pkgsrc-Changes-HG archive
[pkgsrc/trunk]: pkgsrc/security/vault Update security/vault to 0.9.0.
details: https://anonhg.NetBSD.org/pkgsrc/rev/3eec22412578
branches: trunk
changeset: 371652:3eec22412578
user: fhajny <fhajny%pkgsrc.org@localhost>
date: Thu Nov 16 11:31:12 2017 +0000
description:
Update security/vault to 0.9.0.
DEPRECATIONS/CHANGES:
- API HTTP client behavior: When calling `NewClient` the API no longer
modifies the provided client/transport.
- AWS EC2 client nonce behavior: The client nonce generated by the
backend that gets returned along with the authentication response
will be audited in plaintext.
- AWS Auth role options: The API will now error when trying to create
or update a role with the mutually-exclusive options
`disallow_reauthentication` and `allow_instance_migration`.
- SSH CA role read changes: When reading back a role from the `ssh`
backend, the TTL/max TTL values will now be an integer number of
seconds rather than a string. This better matches the API elsewhere
in Vault.
- SSH role list changes: When listing roles from the `ssh` backend via
the API, the response data will additionally return a `key_info` map
that will contain a map of each key with a corresponding object
containing the `key_type`.
- More granularity in audit logs: Audit request and response entries
are still in RFC3339 format but now have a granularity of
nanoseconds.
- High availability related values have been moved out of the
`storage` and `ha_storage` stanzas, and into the top-level
configuration. `redirect_addr` has been renamed to `api_addr`.
- A new `seal` stanza has been added to the configuration file, which
is optional and enables configuration of the seal type to use for
additional data protection, such as using HSM or Cloud KMS solutions
to encrypt and decrypt data.
FEATURES:
- RSA Support for Transit Backend: Transit backend can now generate
RSA keys which can be used for encryption and signing.
- Identity System: Now in open source and with significant
enhancements, Identity is an integrated system for understanding
users across tokens and enabling easier management of users directly
and via groups.
- External Groups in Identity: Vault can now automatically assign
users and systems to groups in Identity based on their membership in
external groups.
- Seal Wrap / FIPS 140-2 Compatibility (Enterprise): Vault can now
take advantage of FIPS 140-2-certified HSMs to ensure that Critical
Security Parameters are protected in a compliant fashion.
- Control Groups (Enterprise): Require multiple members of an Identity
group to authorize a requested action before it is allowed to run.
- Cloud Auto-Unseal (Enterprise): Automatically unseal Vault using AWS
KMS and GCP CKMS.
- Sentinel Integration (Enterprise): Take advantage of HashiCorp
Sentinel to create extremely flexible access control policies - even
on unauthenticated endpoints.
- Barrier Rekey Support for Auto-Unseal (Enterprise): When using
auto-unsealing functionality, the `rekey` operation is now
supported; it uses recovery keys to authorize the master key rekey.
- Operation Token for Disaster Recovery Actions (Enterprise): When
using Disaster Recovery replication, a token can be created that can
be used to authorize actions such as promotion and updating primary
information, rather than using recovery keys.
- Trigger Auto-Unseal with Recovery Keys (Enterprise): When using
auto-unsealing, a request to unseal Vault can be triggered by a
threshold of recovery keys, rather than requiring the Vault process to
be restarted.
- UI Redesign (Enterprise): All new experience for the Vault
Enterprise UI. The look and feel has been completely redesigned to
give users a better experience and make managing secrets fast and
easy.
- UI: SSH Secret Backend (Enterprise): Configure an SSH secret
backend, create and browse roles. And use them to sign keys or
generate one time passwords.
- UI: AWS Secret Backend (Enterprise): You can now configure the AWS
backend via the Vault Enterprise UI. In addition you can create
roles, browse the roles and Generate IAM Credentials from them
in the UI.
IMPROVEMENTS:
- api: Add ability to set custom headers on each call
- command/server: Add config option to disable requesting client
certificates
- core: Disallow mounting underneath an existing path, not just over
- physical/file: Use `700` as permissions when creating directories.
The files themselves were `600` and are all encrypted, but this
doesn't hurt.
- secret/aws: Add ability to use custom IAM/STS endpoints
- secret/cassandra: Work around Cassandra ignoring consistency levels
for a user listing query
- secret/pki: Private keys can now be marshalled as PKCS#8
- secret/pki: Allow entering URLs for `pki` as both comma-separated
strings and JSON arrays
- secret/ssh: Role TTL/max TTL can now be specified as either a string
or an integer
- secret/transit: Sign and verify operations now support a `none` hash
algorithm to allow signing/verifying pre-hashed data
- secret/database: Add the ability to glob allowed roles in the
Database Backend
- ui (enterprise): Support for RSA keys in the transit backend
- ui (enterprise): Support for DR Operation Token generation,
promoting, and updating primary on DR Secondary clusters
BUG FIXES:
- api: Fix panic when setting a custom HTTP client but with a nil
transport
- api: Fix authing to the `cert` backend when the CA for the client
cert is not known to the server's listener
- auth/approle: Create role ID index during read if a role is missing
one
- auth/aws: Don't allow mutually exclusive options
- auth/radius: Fix logging in in some situations
- core: Fix memleak when a connection would connect to the cluster
port and then go away
- core: Fix panic if a single-use token is used to step-down or seal
- core: Set rather than add headers to prevent some duplicated headers
in responses when requests were forwarded to the active node
- physical/etcd3: Fix some listing issues due to how etcd3 does prefix
matching
- physical/etcd3: Fix case where standbys can lose their etcd client
lease
- physical/file: Fix listing when underscores are the first component
of a path
- plugins: Allow response errors to be returned from backend plugins
- secret/transit: Fix panic if the length of the input ciphertext was
less than the expected nonce length
- ui (enterprise): Reinstate support for generic secret backends -
this was erroneously removed in a previous release
diffstat:
security/vault/Makefile | 4 ++--
security/vault/distinfo | 10 +++++-----
2 files changed, 7 insertions(+), 7 deletions(-)
diffs (27 lines):
diff -r 1a804944d547 -r 3eec22412578 security/vault/Makefile
--- a/security/vault/Makefile Thu Nov 16 11:01:47 2017 +0000
+++ b/security/vault/Makefile Thu Nov 16 11:31:12 2017 +0000
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.18 2017/09/26 07:41:14 fhajny Exp $
+# $NetBSD: Makefile,v 1.19 2017/11/16 11:31:12 fhajny Exp $
-DISTNAME= vault-0.8.3
+DISTNAME= vault-0.9.0
CATEGORIES= security
MASTER_SITES= ${MASTER_SITE_GITHUB:=hashicorp/}
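Review bot: Only DISTNAME moves from vault-0.8.3 to vault-0.9.0 in this hunk, while the changelog above announces configuration-file changes (`redirect_addr` renamed to `api_addr`, HA values moved out of the `storage` and `ha_storage` stanzas, a new optional `seal` stanza). If the package ships an example configuration, rc script or MESSAGE that references the old names, it needs a matching update in this commit; nothing in the diff touches such a file, so please confirm none exists.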
diff -r 1a804944d547 -r 3eec22412578 security/vault/distinfo
--- a/security/vault/distinfo Thu Nov 16 11:01:47 2017 +0000
+++ b/security/vault/distinfo Thu Nov 16 11:31:12 2017 +0000
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.12 2017/09/26 07:41:14 fhajny Exp $
+$NetBSD: distinfo,v 1.13 2017/11/16 11:31:12 fhajny Exp $
-SHA1 (vault-0.8.3.tar.gz) = dc346bdd2a9ee521eb04a6452d5d838736eea0ef
-RMD160 (vault-0.8.3.tar.gz) = b8a169e0fa9aa6c4f020d87c739d28b6b50c6d78
-SHA512 (vault-0.8.3.tar.gz) = e2b273ebb761246f6d85fc040d911a3f3a7beb0951fed4adcbe5df4106dd0cb013328b5816ef4153b2c4d363f7f2a14ae1c82bae9baaea74ef707ff0934d6c8d
-Size (vault-0.8.3.tar.gz) = 8128509 bytes
+SHA1 (vault-0.9.0.tar.gz) = e0a7cc5fb0584cbb657c7042ba7cb9e4295d385e
+RMD160 (vault-0.9.0.tar.gz) = e14063aebb3d3ad08cccbd1b603c19513d1cf8d3
+SHA512 (vault-0.9.0.tar.gz) = c5755bd8a696764af2375ac51b955759ece36796e6c138e6fc3e8abd487c10ac41c8927501234e0cdfcd448021254b2f09097d8e00a6278b44f971d8b8442da6
+Size (vault-0.9.0.tar.gz) = 8457263 bytes
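Review bot: The thing to verify for this hunk is that the four replacement lines (SHA1, RMD160, SHA512, Size) were generated from a freshly fetched vault-0.9.0.tar.gz (e.g. `make fetch` followed by `make distinfo`) rather than copied from elsewhere, since MASTER_SITES in the Makefile hunk points at the GitHub mirror and the SHA512 line is what the fetch integrity check relies on. All four entries are replaced together and the new Size of 8457263 bytes is consistent with a single regeneration, so no stale 0.8.3 line remains.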