attack with arbitrarily large requests [GH-2108]
    • LDAP denies passwordless binds by default: In new LDAP mounts, or when existing LDAP mounts are rewritten, passwordless binds will be denied by default. The new deny_null_bind parameter can be set to false to allow these. [GH-2103]
    • Any audit backend activated satisfies conditions: Previously, when a new Vault node was taking over service in an HA cluster, all audit backends were required to be loaded successfully to take over active duty. This behavior now matches the behavior of the audit logging system itself: at least one audit backend must successfully be loaded. The server log contains an error when this occurs. This helps keep a Vault HA cluster working when there is a misconfiguration on a standby node. [GH-2083]

    🔋 FEATURES:

    • Web UI (Enterprise): Vault Enterprise now contains a built-in web UI that offers access to a number of features, including init/unsealing/sealing, authentication via userpass or LDAP, and K/V reading/writing. The capability set of the UI will be expanding rapidly in further releases. To enable it, set ui = true in the top level of Vault's configuration file and point a web browser at your Vault address.
    • Google Cloud Storage Physical Backend: You can now use GCS for storing Vault data [GH-2099]

    👌 IMPROVEMENTS:

    • auth/github: Policies can now be assigned to users as well as to teams [GH-2079]
    • cli: Set the number of retries on 500 down to 0 by default (no retrying). It can be very confusing to users when there is a pause while the retries happen if they haven't explicitly set it. With request forwarding the need for this is lessened anyways. [GH-2093]
    • core: Response wrapping is now allowed to be specified by backend responses (requires backends gaining support) [GH-2088]
    • physical/consul: When announcing service, use the scheme of the Vault server rather than the Consul client [GH-2146]
    • secret/consul: Added listing functionality to roles [GH-2065]
    • secret/postgresql: Added revocation_sql parameter on the role endpoint to enable customization of user revocation SQL statements [GH-2033]
    • secret/transit: Add listing of keys [GH-1987]

    🐛 BUG FIXES:

    • api/unwrap, command/unwrap: Increase compatibility of unwrap command with Vault 0.6.1 and older [GH-2014]
    • api/unwrap, command/unwrap: Fix error when no client token exists [GH-2077]
    • auth/approle: Creating the index for the role_id properly [GH-2004]
    • auth/aws-ec2: Handle the case of multiple upgrade attempts when setting the instance-profile ARN [GH-2035]
    • auth/ldap: Avoid leaking connections on login [GH-2130]
    • command/path-help: Use the actual error generated by Vault rather than always using 500 when there is a path help error [GH-2153]
    • command/ssh: Use temporary file for identity and ensure its deletion before the command returns [GH-2016]
    • cli: Fix error printing values with -field if the values contained formatting directives [GH-2109]
    • command/server: Don't say mlock is supported on OSX when it isn't. [GH-2120]
    • core: Fix bug where a failure to come up as active node (e.g. if an audit backend failed) could lead to deadlock [GH-2083]
    • physical/mysql: Fix potential crash during setup due to a query failure [GH-2105]
    • secret/consul: Fix panic on user error [GH-2145]

  • v0.6.2 Changes

    October 05, 2016

    🗄 DEPRECATIONS/CHANGES:

    • Convergent Encryption v2: New keys in transit using convergent mode will use a new nonce derivation mechanism rather than require the user to supply a nonce. While not explicitly increasing security, it minimizes the likelihood that a user will use the mode improperly and impact the security of their keys. Keys in convergent mode that were created in v0.6.1 will continue to work with the same mechanism (user-supplied nonce).
    • etcd HA off by default: Following in the footsteps of dynamodb, the etcd storage backend now requires that ha_enabled be explicitly specified in the configuration file. The backend currently has known broken HA behavior, so this flag discourages use by default without explicitly enabling it. If you are using this functionality, when upgrading, you should set ha_enabled to "true" before starting the new versions of Vault.
    • Default/Max lease/token TTLs are now 32 days: In previous versions of Vault the default was 30 days, but moving it to 32 days allows some operations (e.g. reauthenticating, renewing, etc.) to be performed via a monthly cron job.
    • AppRole Secret ID endpoints changed: Secret ID and Secret ID accessors are no longer part of request URLs. The GET and DELETE operations are now moved to new endpoints (/lookup and /destroy) which consumes the input from the body and not the URL.
    • AppRole requires at least one constraint: previously it was sufficient to turn off all AppRole authentication constraints (secret ID, CIDR block) and use the role ID only. It is now required that at least one additional constraint is enabled. Existing roles are unaffected, but any new roles or updated roles will require this.
    • Reading wrapped responses from cubbyhole/response is deprecated. The sys/wrapping/unwrap endpoint should be used instead as it provides additional security, auditing, and other benefits. The ability to read directly will be removed in a future release.
    • Request Forwarding is now on by default: in 0.6.1 this required toggling on, but is now enabled by default. This can be disabled via the "disable_clustering" parameter in Vault's config, or per-request with the X-Vault-No-Request-Forwarding header.
    • In prior versions a bug caused the bound_iam_role_arn value in the aws-ec2 authentication backend to actually use the instance profile ARN. This has been corrected, but as a result there is a behavior change. To match using the instance profile ARN, a new parameter bound_iam_instance_profile_arn has been added. Existing roles will automatically transfer the value over to the correct parameter, but the next time the role is updated, the new meanings will take effect.

