Releases: hashicorp/boundary
v0.7.3
0.7.3 (2021/12/16)
Bug Fixes
- target: Fix permission bug which prevents the UI from being able to add and remove
host sources on a target. (PR)
- credential: Fix panic during credential issue when a nil secret is received. This can
occur when using the Vault KV backend which returns a nil secret and no error if the
secret does not exist. (PR)
v0.7.2
0.7.2 (2021/12/14)
Security
- Boundary now uses Go 1.17.5 to address a security vulnerability (CVE-2021-44716) where
an attacker can cause unbounded memory growth in a Go server accepting HTTP/2 requests.
See the Go announcement for
more details. (PR)
v0.7.1
0.7.1 (2021/11/18)
Bug Fixes
- db: Fix panic invoking the CLI on Windows. Some changes to how the binary is
initialized resulted in running some functions on every startup that looked
for some embedded files. However, Go's embed package does not use OS-specific
path separators, so a mismatch between path separators caused a failure in the
function. (PR)
v0.7.0
0.7.0 (2021/11/17)
Deprecations/Changes
- tls: Boundary's support for TLS 1.0/1.1 on the API listener was broken. Rather
than fix this, we are simply not supporting TLS 1.0/1.1 as they are insecure.
New and Improved
- Boundary now supports dynamic discovery of host resources using our (currently
internal) new plugin system. See the documentation for configuration
instructions. Currently, only Azure and AWS are supported, but more providers
will be following in future releases.
- workers: The existing worker connection replay prevention logic has been
enhanced to be more robust against attackers that have decryption access to
the shared worker-auth KMS key (PR)
Bug Fixes
- tls: Support TLS 1.2 for more clients. This was broken for some clients due to
a missing mandated cipher suite of the HTTP/2 (h2) specification that could
result in no shared cipher suites between the Boundary API listener and those
clients. (PR)
- vault: Fix credential store support when using Vault namespaces (Issue, PR)
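The two tls entries in 0.7.0 (no TLS 1.0/1.1, and the missing h2-mandated cipher suite) can be checked mechanically on any Go listener configuration. The following is an added example, not Boundary's code: `checkListenerTLS` and both sample configs are hypothetical, and the suite constant is the one RFC 7540 section 9.2.2 names for HTTP/2 over TLS 1.2.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// Suite that RFC 7540 section 9.2.2 requires of HTTP/2 over TLS 1.2.
const h2MandatorySuite = tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

// checkListenerTLS (hypothetical helper) returns the problems found in cfg.
func checkListenerTLS(cfg *tls.Config) []string {
	var problems []string
	// An unset MinVersion defers to the Go release's default, so require an explicit pin.
	if cfg.MinVersion < tls.VersionTLS12 {
		problems = append(problems, "MinVersion allows TLS 1.0/1.1")
	}
	// A nil CipherSuites means Go's default list, which contains the mandated suite.
	if cfg.CipherSuites != nil {
		found := false
		for _, id := range cfg.CipherSuites {
			found = found || id == h2MandatorySuite
		}
		if !found {
			problems = append(problems, "CipherSuites lacks "+tls.CipherSuiteName(h2MandatorySuite))
		}
	}
	return problems
}

// weakConfig is a constructed example, not Boundary's actual suite list.
func weakConfig() *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS10,
		CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384},
	}
}

func hardenedConfig() *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{h2MandatorySuite, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384},
	}
}

func main() {
	fmt.Println("weak:", checkListenerTLS(weakConfig()))
	fmt.Println("hardened:", checkListenerTLS(hardenedConfig()))
}
```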
v0.6.2
0.6.2 (2021/09/27)
Deprecations/Changes
- permissions: Fix bug in Host Sets service that authenticated requests
against incorrect grant actions. This bug affects the SetHosts, AddHosts
and RemoveHosts paths that do not have wildcard (*) action grants.
If affected, please update grant actions as follows:
  - set-host-sets -> set-hosts
  - add-host-sets -> add-hosts
  - remove-host-sets -> remove-hosts
  (PR).
- Removes support for the auth-methods/<id>:authenticate:login action that was
deprecated in Boundary 0.2.0, please use auth-methods/<id>:authenticate instead.
(PR).
- Removes support for the credential field within auth-methods/<id>:authenticate
action. This field was deprecated in Boundary 0.2.0, please use attributes
instead. (PR).
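For operators auditing roles after the host-set action rename in 0.6.2, the mapping can be applied to grant strings programmatically. This is an added example, not part of Boundary: `migrateGrant` is a hypothetical helper, the sample grants are constructed, and it assumes the semicolon-separated text form of a grant with a comma-separated `actions=` field.

```go
package main

import (
	"fmt"
	"strings"
)

// renamedActions holds the three renames listed in the 0.6.2 release note.
var renamedActions = map[string]string{
	"set-host-sets":    "set-hosts",
	"add-host-sets":    "add-hosts",
	"remove-host-sets": "remove-hosts",
}

// migrateGrant rewrites only the actions= field of a text-form grant and
// reports whether a deprecated action name was replaced. Wildcard grants
// (actions=*) pass through untouched, matching the note's scope.
func migrateGrant(grant string) (string, bool) {
	fields := strings.Split(grant, ";")
	changed := false
	for i, f := range fields {
		kv := strings.SplitN(f, "=", 2)
		if len(kv) != 2 || strings.TrimSpace(kv[0]) != "actions" {
			continue
		}
		seen := map[string]bool{}
		var out []string
		for _, a := range strings.Split(kv[1], ",") {
			a = strings.TrimSpace(a)
			if repl, ok := renamedActions[a]; ok {
				a, changed = repl, true
			}
			// Drop duplicates created when old and new names were both granted.
			if !seen[a] {
				seen[a] = true
				out = append(out, a)
			}
		}
		fields[i] = kv[0] + "=" + strings.Join(out, ",")
	}
	return strings.Join(fields, ";"), changed
}

func main() {
	// Constructed sample grants.
	for _, g := range []string{
		"id=*;type=host-set;actions=add-host-sets,remove-host-sets,read",
		"id=*;type=*;actions=*",
	} {
		fixed, changed := migrateGrant(g)
		fmt.Printf("%-65s -> %s (changed=%v)\n", g, fixed, changed)
	}
}
```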
v0.6.1
0.6.1 (2021/09/14)
Bug Fixes
- grants: Fix issue where credential-store, credential-library, and
managed-group would not be accepted as specific type values in grant
strings. Also, fix authorized actions not showing credential-store values in
project scope output. (PR)
- actions: Fix sessions collection actions not being visible when reading a
scope (PR)
- credential stores: Fix credential stores not showing authorized collection
actions (PR)
v0.6.0
0.6.0 (2021/09/03)
New and Improved
- ui: Reflect user authorized actions in the UI: users now see only actionable
items for which they have permissions granted.
- ui: Icons refreshed for a friendlier look and feel.
Bug Fixes
- controller: Fix issue with recursive listing across services when using the
unauthenticated user (u_anon) with no token and the list was started in a
scope where the user does not have permission (PR)
- grants: Fix grant format type=<type>;output_fields=<fields> with no action
specified. In some code paths this format would trigger an error when
validating even though it is correctly handled within the ACL code. (PR)
- targets: Fix panic when using boundary targets authorize-session (issue, PR).
v0.5.1
0.5.1 (2021/08/16)
New and Improved
- Data Warehouse: Add OIDC auth method and accounts to the database warehouse.
Four new columns have been added to the wh_user_dimension table:
auth_method_external_id, auth_account_external_id, auth_account_full_name,
and auth_account_email. (PR)
Bug Fixes
v0.5.0
0.5.0 (2021/08/02)
Deprecations/Changes
- With respect to Target resources, two naming changes are taking place. Note
that these are not affecting the resources themselves, only the fields on
Target resources that map them to targets:
  - Credential Libraries: In Target definitions, the field referring to
  attached credential libraries is being renamed to the more abstract
  credential sources. In the future Boundary will gain the ability to
  internally store static credentials that are not generated or fetched
  dynamically, and the sources terminology better reflects that the IDs
  provided are a source of credentials, whether via dynamic generation or via
  the credentials themselves. This will allow a paradigm similar to
  principals with roles, where the principal IDs can be users, groups, and
  managed groups, rather than having them split out, and should result in an
  easier user experience once those features roll out compared to having
  separate flags and fields. In this 0.5 release the Boundary CLI has gained
  parallel application-credential-source flags to the existing
  application-credential-library flags, as well as
  boundary targets add/remove/set-credential-sources commands that parallel
  boundary targets add/remove/set-credential-libraries commands. This
  parallelism extends to the API actions and the grants system. In 0.6, the
  library versions of these commands, flags, and actions will be removed.
  - Host Sets: Similarly, in Target definitions, the field referring to
  attached host sets is being renamed to the more abstract host sources. In
  the future Boundary will allow attaching some host types directly, and
  possibly other mechanisms for gathering hosts for targets, so the sources
  terminology better reflects that the IDs provided are a source of hosts,
  whether via sets or via the hosts themselves. Like with credential sources,
  in this 0.5 release the Boundary CLI and API have gained parallel API
  actions and fields, and the set versions of these will be removed in 0.6.
New and Improved
- OIDC Accounts: When performing a read on an oidc type account, the
original token and userinfo claims are provided in the output. This can make
it significantly easier to write filters to create managed groups. (PR)
- Controllers will now mark connections as closed in the database if the worker
has not reported its status; this can be seen as the controller counterpart to
the worker-side session cleanup functionality released in 0.4.0. As with the
worker, the timeout for this behavior is 15s.
- Workers will shut down connections gracefully upon shutdown of the worker,
both closing the connection and sending a request to mark the connection as
closed in the database.
- Pressing CTRL-C (or sending a SIGINT) when Boundary is already shutting
down due to a CTRL-C or interrupt will now cause Boundary to immediately shut
down non-gracefully. This may leave various parts of the Boundary deployment
(namely sessions or connections) in an inconsistent state.
- Events: Boundary has moved from writing hclog entries to emitting events.
There are four types of Boundary events: error, system, observation and
audit. All events are emitted as cloudevents and we support both a
cloudevents-json format and custom Boundary cloudevents-text format.
Notes:
  - There are still a few lingering hclog bits within Boundary. If you wish to
  only output json from Boundary logging/events then you should specify both
  "-log-format json" and "-event-format cloudevents-json" when starting
  Boundary.
  - Filtering events: hclog log levels have been replaced by optional sets
  of allow and deny event filters which are specified via configuration, or
  in the case of "boundary dev" there are new cmd flags.
  - Observation events are MVP and contain a minimal set of observations about a
  request. Observations are aggregated for each request, so only one
  observation event will be emitted per request. We anticipate that a rich set
  of aggregate data about each request will be developed over time.
  - Audit events are a WIP and will only be emitted if they are both enabled
  and the env var BOUNDARY_DEVELOPER_ENABLE_EVENTS equals true. We
  anticipate many changes for audit events before they are generally available
  including what data is included and different options for
  redacting/encrypting that data.
PRs:
hclog json,text formats,
log adapters,
unneeded log deps,
update eventlogger,
convert from hclog to events,
event filtering,
cloudevents node,
system events,
convert errors to events,
integrate events into servers,
event pkg name,
events using ctx,
add eventer,
and base event types
Bug Fixes
- config: Fix error when populating all kms purposes in separate blocks (as
well as the error message) (issue, PR)
- server: Fix panic on worker startup failure when the server was not also
configured as a controller (PR)
New and Improved
- docker: Add support for multi-arch docker images (amd64/arm64) via Docker buildx
v0.4.0
0.4.0 (2021/06/29)
New and Improved
- Credential Stores: This release introduces Credential Stores, with the first
implementation targeting Vault. A credential store can be created that accepts
a Vault periodic token (which it will keep refreshed) and connection
information allowing it to make requests to Vault.
- Credential Libraries: This release introduces Credential Libraries, with the
first implementation targeting Vault. Credential libraries describe how to
make a request to fetch a credential from the credential store. The first
credential library is the generic type that takes in a user-defined request
body to send to Vault and thus can work for any type of Vault secrets engine.
When a credential library is used to fetch a credential, if the credential
contains a lease, Boundary will keep the credential refreshed, and revoke the
credential when the session that requested it is finished.
- Credential Brokering: Credential libraries can be attached to targets; when a
session is authorized against that target, a credential will be fetched from
the library that is then relayed to the client. The client can then use this
information to make a connection, allowing them to gain the benefit of dynamic
credential generation from Vault, but without needing their own Vault
login/token (see NOTE below).
- boundary connect Credential Brokering Integration: Additionally, we have
started integration into the boundary connect helpers, starting in this
release with the Postgres helper; if the credential contains a
username/password and boundary connect postgres is the helper being used,
the command will automatically pass the credentials to the psql process.
- The worker will now close any existing proxy connections it is handling when
it cannot make a status request to the worker. The timeout for this behavior
is currently 15 seconds.
NOTE: When using credential brokering, remember that if the user can connect
directly to the end resource, they can use the brokered username and password
via that direct connection to skip Boundary. This isn't any different from
normal Boundary behavior (if a user can directly connect, they can bypass
Boundary) but it's worth repeating.