Vault v1.3 Release Notes
Release Date: 2019-11-14
CHANGES:
- Secondary cluster activation: There has been a change to the way that activating performance and DR secondary clusters works when using public keys for encryption of the parameters rather than a wrapping token. This flow was experimental and never documented. It is now officially supported and documented but is not backwards compatible with older Vault releases.
- Cluster cipher suites: On its cluster port, Vault will no longer advertise the full TLS 1.2 cipher suite list by default. Although this port is only used for Vault-to-Vault communication and would always pick a strong cipher, it could cause false flags on port scanners and other security utilities that assumed insecure ciphers were being used. The previous behavior can be achieved by setting the value of the (undocumented) `cluster_cipher_suites` config flag to `tls12`.
- API/Agent Renewal behavior: The API now allows multiple options for how it deals with renewals. The legacy behavior in the Agent/API is for the renewer (now called the lifetime watcher) to exit on a renew error, leading to a reauthentication. The new default behavior is for the lifetime watcher to ignore 5XX errors and simply retry as scheduled, using the existing lease duration. It is also possible, within custom code, to disable renewals entirely, which allows the lifetime watcher to simply return when it believes it is time for your code to renew or reauthenticate.
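The three renewal policies described above (the legacy exit-on-error behavior, the new default that ignores 5XX errors and keeps the existing lease, and renewals disabled) are modelled below as an added, self-contained example. This is not Vault's or the Vault API library's code: the `RenewBehavior*` constant names, the `Watcher` type, the constructed `RenewResult` responses and the simplified two-thirds-of-lease `NextRenewal` schedule are all assumptions of this example, chosen to mirror the wording of the notes.

```go
package main

import (
	"fmt"
	"time"
)

// RenewBehavior names the three renewal policies the release notes describe.
// The constant names are this example's own, chosen to echo the notes.
type RenewBehavior int

const (
	// Legacy behaviour: any renew error ends the watcher so the caller re-authenticates.
	RenewBehaviorErrorOnErrors RenewBehavior = iota
	// New default: a 5XX renew error is ignored and the next attempt is scheduled
	// using the lease duration already held.
	RenewBehaviorIgnoreErrors
	// Renewals disabled: the watcher returns as soon as it is time to renew,
	// leaving the renew or re-authenticate decision to the caller.
	RenewBehaviorRenewDisabled
)

// RenewResult is a constructed stand-in for one renewal response.
type RenewResult struct {
	Status        int           // HTTP-style status; 200 means the renew succeeded
	LeaseDuration time.Duration // lease duration returned on success
}

// Outcome is what the watcher decided after seeing one response.
type Outcome string

const (
	OutcomeRenewed        Outcome = "renewed"          // lease duration updated
	OutcomeRetrySameLease Outcome = "retry-same-lease" // error ignored, reschedule on old lease
	OutcomeExit           Outcome = "exit"             // watcher returns to the caller
)

// Watcher is a minimal model of the lifetime watcher's decision loop.
type Watcher struct {
	Behavior      RenewBehavior
	LeaseDuration time.Duration
}

// NextRenewal is the simplified schedule this model assumes: renew after two
// thirds of the current lease. This is an assumption of the example, not
// Vault's exact grace-period arithmetic.
func (w *Watcher) NextRenewal() time.Duration {
	return w.LeaseDuration * 2 / 3
}

// Step applies one renewal response and returns the watcher's decision.
func (w *Watcher) Step(r RenewResult) (Outcome, error) {
	if w.Behavior == RenewBehaviorRenewDisabled {
		// Nothing is renewed; the caller is told it is time to act.
		return OutcomeExit, nil
	}
	switch {
	case r.Status == 200:
		w.LeaseDuration = r.LeaseDuration
		return OutcomeRenewed, nil
	case r.Status >= 500 && r.Status <= 599 && w.Behavior == RenewBehaviorIgnoreErrors:
		// Server-side failure: keep the existing lease duration and retry as scheduled.
		return OutcomeRetrySameLease, nil
	default:
		// 4XX (for example a token that is no longer valid) or legacy behaviour:
		// stop and let the caller re-authenticate.
		return OutcomeExit, fmt.Errorf("renew failed with status %d", r.Status)
	}
}

// Run feeds constructed responses to a watcher until it exits or the responses
// run out, returning the decisions and the lease duration the watcher ends with.
func Run(b RenewBehavior, initial time.Duration, responses []RenewResult) ([]Outcome, time.Duration) {
	w := &Watcher{Behavior: b, LeaseDuration: initial}
	var log []Outcome
	if b == RenewBehaviorRenewDisabled {
		out, _ := w.Step(RenewResult{})
		return append(log, out), w.LeaseDuration
	}
	for _, r := range responses {
		out, _ := w.Step(r)
		log = append(log, out)
		if out == OutcomeExit {
			break
		}
	}
	return log, w.LeaseDuration
}

func main() {
	// Constructed sequence: transient 500, successful renew, transient 503, then a 403.
	responses := []RenewResult{
		{Status: 500},
		{Status: 200, LeaseDuration: 90 * time.Second},
		{Status: 503},
		{Status: 403},
	}
	for _, b := range []RenewBehavior{RenewBehaviorErrorOnErrors, RenewBehaviorIgnoreErrors, RenewBehaviorRenewDisabled} {
		log, lease := Run(b, 60*time.Second, responses)
		fmt.Printf("behavior=%d outcomes=%v final_lease=%s\n", b, log, lease)
	}
}
```

Running the block shows the practical difference: under the legacy policy the first 500 ends the watcher and forces a fresh login, while under the new default the same 500 is retried on the 60s lease, the successful renew moves the lease to 90s, the 503 is again retried, and only the 403 ends the watcher.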
FEATURES:
- Vault Debug: A new top-level subcommand, `debug`, is added that allows operators to retrieve debugging information related to a particular Vault node. Operators can use this simple workflow to capture triaging information, which can then be consumed programmatically or by support and engineering teams. It has the ability to probe for config, host, metrics, pprof, server status, and replication status.
- Recovery Mode: Vault server can be brought up in recovery mode to resolve outages caused by the data store being in a bad state. This is a privileged mode that allows `sys/raw` API calls to perform surgical corrections to the data store. Bad storage state can be caused by bugs. However, this is usually observed when known (and fixed) bugs are hit by older versions of Vault.
- Entropy Augmentation (Enterprise): Vault now supports sourcing entropy from an external source for critical security parameters. Currently an HSM that supports PKCS#11 is the only supported source.
- Active Directory Secret Check-In/Check-Out: In the Active Directory secrets engine, users or applications can check out a service account for use, and its password will be rotated when it's checked back in.
- Vault Agent Template: Vault Agent now supports rendering templates containing Vault secrets to disk, similar to Consul Template [GH-7652]
- Transit Key Type Support: Signing and verification is now supported with the P-384 (secp384r1) and P-521 (secp521r1) ECDSA curves [GH-7551] and encryption and decryption is now supported via AES128-GCM96 [GH-7555]
- SSRF Protection for Vault Agent: Vault Agent has a configuration option to require a specific header before allowing requests [GH-7627]
- AWS Auth Method Root Rotation: The credential used by the AWS auth method can now be rotated, to ensure that only Vault knows the credentials it is using [GH-7131]
- New UI Features: The UI now supports managing users and groups for the Userpass, Cert, Okta, and Radius auth methods.
- Shamir with Stored Master Key: The on disk format for Shamir seals has changed, allowing for a secondary cluster using Shamir downstream from a primary cluster using Auto Unseal. [GH-7694]
- Stackdriver Metrics Sink: Vault can now send metrics to Stackdriver. See the configuration documentation for details. [GH-6957]
- Filtered Paths Replication (Enterprise): Based on the predecessor Filtered Mount Replication, Filtered Paths Replication allows now filtering of namespaces in addition to mounts. With this feature, Filtered Mount Replication should be considered deprecated.
- Token Renewal via Accessor: Tokens can now be renewed via the accessor value through the new `auth/token/renew-accessor` endpoint if the caller's token has permission to access that endpoint.
- Improved Integrated Storage (Beta): Improved raft write performance, added support for non-voter nodes, along with UI support for: using raft storage, joining a raft cluster, and downloading and restoring a snapshot.
IMPROVEMENTS:
- agent: Add ability to set the TLS SNI name used by Agent [GH-7519]
- agent & api: Change default renewer behavior to ignore 5XX errors [GH-7733]
- auth/jwt: The redirect callback host may now be specified for CLI logins [GH-71]
- auth/jwt: Bound claims may now contain boolean values [GH-73]
- auth/jwt: CLI logins can now open the browser when running in WSL [GH-77]
- core: Exit ScanView if context has been cancelled [GH-7419]
- core: re-encrypt barrier and recovery keys if the unseal key is updated [GH-7493]
- core: Don't advertise the full set of TLS 1.2 cipher suites on the cluster port, even though only strong ciphers were used [GH-7487]
- core (enterprise): Add background seal re-wrap
- core/metrics: Add config parameter to allow unauthenticated sys/metrics access. [GH-7550]
- metrics: Upgrade DataDog library to improve performance [GH-7794]
- replication (enterprise): Write-Ahead-Log entries will not duplicate the data belonging to the encompassing physical entries of the transaction, thereby improving the performance and storage capacity.
- replication (enterprise): Added more replication metrics
- replication (enterprise): Reindex process now compares subpages for a more accurate indexing process.
- replication (enterprise): Reindex API now accepts a new `skip_flush` parameter indicating all the changes should not be flushed while the tree is locked.
- secrets/aws: The root config can now be read [GH-7245]
- secrets/aws: Role paths may now contain the '@' character [GH-7553]
- secrets/database/cassandra: Add ability to skip verification of connection [GH-7614]
- secrets/gcp: Fix panic during rollback if the roleset has been deleted [GH-52]
- storage/azure: Add config parameter to Azure storage backend to allow specifying the ARM endpoint [GH-7567]
- storage/cassandra: Improve storage efficiency by eliminating unnecessary copies of value data [GH-7199]
- storage/raft: Improve raft write performance by utilizing FSM Batching [GH-7527]
- storage/raft: Add support for non-voter nodes [GH-7634]
- sys: Add a new `sys/host-info` endpoint for querying information about the host [GH-7330]
- sys: Add a new set of endpoints under `sys/pprof/` that allows profiling information to be extracted [GH-7473]
- sys: Add endpoint that counts the total number of active identity entities [GH-7541]
- sys: `sys/seal-status` now has a `storage_type` field denoting what type of storage the cluster is configured to use
- sys: Add a new `sys/internal/counters/tokens` endpoint, that counts the total number of active service token accessors in the shared token storage. [GH-7541]
- sys/config: Add a new endpoint under `sys/config/state/sanitized` that returns the configuration state of the server. It excludes config values from `storage`, `ha_storage`, and `seal` stanzas and some values from `telemetry` due to potential sensitive entries in those fields.
- ui: when using raft storage, you can now join a raft cluster, download a snapshot, and restore a snapshot from the UI [GH-7410]
- ui: clarify when secret version is deleted in the secret version history dropdown [GH-7714]
BUG FIXES:
- agent: Fix a data race on the token value for inmemsink [GH-7707]
- api: Fix Go API using lease revocation via URL instead of body [GH-7777]
- api: Allow setting a function to control retry behavior [GH-7331]
- auth/gcp: Fix a bug where region information in instance groups names could cause an authorization attempt to fail [GH-74]
- cli: Fix a bug where a token of an unknown format (e.g. in ~/.vault-token) could cause confusing error messages during `vault login` [GH-7508]
- cli: Fix a bug where the `namespace list` command with JSON formatting always returned an empty object [GH-7705]
- cli: Command timeouts are now always specified solely by the `VAULT_CLIENT_TIMEOUT` value. [GH-7469]
- core: Don't allow registering a non-root zero TTL token lease. This is purely defense in depth as the lease would be revoked immediately anyways, but there's no real reason to allow registration. [GH-7524]
- core: Correctly revoke the token that's present in the response auth from an auth/token/ request if there's partial failure during the process. [GH-7835]
- identity (enterprise): Fixed identity case sensitive loading in secondary cluster [GH-7327]
- identity: Ensure only replication primary stores the identity case sensitivity state [GH-7820]
- raft: Fixed VAULT_CLUSTER_ADDR env being ignored at startup [GH-7619]
- secrets/pki: Don't allow duplicate SAN names in issued certs [GH-7605]
- sys/health: Pay attention to the values provided for `standbyok` and `perfstandbyok` rather than simply using their presence as a key to flip on that behavior [GH-7323]
- ui: using the `wrapped_token` query param will work with `redirect_to` and will automatically log in as intended [GH-7398]
- ui: fix an error when initializing from the UI using PGP keys [GH-7542]
- ui: show all active kv v2 secret versions even when `delete_version_after` is configured [GH-7685]
- ui: Ensure that items in the top navigation link to pages that users have access to [GH-7590]
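The `sys/health` fix above (reading the values of `standbyok` and `perfstandbyok` instead of only their presence) is illustrated below with an added example that is not Vault's code. It contrasts a presence-only reading of the query string with a value-based one; the `HealthFlags` type, the two parser functions and the rule that an absent, empty or unparsable value reads as false are assumptions of this example, and the query strings are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
)

// HealthFlags holds the two health-check flags the fix concerns.
type HealthFlags struct {
	StandbyOK     bool
	PerfStandbyOK bool
}

// parseFlagsByPresence models the pre-fix reading: a parameter counts as
// enabled whenever it appears in the query string, whatever its value, so
// "standbyok=false" still turns the behaviour on.
func parseFlagsByPresence(q url.Values) HealthFlags {
	_, s := q["standbyok"]
	_, p := q["perfstandbyok"]
	return HealthFlags{StandbyOK: s, PerfStandbyOK: p}
}

// parseFlagsByValue models the fixed reading: the parameter's value decides.
// An absent, empty or unparsable value is treated as false (this example's rule).
func parseFlagsByValue(q url.Values) HealthFlags {
	read := func(name string) bool {
		v, ok := q[name]
		if !ok || len(v) == 0 {
			return false
		}
		b, err := strconv.ParseBool(v[0])
		return err == nil && b
	}
	return HealthFlags{StandbyOK: read("standbyok"), PerfStandbyOK: read("perfstandbyok")}
}

// CompareHealthParsing parses one raw query string both ways so the
// difference between the two readings can be checked side by side.
func CompareHealthParsing(rawQuery string) (HealthFlags, HealthFlags, error) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return HealthFlags{}, HealthFlags{}, err
	}
	return parseFlagsByPresence(q), parseFlagsByValue(q), nil
}

func main() {
	// Constructed query strings a load balancer or monitor might send.
	for _, raw := range []string{"standbyok=false&perfstandbyok=true", "perfstandbyok=1", "standbyok"} {
		before, after, err := CompareHealthParsing(raw)
		if err != nil {
			fmt.Println("bad query:", err)
			continue
		}
		fmt.Printf("%-36s presence=%+v value=%+v\n", raw, before, after)
	}
}
```

The first constructed query is the interesting one: a caller explicitly asking for `standbyok=false` was, under the presence-only reading, granted the standby-OK behaviour anyway, which matters because the health endpoint's status codes are what external checks use to decide where to route traffic.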