    🔋 FEATURES:

    • Secret ID CIDR Restrictions in AppRole: Secret IDs generated under an approle can now specify a list of CIDR blocks from where the requests to generate secret IDs should originate from. If an approle already has CIDR restrictions specified, the CIDR restrictions on the secret ID should be a subset of those specified on the role [GH-1910]
    • Initial Root Token PGP Encryption: Similar to generate-root, the root token created at initialization time can now be PGP encrypted [GH-1883]
    • Support Chained Intermediate CAs in pki: The pki backend now allows, when a CA cert is being supplied as a signed root or intermediate, a trust chain of arbitrary length. The chain is returned as a parameter at certificate issue/sign time and is retrievable independently as well. [GH-1694]
    • Response Wrapping Enhancements: There are new endpoints to look up response wrapped token parameters; wrap arbitrary values; rotate wrapping tokens; and unwrap with enhanced validation. In addition, list operations can now be response-wrapped. [GH-1927]
    • Transit Features: The transit backend now supports generating random bytes and SHA sums; HMACs; and signing and verification functionality using EC keys (P-256 curve)

    👌 IMPROVEMENTS:

    • api: Return error when an invalid (as opposed to incorrect) unseal key is submitted, rather than ignoring it [GH-1782]
    • api: Add method to call auth/token/create-orphan endpoint [GH-1834]
    • api: Rekey operation now redirects from standbys to master [GH-1862]
    • audit/file: Sending a SIGHUP to Vault now causes Vault to close and re-open the log file, making it easier to rotate audit logs [GH-1953]
    • auth/aws-ec2: EC2 instances can get authenticated by presenting the identity document and its SHA256 RSA digest [GH-1961]
    • auth/aws-ec2: IAM bound parameters on the aws-ec2 backend will perform a prefix match instead of exact match [GH-1943]
    • auth/aws-ec2: Added a new constraint bound_iam_instance_profile_arn to refer to IAM instance profile ARN and fixed the earlier bound_iam_role_arn to refer to IAM role ARN instead of the instance profile ARN [GH-1913]
    • auth/aws-ec2: Backend generates the nonce by default and clients can explicitly disable reauthentication by setting empty nonce [GH-1889]
    • auth/token: Added warnings if tokens and accessors are used in URLs [GH-1806]
    • command/format: The format flag on select CLI commands takes yml as an alias for yaml [GH-1899]
    • core: Allow the size of the read cache to be set via the config file, and change the default value to 1MB (from 32KB) [GH-1784]
    • core: Allow single and two-character path parameters for most places [GH-1811]
    • core: Allow list operations to be response-wrapped [GH-1814]
    • core: Provide better protection against timing attacks in Shamir code [GH-1877]
    • core: Unmounting/disabling backends no longer returns an error if the mount didn't exist. This is line with elsewhere in Vault's API where DELETE is an idempotent operation. [GH-1903]
    • credential/approle: At least one constraint is required to be enabled while creating and updating a role [GH-1882]
    • secret/cassandra: Added consistency level for use with roles [GH-1931]
    • secret/mysql: SQL for revoking user can be configured on the role [GH-1914]
    • secret/transit: Use HKDF (RFC 5869) as the key derivation function for new keys [GH-1812]
    • secret/transit: Empty plaintext values are now allowed [GH-1874]

    🐛 BUG FIXES:

