Releases: hashicorp/boundary
Releases · hashicorp/boundary
v0.13.0
0.13.0 (2023/06/13)
New and Improved
- SSH Session Recordings (Enterprise and HCP Boundary only): SSH targets can now
be configured to record sessions. Recordings are signed and stored in a
Storage Bucket. Recordings can be played back in the admin UI.- Storage Buckets: This release introduces Storage Buckets, a Boundary
resource that represents a bucket in an external object store. Storage
Buckets can be defined at the global or org scope. When associated with an
SSH target, the storage bucket is used to store session recordings. This
release includes support for AWS S3 only. - BSR (Boundary Session Recording) file format: BSR is a new specification
that defines a hierarchical directory structure of files and a binary file
format. The contents of a BSR include all data transmitted between a user
and a target during a single session, relevant session metadata and summary
information. The BSR also includes checksum and signature files for
cryptographically verifying BSR contents, and a set of KMS wrapped keys for
use in BSR verification. The BSR format is intended to be extensible to
support various protocols. With this release BSR supports the SSH protocol.
It also supports converting an SSH channel recording into an
asciicast
format that is playable by asciinema. - To learn more about this new feature, refer to the
documentation.
- Storage Buckets: This release introduces Storage Buckets, a Boundary
- KMS workers: KMS workers now have feature parity with PKI workers (they
support multi-hop and Vault private access) and support separate KMSes for
authenticating downstreams across different networks. See the worker
configuration documentation
for more information. (PR) - roles: Perform additional validity checking on grants at submission time (PR)
- targets: The new
default_client_portfield allows specifying the default
port to use on the client side when connecting to a target, unless overridden
by the client via-listen-port(PR) - cli/api/sdk: New LDAP auth method type added with support for create, read,
update, delete, and list (see new clildapsubcommands available on CRUDL
operations for examples), as well as the ability to authenticate against it
via the SDK, CLI, admin UI, and desktop client. (PR) - ui: Display external names when listing dynamic hosts (PR)
- ui: Add support for LDAP authentication (PR)
- Dynamic Host Catalog: You can now view the AWS or Azure host name when listing hosts in CLI, admin console, and desktop client. (PR)
- Add configuration for license reporting (Enterprise only)
Deprecations/Changes
-
With the introduction of the new KMS variant for worker registration (as
described below), using the deprecated behavior requires opting-in. This is
only recommended if compatibility with pre-0.13 workers using the KMS auth
method is required. Requiring opting in removes some potentially confusing
behavior for deciding when to use the old versus new mechanism. To opt in, add
use_deprecated_kms_auth_method = trueto theworkerconfig block. Note
that if a 0.13+ worker using KMS connects to a 0.13+ controller using KMS, the
transition to the new method will happen automatically. To go back to the old
method after that will require the worker to be deleted and re-added with the
use_deprecated_kms_auth_methodconfig field specified. -
When grants are added to roles additional validity checking is now performed.
This extra validity checking is designed to reject grants that are not
documented grant formats
or are for combinations of IDs and types that cannot actually be used
together. These previously would have been accepted without error but would
never result in permissions being granted, causing confusion. As a result,
attempting to write such grants into roles may now result in an error; the
error message gives hints for resolution. -
WithAutomaticVersioningfor auth tokens in Go SDK: this option was
incorrectly being generated for auth token resources, which do not support
versioning. This is technically a breaking change, but it was a no-op option
anyways that there was no reason to be using. It has now been removed. -
Plugins: With the introduction of the storage plugin service, the Azure and AWS Host plugin
repositories have been renamed to drop thehostelement of the repository name:- https://github.com/hashicorp/boundary-plugin-host-aws -> https://github.com/hashicorp/boundary-plugin-aws
- https://github.com/hashicorp/boundary-plugin-host-azure -> https://github.com/hashicorp/boundary-plugin-azure
Similarly the
plugins/hostpackage has been renamed toplugins/boundary
(PR1,PR2, PR3, PR4). -
PostgreSQL 12 or greater is now required. PostgreSQL 11 is no longer
supported.
