CHANGELOG-v0.md
This release contains the three security fixes from 1.0.0 and 1.0.1 and the following bug fixes from 1.0.0/1.0.1:
It is otherwise identical to 0.11.5.
BUG FIXES:
CHANGES:
operator migrate [GH-5503].
We've categorized this as a change, but generally this can be considered
just a bug fix, and no action is needed.
FEATURES:
IMPROVEMENTS:
BUG FIXES:
otp to be provided
instead of an empty body [GH-5495]
sign-verbatim [GH-5549]
varbinary instead of varchar when creating HA tables
[GH-5529]
SECURITY:
.) to not be revoked properly. Upon startup
when revocation is tried again these should now revoke successfully.
IMPROVEMENTS:
* to allow any value [GH-5459]
BUG FIXES:
vault auth was given no parameters [GH-5473]
CHANGES:
sys/seal-status now includes an initialized boolean in the output. If
Vault is not initialized, it will return a 200 with this value set false
instead of a 400.
passthrough_request_headers will now deny certain headers from being
provided to backends based on a global denylist.
FEATURES:
operator migrate command allows offline
migration of data between two storage backends
BUG FIXES:
token parameter if a token was
previously set in the configuration [GH-5409]
IMPROVEMENTS:
env parameter when registering plugins to the catalog to allow
operators to include environment variables during plugin execution. [GH-5359]
BUG FIXES:
IMPROVEMENTS:
iam_request_headers with IAM auth method [GH-5320]
SECURITY:
FEATURES:
IMPROVEMENTS:
SIGHUP, reading the desired value from
Vault's config file [GH-5280]
BUG FIXES:
sys/ top-route injection for now [GH-5241]
DEPRECATIONS/CHANGES:
sys/ Top Level Injection: For the last two years for backwards
compatibility data for various sys/ routes has been injected into both the
Secret's Data map and into the top level of the JSON response object.
However, this has some subtle issues that pop up from time to time and is
becoming increasingly complicated to maintain, so it's finally being
removed.
list operations to always end in a /, as list
operations operate on prefixes, so all list operations by definition end
with /. This was done server-side so affects all clients. However, this
has also led to a lot of confusion for users writing policies that assume
that the path that they use in the CLI is the path used internally. Starting
in 0.11, ACL policies gain a new fallback rule for listing: they will use a
matching path ending in / if available, but if not found, they will look
for the same path without a trailing /. This allows putting list
capabilities in the same path block as most other capabilities for that
path, while not providing any extra access if list wasn't actually
provided there.
disable_performance_standby
configuration flag.
FEATURES:
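The two list-path rules described in the note above (the server-side canonicalization of list requests to a trailing /, and the 0.11 fallback that looks for the same path without the slash) as an added Python model. This is an example written for this page, not Vault's ACL code or anything from the changelog: the policy is a constructed dict instead of HCL, and the only glob supported is a trailing `*`.

```python
"""Model of Vault's list-path handling, added as an illustration.

Not Vault's ACL implementation: policies are a plain dict and the only
glob form supported is "prefix*".  It reproduces just the two behaviours
described in the 0.11 changelog entry above.
"""
from typing import Dict, Optional, Set

Policy = Dict[str, Set[str]]  # path rule -> capabilities granted there


def canonicalize(path: str, operation: str) -> str:
    """List operations act on prefixes, so the server forces a trailing "/"."""
    if operation == "list" and not path.endswith("/"):
        return path + "/"
    return path


def _lookup(policy: Policy, path: str) -> Optional[Set[str]]:
    """Exact rule wins; otherwise the longest matching "prefix*" glob rule."""
    if path in policy:
        return policy[path]
    best: Optional[Set[str]] = None
    best_len = -1
    for rule, caps in policy.items():
        if rule.endswith("*") and path.startswith(rule[:-1]) and len(rule) > best_len:
            best, best_len = caps, len(rule)
    return best


def allowed(policy: Policy, path: str, operation: str, fallback: bool = True) -> bool:
    """Return True if the policy grants `operation` on `path`.

    fallback=False reproduces the pre-0.11 behaviour, where a list request for
    "secret/foo" (canonicalized to "secret/foo/") could only match a rule that
    itself ended in "/".
    """
    path = canonicalize(path, operation)
    caps = _lookup(policy, path)
    if caps is None and fallback and operation == "list" and path.endswith("/"):
        # 0.11: no rule for "secret/foo/", so try "secret/foo".  The list
        # capability still has to be present there; nothing extra is granted.
        caps = _lookup(policy, path[:-1])
    return caps is not None and operation in caps


# Constructed policy used for the demonstration (an assumption, not a real one).
EXAMPLE_POLICY: Policy = {
    "secret/foo": {"read", "list"},  # list granted on the slash-less path block
    "secret/bar": {"read"},          # no list anywhere: fallback must not help
    "kv/*": {"list"},                # glob already matches "kv/team/" directly
}
```

The interesting case is `secret/bar`: the fallback finds the slash-less block but, because `list` is absent there, the request is still denied, which is the "no extra access" guarantee the note makes.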
IMPROVEMENTS:
exit_after_auth to be able to use the Agent for a single
authentication [GH-5013]
vault read operations [GH-5093]
BUG FIXES:
aud claim even if bound_audiences isn't set
(IOW, error in this case)
mount_path and mount_type on group lookup
[GH-5074]
SECURITY:
DEPRECATIONS/CHANGES:
-sync CLI flag or sync API parameter. When in
synchronous mode, if the operation results in failure it is up to the user
to retry.
FEATURES:
jwt auth method accepts JWTs and either
validates signatures locally or uses OIDC Discovery to fetch the current set
of keys for signature validation. Various claims can be specified for
validation (in addition to the cryptographic signature) and a user and
optional groups claim can be used to provide Identity information.
IMPROVEMENTS:
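An added example, written for this page rather than taken from Vault's source, of the validation order a JWT login has to follow: signature first, then time and audience claims, then identity extraction. It uses HS256 only so that it runs on the Python standard library; the jwt method itself validates asymmetric signatures against configured public keys or keys fetched via OIDC Discovery, but the ordering and the claim checks are the same. The parameter names bound_audiences, user_claim and groups_claim mirror the method's; the key, claims and clock value are constructed, and the aud handling reflects the 0.11 fix above (a token carrying aud is an error when bound_audiences is unset).

```python
"""JWT validation in the order a login must do it.  Added illustration,
not Vault's jwt auth code: HS256 stands in for the asymmetric algorithms
the method supports so this is self-contained.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Iterable, Optional


class JWTError(Exception):
    """Any reason the token must not log a user in."""


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_hs256(claims: dict, key: bytes) -> str:
    """Produce a token; only used here to construct sample input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_jwt(token: str, key: bytes, bound_audiences: Iterable[str] = (),
                 user_claim: str = "sub", groups_claim: str = "groups",
                 now: Optional[float] = None) -> Dict[str, object]:
    """Return {"user": ..., "groups": [...]} or raise JWTError."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        sig = _b64url_decode(s)
    except ValueError:  # covers bad base64 and bad JSON as well
        raise JWTError("malformed token")
    # Pin the algorithm: the token never gets to choose "none" or a weaker alg.
    if header.get("alg") != "HS256":
        raise JWTError("unsupported alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise JWTError("bad signature")
    # Only after the signature checks out are the claims trusted at all.
    claims = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise JWTError("expired or missing exp")
    if now < claims.get("nbf", 0):
        raise JWTError("not yet valid")
    aud = claims.get("aud")
    if aud is not None:
        auds = aud if isinstance(aud, list) else [aud]
        bound = list(bound_audiences)
        # 0.11 fix: an aud claim with no bound_audiences configured is an
        # error rather than a silent pass.
        if not bound:
            raise JWTError("token has aud but bound_audiences is not set")
        if not set(auds) & set(bound):
            raise JWTError("aud does not match bound_audiences")
    if user_claim not in claims:
        raise JWTError(f"missing user claim {user_claim}")
    return {"user": claims[user_claim], "groups": list(claims.get(groups_claim, []))}


def rejects(token: str, key: bytes, **kwargs) -> bool:
    """True if validate_jwt refuses the token (helper for checks)."""
    try:
        validate_jwt(token, key, **kwargs)
    except JWTError:
        return True
    return False


# Constructed sample input (assumed values).
KEY = b"shared-secret-for-the-example"
NOW = 1_000_000
TOKEN = mint_hs256({"sub": "alice", "aud": "vault", "groups": ["dev"], "exp": NOW + 60}, KEY)
```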
-description flag to secrets and auth tune subcommands to allow
updating an existing secret engine's or auth method's description. This
change also allows the description to be unset by providing an empty string.
max_request_size parameter can now be set per-listener to adjust
the maximum allowed size per request [GH-4824]
-field=data to KVv2 when using vault kv [GH-4895]
listing_visibility in the auth method edit forms [GH-4854]
wrapped_token query parameter [GH-4854]
BUG FIXES:
max_retries [GH-4980]
DEPRECATIONS/CHANGES:
ldap, okta, and radius. Since the
default policy is added by Vault's core, this would incorrectly reject
valid authentications before they would in fact be granted policies. This
inconsistency has been addressed; valid authentications for these methods
now succeed even if no policy was specifically defined in that method for
that user.
FEATURES:
pki backend. Roles can limit which SANs are allowed via globbing.
kv rollback Command: You can now use vault kv rollback to roll a KVv2
path back to a previous non-deleted/non-destroyed version. The previous
version becomes the next/newest version for the path.
IMPROVEMENTS:
create/update distinction for connection
configurations [GH-3544]
create/update distinction for role configurations
[GH-3544]
kv rollback [GH-4774]
hidden option to listing_visibility field on sys/mounts
API [GH-4827]
BUG FIXES:
vault kv commands
incorrectly operating on a root+mount path instead of being an error
[GH-4726]
CKK_SHA256_HMAC to the search list when finding HMAC
keys, fixing lookup on some Thales devices
SECURITY:
transit's
convergent encryption feature is susceptible to offline
plaintext-confirmation attacks. As a result, we are introducing a version 3
algorithm that mitigates this. If you are currently using convergent
encryption, we recommend upgrading, rotating your encryption key (the new
key version will use the new algorithm), and rewrapping your data (the
rewrap endpoint can be used to allow a relatively non-privileged user to
perform the rewrapping while never divulging the plaintext).
DEPRECATIONS/CHANGES:
FEATURES:
ad secrets engine has been created
which allows Vault to rotate and provide credentials for configured AD
accounts.
cert, userpass, and kubernetes auth methods:
You can now limit authentication to specific CIDRs; these will also be
encoded in resultant tokens to limit their use.
IMPROVEMENTS:
allowed_names into component parts and add
allowed_uri_sans [GH-4231]
vault login now supports a -no-print flag to suppress printing
token information but still allow storing into the token helper [GH-4454]
BUG FIXES:
vault token capabilities with multiple paths
[GH-4552]
use_always option with PROXY protocol support, do not
require authorized_addrs to be set [GH-4065]
bound_region able to use short names
safety_buffer for tidy being allowed to be negative,
clearing all certs [GH-4641]
key_type not being allowed to be set to any [GH-4595]
use_csr_values and signing an intermediate CA cert [GH-4459]
The following two items are in both 0.9.7 and 0.10.1. They only affect Enterprise, and as such 0.9.7 is an Enterprise-only release:
SECURITY:
BUG FIXES:
All other content in this release is for 0.10.1 only.
DEPRECATIONS/CHANGES:
vault kv and Vault versions: In 0.10.1 some issues with vault kv against
v1 K/V engine mounts are fixed. However, using 0.10.1 for both the server
and CLI versions is required.
FEATURES:
X-Forwarded-For headers can now be used to set the
client IP seen by Vault. See the TCP listener configuration page for
details.
vault kv patch command: A new kv patch helper command that allows
modifying only some values in existing data at a K/V path, but uses
check-and-set to ensure that this modification happens safely.
IMPROVEMENTS:
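An added example, not from the changelog or Vault's listener code, of the decision a listener has to make before trusting X-Forwarded-For: the header is only meaningful when the TCP peer is a proxy you have authorized, and even then only the entries appended by trusted hops can be believed. The option names used below (x_forwarded_for_authorized_addrs, x_forwarded_for_hop_skips, x_forwarded_for_reject_not_present, x_forwarded_for_reject_not_authorized) are the TCP listener's documented options; how this model combines them is the author's reading of their documentation, and the addresses are constructed.

```python
"""Client-IP selection behind a proxy, as an added illustration of the
X-Forwarded-For listener options.  Not Vault's listener code; the option
semantics are modelled from the documented option names and are an
assumption where they go beyond that.
"""
import ipaddress
from typing import List, Optional


class ForwardedRejected(Exception):
    """The request must be refused rather than attributed to a guessed IP."""


def _is_authorized(remote_ip: str, authorized_addrs: List[str]) -> bool:
    ip = ipaddress.ip_address(remote_ip)
    return any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in authorized_addrs)


def client_ip(remote_addr: str, xff_header: Optional[str], authorized_addrs: List[str],
              hop_skips: int = 0, reject_not_present: bool = False,
              reject_not_authorized: bool = True) -> str:
    """Return the IP to audit-log and to test against CIDR binds on tokens."""
    if not _is_authorized(remote_addr, authorized_addrs):
        if reject_not_authorized:
            raise ForwardedRejected(f"{remote_addr} is not an authorized proxy")
        # Untrusted peer: its header is attacker-controlled, so ignore it.
        return remote_addr
    if not xff_header:
        if reject_not_present:
            raise ForwardedRejected("authorized proxy sent no X-Forwarded-For")
        return remote_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    # Each proxy appends the peer it saw, so the rightmost entry was written
    # by the proxy we trust.  hop_skips steps past further known proxies.
    # Never index past the left edge: the leftmost entries are whatever the
    # original client chose to send.
    if hop_skips >= len(hops):
        raise ForwardedRejected("X-Forwarded-For has fewer hops than hop_skips")
    candidate = hops[-1 - hop_skips]
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        raise ForwardedRejected(f"malformed forwarded address {candidate!r}")
    return candidate


def client_ip_or_none(*args, **kwargs) -> Optional[str]:
    """Same as client_ip but returns None instead of raising (for checks)."""
    try:
        return client_ip(*args, **kwargs)
    except ForwardedRejected:
        return None
```

The case worth remembering is the untrusted peer with reject_not_authorized turned off: the correct answer is the peer's own address, never anything from the header, because a direct client can write whatever it likes there.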
vault kv patch [GH-4432]
sys/mounts is no longer needed to use the UI - the list of
engines will show you the ones you implicitly have access to (because you have
access to secrets in those engines) [GH-4439]
BUG FIXES:
vault kv backwards compatibility with KV v1 engine mounts
[GH-4430]
SECURITY:
DEPRECATIONS/CHANGES:
case_sensitive_names
will need to be explicitly set to true.
secret/ mount: In 0.12 we will stop mounting secret/
by default at initialization time (it will still be available in dev
mode).
FEATURES:
kv backend has been completely revamped, featuring
flexible versioning of values, check-and-set protections, and more. A new
vault kv subcommand allows friendly interactions with it. Existing mounts
of the kv backend can be upgraded to the new versioned mode (downgrades
are not currently supported). The old "passthrough" mode is still the
default for new mounts; versioning can be turned on by setting the
-version=2 flag for the vault secrets enable command.
data map on a per-mount basis.
IMPROVEMENTS:
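An added in-memory model of the KV v2 semantics this page describes in three places: the versioned store with check-and-set introduced here, the check-and-set read-merge-write that vault kv patch performs (0.10.1 notes), and vault kv rollback copying an older non-deleted, non-destroyed version to the top (0.10.2 notes). It is written for this page and is not Vault's storage code; method names follow the CLI verbs, and the path and data are constructed.

```python
"""KV v2 versioning, check-and-set, patch and rollback as a small in-memory
model.  Added illustration, not Vault's implementation.
"""
import copy
from typing import Any, Dict, List, Optional


class CASConflict(Exception):
    """The caller's view of the current version was stale (or cas was required)."""


class KVv2:
    def __init__(self, cas_required: bool = False) -> None:
        self.cas_required = cas_required
        # path -> list of versions; index 0 is version 1
        self._versions: Dict[str, List[Dict[str, Any]]] = {}

    def current_version(self, path: str) -> int:
        return len(self._versions.get(path, []))

    def write(self, path: str, data: Dict[str, Any], cas: Optional[int] = None) -> int:
        """Create a new version; with cas, only if `cas` is still the newest version."""
        current = self.current_version(path)
        if cas is None and self.cas_required:
            raise CASConflict("check-and-set parameter required for this mount")
        if cas is not None and cas != current:
            raise CASConflict(f"cas={cas} but current version is {current}")
        self._versions.setdefault(path, []).append(
            {"data": copy.deepcopy(data), "deleted": False, "destroyed": False})
        return current + 1

    def read(self, path: str, version: Optional[int] = None) -> Optional[Dict[str, Any]]:
        versions = self._versions.get(path, [])
        if not versions:
            return None
        entry = versions[(version or len(versions)) - 1]
        if entry["deleted"] or entry["destroyed"]:
            return None
        return copy.deepcopy(entry["data"])

    def delete(self, path: str, version: Optional[int] = None) -> None:
        """Soft delete: the data stays (undelete is not modelled here)."""
        versions = self._versions[path]
        versions[(version or len(versions)) - 1]["deleted"] = True

    def destroy(self, path: str, version: int) -> None:
        """Hard delete: that version's data is gone for good."""
        self._versions[path][version - 1].update(destroyed=True, data=None)

    def rollback(self, path: str, version: int) -> int:
        """vault kv rollback: an old, live version becomes the newest version."""
        old = self._versions[path][version - 1]
        if old["deleted"] or old["destroyed"]:
            raise ValueError(f"version {version} is deleted or destroyed")
        return self.write(path, old["data"], cas=self.current_version(path))

    def patch(self, path: str, changes: Dict[str, Any]) -> int:
        """vault kv patch: merge into current data, guarded by CAS so a write
        that lands between our read and our write makes this fail loudly."""
        current = self.current_version(path)
        base = self.read(path) or {}
        return self.write(path, {**base, **changes}, cas=current)


def write_conflicts(kv: KVv2, path: str, data: Dict[str, Any], cas: Optional[int]) -> bool:
    """True if the write is refused by check-and-set (helper for checks)."""
    try:
        kv.write(path, data, cas=cas)
    except CASConflict:
        return True
    return False


def rollback_refused(kv: KVv2, path: str, version: int) -> bool:
    """True if rollback refuses the version (helper for checks)."""
    try:
        kv.rollback(path, version)
    except ValueError:
        return True
    return False
```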
BUG FIXES:
-mfa flag and migrate to OSS binary [GH-4223]
auth/ in front [GH-4206]
DEPRECATIONS/CHANGES:
* to the end of the
ARN. Existing configurations will be upgraded automatically, but when
writing a new role configuration the updated behavior will be used.
FEATURES:
IMPROVEMENTS:
tls_disable_client_cert is actually a true value rather
than just set [GH-4049]
BUG FIXES:
max_ttl when a corresponding role ttl is not also
set [GH-4107]
max_ttl value [GH-4110]
vault auth help when there is no CLI
helper for a particular method [GH-4056]
key_bits value when reading a role [GH-4098]
IMPROVEMENTS:
database/config endpoint
[GH-4026]
BUG FIXES:
.
SECURITY:
FEATURES:
transit: You can now encrypt and decrypt
with ChaCha20-Poly1305 in transit. Key derivation and convergent
encryption is also supported.
IMPROVEMENTS:
-format flag to all subcommands [GH-3897]
valid-principals flag to CLI for CA mode [GH-3922]
BUG FIXES:
stored-shares parameter [GH-3974]
A regression from a feature merge disabled the Nomad secrets backend in 0.9.2. This release re-enables the Nomad secrets backend; it is otherwise identical to 0.9.2.
SECURITY:
DEPRECATIONS/CHANGES:
sys/health DR Secondary Reporting: The replication_dr_secondary bool
returned by sys/health could be misleading since it would be false both
when a cluster was not a DR secondary but also when the node is a standby in
the cluster and has not yet fully received state from the active node. This
could cause health checks on LBs to decide that the node was acceptable for
traffic even though DR secondaries cannot handle normal Vault traffic. (In
other words, the bool could only convey "yes" or "no" but not "not sure
yet".) This has been replaced by replication_dr_mode and
replication_perf_mode which are string values that convey the current
state of the node; a value of disabled indicates that replication is
disabled or the state is still being discovered. As a result, an LB check
can positively verify that the node is both not disabled and is not a DR
secondary, and avoid sending traffic to it if either is true.
ou and organization
in role definitions in the PKI secret backend, input can now be a
comma-separated string or an array of strings. Reading a role will
now return arrays for these parameters.
FEATURES:
IMPROVEMENTS:
sys/health [GH-3810]
ou and organization can now be specified as a
comma-separated string or an array of strings [GH-3804]
BUG FIXES:
bound_iam_principal_arn was given to an
existing role update [GH-3843]max_lease_ttl and
default_lease_ttl when specified - previously both fields set
default_lease_ttl.
DEPRECATIONS/CHANGES:
list operations
against AppRole roles would require preserving case in the role name, even
though most other operations within AppRole are case-insensitive with
respect to the role name. This has been fixed; existing roles will behave as
they have in the past, but new roles will act case-insensitively in these
cases.
allowed_policies and
disallowed_policies in role definitions in the token auth backend, input
can now be a comma-separated string or an array of strings. Reading a role
will now return arrays for these parameters.
transit backend as
exportable at any time, rather than just at creation time; however, once
this value is set, it still cannot be unset.
allowed_domains and
key_usage in role definitions in the PKI secret backend, input
can now be a comma-separated string or an array of strings. Reading a role
will now return arrays for these parameters.
consul secret backend can now
accept both strings and integer numbers of seconds for its lease value. The
value returned on a role read will be an integer number of seconds instead
of a human-friendly string.
FEATURES:
transit backend now supports a backup
operation that can export a given key, including all key versions and
configuration, as well as a restore operation allowing import into another
Vault.
cert auth backend can now
match against custom certificate extensions via exact or glob matching, and
additionally supports max_ttl and periodic token toggles.
IMPROVEMENTS:
max_ttl and period [GH-3642]
0000 will now disable Vault from
automatically chmoding the log file [GH-3649]
allowed_policies and disallowed_policies can now be specified
as a comma-separated string or an array of strings [GH-3641]
VAULT_LOG_LEVEL
[GH-3721]
write_concern parameter, which can be set
during database configuration. This establishes a session-wide write
concern for the
lifecycle of the mount [GH-3646]
allowed_domains and key_usage can now be specified
as a comma-separated string or an array of strings [GH-3642]
lease set
on the role, if set, when renewing a secret. [GH-3796]
BUG FIXES:
allowed_names on role read [GH-3654]
allow_gce_inference [VPAG-19]
IMPROVEMENTS:
BUG FIXES:
DEPRECATIONS/CHANGES:
hmac_key_label. This performs a similar function to
key_label but for the HMAC key Vault will use. Vault will generate a
suitable key if this value is specified and generate_key is set true.
NewClient the API no longer
modifies the provided client/transport. In particular this means it will no
longer enable redirection limiting and HTTP/2 support on custom clients. It
is suggested that if you want to make changes to an HTTP client that you use
one created by DefaultConfig as a starting point.
disallow_reauthentication and allow_instance_migration.
ssh backend,
the TTL/max TTL values will now be an integer number of seconds rather than
a string. This better matches the API elsewhere in Vault.
ssh backend via the API,
the response data will additionally return a key_info map that will contain
a map of each key with a corresponding object containing the key_type.
storage and
ha_storage stanzas, and into the top-level configuration. redirect_addr
has been renamed to api_addr. The stanzas still support accepting
HA-related values to maintain backward compatibility, but top-level values
will take precedence.
seal stanza has been added to the configuration file, which is
optional and enables configuration of the seal type to use for additional
data protection, such as using HSM or Cloud KMS solutions to encrypt and
decrypt data.
FEATURES:
rekey operation is now supported; it uses recovery keys
to authorize the master key rekey.
IMPROVEMENTS:
700 as permissions when creating directories. The files
themselves were 600 and are all encrypted, but this doesn't hurt.
pki as both comma-separated strings and JSON
arrays [GH-3409]
none hash
algorithm to allow signing/verifying pre-hashed data [GH-3448]
BUG FIXES:
cert backend when the CA for the client cert is
not known to the server's listener [GH-2946]
CHANGES:
default policy will not be forcefully added to policies
saved in configurations. Please note that the default policy will continue
to be added to generated tokens, however, rather than backends adding
default to the given set of input policies (in some cases, and not in
others), the stored set will reflect the user-specified set.
sign-self-issued modifies Issuer in generated certificates: In 0.8.2 the
endpoint would not modify the Issuer in the generated certificate, leaving
the output self-issued. Although theoretically valid, in practice crypto
stacks were unhappy validating paths containing such certs. As a result,
sign-self-issued now encodes the signing CA's Subject DN into the Issuer
DN of the generated certificate.
sys/raw requires enabling: While the sys/raw endpoint can be extremely
useful in break-glass or support scenarios, it is also extremely dangerous.
As of now, a configuration file option raw_storage_endpoint must be set in
order to enable this API endpoint. Once set, the available functionality has
been enhanced slightly; it now supports listing and decrypting most of
Vault's core data structures, except for the encryption keyring itself.
generic is now kv: To better reflect its actual use, the generic
backend is now kv. Using generic will still work for backwards
compatibility.
FEATURES:
IMPROVEMENTS:
sign-intermediate will now allow specifying a ttl value
longer than the signing CA certificate's NotAfter value. [GH-3325]
BUG FIXES:
sign-self-issued encoding the wrong subject public key
[GH-3325]
BUG FIXES:
SECURITY:
DEPRECATIONS/CHANGES:
vault ssh users should supply -mode and -role to reduce the number of
API calls. A future version of Vault will mark these optional values as
required. Failure to supply -mode or -role will result in a warning.
FEATURES:
vault ssh: vault ssh now supports the SSH CA
backend for authenticating to machines. It also supports remote host key
verification through the SSH CA backend, if enabled.
pki backend now supports
signing self-issued CA certs. This is useful when switching root CAs.
IMPROVEMENTS:
stdout as the file_path to log to standard
output [GH-3235]
bound_iam_principal_arn [GH-3213]
vault -autocomplete-install [GH-3223]
vault auth. What
is output depends on the other given flags; see the help output for that
command for more information. [GH-3263]
cluster_cipher_suites in configuration [GH-3228]
plugin_name can now either be specified directly as part of the
parameter or within the config object when mounting a secret or auth backend
via sys/mounts/:path or sys/auth/:path respectively [GH-3202]
description of a mount when
mount-tuning, although this must be done through the HTTP layer [GH-3285]
pki/root/sign-self-issued [GH-3274]
BUG FIXES:
DEPRECATIONS/CHANGES:
pki/root/generate when a CA cert/key already
exists will now return a 204 instead of overwriting an existing root. If
you want to recreate the root, first run a delete operation on pki/root
(requires sudo capability), then generate it again.
FEATURES:
pki backend now supports
specifying permit
ted DNS domains for CA certificates, allowing you to
narrowly scope the set of domains for which a CA can issue or sign child
certificates.
sys/plugins/reload/backend endpoint and providing either
the plugin name or the mounts to reload.
IMPROVEMENTS:
pki/root delete operation [GH-3165]
BUG FIXES:
SECURITY:
DEPRECATIONS/CHANGES:
A1a-
characters prepended to ensure stricter requirements. No regressions are
expected from this change. (For database backends that were previously
substituting underscores for hyphens in passwords, this will remain the
case.)
sys/renew, sys/revoke, sys/revoke-prefix,
sys/revoke-force have been deprecated and relocated under sys/leases.
Additionally, the deprecated path sys/revoke-force now requires the sudo
capability.
sys/wrapping/lookup endpoint
is now unauthenticated. This allows introspection of the wrapping info by
clients that only have the wrapping token without then invalidating the
token. Validation functions/checks are still performed on the token.
FEATURES:
databases backend can now manage users
for SAP HANA databases
sys/leases endpoints in the API. These are located in the new top level
navigation item "Leases".
IMPROVEMENTS:
RenewTokenAsSelf [GH-2886]
VAULT_CLIENT_TIMEOUT env
var or with a new API function [GH-2956]
ttl/max_ttl inside the mount [GH-2915]
VAULT_CLIENT_TIMEOUT env
var [GH-2956]
-token-only flag to vault auth that returns only the
token on stdout and does not store it via the token helper [GH-2855]
tls_client_ca_file option for specifying a CA file to use for
client certificate verification when tls_require_and_verify_client_cert is
enabled [GH-3034]
max_parallel [GH-3026]
max_parallel [GH-3026]
sys/wrapping/lookup unauthenticated [GH-3084]
BUG FIXES:
429 codes as an error [GH-2850]
transit key [GH-2958]
sys/leases/renew returns same payload as original
sys/leases endpoint [GH-2891]
SECURITY:
DEPRECATIONS/CHANGES:
FEATURES:
transit backend now supports generating
ed25519 keys for signing and verification
functionality. These keys support derivation, allowing you to modify the
actual encryption key used by supplying a context value.
min_encryption_version key
configuration property.
IMPROVEMENTS:
-no-store option that prevents the auth command from
storing the returned token into the configured token helper [GH-2809]
BUG FIXES:
ttl field as the
documentation claims is supported [GH-2699]
BUG FIXES:
DEPRECATIONS/CHANGES:
binddn
user when binddn/bindpass are configured, rather than as the
authenticating user as was the case previously.
FEATURES:
sts:GetCallerIdentity is validated against the AWS STS
service before issuing a Vault token. This backend is unified with the
aws-ec2 authentication backend under the name aws, and allows additional
EC2-related restrictions to be applied during the IAM authentication; the
previous EC2 behavior is also still available. [GH-2441]
sys/leases/lookup; with sudo
capability you can also list leases for lookup, renewal, or revocation via
that endpoint. Various lease functions (renew, revoke, revoke-prefix,
revoke-force) have also been relocated to sys/leases/, but they also work
at the old paths for compatibility. Reading (but not listing) leases via
sys/leases/lookup is now a part of the current default policy. [GH-2650]
IMPROVEMENTS:
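An added example of what a client actually sends to the aws auth method's IAM login described above: a SigV4-signed sts:GetCallerIdentity request, packaged so Vault can forward it to STS and compare the identity STS reports with the role's binds (the iam_request_headers parameter noted in the 0.11.1 entries carries the signed headers). This is written for this page and is neither Vault's nor the AWS SDK's code; the SigV4 arithmetic follows the public specification using only the standard library. The login field names (role, iam_http_request_method, iam_request_url, iam_request_body, iam_request_headers) and the X-Vault-AWS-IAM-Server-ID header are the ones the method documents; the list-valued header map is an assumed shape, and the credentials, role name and server ID are constructed placeholders.

```python
"""SigV4-signed GetCallerIdentity request and the aws/login body that
carries it.  Added illustration, not Vault or AWS SDK code.
"""
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional
from urllib.parse import urlparse

STS_URL = "https://sts.amazonaws.com/"
STS_BODY = "Action=GetCallerIdentity&Version=2011-06-15"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sigv4_headers(access_key: str, secret_key: str, amz_date: str, region: str = "us-east-1",
                  session_token: Optional[str] = None, server_id: Optional[str] = None) -> Dict[str, str]:
    """Headers (lowercase names) for a SigV4-signed POST of STS_BODY to STS_URL."""
    headers = {
        "content-type": "application/x-www-form-urlencoded; charset=utf-8",
        "host": urlparse(STS_URL).netloc,
        "x-amz-date": amz_date,  # e.g. 20180101T000000Z
    }
    if session_token:
        headers["x-amz-security-token"] = session_token
    if server_id:
        # Signing the Vault server's ID into the request stops a signed
        # request captured for one Vault cluster from being replayed at another.
        headers["x-vault-aws-iam-server-id"] = server_id
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    payload_hash = hashlib.sha256(STS_BODY.encode()).hexdigest()
    canonical_request = "\n".join(["POST", "/", "", canonical_headers, signed_headers, payload_hash])
    date = amz_date[:8]
    scope = f"{date}/{region}/sts/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = _hmac(("AWS4" + secret_key).encode(), date)
    for part in (region, "sts", "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def vault_login_payload(headers: Dict[str, str], role: str) -> Dict[str, str]:
    """Body for POST auth/aws/login.  Vault decodes these fields, sends the
    request to STS itself, and checks the returned identity against the role."""
    def b64(s: str) -> str:
        return base64.b64encode(s.encode()).decode()
    return {
        "role": role,
        "iam_http_request_method": "POST",
        "iam_request_url": b64(STS_URL),
        "iam_request_body": b64(STS_BODY),
        # Go-style header map, each name to a list of values (assumed shape).
        "iam_request_headers": b64(json.dumps({k: [v] for k, v in headers.items()})),
    }


def decode_payload(payload: Dict[str, str]) -> Dict[str, object]:
    """Inverse of vault_login_payload, for inspection and checks."""
    def d(s: str) -> str:
        return base64.b64decode(s).decode()
    return {
        "url": d(payload["iam_request_url"]),
        "body": d(payload["iam_request_body"]),
        "headers": json.loads(d(payload["iam_request_headers"])),
    }


def signature_of(headers: Dict[str, str]) -> str:
    return headers["authorization"].rsplit("Signature=", 1)[1]
```

Because the server ID header is part of SignedHeaders, changing it changes the signature; that is what lets a role's iam_server_id_header_value binding reject requests signed for a different Vault.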
-self option to allow revoking the currently active token
[GH-2596]
approle on a primary before
secondaries were connected
no_store option that allows certificates to be issued
without being stored. This removes the ability to look up and/or add to a
CRL but helps with scaling to very large numbers of certificates. [GH-2565]
sign-verbatim/<role>
endpoint honors the values of generate_lease, no_store, ttl and
max_ttl from the given role [GH-2593]
allow_glob_domains that enables defining
names in allowed_domains containing * glob patterns [GH-2517]
discovery_srv option to query for SRV records to find
servers [GH-2521]
max_parallel option to limit concurrent outstanding
requests [GH-2466]
auth/token/tidy and sys/leases/tidy to handle more
cleanup cases [GH-2452]
BUG FIXES:
vault write is used with the force flag but no path
[GH-2674]
SECURITY:
exclude_cn_from_sans option used in
pki backend: When using a role in the pki backend that specified the
exclude_cn_from_sans option, the common name would not then be properly
validated against the role's constraints. This has been fixed. We recommend
that any users of this feature upgrade to 0.7 as soon as feasible.
DEPRECATIONS/CHANGES:
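An added model of the name checks behind two of the PKI entries above: the allow_glob_domains matching added in this release, and the exclude_cn_from_sans bug fixed here, shown as the broken check beside the corrected one. This is written for this page and is not Vault's PKI code: the role fields use the real parameter names, but the rules are simplified (case-insensitive, * via fnmatch, no IP or email SAN handling), and the roles and names are constructed.

```python
"""PKI role name validation with and without the exclude_cn_from_sans bug.
Added illustration, not Vault's PKI implementation; matching is simplified.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List


@dataclass
class Role:
    allowed_domains: List[str] = field(default_factory=list)
    allow_bare_domains: bool = False
    allow_subdomains: bool = False
    allow_glob_domains: bool = False


def name_allowed(role: Role, name: str) -> bool:
    """Does one DNS name satisfy the role's allowed_domains rules?"""
    name = name.lower()
    for domain in (d.lower() for d in role.allowed_domains):
        if "*" in domain:
            # Glob entries only count when allow_glob_domains is on.
            if role.allow_glob_domains and fnmatchcase(name, domain):
                return True
            continue
        if role.allow_bare_domains and name == domain:
            return True
        if role.allow_subdomains and name.endswith("." + domain):
            return True
    return False


def violations(role: Role, common_name: str, alt_names: List[str],
               exclude_cn_from_sans: bool = False, fixed: bool = True) -> List[str]:
    """Names in the request the role does not permit (empty means issue).

    fixed=False reproduces the pre-0.7 bug: only the SAN list was validated,
    and with exclude_cn_from_sans the CN never entered that list, so an
    arbitrary CN was issued.  fixed=True validates the CN unconditionally.
    """
    sans = list(alt_names)
    if not exclude_cn_from_sans and common_name not in sans:
        sans.insert(0, common_name)  # normally the CN is copied into the SANs
    to_check = [common_name] + list(alt_names) if fixed else sans
    return [n for n in to_check if not name_allowed(role, n)]
```

The two-line difference is the whole bug: validating "the names that will appear in the certificate" is not the same as validating "every name the requester asked for" once an option lets those sets diverge.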
GET or LIST HTTP verb, will now internally canonicalize the path to
have a trailing slash. This makes policy writing more predictable, as it
means clients will no longer work or fail based on which client they're
using or which HTTP verb they're using. However, it also means that policies
allowing list capability must be carefully checked to ensure that they
contain a trailing slash; some policies may need to be split into multiple
stanzas to accommodate.
pki/revoke
endpoint. Issuing leases is still possible by enabling the generate_lease
toggle in PKI role entries (this will default to true for upgrades, to
keep existing behavior), which will allow using lease IDs to revoke
certificates. For installations issuing large numbers of certificates (tens
to hundreds of thousands, or millions), this will significantly improve
Vault startup time since leases associated with these certificates will not
have to be loaded; however note that it also means that revocation of a
token used to issue certificates will no longer add these certificates to a
CRL. If this behavior is desired or needed, consider keeping leases enabled
and ensuring lifetimes are reasonable, and issue long-lived certificates via
a different role with leases disabled.
FEATURES:
IMPROVEMENTS:
LOGNAME or USER env vars for the
username if not explicitly set on the command line when authenticating
[GH-2154]
@cee) before each
line [GH-2359]
config/ca endpoint
and also return it when CA key pair is generated [GH-2483]
BUG FIXES:
FEATURES:
transit can now be marked as
exportable at creation time. This allows a properly ACL'd user to retrieve
the associated signing key, encryption key, or HMAC key. The exportable
value is returned on a key policy read and cannot be changed, so if a key is
marked exportable it will always be exportable, and if it is not it will
never be exportable.
encrypt, decrypt and rewrap operations
in the transit backend now support processing multiple input items in one
call, returning the output of each item in the response.
IMPROVEMENTS:
BUG FIXES:
disallowed_policies set) would not work in most
circumstances [GH-2286]
sign-verbatim, don't require a role and use the
CSR's common name [GH-2243]
SECURITY:
Further details about these security issues can be found in the 0.6.4 upgrade guide.
default Policy Privilege Escalation: If a parent token did not have the
default policy attached to its token, it could still create children with
the default policy. This is no longer allowed (unless the parent has
sudo capability for the creation path). In most cases this is low severity
since the access grants in the default policy are meant to be access
grants that are acceptable for all tokens to have.
auth/token/tidy) that can
perform housekeeping tasks on the token store; one of its tasks can detect
this situation and revoke the associated leases.
FEATURES:
IMPROVEMENTS:
no-store cache control header to make it more
secure in setups that are not end-to-end encrypted [GH-2183]
BUG FIXES:
DEPRECATIONS/CHANGES:
deny_null_bind parameter can be set to false to allow
these. [GH-2103]
FEATURES:
ui = true in the top level of Vault's configuration file and point a
web browser at your Vault address.
IMPROVEMENTS:
revocation_sql parameter on the role endpoint to
enable customization of user revocation SQL statements [GH-2033]
BUG FIXES:
unwrap command with
Vault 0.6.1 and older [GH-2014]
-field if the values contained
formatting directives [GH-2109]
DEPRECATIONS/CHANGES:
transit using convergent mode will
use a new nonce derivation mechanism rather than require the user to supply
a nonce. While not explicitly increasing security, it minimizes the
likelihood that a user will use the mode improperly and impact the security
of their keys. Keys in convergent mode that were created in v0.6.1 will
continue to work with the same mechanism (user-supplied nonce).
etcd HA off by default: Following in the footsteps of dynamodb, the
etcd storage backend now requires that ha_enabled be explicitly
specified in the configuration file. The backend currently has known broken
HA behavior, so this flag discourages use by default without explicitly
enabling it. If you are using this functionality, when upgrading, you should
set ha_enabled to "true" before starting the new versions of Vault.
/lookup and /destroy) which consumes the input from
the body and not the URL.
cubbyhole/response is deprecated. The
sys/wrapping/unwrap endpoint should be used instead as it provides
additional security, auditing, and other benefits. The ability to read
directly will be removed in a future release.
"disable_clustering" parameter in Vault's
config, or per-request
with the X-Vault-No-Request-Forwarding header.
bound_iam_role_arn value in the
aws-ec2 authentication backend to actually use the instance profile ARN.
This has been corrected, but as a result there is a behavior change. To
match using the instance profile ARN, a new parameter
bound_iam_instance_profile_arn has been added. Existing roles will
automatically transfer the value over to the correct parameter, but the next
time the role is updated, the new meanings will take effect.
FEATURES:
AppRole: Secret IDs generated under an
approle can now specify a list of CIDR blocks from where the requests to
generate secret IDs should originate from. If an approle already has CIDR
restrictions specified, the CIDR restrictions on the secret ID should be a
subset of those specified on the role [GH-1910]
generate-root, the root
token created at initialization time can now be PGP encrypted [GH-1883]
pki: The pki backend now allows,
when a CA cert is being supplied as a signed root or intermediate, a trust
chain of arbitrary length. The chain is returned as a parameter at
certificate issue/sign time and is retrievable independently as well.
[GH-1694]
transit backend now supports generating random
bytes and SHA sums; HMACs; and signing and verification functionality using
EC keys (P-256 curve)
IMPROVEMENTS:
auth/token/create-orphan endpoint [GH-1834]
SIGHUP to Vault now causes Vault to close and
re-open the log file, making it easier to rotate audit logs [GH-1953]
bound_iam_instance_profile_arn to
refer to IAM instance profile ARN and fixed the earlier bound_iam_role_arn
to refer to IAM role ARN instead of the instance profile ARN [GH-1913]
format flag on select CLI commands takes yml as an
alias for yaml [GH-1899]
DELETE is
an idempotent operation. [GH-1903]
BUG FIXES:
generate-root [GH-1827]
file storage backend [GH-1821]
zookeeper storage
backend and add a fix to the file storage backend's logic [GH-1964]
aws/sts path to consider ttl
parameter [39b75c6]
DEPRECATIONS/CHANGES:
503/501
respectively. See the version-specific upgrade guide for more details.
root policy) can no longer be created except
by another root token or the generate-root endpoint.
pki backend against new roles created or
modified after upgrading will contain a set of default key usages.
dynamodb physical data store no longer supports HA by default. It has
some non-ideal behavior around failover that was causing confusion. See the
documentation for information on enabling HA mode. It is very important that this
configuration is added before upgrading.
ldap backend no longer searches for memberOf groups as part of its
normal flow. Instead, the desired group filter must be specified. This fixes
some errors and increases speed for directories with different structures,
but if this behavior has been relied upon, ensure that you see the upgrade
notes before upgrading.
app-id is now deprecated with the addition of the new AppRole backend.
There are no plans to remove it, but we encourage using AppRole whenever
possible, as it offers enhanced functionality and can accommodate many more
types of authentication paradigms.
FEATURES:
approle backend is a
machine-oriented authentication backend that provides a similar concept to
App-ID while adding many missing features, including a pull model that
allows for the backend to generate authentication credentials rather than
requiring operators or other systems to push credentials in. It should be
useful in many more situations than App-ID. The inclusion of this backend
deprecates App-ID. [GH-1426]
Transit: The transit backend now supports a
convergent encryption mode where the same plaintext will produce the same
ciphertext. Although very useful in some situations, this has potential
security implications, which are mostly mitigated by requiring the use of
key derivation when convergent encryption is enabled. See the transit
backend documentation for more details. [GH-1537]
ldap auth backend now uses templates
to define group filters, providing the capability to support some
directories that could not easily be supported before (especially specific
Active Directory setups with nested groups). [GH-1388]
PKI: Issued certificates from roles created or
modified after upgrading contain a set of default key usages for increased
compatibility with OpenVPN and some other software. This set can be changed
when writing a role definition. Existing roles are unaffected. [GH-1552]
5xx
error code will now retry after a backoff. The maximum total number of
retries (including disabling this functionality) can be set with an
environment variable. See the environment variable documentation
for more details. [GH-1594]
vault init: The new -auto option on vault init
will perform service discovery using Consul. When only one node is discovered,
it will be initialized and when more than one node is discovered, they will
be output for easy selection. See vault init --help for more details. [GH-1642]
IMPROVEMENTS:
bound_account_id to the role
[GH-1523]
bound_iam_role_arn to the role
[GH-1522]
ttl field for the role [GH-1703]
tls.Config
have the minimum TLS version set to 1.2 by default. This is configurable.
disallowed_policies option to token store roles [GH-1681]
root or sudo tokens can now create periodic tokens via
auth/token/create; additionally, the same token can now be periodic and
have an explicit max TTL [GH-1725]
vault auth command supports a -path option to take in the path at
which the auth backend is enabled, thereby allowing authenticating against
different paths using the command options [GH-1532]
vault auth -methods will now display the config settings of the mount
[GH-1531]
vault read/write/unwrap -field now allows selecting token response
fields [GH-1567]
vault write -field now allows selecting wrapped response fields
[GH-1567]
vault status command [GH-1671]
sys/capabilities-self is now accessible as part of the default
policy [GH-1695]
sys/renew is now accessible as part of the default policy [GH-1701]
/sys endpoints now return normal api.Secret
structs in addition to the values they carried before. This means that
response wrapping can now be used with most authenticated /sys operations
[GH-1699]
ETCD_ADDR env var for specifying addresses [GH-1576]
service_tags option [GH-1643]
connect_timeout value for Cassandra connection
configuration [GH-1581]
allowed_roles to vault-ssh-helper's config and returning
role name as part of response of verify API
ssh [GH-1680]
BUG FIXES:
400 in most non-5xx error
cases [GH-1553]
SECURITY:
 * `sys/revoke-prefix` was intended to revoke prefixes of secrets (via lease
   IDs, which incorporate path information) and `auth/token/revoke-prefix`
   was intended to revoke prefixes of tokens (using the tokens' paths and,
   since 0.5.2, role information), but in implementation they both behaved
   exactly the same way, since a single component in Vault is responsible for
   managing lifetimes of both, and the type of the tracked lifetime was not
   being checked. The end result was that either endpoint could revoke both
   secret leases and tokens. We consider this a very minor security issue as
   there are a number of mitigating factors: both endpoints require `sudo`
   capability in addition to `write` capability, preventing blanket ACL path
   globs from providing access; both work by using the prefix to revoke as a
   part of the endpoint path, allowing them to be properly ACL'd; and both
   are intended for emergency scenarios and users should already not
   generally have access to either one. In order to prevent confusion, we
   have simply removed `auth/token/revoke-prefix` in 0.6, and
   `sys/revoke-prefix` will be meant for both leases and tokens instead.

DEPRECATIONS/CHANGES:
 * `auth/token/revoke-prefix` has been removed. See the security notice for
   details. [GH-1280]
 * `vault` service when using the `consul` backend and will perform its own
   health checks. See the Consul backend documentation for information on how
   to disable auto-registration and service checks.
 * 404 status code rather than an empty response object [GH-1365]
 * `pki` backend no longer have associated leases, and any CA certs already
   issued will ignore revocation requests from the lease manager. This is to
   prevent CA certificates from being revoked when the token used to issue the
   certificate expires; it was not obvious to users that the token lifetime
   needed to be at least as long as a potentially very long-lived CA cert.

FEATURES:
 * `vault unwrap` command. This makes secret distribution easier and more
   secure, including secure introduction.
 * `vault` service and perform its own health checking. By default the active
   node can be found at `active.vault.service.consul` and all standby nodes
   are at `standby.vault.service.consul`. Sealed vaults are marked critical
   and are not listed by default in Consul's service discovery. See the
   documentation for details. [GH-1349]
 * `auth/token` mount must be set high to accommodate certain needs but you
   want more granular restrictions on tokens being issued directly from the
   Token authentication backend at `auth/token`. [GH-1399]
 * `true`.

IMPROVEMENTS:
 * `seal` and `step-down` commands [GH-1435]
 * root/sudo paths in favor of normal ACL mechanisms. Particular exceptions
   are any current MFA paths. A few paths in `token` and `sys` also require
   root or sudo. [GH-1478]
 * `auth` command fails to authenticate the provided token [GH-1233]
 * `-format` and `-field` can now be used with the `write` command [GH-1228]
 * `mlock` support for FreeBSD, OpenBSD, and Darwin [GH-1297]
 * `disable_cache` option, caches for the policy store and the transit
   backend are now disabled as well [GH-1346]
 * `groupdn` is not configured, skip searching LDAP and only return policies
   for local groups, plus a warning [GH-1283]
 * `vault list` support for users and groups [GH-1270]
 * `memberOf` attribute for group membership searching [GH-1245]
 * `default` policies in appropriate places [GH-1235]
 * `vault token-create` and the API. The default is true, but tokens can be
   specified as non-renewable. [GH-1499]
 * `exclude_cn_from_sans` field to prevent adding the CN to DNS or Email
   Subject Alternate Names [GH-1220]
 * `HEAD` [GH-1509]

BUG FIXES:
 * `-field` with a non-string value [GH-1308]
 * `devRootTokenID` and `devListenAddress` flags over their respective env
   vars [GH-1480]
 * `vault ssh` command uses `sshpass`, which was failing to handle host key
   checking presented by the `ssh` binary. [GH-1473]
 * `vault auth` can now be specified in the `VAULT_AUTH_GITHUB_TOKEN`
   environment variable [GH-1511]
 * `allowed_policies` is empty for a role. Using `allowed_policies` of
   `default` resulted in the same behavior anyway. [GH-1276]
 * `default` policy is not contained in the backend config [GH-1256]

SECURITY:
We have written an example shell script that searches through Consul's ACL tokens and looks for those generated by Vault, which can be used as a template for a revocation script as deemed necessary for any particular security response. The script is available at https://gist.github.com/jefferai/6233c2963f9407a858d84f9c27d725c0
Please note that any outstanding leases for Consul tokens produced prior to 0.5.3 that have been renewed will continue to exhibit this behavior. As a result, we recommend either revoking all tokens produced by the backend and issuing new ones, or if needed, a more advanced variant of the provided example could use the timestamp embedded in each generated token's name to decide which tokens are too old and should be deleted. This could then be run periodically up until the maximum lease time for any outstanding pre-0.5.3 tokens has expired.
This is a security-only release. There are no other code changes since 0.5.2. The binaries have one additional change: they are built against Go 1.6.1 rather than Go 1.6, as Go 1.6.1 contains two security fixes to the Go programming language itself.
FEATURES:
 * `hmac_accessor=false` when enabling an audit backend.
 * `token` credential backend that allow modifying token behavior in ways that
   are not otherwise exposed or easily delegated. This allows creating tokens
   with a fixed set (or subset) of policies (rather than a subset of the
   calling token's), periodic tokens with a fixed TTL but no expiration,
   specified prefixes, and orphans.

IMPROVEMENTS:
 * `auth/token/lookup-accessor`, `auth/token/revoke-accessor` and
   `sys/capabilities-accessor`, which enable performing the respective actions
   with just the accessor of the tokens, without having access to the actual
   token [GH-1188]
 * `/` in policy paths [GH-1170]
 * `/` in mount paths [GH-1172]
 * `-dev` mode can now be specified via `-dev-root-token-id` or the
   environment variable `VAULT_DEV_ROOT_TOKEN_ID` [GH-1162]
 * `-dev` mode can now be specified via `-dev-listen-address` or the
   environment variable `VAULT_DEV_LISTEN_ADDRESS` [GH-1169]
 * `vault step-down` command and API endpoint to force the targeted node to
   give up active status, but without sealing. The node will wait ten seconds
   before attempting to grab the lock again. [GH-1146]
 * `renew-self` in this case. Change the behavior for any token being passed
   in to use `renew`. [GH-1150]
 * `app-id` parameter to be given in the login path; this causes the app-id
   to be part of the token path, making it easier to use with
   `revoke-prefix` [GH-424]
 * create/update capability distinction in user path, and add user-specific
   endpoints to allow changing the password and policies [GH-1216]
 * `pki/cert/SERIAL` endpoint [GH-1180]
 * `pki/revoke` endpoint to allow some other formats [GH-1187]
 * `ssh/config/zeroaddress` endpoint. [GH-1154]
 * `sys/capabilities` and `sys/capabilities-self` to fetch the capabilities
   of a token on a given path [GH-1171]
 * `sys/revoke-force`, which enables a user to ignore backend errors when
   revoking a lease, necessary in some emergency/failure scenarios [GH-1168]
 * `sys/health` can now be user-specified via query parameters [GH-1199]

BUG FIXES:

DEPRECATIONS/CHANGES:
 * `pki` backend has enforced SHA256 hashes in signatures from the beginning,
   and software that can handle these hashes should be able to handle larger
   key sizes. [GH-1095]
 * `pki/tidy` endpoint can be used to trigger expirations. [GH-1129]
 * `cert` backend now performs a variant of channel binding at renewal time
   for increased security. In order to not overly burden clients, a notion of
   identity is used. This functionality can be disabled. See the 0.5.1
   upgrade guide for more specific information [GH-1127]

FEATURES:

IMPROVEMENTS:
 * `VAULT_TLS_SERVER_NAME` environment variable can be used to control the
   SNI header during TLS connections [GH-1131]
 * `certs/` and `crls/` paths; use normal ACL behavior instead [GH-468]
 * `config` endpoint no longer requires a root token; normal ACL path
   matching applies
 * `connection_url` [GH-1096]
 * `sign-verbatim` path [GH-1104]
 * `tidy` endpoint to allow expunging expired certificates. [GH-1129]
 * `connection_url` [GH-1096]

BUG FIXES:

SECURITY:

DEPRECATIONS/CHANGES:
 * `s3` physical backend: Environment variables are now preferred over
   configuration values. This makes it behave similar to the rest of Vault,
   which, in increasing order of preference, uses values from the
   configuration file, environment variables, and CLI flags. [GH-871]
 * `etcd` physical backend: sync functionality is now supported and turned on
   by default. This can be disabled. [GH-921]
 * `transit`: If a client attempts to encrypt a value with a key that does
   not yet exist, what happens now depends on the capabilities set in the
   client's ACL policies. If the client has `create` (or `create` and
   `update`) capability, the key will upsert as in the past. If the client
   has only `update` capability, they will receive an error. [GH-1012]
 * `token-renew` CLI command: If the token given for renewal is the same as
   the client token, the `renew-self` endpoint will be used in the API. Given
   that the `default` policy (by default) allows all clients access to the
   `renew-self` endpoint, this makes it much more likely that the intended
   operation will be successful. [GH-894]
 * `lookup`: the `ttl` value in the response now reflects the actual
   remaining TTL rather than the original TTL specified when the token was
   created; this value is now located in `creation_ttl` [GH-986]
 * `rekey`: Rekey now requires a nonce to be supplied with key shares. This
   nonce is generated at the start of a rekey attempt and is unique for that
   attempt.
 * `status`: The exit code for the `status` CLI command is now 2 for an
   uninitialized Vault instead of 1. 1 is returned for errors. This better
   matches the rest of the CLI.

FEATURES:
 * `capabilities` set to specify fine-grained control over operations allowed
   on a path, including separation of `sudo` privileges from other
   privileges. These can be mixed and matched in any way desired. The
   `policy` value is kept for backwards compatibility. See the updated policy
   documentation for details. [GH-914]
 * `vault list` command. This currently supports listing keys in the
   `generic` and `cubbyhole` backends and a few other places (noted in the
   IMPROVEMENTS section below). Different parts of the API and backends will
   need to implement list capabilities in ways that make sense to particular
   endpoints, so further support will appear over time. [GH-617]
 * `generate-root` CLI command to generate new orphaned, non-expiring root
   tokens in case the original is lost or revoked (accidentally or
   purposefully). This requires a quorum of unseal key holders. The output
   value is protected via any PGP key of the initiator's choosing or a
   one-time pad known only to the initiator (a suitable pad can be generated
   via the `-genotp` flag to the command). [GH-915]
 * `init`, `rekey`, and `generate-root` CLI commands. Public keys for these
   users will be fetched automatically. [GH-901]
 * `transit` backend has gained a cache, and now loads only the working set
   of keys (e.g. from the `min_decryption_version` to the current key
   version). This provides large speedups and potential memory savings when
   the `rotate` feature of the backend is used heavily.

IMPROVEMENTS:
 * `advertise_addr` for HA via the `VAULT_ADVERTISE_ADDR` environment
   variable [GH-581]
 * `-check` flag that returns whether Vault is initialized [GH-949]
 * `-dev` mode [GH-850]
 * `-pgp-keys` [GH-940]
 * `tls_disable` option [GH-802]
 * `last_renewal_time` to token lookup calls [GH-896]
 * `ttl` to reflect the current remaining TTL; the original value is in
   `creation_ttl` [GH-1007]
 * `protocol_version` parameter to set the CQL proto version [GH-1005]
 * `pem_bundle` to be specified as the format, which provides a concatenated
   PEM bundle of returned values [GH-1008]
 * `max_idle_connections` parameter [GH-950]
 * `min_decryption_version` are loaded into the working set. This can provide
   a very large speed increase when rotating keys very often. [GH-977]

BUG FIXES:

 * `Sys().MountConfig(...)` to return proper values [GH-1017]
 * `sys/renew` that caused information stored in the `Secret` part of the
   response to be lost [GH-912]

MISC:

 * `vault-java` to libraries [GH-851]

BUILD NOTE:

SECURITY:

This is a security-only release; other than the version number and building
against Go 1.5.3, there are no changes from 0.4.0.

DEPRECATIONS/CHANGES:
 * `etcd` physical store uses port 2379 instead of port 4001, which is the
   port used by the supported version 2.x of etcd. [GH-753]
 * `default`, new tokens created will inherit this policy automatically.
 * `allowed_base_domain` parameter has been changed to `allowed_domains`,
   which accepts a comma-separated list of domains. This allows issuing
   certificates with DNS subjects across multiple domains. If you had a
   configured `allowed_base_domain` parameter, it will be migrated
   automatically when the role is read (either via a normal read, or via
   issuing a certificate).

FEATURES:
 * `pki` backend can now generate and sign root CA certificates and
   intermediate CA CSRs. It can also now sign submitted client CSRs, as well
   as a significant number of other enhancements. See the updated
   documentation for the full API. [GH-666]
 * `cert` backend now supports pushing CRLs into the mount and using the
   contained serial numbers for revocation checking. See the documentation
   for the cert backend for more info. [GH-330]
 * `default` is added to every token. This policy cannot be deleted, but it
   can be modified (including to an empty policy). There are three endpoints
   allowed in the default `default` policy, related to token
   self-management: `lookup-self`, which allows a token to retrieve its own
   information, and `revoke-self` and `renew-self`, which are
   self-explanatory. If your existing Vault installation contains a policy
   called `default`, it will not be overridden, but it will be added to each
   new token created. You can override this behavior when using manual token
   creation (i.e. not via an authentication backend) by setting the
   `no_default_policy` flag to `true`. [GH-732]

IMPROVEMENTS:
 * `sys/audit-hash` endpoint that can be used to generate an HMAC-SHA256'd
   value from provided data using the given audit backend's salt [GH-784]
 * `init` and `rekey` operations [GH-653]
 * `sys/policy` and `sys/mounts` now uses the normal ACL system instead of
   requiring a root token [GH-769]
 * `.` in path-based variables in many more locations [GH-244]
 * `datacenter` parameter was removed; it could not be effective unless the
   Vault node (or the Consul node it was connecting to) was in the datacenter
   specified, in which case it wasn't needed [GH-816]
 * `AWS_S3_BUCKET` environment variable [GH-758]

BUG FIXES:

 * `token-create` now supports the `ttl` parameter in addition to the
   deprecated `lease` parameter. [GH-688]
 * `generic` backends on the last use of a limited-use token [GH-615]
 * `generic` prior to 0.3 [GH-673]
 * `mount-tune` on the `auth/token` path did not take effect. [GH-688]
 * `generic` backend is written to with no data fields [GH-825]

MISC:

SECURITY:

FEATURES:
 * `mysql` and `postgresql` backends now allow setting the number of maximum
   open connections to the database, which was previously capped to 2.
   [GH-661]
 * `github` backend now supports specifying a TTL, enabling renewable tokens.
   [GH-664]

BUG FIXES:

MISC:

DEPRECATIONS/CHANGES:

Note: deprecations and breaking changes in upcoming releases are announced
ahead of time on the "vault-tool" mailing list.

FEATURES:

IMPROVEMENTS:

BUG FIXES:

MISC:

FEATURES:
 * `rotate` command can be used to rotate the master encryption key used to
   write data to the storage (physical) backend. [GH-277]
 * pki: Enable Vault to be a certificate authority and generate signed TLS
   certificates. [GH-310]
 * cassandra: Generate dynamic credentials for Cassandra [GH-363]
 * etcd: store physical data in etcd [GH-259] [GH-297]
 * s3: store physical data in S3. Does not support HA. [GH-242]
 * MySQL: store physical data in MySQL. Does not support HA. [GH-324]
 * `transit` secret backend supports derived keys for per-transaction unique
   keys [GH-399]

IMPROVEMENTS:

 * `cert` method [GH-380]
 * `*` to the path specification is all that is required.
 * `sys/health` endpoint supports `?standbyok` to return 200 on standby
   [GH-389]

BUG FIXES:

 * `k=v` allow blank values

MISC:

 * `help` to avoid confusion

FEATURES:

 * zookeeper: store physical data in Zookeeper. HA not supported yet.
 * ldap: authenticate using LDAP credentials.

IMPROVEMENTS:

 * `-insecure` has been renamed to `-tls-skip-verify` [GH-130]
 * `VAULT_TOKEN` overrides local stored auth [GH-162]
 * `X-Vault-Token` as auth header [GH-124]

BUG FIXES:

SECURITY CHANGES:

IMPROVEMENTS:

 * `lease_renewable` is now output along with the secret to show whether it
   is renewable or not

BUG FIXES:

 * `advertise_addr` is a valid URL with scheme [GH-106]