    • audit: Fix panic being caused by some values logging as underlying Go types instead of formatted strings [GH-1912]
    • auth/approle: Fixed panic on deleting approle that doesn't exist [GH-1920]
    • auth/approle: Not letting secret IDs and secret ID accessors to get logged in plaintext in audit logs [GH-1947]
    • auth/aws-ec2: Allow authentication if the underlying host is in a bad state but the instance is running [GH-1884]
    • auth/token: Fixed metadata getting missed out from token lookup response by gracefully handling token entry upgrade [GH-1924]
    • cli: Don't error on newline in token file [GH-1774]
    • core: Pass back content-type header for forwarded requests [GH-1791]
    • core: Fix panic if the same key was given twice to generate-root [GH-1827]
    • core: Fix potential deadlock on unmount/remount [GH-1793]
    • physical/file: Remove empty directories from the file storage backend [GH-1821]
    • physical/zookeeper: Remove empty directories from the zookeeper storage backend and add a fix to the file storage backend's logic [GH-1964]
    • secret/aws: Added update operation to aws/sts path to consider ttl parameter [39b75c6]
    • secret/aws: Mark STS secrets as non-renewable [GH-1804]
    • secret/cassandra: Properly store session for re-use [GH-1802]
    • secret/ssh: Fix panic when revoking SSH dynamic keys [GH-1781]

  • v0.6.1 Changes

    August 22, 2016

    🗄 DEPRECATIONS/CHANGES:

    • Once the active node is 0.6.1, standby nodes must also be 0.6.1 in order to connect to the HA cluster. We recommend following our general upgrade instructions in addition to 0.6.1-specific upgrade instructions to ensure that this is not an issue.
    • Status codes for sealed/uninitialized Vaults have changed to 503/501 respectively. See the version-specific upgrade guide for more details.
    • Root tokens (tokens with the root policy) can no longer be created except by another root token or the generate-root endpoint.
    • Issued certificates from the pki backend against new roles created or modified after upgrading will contain a set of default key usages.
    • The dynamodb physical data store no longer supports HA by default. It has some non-ideal behavior around failover that was causing confusion. See the documentation for information on enabling HA mode. It is very important that this configuration is added before upgrading.
    • The ldap backend no longer searches for memberOf groups as part of its normal flow. Instead, the desired group filter must be specified. This fixes some errors and increases speed for directories with different structures, but if this behavior has been relied upon, ensure that you see the upgrade notes before upgrading.
    • app-id is now deprecated with the addition of the new AppRole backend. There are no plans to remove it, but we encourage using AppRole whenever possible, as it offers enhanced functionality and can accommodate many more types of authentication paradigms.

    🔋 FEATURES:

    • AppRole Authentication Backend: The approle backend is a machine-oriented authentication backend that provides a similar concept to App-ID while adding many missing features, including a pull model that allows for the backend to generate authentication credentials rather than requiring operators or other systems to push credentials in. It should be useful in many more situations than App-ID. The inclusion of this backend deprecates App-ID. [GH-1426]
    • Request Forwarding: Vault servers can now forward requests to each other rather than redirecting clients. This feature is off by default in 0.6.1 but will be on by default in the next release. See the HA concepts page for information on enabling and configuring it. [GH-443]
    • Convergent Encryption in Transit: The transit backend now supports a convergent encryption mode where the same plaintext will produce the same ciphertext. Although very useful in some situations, this has potential security implications, which are mostly mitigated by requiring the use of key derivation when convergent encryption is enabled. See the transit backend documentation for more details. [GH-1537]
    • Improved LDAP Group Filters: The ldap auth backend now uses templates to define group filters, providing the capability to support some directories that could not easily be supported before (especially specific Active Directory setups with nested groups). [GH-1388]
    • Key Usage Control in PKI: Issued certificates from roles created or modified after upgrading contain a set of default key usages for increased compatibility with OpenVPN and some other software. This set can be changed when writing a role definition. Existing roles are unaffected. [GH-1552]
    • Request Retrying in the CLI and Go API: Requests that fail with a 5xx error code will now retry after a backoff. The maximum total number of retries (including disabling this functionality) can be set with an environment variable. See the environment variable documentation for more details. [GH-1594]
    • Service Discovery in vault init: The new -auto option on vault init will perform service discovery using Consul. When only one node is discovered, it will be initialized and when more than one node is discovered, they will be output for easy selection. See vault init --help for more details. [GH-1642]
    • MongoDB Secret Backend: Generate dynamic unique MongoDB database credentials based on configured roles. Sponsored by CommerceHub. [GH-1414]
    • Circonus Metrics Integration: Vault can now send metrics to Circonus. See the configuration documentation for details. [GH-1646]

    👌 IMPROVEMENTS:

