Vault v1.3 Release Notes

Release Date: 2019-11-14
    🔄 CHANGES:

    • Secondary cluster activation: There has been a change to the way that activating performance and DR secondary clusters works when using public keys for encryption of the parameters rather than a wrapping token. This flow was experimental and never documented. It is now officially supported and documented but is not backwards compatible with older Vault releases.
    • Cluster cipher suites: On its cluster port, Vault will no longer advertise the full TLS 1.2 cipher suite list by default. Although this port is only used for Vault-to-Vault communication and would always negotiate a strong cipher, advertising the full list could cause false positives on port scanners and other security utilities that assumed insecure ciphers were in use. The previous behavior can be restored by setting the (undocumented) cluster_cipher_suites config flag to tls12.
    • API/Agent Renewal behavior: The API now allows multiple options for how it deals with renewals. The legacy behavior in the Agent/API is for the renewer (now called the lifetime watcher) to exit on a renew error, leading to a reauthentication. The new default behavior is for the lifetime watcher to ignore 5XX errors and simply retry as scheduled, using the existing lease duration. It is also possible, within custom code, to disable renewals entirely, which allows the lifetime watcher to simply return when it believes it is time for your code to renew or reauthenticate.
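The three renewal policies described above are easiest to compare side by side. The following is an added example, not code from the Vault project or its api package: it implements a deliberately simplified lifetime-watcher loop (no sleep between rounds) against a constructed stand-in for the auth/token/renew-self endpoint that answers 503 twice and then succeeds. The type and constant names (RenewBehavior, ErrorOnErrors, IgnoreErrors, RenewDisabled) are this example's own, chosen to mirror the behaviors in the text, and the token and lease values are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
	"time"
)

// RenewBehavior models the three renewal policies from the release notes.
// These names belong to this example, not to the vault/api package.
type RenewBehavior int

const (
	ErrorOnErrors RenewBehavior = iota // legacy: exit on any renew error
	IgnoreErrors                       // new default: retry 5XX, keep the lease
	RenewDisabled                      // never renew; return at renewal time
)

func (b RenewBehavior) String() string {
	return [...]string{"ErrorOnErrors", "IgnoreErrors", "RenewDisabled"}[b]
}

// renewResponse is the part of a renew-self reply the watcher needs.
type renewResponse struct {
	Auth struct {
		LeaseDuration int `json:"lease_duration"`
	} `json:"auth"`
}

// Outcome summarises one watcher run. Exited means the caller must now
// renew or re-authenticate itself.
type Outcome struct {
	Renewals int
	Retries  int
	Exited   bool
	Lease    time.Duration
}

// watch is a simplified lifetime-watcher loop. It attempts at most
// maxRounds renewals; the sleep between rounds is omitted so it runs fast.
func watch(c *http.Client, renewURL, token string, lease time.Duration,
	b RenewBehavior, maxRounds int) Outcome {
	out := Outcome{Lease: lease}
	if b == RenewDisabled {
		out.Exited = true // hand control back instead of renewing
		return out
	}
	for round := 0; round < maxRounds; round++ {
		req, err := http.NewRequest(http.MethodPost, renewURL, nil)
		if err != nil {
			out.Exited = true
			return out
		}
		req.Header.Set("X-Vault-Token", token)
		resp, err := c.Do(req)
		if err != nil {
			out.Exited = true // transport failure: treated as a hard error
			return out
		}
		var body renewResponse
		if resp.StatusCode == http.StatusOK {
			err = json.NewDecoder(resp.Body).Decode(&body)
		}
		resp.Body.Close()
		switch {
		case resp.StatusCode == http.StatusOK && err == nil:
			out.Renewals++
			out.Lease = time.Duration(body.Auth.LeaseDuration) * time.Second
		case resp.StatusCode >= 500 && b == IgnoreErrors:
			out.Retries++ // keep the existing lease and try again next round
		default:
			out.Exited = true // 4XX, bad body, or legacy behaviour on 5XX
			return out
		}
	}
	return out
}

// newFlakyVault is a constructed stand-in for auth/token/renew-self:
// the first `failures` calls answer 503, every later call succeeds.
func newFlakyVault(failures int32) *httptest.Server {
	var calls int32
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Vault-Token") == "" {
			http.Error(w, `{"errors":["missing client token"]}`, http.StatusForbidden)
			return
		}
		if atomic.AddInt32(&calls, 1) <= failures {
			http.Error(w, `{"errors":["storage unavailable"]}`, http.StatusServiceUnavailable)
			return
		}
		fmt.Fprint(w, `{"auth":{"lease_duration":3600}}`)
	}))
}

func main() {
	for _, b := range []RenewBehavior{ErrorOnErrors, IgnoreErrors, RenewDisabled} {
		srv := newFlakyVault(2)
		out := watch(srv.Client(), srv.URL+"/v1/auth/token/renew-self",
			"s.constructed-token", 60*time.Second, b, 4)
		srv.Close()
		fmt.Printf("%-13s %+v\n", b, out)
	}
}
```

Running it shows the practical difference: the legacy policy exits on the first 503 and leaves the caller to re-authenticate with the original 60s lease still in hand, while the new default absorbs the two failures, keeps the existing lease for those rounds, and picks up the server's 3600s lease once renewal succeeds. Operationally, that means a transient outage on the Vault side no longer forces a burst of re-authentication from every Agent and API consumer.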

    🔋 FEATURES:

    • Vault Debug: A new top-level subcommand, debug, has been added that allows operators to retrieve debugging information about a particular Vault node. Operators can use this simple workflow to capture triaging information, which can then be consumed programmatically or by support and engineering teams. It has the ability to probe for config, host, metrics, pprof, server status, and replication status.
    • Recovery Mode: The Vault server can be brought up in recovery mode to resolve outages caused by the data store being in a bad state. This is a privileged mode that allows sys/raw API calls to perform surgical corrections to the data store. Bad storage state can be caused by bugs; however, it is usually observed when known (and already fixed) bugs are hit by older versions of Vault.
    • Entropy Augmentation (Enterprise): Vault now supports sourcing entropy from an external source for critical security parameters. Currently an HSM that supports PKCS#11 is the only supported source.
    • Active Directory Secret Check-In/Check-Out: In the Active Directory secrets engine, users or applications can check out a service account for use, and its password will be rotated when it's checked back in.
    • Vault Agent Template: Vault Agent now supports rendering templates containing Vault secrets to disk, similar to Consul Template [GH-7652]
    • Transit Key Type Support: Signing and verification is now supported with the P-384 (secp384r1) and P-521 (secp521r1) ECDSA curves [GH-7551] and encryption and decryption is now supported via AES128-GCM96 [GH-7555]
    • SSRF Protection for Vault Agent: Vault Agent has a configuration option to require a specific header before allowing requests [GH-7627]
    • AWS Auth Method Root Rotation: The credential used by the AWS auth method can now be rotated, to ensure that only Vault knows the credentials it is using [GH-7131]
    • New UI Features: The UI now supports managing users and groups for the Userpass, Cert, Okta, and Radius auth methods.
    • Shamir with Stored Master Key: The on-disk format for Shamir seals has changed, allowing a secondary cluster using Shamir to sit downstream from a primary cluster using Auto Unseal. [GH-7694]
    • Stackdriver Metrics Sink: Vault can now send metrics to Stackdriver. See the configuration documentation for details. [GH-6957]
    • Filtered Paths Replication (Enterprise): Building on its predecessor, Filtered Mount Replication, Filtered Paths Replication now allows filtering of namespaces in addition to mounts. With this feature, Filtered Mount Replication should be considered deprecated.
    • Token Renewal via Accessor: Tokens can now be renewed via the accessor value through the new auth/token/renew-accessor endpoint if the caller's token has permission to access that endpoint.
    • Improved Integrated Storage (Beta): Improved raft write performance, added support for non-voter nodes, along with UI support for: using raft storage, joining a raft cluster, and downloading and restoring a snapshot.
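The SSRF protection item above is worth seeing in code, because the mechanism is simple and easy to get wrong. The block below is an added example, not Vault Agent's own implementation: it wraps a handler in a check for the request header and then probes it the way a direct client and a browser-initiated cross-origin request would. The option name require_request_header and the header X-Vault-Request: true come from the Agent listener documentation rather than from this page; the 412 status code, the fake secret path and the listener stand-in are this example's own choices.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// RequestHeader is the header Vault Agent's listener looks for when
// require_request_header is enabled (taken from the Agent docs).
const RequestHeader = "X-Vault-Request"

// requireRequestHeader wraps a handler and rejects requests that do not
// carry "X-Vault-Request: true". The 412 status is this example's choice.
// A cross-origin browser request cannot carry a custom header without a
// CORS preflight that this listener never approves, which is what turns a
// plain header into a guard against browser-driven requests to a local
// listener.
func requireRequestHeader(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get(RequestHeader) != "true" {
			w.Header().Set("Content-Type", "application/json")
			w.WriteHeader(http.StatusPreconditionFailed)
			fmt.Fprintf(w, `{"errors":["missing '%s: true' header"]}`, RequestHeader)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newProtectedListener is a constructed stand-in for the Agent listener:
// the inner handler serves a fake secret, the middleware guards it.
func newProtectedListener() *httptest.Server {
	secret := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"data":{"password":"constructed-value"}}`)
	})
	return httptest.NewServer(requireRequestHeader(secret))
}

// probe issues one GET to the listener, with or without the header, and
// returns the status code the client saw.
func probe(listenerURL string, withHeader bool) (int, error) {
	req, err := http.NewRequest(http.MethodGet, listenerURL+"/v1/secret/data/app", nil)
	if err != nil {
		return 0, err
	}
	if withHeader {
		req.Header.Set(RequestHeader, "true")
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// preflightAllowed mimics what a browser does before sending a cross-origin
// request that carries a custom header: it sends OPTIONS and only proceeds
// if Access-Control-Allow-Headers in the reply covers that header.
func preflightAllowed(listenerURL string) (bool, error) {
	req, err := http.NewRequest(http.MethodOptions, listenerURL+"/v1/secret/data/app", nil)
	if err != nil {
		return false, err
	}
	req.Header.Set("Origin", "https://third-party.example")
	req.Header.Set("Access-Control-Request-Method", "GET")
	req.Header.Set("Access-Control-Request-Headers", strings.ToLower(RequestHeader))
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	allowed := strings.ToLower(resp.Header.Get("Access-Control-Allow-Headers"))
	return strings.Contains(allowed, strings.ToLower(RequestHeader)), nil
}

func main() {
	srv := newProtectedListener()
	defer srv.Close()
	for _, with := range []bool{false, true} {
		code, err := probe(srv.URL, with)
		fmt.Printf("header=%-5v status=%d err=%v\n", with, code, err)
	}
	ok, err := preflightAllowed(srv.URL)
	fmt.Printf("browser preflight allowed=%v err=%v\n", ok, err)
}
```

The point for defenders is the combination: a direct client that can set headers (the intended consumer) passes, a request without the header is refused with 412, and a browser never gets past the preflight because the listener advertises no Access-Control-Allow-Headers. The header is not a secret, so this is not authentication; it only removes the browser as a confused deputy for a listener that is otherwise reachable without credentials.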

    👌 IMPROVEMENTS:

    • agent: Add ability to set the TLS SNI name used by Agent [GH-7519]
    • agent & api: Change default renewer behavior to ignore 5XX errors [GH-7733]
    • auth/jwt: The redirect callback host may now be specified for CLI logins [GH-71]
    • auth/jwt: Bound claims may now contain boolean values [GH-73]
    • auth/jwt: CLI logins can now open the browser when running in WSL [GH-77]
    • core: Exit ScanView if context has been cancelled [GH-7419]
    • core: re-encrypt barrier and recovery keys if the unseal key is updated [GH-7493]
    • core: Don't advertise the full set of TLS 1.2 cipher suites on the cluster port, even though only strong ciphers were used [GH-7487]
    • core (enterprise): Add background seal re-wrap
    • core/metrics: Add config parameter to allow unauthenticated sys/metrics access. [GH-7550]
    • metrics: Upgrade DataDog library to improve performance [GH-7794]
    • replication (enterprise): Write-Ahead-Log entries will not duplicate the data belonging to the encompassing physical entries of the transaction, thereby improving the performance and storage capacity.
    • replication (enterprise): Added more replication metrics
    • replication (enterprise): Reindex process now compares subpages for a more accurate indexing process.
    • replication (enterprise): Reindex API now accepts a new skip_flush parameter indicating that changes should not be flushed while the tree is locked.
    • secrets/aws: The root config can now be read [GH-7245]
    • secrets/aws: Role paths may now contain the '@' character [GH-7553]
    • secrets/database/cassandra: Add ability to skip verification of connection [GH-7614]
    • secrets/gcp: Fix panic during rollback if the roleset has been deleted [GH-52]
    • storage/azure: Add config parameter to Azure storage backend to allow specifying the ARM endpoint [GH-7567]
    • storage/cassandra: Improve storage efficiency by eliminating unnecessary copies of value data [GH-7199]
    • storage/raft: Improve raft write performance by utilizing FSM Batching [GH-7527]
    • storage/raft: Add support for non-voter nodes [GH-7634]
    • sys: Add a new sys/host-info endpoint for querying information about the host [GH-7330]
    • sys: Add a new set of endpoints under sys/pprof/ that allows profiling information to be extracted [GH-7473]
    • sys: Add endpoint that counts the total number of active identity entities [GH-7541]
    • sys: sys/seal-status now has a storage_type field denoting what type of storage the cluster is configured to use
    • sys: Add a new sys/internal/counters/tokens endpoint, that counts the total number of active service token accessors in the shared token storage. [GH-7541]
    • sys/config: Add a new endpoint under sys/config/state/sanitized that returns the configuration state of the server. It excludes config values from storage, ha_storage, and seal stanzas and some values from telemetry due to potential sensitive entries in those fields.
    • ui: when using raft storage, you can now join a raft cluster, download a snapshot, and restore a snapshot from the UI [GH-7410]
    • ui: clarify when secret version is deleted in the secret version history dropdown [GH-7714]

    ๐Ÿ› BUG FIXES:

    • agent: Fix a data race on the token value for inmemsink [GH-7707]
    • api: Fix Go API using lease revocation via URL instead of body [GH-7777]
    • api: Allow setting a function to control retry behavior [GH-7331]
    • auth/gcp: Fix a bug where region information in instance group names could cause an authorization attempt to fail [GH-74]
    • cli: Fix a bug where a token of an unknown format (e.g. in ~/.vault-token) could cause confusing error messages during vault login [GH-7508]
    • cli: Fix a bug where the namespace list command with JSON formatting always returned an empty object [GH-7705]
    • cli: Command timeouts are now always specified solely by the VAULT_CLIENT_TIMEOUT value. [GH-7469]
    • core: Don't allow registering a non-root zero TTL token lease. This is purely defense in depth, as the lease would be revoked immediately anyway, but there's no real reason to allow registration. [GH-7524]
    • core: Correctly revoke the token that's present in the response auth from an auth/token/ request if there's a partial failure during the process. [GH-7835]
    • identity (enterprise): Fixed identity case sensitive loading in secondary cluster [GH-7327]
    • identity: Ensure only replication primary stores the identity case sensitivity state [GH-7820]
    • raft: Fixed VAULT_CLUSTER_ADDR env being ignored at startup [GH-7619]
    • secrets/pki: Don't allow duplicate SAN names in issued certs [GH-7605]
    • sys/health: Pay attention to the values provided for standbyok and perfstandbyok rather than simply using their presence as a key to flip on that behavior [GH-7323]
    • ui: using the wrapped_token query param will work with redirect_to and will automatically log in as intended [GH-7398]
    • ui: fix an error when initializing from the UI using PGP keys [GH-7542]
    • ui: show all active kv v2 secret versions even when delete_version_after is configured [GH-7685]
    • ui: Ensure that items in the top navigation link to pages that users have access to [GH-7590]