Bug Fixes
- targets:
authorize-sessionnow works properly when using a target's name as
the identifier and the target name contains one or more slashes (PR) - resource listing: API requests to list a resource (targets, sessions, users,
etc) now properly return all resources the callers has appropriate permission
to list (PR) - sessions: Fix a bug that contributed to slow response times when listing
sessions that had a large number of connections (PR) - ui: Fix
client secretbug for OIDC authentication methods(PR) - ui: Fix linking to a Host from the Host Set screen of a Dynamic Host Catalog (PR)
v0.12.2
0.12.2 (2023/04/04)
Security
- Boundary now uses Go 1.19.8 to address CVE-2023-24536. See the
Go announcement for
more details.
v0.12.1
fix(tests): break out of infinite loop for bats tests
v0.12.0
0.12.0 (2023/01/24)
Deprecations/Changes
- In Boundary 0.9.0, targets were updated to require a default port value. This
had been the original intention; it was a mistake that it was optional.
Unfortunately, due to a separate defect in the update verification logic for
static hosts, it was possible for a host to be updated (but not created) with
a port. This meant that targets could use ports attached to host addresses,
which was not the intention and leads to confusing behavior across different
installations. In this version, updating static hosts will no longer allow
ports to be part of the address; when authorizing a session, any port on such
a host will be ignored in favor of the default port on the target. In Boundary
0.14.0, this will become an error instead. As a consequence, it means that the
fallback logic for targets that did not have a default port defined is no
longer in service; all targets must now have a default port defined. - With the introduction of
vault-ssh-certificatecredential libraries, the
vaultcredential library subtype is being renamed tovault-genericto
denote it as a credential library that can be used in a generalized way to
issue credentials from vault. Existing credential libraries with the
subtype ofvaultwill be updated tovault-generic. The subtype of
vaultwill still be accepted as a valid subtype in API requests to the
credential libraries endpoints, but is deprecated. Insteadvault-generic
should be used. In addition theboundary credential-libraries create vaultandboundary credential-libraries update vaultsubcommands will
still function, but are deprecated. Insteadboundary credential-libraries create vault-genericandboundary credential-libraries update vault-genericshould be used. Also note that any credential library created
using the subtype ofvault, either via the API or via the deprecated
subcommand, will have the subtype set tovault-generic. The deprecated
subtype and subcommands will be removed in boundary 0.14.0, at which point
vault-genericmust be used. - In Boundary 0.1.8 using the
-format=jsonoption with the cli would provide
astatus_codefor successful API requests from the cli. However, in the
case where an error was returned, the JSON would usestatusinstead. This
inconsistency has been fixed, withstatus_codebeing used in both cases.
For error casesstatuswill still be populated, but is deprecated and will
be removed in 0.14.0.
New and Improved
- Direct Address Targets: You can now set an address directly on a target,
bypassing the need for host catalogs, host sets and hosts.
(PR) - Custom Response Headers: Adds ability to set api and ui response headers based
on status code. Includes default secure CSP and other headers.
(PR) - metrics: Adds accepted connections and closed connections counters to keep track
downstream connections for worker and controller servers.
(PR) - Egress and Ingress worker filters: The target
worker_filterfield has been deprecated and
replaced with egress and ingress worker filters. Egress worker filters determine which workers are
used to access targets. Ingress worker filters (HCP Boundary only) determine which workers are
used to connect with a client to initiate a session. (PR) - Multi-Hop Sessions (HCP Boundary only): Multi-hop PKI workers can communicate with each other to serve
2 primary purposes: authentication and session proxying. This results in the ability to chain
multiple workers together to access services hidden under layers of network security. Multi-hop
workers can also establish a TCP session through multiple workers, with the ability to reverse
proxy and establish a connection. - ui: Upgrade Admin UI to Ember 4.4.
(PR) - ui: Add support for JSON credentials in Admin UI.
(PR) - Vault SSH certificate credential library: A new credential library that uses
the vault ssh secret engine to generate ssh private key and certificates. The
library can be used as an injected application credential source for targets
that support credential injection. (PR) - ui: Add support for managed groups in add-principals list. (PR)
Bug Fixes
- plugins: Ignore
SIGHUPsent to parent process; some init systems, notably
dumb-init, would pass them along to the child processes and cause the
plugin to exit (PR) - data warehouse: Fix bug that caused credential dimensions to not get
associated with session facts (PR). - sessions: Fix two authorizeSession race conditions in handleProxy. (PR)
- cli: When using
-format=jsonthe JSON was inconsistent in how it reported
status codes. In successful cases it would usestatus_code, but in error
cases it would usestatus. Nowstatus_codeis used in both cases. In
error casesstatusis still populated, see the deprecations above for
more details. (PR) - database: Add job that automatically cleans up completed runs in the
job_runtable.