    • audit: Added a unique identifier to each request which will also be found in the request portion of the response. [GH-1650]
    • auth/aws-ec2: Added a new constraint bound_account_id to the role [GH-1523]
    • auth/aws-ec2: Added a new constraint bound_iam_role_arn to the role [GH-1522]
    • auth/aws-ec2: Added ttl field for the role [GH-1703]
    • auth/ldap, secret/cassandra, physical/consul: Clients with tls.Config have the minimum TLS version set to 1.2 by default. This is configurable.
    • auth/token: Added endpoint to list accessors [GH-1676]
    • auth/token: Added disallowed_policies option to token store roles [GH-1681]
    • auth/token: root or sudo tokens can now create periodic tokens via auth/token/create; additionally, the same token can now be periodic and have an explicit max TTL [GH-1725]
    • build: Add support for building on Solaris/Illumos [GH-1726]
    • cli: Output formatting in the presence of warnings in the response object [GH-1533]
    • cli: vault auth command supports a -path option to take in the path at which the auth backend is enabled, thereby allowing authenticating against different paths using the command options [GH-1532]
    • cli: vault auth -methods will now display the config settings of the mount [GH-1531]
    • cli: vault read/write/unwrap -field now allows selecting token response fields [GH-1567]
    • cli: vault write -field now allows selecting wrapped response fields [GH-1567]
    • command/status: Version information and cluster details added to the output of vault status command [GH-1671]
    • core: Response wrapping is now enabled for login endpoints [GH-1588]
    • core: The duration of leadership is now exported via events through telemetry [GH-1625]
    • core: sys/capabilities-self is now accessible as part of the default policy [GH-1695]
    • core: sys/renew is now accessible as part of the default policy [GH-1701]
    • core: Unseal keys will now be returned in both hex and base64 forms, and either can be used [GH-1734]
    • core: Responses from most /sys endpoints now return normal api.Secret structs in addition to the values they carried before. This means that response wrapping can now be used with most authenticated /sys operations [GH-1699]
    • physical/etcd: Support ETCD_ADDR env var for specifying addresses [GH-1576]
    • physical/consul: Allowing additional tags to be added to Consul service registration via service_tags option [GH-1643]
    • secret/aws: Listing of roles is supported now [GH-1546]
    • secret/cassandra: Add connect_timeout value for Cassandra connection configuration [GH-1581]
    • secret/mssql,mysql,postgresql: Reading of connection settings is supported in all the sql backends [GH-1515]
    • secret/mysql: Added optional maximum idle connections value to MySQL connection configuration [GH-1635]
    • secret/mysql: Use a combination of the role name and token display name in generated user names and allow the length to be controlled [GH-1604]
    • secret/{cassandra,mssql,mysql,postgresql}: SQL statements can now be passed in via one of four ways: a semicolon-delimited string, a base64-delimited string, a serialized JSON string array, or a base64-encoded serialized JSON string array [GH-1686]
    • secret/ssh: Added allowed_roles to vault-ssh-helper's config and returning role name as part of response of verify API
    • secret/ssh: Added passthrough of command line arguments to ssh [GH-1680]
    • sys/health: Added version information to the response of health status endpoint [GH-1647]
    • sys/health: Cluster information isbe returned as part of health status when Vault is unsealed [GH-1671]
    • sys/mounts: MountTable data is compressed before serializing to accommodate thousands of mounts [GH-1693]
    • website: The token concepts page has been completely rewritten [GH-1725]

    🐛 BUG FIXES:

    • auth/aws-ec2: Added a nil check for stored whitelist identity object during renewal [GH-1542]
    • auth/cert: Fix panic if no client certificate is supplied [GH-1637]
    • auth/token: Don't report that a non-expiring root token is renewable, as attempting to renew it results in an error [GH-1692]
    • cli: Don't retry a command when a redirection is received [GH-1724]
    • core: Fix regression causing status codes to be 400 in most non-5xx error cases [GH-1553]
    • core: Fix panic that could occur during a leadership transition [GH-1627]
    • physical/postgres: Remove use of prepared statements as this causes connection multiplexing software to break [GH-1548]
    • physical/consul: Multiple Vault nodes on the same machine leading to check ID collisions were resulting in incorrect health check responses [GH-1628]
    • physical/consul: Fix deregistration of health checks on exit [GH-1678]
    • secret/postgresql: Check for existence of role before attempting deletion [GH-1575]
    • secret/postgresql: Handle revoking roles that have privileges on sequences [GH-1573]
    • secret/postgresql(,mysql,mssql): Fix incorrect use of database over transaction object which could lead to connection exhaustion [GH-1572]
    • secret/pki: Fix parsing CA bundle containing trailing whitespace [GH-1634]
    • secret/pki: Fix adding email addresses as SANs [GH-1688]
    • secret/pki: Ensure that CRL values are always UTC, per RFC [GH-1727]
    • sys/seal-status: Fixed nil Cluster object while checking seal status [GH-1715]

