From 74ba4f72aa474ae7e86a43c91da9c4d441fda28a Mon Sep 17 00:00:00 2001 From: Jeff Mitchell Date: Mon, 18 Mar 2019 15:16:30 -0400 Subject: [PATCH] Prep for release --- CHANGELOG.md | 181 +++++++----------- terraform/aws/variables.tf | 2 +- version/version_base.go | 2 +- website/config.rb | 2 +- website/source/docs/concepts/policies.html.md | 15 ++ 5 files changed, 84 insertions(+), 118 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 50ee9dcabe..8584d73336 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,122 +1,41 @@ -## 1.1.0 (Unreleased) +## 1.1.0 (March 18th, 2019) CHANGES: - * agent/caching: Move listeners config out of cache{} block to top level. - Allow running agent with cache enabled and auto-auth disabled. - * auth/jwt: Update `bound_audiences` validation during non-OIDC logins to accept - any matched audience, as documented and handled in OIDC logins. - [[GH-30]](https://github.com/hashicorp/vault-plugin-auth-jwt/issues/30) - * auth/jwt: Apply `bound_audiences` checks to OIDC paths. - -FEATURES: - - * core: on non-windows platforms a SIGUSR2 will make the server log a dump of - all running goroutines' stack traces for debugging purposes. - -IMPROVEMENTS: - - * agent/caching: Agent Caching will now return `X-Cache` and `Age` headers on - responses to indicates whether a response was a cache hit or miss, and - the freshness of the cached response when applicable. - [[GH-6394]](https://github.com/hashicorp/vault/pull/6394) - * sentinel: add token namespace id and path, available in rules as - token.namespace.id and token.namespace.path. - -BUG FIXES: - - * agent/caching: Non-2xx (e.g. redirects) and non-JSON responses returned by - the server are no longer wrapped and returned by Agent Caching as 500 - Internal Server Error responses. - [[GH-6353]](https://github.com/hashicorp/vault/pull/6353) - * agent/caching: Add locking during cache lookup to prevent identical - non-cached requests made in parallel launch multiple rewener goroutines. - [[GH-6374]](https://github.com/hashicorp/vault/pull/6374) - * auth/jwt: Apply `bound_claims` validation across all login paths. - * core: The `operator migrate` command will no longer hang on empty key names. - [[GH-6371]](https://github.com/hashicorp/vault/pull/6371) - * secret/ssh: Fix for a bug where attempting to delete the last ssh role - in the zeroaddress configuration could fail. 
- [[GH-6390]](https://github.com/hashicorp/vault/pull/6390) - * secret/totp: Uppercase provided keys so they don't fail base32 validation - [GH-6400] - * sys: `sys/internal/ui/mounts` will no longer return secret or auth mounts - that have been filtered. Similarly, `sys/internal/ui/mount/:path` will - return a error response if a filtered mount path is requested. - [[GH-6412]](https://github.com/hashicorp/vault/pull/6412) - * ui: Fix for a bug where you couldn't access the data tab after clicking on - wrap details on the tool > unwrap page [GH-6404] - -## 1.1.0-beta2 (March 5th, 2019) - -CHANGES: - - * agent/caching: Enable the caching of tokens and leases generated by the - auto-auth token when that's in use. - [[GH-6293]](https://github.com/hashicorp/vault/pull/6293) - * auth/jwt: The default listening port for the OIDC login helper is now 8250. - * core: Token creation responses now contain the `orphan` field indicating - whether the new token is orphan. - [[GH-6230]](https://github.com/hashicorp/vault/pull/6320) + * auth/jwt: The `groups_claim_delimiter_pattern` field has been removed. If the + groups claim is not at the top level, it can now be specified as a + [JSONPointer](https://tools.ietf.org/html/rfc6901). + * auth/jwt: Roles now have a "role type" parameter with a default type of + "oidc". To configure new JWT roles, a role type of "jwt" must be explicitly + specified. + * cli: CLI commands deprecated in 0.9.2 are now removed. Please see the CLI + help/warning output in previous versions of Vault for updated commands. + * core: Vault no longer automatically mounts a K/V backend at the "secret/" + path when initializing Vault + * core: Vault's cluster port will now be open at all times on HA standby nodes + * plugins: Vault no longer supports running netRPC plugins. These were + deprecated in favor of gRPC based plugins and any plugin built since 0.9.4 + defaults to gRPC. Older plugins may need to be recompiled against the latest + Vault dependencies. 
FEATURES: + * **Vault Agent Caching**: Vault Agent can now be configured to act as a + caching proxy to Vault. Clients can send requests to Vault Agent and the + request will be proxied to the Vault server and cached locally in Agent. + Currently Agent will cache generated leases and tokens and keep them + renewed. The proxy can also use the Auto Auth feature so clients do not need + to authenticate to Vault, but rather can make requests to Agent and have + Agent fully manage token lifecycle. + * **OIDC Redirect Flow Support**: The JWT auth backend now supports OIDC + roles. These allow authentication via an OIDC-compliant provider via the + user's browser. The login may be initiated from the Vault UI or through + the `vault login` command. + * **ACL Path Wildcard**: ACL paths can now use the `+` character to enable + wild card matching for a single directory in the path definition. * **Transit Auto Unseal**: Vault can now be configured to use the Transit Secret Engine in another Vault cluster as an auto unseal provider. -IMPROVEMENTS: - - * auth/token: A warning will be printed when 'tls_cipher_suites' includes a - blacklisted cipher suite or all cipher suites are blacklisted by the HTTP/2 - specification. - * secrets/transit: Multiple HMAC, Sign or Verify operations can now be performed - with one API call using the new `batch_input` parameter - [[GH-5875]](https://github.com/hashicorp/vault/pull/5875). - -BUG FIXES: - - * namespace (enterprise): Clearing out identity store items upon namespace - deletion [[GH-850]](https://github.com/hashicorp/vault-enterprise/pull/850) - * secrets/kv: Fix issue where a v1→v2 upgrade could run on a performance - standby when using a local mount. - * agent/caching: Do not trigger cache update when renewal of the cached lease - is triggered. [[GH-6303]](https://github.com/hashicorp/vault/pull/6303) - * auth/token: Fix issue where empty values for token role update call were - ignored. 
[[GH-6314]](https://github.com/hashicorp/vault/pull/6314) - * ui: fix an issue where the policies tab was erroneously hidden [GH-6301] - * ui: fix encoding issues with kv interfaces [GH-6294] - -## 1.1.0-beta1 (February 20th, 2019) - -CHANGES: - - * auth/jwt: The `groups_claim_delimiter_pattern` has been removed. If the groups - claim is not at the top level, it can now be specified as a - [JSONPointer](https://tools.ietf.org/html/rfc6901). - * auth/jwt: Roles now have a "role type" parameter with a default type of "oidc". To - configure new JWT roles, a role type of "jwt" must be explicitly specified. - * cli: CLI commands deprecated in 0.9.2 are now removed. Please see the CLI help output - for updated commands. - * core: Vault no longer automatically mounts a k/v backend at the "secret/" path when - initalizing Vault. - * core: Vault's cluster port will now be opened on HA standby nodes. - * plugins: Vault no longer supports running netRPC plugins. These were deprecated in - favor of gRPC based plugins and any plugin built since 0.9.4 defaults to gRPC. Older - plugins may need to be recompiled against the latest Vault dependencies. - -FEATURES: - - * **Vault Agent Caching**: Vault Agent can now be configured to act as a caching proxy - to Vault. Clients can send requests to Vault Agent and the request will be proxied - to the Vault server and cached locally in Agent. Currently Agent will cache - generated leases and tokens and keep them renewed. The proxy can also use the Auto - Auth feature so clients do not need to provide a Vault token with the request. - * **OIDC Support**: The JWT auth backend now supports OIDC roles. These allow - authentication via an OIDC-compliant provider via the user's browser. The - login may be initiatated from the Vault UI or through the `vault login` command. - * **ACL Path Wildcard**: ACL paths can now use the `+` character to enable wild card - matching for a single directory in the path definition. 
- IMPROVEMENTS: * auth/jwt: A default role can be set. It will be used during JWT/OIDC logins if 
@@ -125,18 +44,50 @@ IMPROVEMENTS: * auth/jwt: An arbitrary set of bound claims can now be configured for a role. * auth/jwt: The name "oidc" has been added as an alias for the jwt backend. Either name may be specified in the `auth enable` command. + * command/server: A warning will be printed when 'tls_cipher_suites' includes a + blacklisted cipher suite or all cipher suites are blacklisted by the HTTP/2 + specification [GH-6300] * core/metrics: Prometheus pull support using a new sys/metrics endpoint. [GH-5308] + * core: On non-windows platforms a SIGUSR2 will make the server log a dump of + all running goroutines' stack traces for debugging purposes [GH-6240] * replication: The inital replication indexing process on newly initialized or upgraded - clusters now runs asynchronously. + clusters now runs asynchronously + * sentinel: Add token namespace id and path, available in rules as + token.namespace.id and token.namespace.path * ui: The UI is now leveraging OpenAPI definitions to pull in fields for various forms. This means, it will not be necessary to add fields on the go and JS sides in the future. [GH-6209] BUG FIXES: - - * identity: Fix a panic at login when external group has a nil alias. [GH-6230] - * performance standby: Fixed a bug causing performance standbys to wait longer - than necessary after forwarding a write to the active node. 
+ + * auth/jwt: Apply `bound_claims` validation across all login paths + * auth/jwt: Update `bound_audiences` validation during non-OIDC logins to accept + any matched audience, as documented and handled in OIDC logins [JWT-30] + * auth/token: Fix issue where empty values for token role update call were + ignored [GH-6314] + * core: The `operator migrate` command will no longer hang on empty key names + [GH-6371] + * identity: Fix a panic at login when external group has a nil alias [GH-6230] + * namespaces: Clear out identity store items upon namespace deletion + * replication/perfstandby: Fixed a bug causing performance standbys to wait + longer than necessary after forwarding a write to the active node + * replication/mountfilter: Fix a deadlock that could occur when mount filters + were updated [GH-6426] + * secret/kv: Fix issue where a v1→v2 upgrade could run on a performance + standby when using a local mount + * secret/ssh: Fix for a bug where attempting to delete the last ssh role + in the zeroaddress configuration could fail [GH-6390] + * secret/totp: Uppercase provided keys so they don't fail base32 validation + [GH-6400] + * secret/transit: Multiple HMAC, Sign or Verify operations can now be + performed with one API call using the new `batch_input` parameter [GH-5875] + * sys: `sys/internal/ui/mounts` will no longer return secret or auth mounts + that have been filtered. Similarly, `sys/internal/ui/mount/:path` will + return a error response if a filtered mount path is requested. [GH-6412] + * ui: Fix for a bug where you couldn't access the data tab after clicking on + wrap details on the unwrap page [GH-6404] + * ui: Fix an issue where the policies tab was erroneously hidden [GH-6301] + * ui: Fix encoding issues with kv interfaces [GH-6294] ## 1.0.3 (February 12th, 2019) diff --git a/terraform/aws/variables.tf b/terraform/aws/variables.tf index ece9cc78df..5f47a32a8c 100644 --- a/terraform/aws/variables.tf +++ b/terraform/aws/variables.tf 
@@ -3,7 +3,7 @@ //------------------------------------------------------------------- variable "download-url" { - default = "https://releases.hashicorp.com/vault/1.0.3/vault_1.0.3_linux_amd64.zip" + default = "https://releases.hashicorp.com/vault/1.1.0/vault_1.1.0_linux_amd64.zip" description = "URL to download Vault" } diff --git a/version/version_base.go b/version/version_base.go index 385e7a9ab9..49e38811f9 100644 --- a/version/version_base.go +++ b/version/version_base.go @@ -7,5 +7,5 @@ func init() { // A pre-release marker for the version. If this is "" (empty string) // then it means that it is a final release. Otherwise, this is a pre-release // such as "dev" (in development), "beta", "rc1", etc. - VersionPrerelease = "beta2" + VersionPrerelease = "" } diff --git a/website/config.rb b/website/config.rb index bdc8a4a9a7..69a89a724f 100644 --- a/website/config.rb +++ b/website/config.rb @@ -6,7 +6,7 @@ use ReshapeMiddleware, component_file: "assets/reshape.js" activate :hashicorp do |h| h.name = "vault" - h.version = "1.0.3" + h.version = "1.1.0" h.github_slug = "hashicorp/vault" h.website_root = "website" h.releases_enabled = true diff --git a/website/source/docs/concepts/policies.html.md b/website/source/docs/concepts/policies.html.md index c9302d01c2..43b10c27c1 100644 --- a/website/source/docs/concepts/policies.html.md +++ b/website/source/docs/concepts/policies.html.md 
@@ -150,6 +150,21 @@ path "secret/zip-*" { } ``` +In addition, a `+` can be used to denote any number of characters bounded +within a single path segment (this appeared in Vault 1.1): + +```ruby +# Permit reading the "teamb" path under any top-level path under secret/ +path "secret/+/teamb" { + capabilities = ["read"] +} + +# Permit reading secret/foo/bar/teamb, secret/bar/foo/teamb, etc. +path "secret/+/+/teamb" { + capabilities = ["read"] +} +``` + Vault's architecture is similar to a filesystem. Every action in Vault has a corresponding path and capability - even Vault's internal core configuration endpoints live under the "sys/" path. Policies define access to these paths and
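Review bot: in the CHANGELOG hunk `@@ -1,122 +1,41 @@`, folding the beta1/beta2 sections into the single 1.1.0 block silently drops at least one change that is user-visible relative to 1.0.3 and not beta-internal: the beta2 CHANGES entry "core: Token creation responses now contain the `orphan` field indicating whether the new token is orphan" has no counterpart in the consolidated list (the hunk at `@@ -125,18 +44,50 @@` does not re-add it). The same goes for details that clients will actually see, such as the `X-Cache` and `Age` headers on Agent Caching responses (GH-6394) and the OIDC login helper's default port of 8250; consider folding those into the **Vault Agent Caching** and **OIDC Redirect Flow Support** feature descriptions. Minor style: the new lines `+ * core: Vault no longer automatically mounts a K/V backend at the "secret/"` / `+   path when initializing Vault` and `+ * core: Vault's cluster port will now be open at all times on HA standby nodes` lack the terminal period that their sibling CHANGES items carry.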
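Review bot: in the CHANGELOG hunk `@@ -125,18 +44,50 @@`, the entry `+ * secret/transit: Multiple HMAC, Sign or Verify operations can now be` / `+   performed with one API call using the new `batch_input` parameter [GH-5875]` is a new API capability, yet it is added under BUG FIXES; the removed beta2 text had it under IMPROVEMENTS, which is where it belongs. Two smaller points in the same hunk: `+   return a error response if a filtered mount path is requested. [GH-6412]` should read "an error response" and is the only BUG FIXES item that keeps a period before its tag, while the others (e.g. "ignored [GH-6314]", "[GH-6371]") drop it; and `[JWT-30]` replaces a removed line that linked to https://github.com/hashicorp/vault-plugin-auth-jwt/issues/30, so the bare tag no longer tells the reader which repository the issue lives in. "non-windows" in the SIGUSR2 entry should be "non-Windows", and the context line "The inital replication indexing process" carries a typo worth fixing in a follow-up since this hunk already touches the next line of that item.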
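Review bot: in the `terraform/aws/variables.tf` hunk, the `download-url` default is bumped to `https://releases.hashicorp.com/vault/1.1.0/vault_1.1.0_linux_amd64.zip`, but nothing in this file verifies what is fetched from that URL; the only integrity control is TLS to the release host. Since this variable feeds whatever provisions the instance, consider adding a companion variable holding the artifact's SHA256 (HashiCorp publishes a `*_SHA256SUMS` file next to each release zip) and having the download step check it, so a release bump is a two-value change (URL plus expected digest) rather than a bare URL. At minimum the description "URL to download Vault" could note that the default must be updated in lockstep with `version/version_base.go` and `website/config.rb`, which this same commit bumps by hand.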
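Review bot: in the `website/source/docs/concepts/policies.html.md` hunk, the new paragraph `+In addition, a `+` can be used to denote any number of characters bounded` / `+within a single path segment (this appeared in Vault 1.1):` leaves the two questions a policy author will immediately have unanswered: whether `+` matches exactly one segment (and whether an empty segment counts), and how a `+` rule combines with the trailing `*` glob shown in the preceding `secret/zip-*` example and with Vault's precedence rules when a `+` path and a literal path both match a request. The second example's comment, `+# Permit reading secret/foo/bar/teamb, secret/bar/foo/teamb, etc.`, is good; the first could similarly spell out that `secret/+/teamb` grants read under every current and future top-level path beneath `secret/`, since that breadth is the main thing to weigh before using the wildcard. Style: "(this appeared in Vault 1.1)" reads better as "(added in Vault 1.1)".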