(PR) - core: Linux packages now have vendor label and set the default label to HashiCorp.
This fix is implemented for any future releases, but will not be updated for historical releases.
v0.11.2
0.11.2 (2022/12/09)
Security
- Boundary now uses Go 1.19.4 to address security vulnerability (CVE-2022-41717) See the
Go announcement for
more details.
v0.11.1
0.11.1 (2022/11/30)
New and Improved
-
Vault Parameter Templating: In
vaultcredential libraries, the paths and any
POST bodies can contain templated parameters using Go template syntax (similar
to Consul-Template). The following template parameters are supported (note
that account values are tied to the account associated with the token making
the call):{{ .User.Id }}: the user's ID{{ .User.Name }}: the user's name (from the user resource){{ .User.FullName }}: the user's name (from the account corresponding to
the primary auth method in the user's scope; this may not be populated or
maybe different than the account name in the template){{ .User.Email }}: the user's email address (same caveat asFullName){{ .Account.Id }}: the account's ID{{ .Account.Name }}: the account's name (from the account resource){{ .Account.LoginName }}: the account's login name (if used by that type
of account){{ .Account.Subject }}: the account's subject (if used by that type
of account){{ .Account.Email }}: the account's email (if used by that type
of account)
Additionally, there is currently a single function that strips the rest of a
string after a specified substring; this is useful for pulling an user/account name from an email address. In the following example it uses the account email can be any other parameter:{{ truncateFrom .Account.Email "@" }}: this would turn[email protected]intofoo
-
Per-scope key lifecycle management: You can now manage the lifecycles of both Key
Encryption Keys (KEKs) and Data Encryption Keys (DEKs) using the new key rotation
and key version destruction functionality. To learn more about this new feature,
refer to the
documentation.Upgrade notice: If the Database purpose DEK for a scope is destroyed, you must use
the API to cancel any sessions that predate the upgrade.
(PR) -
workers: PKI Worker daemons now get disconnected from upstreams when their
corresponding resource is deleted (PR)
Bug Fixes
- sessions: Fix workers not being in random order when returned to clients at
authorize-sessiontime, which could allow one worker to bear the majority of
sessions (PR) - workers: In some error conditions when sending status to controllers, errors
could be written to stdout along with a message that they could not
successfully be evented instead of being written to the event log
(PR) - workers: Fixed a panic that can happen in certain situations
(PR) - sessions: Fixed a panic in a controller when a worker is deleted while
sessions are ongoing (PR) - sessions: Fixed a panic in a worker when a user with an active
session is deleted (PR) - sessions: Fixed a bug where reading a session after its associated project
had been deleted would result in an error
(PR) - config: Fixed a bug where supplying multiple KMS blocks with the same purpose
would silently ignore all but the last block
(PR)
Deprecations/Changes
- In order to standardize on the templating format, templates in
grants
now are documented to use the new capitalization and format; however, the
previous style will continue to work.
v0.11.0
0.11.0 (2022/09/27)
Known Issues
- PKI workers in past versions did not store a prior encryption key, and a bug
prior to 0.11.0 meant that auth rotations could happen more frequently than
expected. This could cause some race issues around rotation time. However,
there was another issue where a past worker authentication record could be
looked up for some operations instead of the current one, made more likely by
the too-frequent rotations. In 0.11.0 we attempt to ensure that the record
that remains on upgrade is the most current one, but it is possible that the
wrong one is chosen, leading to a failure for the worker to authenticate or
for some operations to consistently fail. In this case, the worker will need
to be deleted and re-authorized. We apologize for any issues this causes and
this should be remedied going forward.