  • v0.6.0 Changes

    June 14, 2016

    🔒 SECURITY:

    • Although sys/revoke-prefix was intended to revoke prefixes of secrets (via lease IDs, which incorporate path information) and auth/token/revoke-prefix was intended to revoke prefixes of tokens (using the tokens' paths and, since 0.5.2, role information), in implementation they both behaved exactly the same way since a single component in Vault is responsible for managing lifetimes of both, and the type of the tracked lifetime was not being checked. The end result was that either endpoint could revoke both secret leases and tokens. We consider this a very minor security issue as there are a number of mitigating factors: both endpoints require sudo capability in addition to write capability, preventing blanket ACL path globs from providing access; both work by using the prefix to revoke as a part of the endpoint path, allowing them to be properly ACL'd; and both are intended for emergency scenarios and users should already not generally have access to either one. In order to prevent confusion, we have simply removed auth/token/revoke-prefix in 0.6, and sys/revoke-prefix will be meant for both leases and tokens instead.

    🗄 DEPRECATIONS/CHANGES:

    • auth/token/revoke-prefix has been removed. See the security notice for details. [GH-1280]
    • Vault will now automatically register itself as the vault service when using the consul backend and will perform its own health checks. See the Consul backend documentation for information on how to disable auto-registration and service checks.
    • List operations that do not find any keys now return a 404 status code rather than an empty response object [GH-1365]
    • CA certificates issued from the pki backend no longer have associated leases, and any CA certs already issued will ignore revocation requests from the lease manager. This is to prevent CA certificates from being revoked when the token used to issue the certificate expires; it was not be obvious to users that they need to ensure that the token lifetime needed to be at least as long as a potentially very long-lived CA cert.

    🔋 FEATURES:

    • AWS EC2 Auth Backend: Provides a secure introduction mechanism for AWS EC2 instances allowing automated retrieval of Vault tokens. Unlike most Vault authentication backends, this backend does not require first deploying or provisioning security-sensitive credentials (tokens, username/password, client certificates, etc). Instead, it treats AWS as a Trusted Third Party and uses the cryptographically signed dynamic metadata information that uniquely represents each EC2 instance. Vault Enterprise customers have access to a turnkey client that speaks the backend API and makes access to a Vault token easy.
    • Response Wrapping: Nearly any response within Vault can now be wrapped inside a single-use, time-limited token's cubbyhole, taking the Cubbyhole Authentication Principles mechanism to its logical conclusion. Retrieving the original response is as simple as a single API command or the new vault unwrap command. This makes secret distribution easier and more secure, including secure introduction.
    • Azure Physical Backend: You can now use Azure blob object storage as your Vault physical data store [GH-1266]
    • Swift Physical Backend: You can now use Swift blob object storage as your Vault physical data store [GH-1425]
    • Consul Backend Health Checks: The Consul backend will automatically register a vault service and perform its own health checking. By default the active node can be found at active.vault.service.consul and all with standby nodes are standby.vault.service.consul. Sealed vaults are marked critical and are not listed by default in Consul's service discovery. See the documentation for details. [GH-1349]
    • Explicit Maximum Token TTLs: You can now set explicit maximum TTLs on tokens that do not honor changes in the system- or mount-set values. This is useful, for instance, when the max TTL of the system or the auth/token mount must be set high to accommodate certain needs but you want more granular restrictions on tokens being issued directly from the Token authentication backend at auth/token. [GH-1399]
    • Non-Renewable Tokens: When creating tokens directly through the token authentication backend, you can now specify in both token store roles and the API whether or not a token should be renewable, defaulting to true.
    • RabbitMQ Secret Backend: Vault can now generate credentials for RabbitMQ. Vhosts and tags can be defined within roles. [GH-788]

    👌 IMPROVEMENTS:

