ยซ Changelog History


Vault v0.4.0 Release Notes

Release Date: 2015-12-10 // over 8 years ago

  • ๐Ÿ—„ DEPRECATIONS/CHANGES:

    • Policy Name Casing: Policy names are now normalized to lower-case on write, helping prevent accidental case mismatches. For backwards compatibility, policy names are not currently normalized when reading or deleting. [GH-676]
    • Default etcd port number: the default connection string for the etcd physical store uses port 2379 instead of port 4001, which is the port used by the supported version 2.x of etcd. [GH-753]
    • As noted below in the FEATURES section, if your Vault installation contains a policy called default, new tokens created will inherit this policy automatically.
    • In the PKI backend there have been a few minor breaking changes:
      • The token display name is no longer a valid option for providing a base domain for issuance. Since this name is prepended with the name of the authentication backend that issued it, it provided a faulty use-case at best and a confusing experience at worst. We hope to figure out a better per-token value in a future release.
      • The allowed_base_domain parameter has been changed to allowed_domains, which accepts a comma-separated list of domains. This allows issuing certificates with DNS subjects across multiple domains. If you had a configured allowed_base_domain parameter, it will be migrated automatically when the role is read (either via a normal read, or via issuing a certificate).

    ๐Ÿ”‹ FEATURES:

    • Significantly Enhanced PKI Backend: The pki backend can now generate and sign root CA certificates and intermediate CA CSRs. It can also now sign submitted client CSRs, as well as a significant number of other enhancements. See the updated documentation for the full API. [GH-666]
    • CRL Checking for Certificate Authentication: The cert backend now supports pushing CRLs into the mount and using the contained serial numbers for revocation checking. See the documentation for the cert backend for more info. [GH-330]
    • Default Policy: Vault now ensures that a policy named default is added to every token. This policy cannot be deleted, but it can be modified (including to an empty policy). There are three endpoints allowed in the default default policy, related to token self-management: lookup-self, which allows a token to retrieve its own information, and revoke-self and renew-self, which are self-explanatory. If your existing Vault installation contains a policy called default, it will not be overridden, but it will be added to each new token created. You can override this behavior when using manual token creation (i.e. not via an authentication backend) by setting the "no_default_policy" flag to true. [GH-732]

    ๐Ÿ‘Œ IMPROVEMENTS:

    • api: API client now uses a 60 second timeout instead of indefinite [GH-681]
    • api: Implement LookupSelf, RenewSelf, and RevokeSelf functions for auth tokens [GH-739]
    • api: Standardize environment variable reading logic inside the API; the CLI now uses this but can still override via command-line parameters [GH-618]
    • audit: HMAC-SHA256'd client tokens are now stored with each request entry. Previously they were only displayed at creation time; this allows much better traceability of client actions. [GH-713]
    • audit: There is now a sys/audit-hash endpoint that can be used to generate an HMAC-SHA256'd value from provided data using the given audit backend's salt [GH-784]
    • core: The physical storage read cache can now be disabled via "disable_cache" [GH-674]
    • core: The unsealing process can now be reset midway through (this feature was documented before, but not enabled) [GH-695]
    • core: Tokens can now renew themselves [GH-455]
    • core: Base64-encoded PGP keys can be used with the CLI for init and rekey operations [GH-653]
    • core: Print version on startup [GH-765]
    • core: Access to sys/policy and sys/mounts now uses the normal ACL system instead of requiring a root token [GH-769]
    • credential/token: Display whether or not a token is an orphan in the output of a lookup call [GH-766]
    • logical: Allow . in path-based variables in many more locations [GH-244]
    • logical: Responses now contain a "warnings" key containing a list of warnings returned from the server. These are conditions that did not require failing an operation, but of which the client should be aware. [GH-676]
    • physical/(consul,etcd): Consul and etcd now use a connection pool to limit the number of outstanding operations, improving behavior when a lot of operations must happen at once [GH-677] [GH-780]
    • physical/consul: The datacenter parameter was removed; It could not be effective unless the Vault node (or the Consul node it was connecting to) was in the datacenter specified, in which case it wasn't needed [GH-816]
    • physical/etcd: Support TLS-encrypted connections and use a connection pool to limit the number of outstanding operations [GH-780]
    • physical/s3: The S3 endpoint can now be configured, allowing using S3-API-compatible storage solutions [GH-750]
    • physical/s3: The S3 bucket can now be configured with the AWS_S3_BUCKET environment variable [GH-758]
    • secret/consul: Management tokens can now be created [GH-714]

    ๐Ÿ› BUG FIXES:

    • api: API client now checks for a 301 response for redirects. Vault doesn't generate these, but in certain conditions Go's internal HTTP handler can generate them, leading to client errors.
    • cli: token-create now supports the ttl parameter in addition to the deprecated lease parameter. [GH-688]
    • core: Return data from generic backends on the last use of a limited-use token [GH-615]
    • core: Fix upgrade path for leases created in generic prior to 0.3 [GH-673]
    • core: Stale leader entries will now be reaped [GH-679]
    • core: Using mount-tune on the auth/token path did not take effect. [GH-688]
    • core: Fix a potential race condition when (un)sealing the vault with metrics enabled [GH-694]
    • core: Fix an error that could happen in some failure scenarios where Vault could fail to revert to a clean state [GH-733]
    • core: Ensure secondary indexes are removed when a lease is expired [GH-749]
    • core: Ensure rollback manager uses an up-to-date mounts table [GH-771]
    • everywhere: Don't use http.DefaultClient, as it shares state implicitly and is a source of hard-to-track-down bugs [GH-700]
    • credential/token: Allow creating orphan tokens via an API path [GH-748]
    • secret/generic: Validate given duration at write time, not just read time; if stored durations are not parseable, return a warning and the default duration rather than an error [GH-718]
    • secret/generic: Return 400 instead of 500 when generic backend is written to with no data fields [GH-825]
    • secret/postgresql: Revoke permissions before dropping a user or revocation may fail [GH-699]

    MISC:

    • Various documentation fixes and improvements [GH-685] [GH-688] [GH-697] [GH-710] [GH-715] [GH-831]