pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/security/vault security/vault: Update to ...
details: https://anonhg.NetBSD.org/pkgsrc/rev/464262f5e6ef
branches: trunk
changeset: 306817:464262f5e6ef
user: fhajny <fhajny%pkgsrc.org@localhost>
date: Fri Apr 27 14:02:41 2018 +0000
description:
security/vault: Update to 0.10.1.
DEPRECATIONS/CHANGES:
- `vault kv` and Vault versions: In 0.10.1 some issues with `vault kv` against
v1 K/V engine mounts are fixed. However, using 0.10.1 for both the server
and CLI versions is required.
- Mount information visibility: Users that have access to any path within a
mount can now see information about that mount, such as its type and
options, via some API calls.
- Identity and Local Mounts: Local mounts would allow creating Identity
entities but these would not be able to be used successfully (even locally)
in replicated scenarios. We have now disallowed entities and groups from
being created for local mounts in the first place.
FEATURES:
- X-Forwarded-For support: `X-Forwarded-For` headers can now be used to set the
client IP seen by Vault. See the TCP listener configuration
page for details.
- CIDR IP Binding for Tokens: Tokens now support being bound to specific
CIDR(s) for usage. Currently this is implemented in Token Roles; usage can be
expanded to other authentication backends over time.
- `vault kv patch` command: A new `kv patch` helper command that allows
modifying only some values in existing data at a K/V path, but uses
check-and-set to ensure that this modification happens safely.
- AppRole Local Secret IDs: Roles can now be configured to generate secret IDs
local to the cluster. This enables performance secondaries to generate and
consume secret IDs without contacting the primary.
- AES-GCM Support for PKCS#11 [BETA] (Enterprise): For supporting HSMs,
AES-GCM can now be used in lieu of AES-CBC/HMAC-SHA256. This has currently
only been fully tested on AWS CloudHSM.
- Auto Unseal/Seal Wrap Key Rotation Support (Enterprise): Auto Unseal
mechanisms, including PKCS#11 HSMs, now support rotation of encryption keys,
and migration between key and encryption types, such as from AES-CBC to
AES-GCM, can be performed at the same time (where supported).
IMPROVEMENTS:
- auth/approle: Support for cluster local secret IDs. This enables secondaries
to generate secret IDs without contacting the primary
- auth/token: Add to the token lookup response, the policies inherited due to
identity associations
- auth/token: Add CIDR binding to token roles
- cli: Add `vault kv patch`
- core: Add X-Forwarded-For support
- core: Add token CIDR-binding support
- identity: Add the ability to disable an entity. Disabling an entity does not
revoke associated tokens, but while the entity is disabled they cannot be
used.
- physical/consul: Allow tuning of session TTL and lock wait time
- replication: Dynamically adjust WAL cleanup over a period of time based on
the rate of writes committed
- secret/ssh: Update dynamic key install script to use shell locking to avoid
concurrent modifications
- ui: Access to `sys/mounts` is no longer needed to use the UI - the list of
engines will show you the ones you implicitly have access to (because you have
access to to secrets in those engines)
BUG FIXES:
- cli: Fix `vault kv` backwards compatibility with KV v1 engine mounts
- identity: Persist entity memberships in external identity groups across
mounts
- identity: Fix error preventing authentication using local mounts on
performance secondary replication clusters
- replication: Fix issue causing secondaries to not connect properly to a
pre-0.10 primary until the primary was upgraded
- secret/gcp: Fix panic on rollback when a roleset wasn't created properly
- secret/gcp: Fix panic on renewal
- ui: Fix IE11 form submissions in a few parts of the application
- ui: Fix IE file saving on policy pages and init screens
- ui: Fixed an issue where the AWS secret backend would show the wrong menu
- ui: Fixed an issue where policies with commas would not render in the
interface properly
- ui: Corrected the saving of mount tune ttls for auth methods
- ui: Credentials generation no longer checks capabilities before making
api calls. This should fix needing "update" capabilites to read IAM
credentials in the AWS secrets engine
diffstat:
security/vault/Makefile | 4 ++--
security/vault/distinfo | 10 +++++-----
2 files changed, 7 insertions(+), 7 deletions(-)
diffs (27 lines):
diff -r 0951615fd965 -r 464262f5e6ef security/vault/Makefile
--- a/security/vault/Makefile Fri Apr 27 13:53:08 2018 +0000
+++ b/security/vault/Makefile Fri Apr 27 14:02:41 2018 +0000
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.27 2018/04/11 15:35:49 fhajny Exp $
+# $NetBSD: Makefile,v 1.28 2018/04/27 14:02:41 fhajny Exp $
-DISTNAME= vault-0.10.0
+DISTNAME= vault-0.10.1
CATEGORIES= security
MASTER_SITES= ${MASTER_SITE_GITHUB:=hashicorp/}
diff -r 0951615fd965 -r 464262f5e6ef security/vault/distinfo
--- a/security/vault/distinfo Fri Apr 27 13:53:08 2018 +0000
+++ b/security/vault/distinfo Fri Apr 27 14:02:41 2018 +0000
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.18 2018/04/11 15:35:49 fhajny Exp $
+$NetBSD: distinfo,v 1.19 2018/04/27 14:02:41 fhajny Exp $
-SHA1 (vault-0.10.0.tar.gz) = 4bd141705c1704fbe309382ee8eb0e68786495a0
-RMD160 (vault-0.10.0.tar.gz) = 1d768b101d360c3b2a65d5ec19726c39cdca9549
-SHA512 (vault-0.10.0.tar.gz) = 204f6f7b36802befc6749a064f217817cdd1bbe634517dc6146a9a4a32bf70ea341634a7a4399f901bb2a63a1b096982f258e365244b01ab4ace833a799fa5bd
-Size (vault-0.10.0.tar.gz) = 12533158 bytes
+SHA1 (vault-0.10.1.tar.gz) = 698033ef7c931e2d7939eba8904cad79ccbfbe59
+RMD160 (vault-0.10.1.tar.gz) = eeaef430c97b405cdaf8f27eacbe26a0a1197bd0
+SHA512 (vault-0.10.1.tar.gz) = dfa2d81e0e51cf41694ad40ad9bcc6847a9261ee06b2787d59915b941a63bfe58e649271e1ff5a963b892af5c13043057f29a1a8412efe51b3cf54157c54a060
+Size (vault-0.10.1.tar.gz) = 13001413 bytes
Home |
Main Index |
Thread Index |
Old Index