    • audit: Add the DisplayName value to the copy of the Request object embedded in the associated Response, to match the original Request object [GH-1387]
    • audit: Enable auditing of the seal and step-down commands [GH-1435]
    • backends: Remove most root/sudo paths in favor of normal ACL mechanisms. A particular exception are any current MFA paths. A few paths in token and sys also require root or sudo. [GH-1478]
    • command/auth: Restore the previous authenticated token if the auth command fails to authenticate the provided token [GH-1233]
    • command/write: -format and -field can now be used with the write command [GH-1228]
    • core: Add mlock support for FreeBSD, OpenBSD, and Darwin [GH-1297]
    • core: Don't keep lease timers around when tokens are revoked [GH-1277]
    • core: If using the disable_cache option, caches for the policy store and the transit backend are now disabled as well [GH-1346]
    • credential/cert: Renewal requests are rejected if the set of policies has changed since the token was issued [GH-477]
    • credential/cert: Check CRLs for specific non-CA certs configured in the backend [GH-1404]
    • credential/ldap: If groupdn is not configured, skip searching LDAP and only return policies for local groups, plus a warning [GH-1283]
    • credential/ldap: vault list support for users and groups [GH-1270]
    • credential/ldap: Support for the memberOf attribute for group membership searching [GH-1245]
    • credential/userpass: Add list support for users [GH-911]
    • credential/userpass: Remove user configuration paths from requiring sudo, in favor of normal ACL mechanisms [GH-1312]
    • credential/token: Sanitize policies and add default policies in appropriate places [GH-1235]
    • credential/token: Setting the renewable status of a token is now possible via vault token-create and the API. The default is true, but tokens can be specified as non-renewable. [GH-1499]
    • secret/aws: Use chain credentials to allow environment/EC2 instance/shared providers [GH-307]
    • secret/aws: Support for STS AssumeRole functionality [GH-1318]
    • secret/consul: Reading consul access configuration supported. The response will contain non-sensitive information only [GH-1445]
    • secret/pki: Added exclude_cn_from_sans field to prevent adding the CN to DNS or Email Subject Alternate Names [GH-1220]
    • secret/pki: Added list support for certificates [GH-1466]
    • sys/capabilities: Enforce ACL checks for requests that query the capabilities of a token on a given path [GH-1221]
    • sys/health: Status information can now be retrieved with HEAD [GH-1509]

    🐛 BUG FIXES:

    • command/read: Fix panic when using -field with a non-string value [GH-1308]
    • command/token-lookup: Fix TTL showing as 0 depending on how a token was created. This only affected the value shown at lookup, not the token behavior itself. [GH-1306]
    • command/various: Tell the JSON decoder to not convert all numbers to floats; fixes some various places where numbers were showing up in scientific notation
    • command/server: Prioritized devRootTokenID and devListenAddress flags over their respective env vars [GH-1480]
    • command/ssh: Provided option to disable host key checking. The automated variant of vault ssh command uses sshpass which was failing to handle host key checking presented by the ssh binary. [GH-1473]
    • core: Properly persist mount-tuned TTLs for auth backends [GH-1371]
    • core: Don't accidentally crosswire SIGINT to the reload handler [GH-1372]
    • credential/github: Make organization comparison case-insensitive during login [GH-1359]
    • credential/github: Fix panic when renewing a token created with some earlier versions of Vault [GH-1510]
    • credential/github: The token used to log in via vault auth can now be specified in the VAULT_AUTH_GITHUB_TOKEN environment variable [GH-1511]
    • credential/ldap: Fix problem where certain error conditions when configuring or opening LDAP connections would cause a panic instead of return a useful error message [GH-1262]
    • credential/token: Fall back to normal parent-token semantics if allowed_policies is empty for a role. Using allowed_policies of default resulted in the same behavior anyways. [GH-1276]
    • credential/token: Fix issues renewing tokens when using the "suffix" capability of token roles [GH-1331]
    • credential/token: Fix lookup via POST showing the request token instead of the desired token [GH-1354]
    • credential/various: Fix renewal conditions when default policy is not contained in the backend config [GH-1256]
    • physical/s3: Don't panic in certain error cases from bad S3 responses [GH-1353]
    • secret/consul: Use non-pooled Consul API client to avoid leaving files open [GH-1428]
    • secret/pki: Don't check whether a certificate is destined to be a CA certificate if sign-verbatim endpoint is used [GH-1250]

  • v0.5.3 Changes

    May 27, 2016

    🔒 SECURITY:

    • Consul ACL Token Revocation: An issue was reported to us indicating that generated Consul ACL tokens were not being properly revoked. Upon investigation, we found that this behavior was reproducible in a specific scenario: when a generated lease for a Consul ACL token had been renewed prior to revocation. In this case, the generated token was not being properly persisted internally through the renewal function, leading to an error during revocation due to the missing token. Unfortunately, this was coded as a user error rather than an internal error, and the revocation logic was expecting internal errors if revocation failed. As a result, the revocation logic believed the revocation to have succeeded when it in fact failed, causing the lease to be dropped while the token was still valid within Consul. In this release, the Consul backend properly persists the token through renewals, and the revocation logic has been changed to consider any error type to have been a failure to revoke, causing the lease to persist and attempt to be revoked later.

