Vault v1.3-beta1 Release Notes

Release Date: 2019-10-30
    🔄 CHANGES:

    • Cluster cipher suites: On its cluster port, Vault will no longer advertise the full TLS 1.2 cipher suite list by default. Although this port is only used for Vault-to-Vault communication and would always negotiate a strong cipher, advertising the full list could trigger false positives in port scanners and other security tools that assumed weak ciphers were in use. The previous behavior can be restored by setting the (undocumented) cluster_cipher_suites config flag to tls12.

    🔋 FEATURES:

    • Vault Debug: A new top-level subcommand, debug, is added that allows operators to retrieve debugging information related to a particular Vault node. Operators can use this simple workflow to capture triaging information, which can then be consumed programmatically or by support and engineering teams. It has the ability to probe for config, host, metrics, pprof, server status, and replication status.
    • Recovery Mode: Vault server can be brought up in recovery mode to resolve outages caused by the data store being in a bad state. This is a privileged mode that allows sys/raw API calls to perform surgical corrections to the data store. Bad storage state can be caused by bugs; however, this is usually observed when known (and fixed) bugs are hit by older versions of Vault.
    • Entropy Augmentation (Enterprise): Vault now supports sourcing entropy from an external source for critical security parameters. Currently an HSM that supports PKCS#11 is the only supported source.
    • Active Directory Secret Check-In/Check-Out: In the Active Directory secrets engine, users or applications can check out a service account for use, and its password will be rotated when it's checked back in.
    • Vault Agent Template: Vault Agent now supports rendering templates containing Vault secrets to disk, similar to Consul Template [GH-7652]
    • Transit Key Type Support: Signing and verification is now supported with the P-384 (secp384r1) and P-521 (secp521r1) ECDSA curves [GH-7551] and encryption and decryption is now supported via AES128-GCM96 [GH-7555]
    • SSRF Protection for Vault Agent: Vault Agent has a configuration option to require a specific header before allowing requests [GH-7627]
    • AWS Auth Method Root Rotation: The credential used by the AWS auth method can now be rotated, to ensure that only Vault knows the credentials it is using [GH-7131]
    • New UI Features: The UI now supports managing users and groups for the Userpass, Cert, Okta, and Radius auth methods.
    • Shamir with Stored Master Key: The on-disk format for Shamir seals has changed, allowing for a secondary cluster using Shamir downstream from a primary cluster using Auto Unseal. [GH-7694]
    • Stackdriver Metrics Sink: Vault can now send metrics to Stackdriver. See the configuration documentation for details. [GH-6957]
    • Filtered Paths Replication (Enterprise): Building on its predecessor, Filtered Mount Replication, Filtered Paths Replication now allows filtering of namespaces in addition to mounts.

    👌 IMPROVEMENTS:

    • agent: Add ability to set the TLS SNI name used by Agent [GH-7519]
    • api: Allow setting a function to control retry behavior [GH-7331]
    • auth/jwt: The redirect callback host may now be specified for CLI logins [JWT-71]
    • auth/jwt: Bound claims may now contain boolean values [JWT-73]
    • auth/jwt: CLI logins can now open the browser when running in WSL [JWT-77]
    • core: Exit ScanView if context has been cancelled [GH-7419]
    • core: re-encrypt barrier and recovery keys if the unseal key is updated [GH-7493]
    • core: Don't advertise the full set of TLS 1.2 cipher suites on the cluster port, even though only strong ciphers were used [GH-7487]
    • core (enterprise): Add background seal re-wrap
    • core/metrics: Add config parameter to allow unauthenticated sys/metrics access. [GH-7550]
    • replication (enterprise): Write-Ahead-Log entries no longer duplicate the data belonging to the encompassing physical entries of the transaction, thereby improving performance and storage capacity.
    • replication (enterprise): Added more replication metrics
    • replication (enterprise): Reindex process now compares subpages for a more accurate indexing process.
    • replication (enterprise): Reindex API now accepts a new skip_flush parameter indicating that changes should not be flushed while the tree is locked.
    • secrets/aws: The root config can now be read [GH-7245]
    • secrets/aws: Role paths may now contain the '@' character [GH-7553]
    • secrets/database/cassandra: Add ability to skip verification of connection [GH-7614]
    • storage/azure: Add config parameter to Azure storage backend to allow specifying the ARM endpoint [GH-7567]
    • storage/cassandra: Improve storage efficiency by eliminating unnecessary copies of value data [GH-7199]
    • storage/raft: Improve raft write performance by utilizing FSM Batching [GH-7527]
    • storage/raft: Add support for non-voter nodes [GH-7634]
    • sys: Add a new sys/host-info endpoint for querying information about the host [GH-7330]
    • sys: Add a new set of endpoints under sys/pprof/ that allows profiling information to be extracted [GH-7473]
    • sys: Add endpoint that counts the total number of active identity entities [GH-7541]
    • sys: sys/seal-status now has a storage_type field denoting what type of storage the cluster is configured to use
    • sys: Add a new sys/internal/counters/tokens endpoint, that counts the total number of active service token accessors in the shared token storage. [GH-7541]
    • sys/config: Add a new endpoint under sys/config/state/sanitized that returns the configuration state of the server. It excludes config values from storage, ha_storage, and seal stanzas and some values from telemetry due to potential sensitive entries in those fields.
    • ui: when using raft storage, you can now join a raft cluster, download a snapshot, and restore a snapshot from the UI [GH-7410]
    • ui: clarify when secret version is deleted in the secret version history dropdown [GH-7714]

    ๐Ÿ› BUG FIXES:

    • agent: Fix a data race on the token value for inmemsink [GH-7707]
    • auth/gcp: Fix a bug where region information in instance groups names could cause an authorization attempt to fail [GCP-74]
    • cli: Fix a bug where a token of an unknown format (e.g. in ~/.vault-token) could cause confusing error messages during vault login [GH-7508]
    • cli: Fix a bug where the namespace list command with JSON formatting always returned an empty object [GH-7705]
    • cli: Command timeouts are now always specified solely by the VAULT_CLIENT_TIMEOUT value. [GH-7469]
    • identity (enterprise): Fixed identity case sensitive loading in secondary cluster [GH-7327]
    • raft: Fixed VAULT_CLUSTER_ADDR env being ignored at startup [GH-7619]
    • secrets/pki: Don't allow duplicate SAN names in issued certs [GH-7605]
    • sys/health: Pay attention to the values provided for standbyok and perfstandbyok rather than simply using their presence as a key to flip on that behavior [GH-7323]
    • ui: using the wrapped_token query param will work with redirect_to and will automatically log in as intended [GH-7398]
    • ui: fix an error when initializing from the UI using PGP keys [GH-7542]
    • ui: show all active kv v2 secret versions even when delete_version_after is configured [GH-7685]