Bug Fixes
- Fix bug preventing delete of org. (PR
- scopes: Organizations could be prevented from being deleted if some resources
remained (PR) - workers: Authentication rotation could occur prior to the expected time
(PR) - workers: When looking up worker authentication records, an old record could be
returned instead of the new one, leading to errors for encryption or
decryption operations (PR)
New and Improved
- vault: (HCP Boundary only): Private Vault clusters can be used with HCP Boundary by using PKI workers
deployed in the same network as a private cluster. Tags are used to control which PKI workers can manage private Vault
requests by specifying aworker_filterattribute when configuring a Vault credential store. - credentials: There is now a
jsoncredential type supported bystatic
credential stores that allows submitting a generic JSON object to Boundary for
use with credential brokering workflows
(PR) - ui: Add support for worker management
(PR) - ui: Add support for PKI worker registration
(PR) - ui: Add support for Static Credential Stores
(PR) - ui: Add support for Username & Password Credentials
(PR) - ui: Add support for Username & Key Pair Credentials
(PR) - ui (HCP Boundary only): SSH Target creation along with injected application
credential support (PR) - ui (HCP Boundary only): Update vault credential stores to support private
vault access (PR) - ui: Improve quick setup wizard onboarding guide resource names
(PR) - ui: Updates to host catalog and host set forms and “Learn More” links
(PR) - workers: Added the ability to read and reinitialize the Worker certificate
authority (PR1,
PR2) - workers: Return the worker Boundary binary version on worker list and read
(PR) - workers: Addition of worker graceful shutdown, triggered by an initial
SIGINTorSIGTERM(PR) - workers: Retain one previous encryption/decryption key after authentication
rotation (PR)
Deprecations/Changes
- In 0.5.0, the
add-host-sets,remove-host-sets, andset-host-setsactions
on targets were deprecated in favor ofadd-host-sources,
remove-host-sources, andset-host-sources. Originally these actions and
API calls were to be removed in 0.6, but this was delayed to give extra time
for clients to switch over. This has now been fully switched over. A database
migration will modify any grants in roles to have the new actions. This same
changeover has been made foradd-/remove-/set-credential-librariesto
add-/remove-/set-credential-sources, although those actions would only be in
grant strings in very rare circumstances as the-sourcesactions replaced
the-librariesactions very quickly.
(PR)
v0.10.5
0.10.5 (2022/09/13)
Bug Fixes
- grants: Properly resolve "only self" for permissions. When generating
permissions from grants, if a single grant was limited only to a set of "self"
actions and that was the last grant parsed (which would be semi-random
depending on a number of factors), the overall set of permissions would be
marked as only-self. This would result in the generated permissions being more
limiting then they should be based on the grants. This only impacts the
sessions list endpoint. It would result in users that have been granted access
to list other user's sessions to be unable to see these sessions in the list
results (PR).
v0.10.4
0.10.4 (2022/09/13)
New and Improved
- Controller-led worker authorization: This is a second authorization option for
the workers using PKI-based authentication that was introduced in Boundary
0.10.0. In 0.10.0, the only mode available was "worker-led", in which a worker
generates an authorization request which can be submitted to a controller to
authorize the worker. With this new controller-led flow, a worker can be
created via the controller API first and return a one-time-use authorization
token. This token can then be made available to the worker at startup time via
its configuration file, env var, or a file with the value. If the worker is
not authorized and this token is provided, it will use the token to authorize
itself to the controller and set up PKI-based authentication.
(PR) - Initial upstreams reloading on
SIGHUP: Workers will now re-read the
initial_upstreamsvalue from the configuration file when given a SIGHUP.
This allows a worker to reconnect to controllers if the full set of
controllers has been changed over at the same time, without having to restart
the worker. (PR)
Bug Fixes
- vault: Correctly handle Vault credential stores and libraries that are linked to an
expired Vault token. (Issue,
PR). - aws host catalog: Fix an issue where the request to list hosts could timeout
on a large number of hosts
(Issue,
PR) - aws host catalog: Fix an issue where filters could become unreadable in the UI
if only one filter was created and was set by the CLI or directly via the API
(PR1,
PR2) - aws host catalog: Use provided region for IAM calls in addition to EC2
(Issue,
PR) - azure host catalog: Fix hosts not being found depending on the exact filter
used because different filters return values with different casing
(PR) - sessions: Fix an issue where sessions could not have more than one connection
(Issue,
PR) - workers: Fix repeating error in logs when connected to HCP Boundary about an
unimplemented HcpbWorkers call
(PR) - workers: Fix a panic that could occur when
workers:create:worker-led(e.g.
viaboundary workers create worker-led) was given an invalid token
(PR) - workers: Add the ability to set API-based worker tags via the CLI
(PR)