    We have written an example shell script that searches through Consul's ACL tokens and looks for those generated by Vault, which can be used as a template 🔒 for a revocation script as deemed necessary for any particular security response. The script is available at https://gist.github.com/jefferai/6233c2963f9407a858d84f9c27d725c0

    Please note that any outstanding leases for Consul tokens produced prior to 0.5.3 that have been renewed will continue to exhibit this behavior. As a result, we recommend either revoking all tokens produced by the backend and issuing new ones, or if needed, a more advanced variant of the provided example could use the timestamp embedded in each generated token's name to decide which tokens are too old and should be deleted. This could then be run periodically up until the maximum lease time for any outstanding pre-0.5.3 tokens has expired.

    🚀 This is a security-only release. There are no other code changes since 0.5.2. The binaries have one additional change: they are built against Go 1.6.1 rather 🔒 than Go 1.6, as Go 1.6.1 contains two security fixes to the Go programming language itself.

  • v0.5.2 Changes

    March 16, 2016

    🔋 FEATURES:

    • MSSQL Backend: Generate dynamic unique MSSQL database credentials based on configured roles [GH-998]
    • Token Accessors: Vault now provides an accessor with each issued token. This accessor is an identifier that can be used for a limited set of actions, notably for token revocation. This value can be logged in plaintext to audit logs, and in combination with the plaintext metadata logged to audit logs, provides a searchable and straightforward way to revoke particular users' or services' tokens in many cases. To enable plaintext audit logging of these accessors, set hmac_accessor=false when enabling an audit backend.
    • Token Credential Backend Roles: Roles can now be created in the token credential backend that allow modifying token behavior in ways that are not otherwise exposed or easily delegated. This allows creating tokens with a fixed set (or subset) of policies (rather than a subset of the calling token's), periodic tokens with a fixed TTL but no expiration, specified prefixes, and orphans.
    • Listener Certificate Reloading: Vault's configured listeners now reload their TLS certificate and private key when the Vault process receives a SIGHUP.

    👌 IMPROVEMENTS:

    • auth/token: Endpoints optionally accept tokens from the HTTP body rather than just from the URLs [GH-1211]
    • auth/token,sys/capabilities: Added new endpoints auth/token/lookup-accessor, auth/token/revoke-accessor and sys/capabilities-accessor, which enables performing the respective actions with just the accessor of the tokens, without having access to the actual token [GH-1188]
    • core: Ignore leading / in policy paths [GH-1170]
    • core: Ignore leading / in mount paths [GH-1172]
    • command/policy-write: Provided HCL is now validated for format violations and provides helpful information around where the violation occurred [GH-1200]
    • command/server: The initial root token ID when running in -dev mode can now be specified via -dev-root-token-id or the environment variable VAULT_DEV_ROOT_TOKEN_ID [GH-1162]
    • command/server: The listen address when running in -dev mode can now be specified via -dev-listen-address or the environment variable VAULT_DEV_LISTEN_ADDRESS [GH-1169]
    • command/server: The configured listeners now reload their TLS certificates/keys when Vault is SIGHUP'd [GH-1196]
    • command/step-down: New vault step-down command and API endpoint to force the targeted node to give up active status, but without sealing. The node will wait ten seconds before attempting to grab the lock again. [GH-1146]
    • command/token-renew: Allow no token to be passed in; use renew-self in this case. Change the behavior for any token being passed in to use renew. [GH-1150]
    • credential/app-id: Allow app-id parameter to be given in the login path; this causes the app-id to be part of the token path, making it easier to use with revoke-prefix [GH-424]
    • credential/cert: Non-CA certificates can be used for authentication. They must be matched exactly (issuer and serial number) for authentication, and the certificate must carry the client authentication or 'any' extended usage attributes. [GH-1153]
    • credential/cert: Subject and Authority key IDs are output in metadata; this allows more flexible searching/revocation in the audit logs [GH-1183]
    • credential/cert: Support listing configured certs [GH-1212]
    • credential/userpass: Add support for create/update capability distinction in user path, and add user-specific endpoints to allow changing the password and policies [GH-1216]
    • credential/token: Add roles [GH-1155]
    • secret/mssql: Add MSSQL backend [GH-998]
    • secret/pki: Add revocation time (zero or Unix epoch) to pki/cert/SERIAL endpoint [GH-1180]
    • secret/pki: Sanitize serial number in pki/revoke endpoint to allow some other formats [GH-1187]
    • secret/ssh: Added documentation for ssh/config/zeroaddress endpoint. [GH-1154]
    • sys: Added new endpoints sys/capabilities and sys/capabilities-self to fetch the capabilities of a token on a given path [GH-1171]
    • sys: Added sys/revoke-force, which enables a user to ignore backend errors when revoking a lease, necessary in some emergency/failure scenarios [GH-1168]
    • sys: The return codes from sys/health can now be user-specified via query parameters [GH-1199]

    🐛 BUG FIXES:

    • logical/cassandra: Apply hyphen/underscore replacement to the entire generated username, not just the UUID, in order to handle token display name hyphens [GH-1140]
    • physical/etcd: Output actual error when cluster sync fails [GH-1141]
    • vault/expiration: Not letting the error responses from the backends to skip during renewals [GH-1176]

  • v0.5.1 Changes

    February 25, 2016

    🗄 DEPRECATIONS/CHANGES:

    • RSA keys less than 2048 bits are no longer supported in the PKI backend. 1024-bit keys are considered unsafe and are disallowed in the Internet PKI. The pki backend has enforced SHA256 hashes in signatures from the beginning, and software that can handle these hashes should be able to handle larger key sizes. [GH-1095]
    • The PKI backend now does not automatically delete expired certificates, including from the CRL. Doing so could lead to a situation where a time mismatch between the Vault server and clients could result in a certificate that would not be considered expired by a client being removed from the CRL. The new pki/tidy endpoint can be used to trigger expirations. [GH-1129]
    • The cert backend now performs a variant of channel binding at renewal time for increased security. In order to not overly burden clients, a notion of identity is used. This functionality can be disabled. See the 0.5.1 upgrade guide for more specific information [GH-1127]

    🔋 FEATURES:

    • Codebase Audit: Vault's 0.5 codebase was audited by iSEC. (The terms of the audit contract do not allow us to make the results public.) [GH-220]

    👌 IMPROVEMENTS:

    • api: The VAULT_TLS_SERVER_NAME environment variable can be used to control the SNI header during TLS connections [GH-1131]
    • api/health: Add the server's time in UTC to health responses [GH-1117]
    • command/rekey and command/generate-root: These now return the status at attempt initialization time, rather than requiring a separate fetch for the nonce [GH-1054]
    • credential/cert: Don't require root/sudo tokens for the certs/ and crls/ paths; use normal ACL behavior instead [GH-468]
    • credential/github: The validity of the token used for login will be checked at renewal time [GH-1047]
    • credential/github: The config endpoint no longer requires a root token; normal ACL path matching applies
    • deps: Use the standardized Go 1.6 vendoring system
    • secret/aws: Inform users of AWS-imposed policy restrictions around STS tokens if they attempt to use an invalid policy [GH-1113]
    • secret/mysql: The MySQL backend now allows disabling verification of the connection_url [GH-1096]
    • secret/pki: Submitted CSRs are now verified to have the correct key type and minimum number of bits according to the role. The exception is intermediate CA signing and the sign-verbatim path [GH-1104]
    • secret/pki: New tidy endpoint to allow expunging expired certificates. [GH-1129]
    • secret/postgresql: The PostgreSQL backend now allows disabling verification of the connection_url [GH-1096]
    • secret/ssh: When verifying an OTP, return 400 if it is not valid instead of 204 [GH-1086]
    • credential/app-id: App ID backend will check the validity of app-id and user-id during renewal time [GH-1039]
    • credential/cert: TLS Certificates backend, during renewal, will now match the client identity with the client identity used during login [GH-1127]

    🐛 BUG FIXES:

    • credential/ldap: Properly escape values being provided to search filters [GH-1100]
    • secret/aws: Capping on length of usernames for both IAM and STS types [GH-1102]
    • secret/pki: If a cert is not found during lookup of a serial number, respond with a 400 rather than a 500 [GH-1085]
    • secret/postgresql: Add extra revocation statements to better handle more permission scenarios [GH-1053]
    • secret/postgresql: Make connection_url work properly [GH-1112]