v1.7.0-rc1
Pre-release
Pre-release
CHANGES:
- go: Update go version to 1.15.8 [GH-11060]
FEATURES:
- Aerospike Storage Backend: Add support for using Aerospike as a storage backend [GH-10131]
- agent: Support for persisting the agent cache to disk [GH-10938]
- auth/jwt: Adds
max_age
role parameter andauth_time
claim validation. [GH-10919] - kmip (enterprise): Use entropy augmentation to generate kmip certificates
- sdk: Private key generation in the certutil package now allows custom io.Readers to be used. [GH-10653]
- secrets/aws: add IAM tagging support for iam_user roles [GH-10953]
- secrets/database/cassandra: Add ability to customize dynamic usernames [GH-10906]
- secrets/database/couchbase: Add ability to customize dynamic usernames [GH-10995]
- secrets/database/mongodb: Add ability to customize dynamic usernames [GH-10858]
- secrets/database/mssql: Add ability to customize dynamic usernames [GH-10767]
- secrets/database/mysql: Add ability to customize dynamic usernames [GH-10834]
- secrets/database/postgresql: Add ability to customize dynamic usernames [GH-10766]
- secrets/openldap: Added dynamic roles to OpenLDAP similar to the combined database engine [GH-10996]
- secrets/terraform: New secret engine for managing Terraform Cloud API tokens [GH-10931]
- ui: Adds check for feature flag on application, and updates namespace toolbar on login if present [GH-10588]
- ui: Adds the wizard to the Database Secret Engine [GH-10982]
- ui: Database secrets engine, supporting MongoDB only [GH-10655]
IMPROVEMENTS:
- agent: Add template-retry stanza to agent config. [GH-10644]
- agent: Agent can now run as a Windows service. [GH-10231]
- agent: Better concurrent request handling on identical requests proxied through Agent. [GH-10705]
- agent: Route templating server through cache when persistent cache is enabled. [GH-10927]
- agent: change auto-auth to preload an existing token on start [GH-10850]
- auth/ldap: Improve consistency in error messages [GH-10537]
- auth/okta: Adds support for Okta Verify TOTP MFA. [GH-10942]
- changelog: Add dependencies listed in dependencies/2-25-21 [GH-11015]
- command/debug: Now collects logs (at level
trace
) as a periodic output. [GH-10609] - core (enterprise): "vault status" command works when a namespace is set. [GH-10725]
- core (enterprise): Update Trial Enterprise license from 30 minutes to 6 hours
- core/metrics: Added "vault operator usage" command. [GH-10365]
- core/metrics: New telemetry metrics reporting lease expirations by time interval and namespace [GH-10375]
- core: Added active since timestamp to the status output of active nodes. [GH-10489]
- core: Check audit device with a test message before adding it. [GH-10520]
- core: Track barrier encryption count and automatically rotate after a large number of operations or on a schedule [GH-10744]
- core: add metrics for active entity count [GH-10514]
- core: add partial month client count api [GH-11022]
- core: dev mode listener allows unauthenticated sys/metrics requests [GH-10992]
- core: reduce memory used by leases [GH-10726]
- secrets/gcp: Truncate ServiceAccount display names longer than 100 characters. [GH-10558]
- storage/raft (enterprise): Listing of peers is now allowed on DR secondary
cluster nodes, as an update operation that takes in DR operation token for
authenticating the request. - ui: Clarify language on usage metrics page empty state [GH-10951]
- ui: Customize MongoDB input fields on Database Secrets Engine [GH-10949]
- ui: Upgrade Ember-cli from 3.8 to 3.22. [GH-9972]
- ui: Upgrade Storybook from 5.3.19 to 6.1.17. [GH-10904]
- ui: Upgrade date-fns from 1.3.0 to 2.16.1. [GH-10848]
- ui: Upgrade dependencies to resolve potential JS vulnerabilities [GH-10677]
- ui: better errors on Database secrets engine role create [GH-10980]
BUG FIXES:
- agent: Only set the namespace if the VAULT_NAMESPACE env var isn't present [GH-10556]
- agent: Set TokenParent correctly in the Index to be cached. [GH-10833]
- agent: Set namespace for template server in agent. [GH-10757]
- api/sys/config/ui: Fixes issue where multiple UI custom header values are ignored and only the first given value is used [GH-10490]
- api: Fixes CORS API methods that were outdated and invalid [GH-10444]
- auth/jwt: Fixes
bound_claims
validation for provider-specific group and user info fetching. [GH-10546] - auth/jwt: Fixes an issue where JWT verification keys weren't updated after a
jwks_url
change. [GH-10919] - auth/jwt: Fixes an issue where
jwt_supported_algs
were not being validated for JWT auth using
jwks_url
andjwt_validation_pubkeys
. [GH-10919] - auth/oci: Fixes alias name to use the role name, and not the literal string
name
[GH-10] [GH-10952] - consul-template: Update consul-template vendor version and associated dependencies to master,
pulling in hashicorp/consul-template#1447 [GH-10756] - core (enterprise): Limit entropy augmentation during token generation to root tokens. [GH-10487]
- core (enterprise): Vault EGP policies attached to path * were not correctly scoped to the namespace.
- core/identity: Fix deadlock in entity merge endpoint. [GH-10877]
- core: Avoid deadlocks by ensuring that if grabLockOrStop returns stopped=true, the lock will not be held. [GH-10456]
- core: Avoid disclosing IP addresses in the errors of unauthenticated requests [GH-10579]
- core: Fix client.Clone() to include the address [GH-10077]
- core: Fix duplicate quotas on performance standby nodes. [GH-10855]
- core: Fix rate limit resource quota migration from 1.5.x to 1.6.x by ensuring
purgeInterval
and
staleAge
are set appropriately. [GH-10536] - core: Make all APIs that report init status consistent, and make them report
initialized=true when a Raft join is in progress. [GH-10498] - core: Make the response to an unauthenticated request to sys/internal endpoints consistent regardless of mount existence. [GH-10650]
- core: Turn off case sensitivity for allowed entity alias check during token create operation. [GH-10743]
- http: change max_request_size to be unlimited when the config value is less than 0 [GH-10072]
- license: Fix license caching issue that prevents new licenses to get picked up by the license manager [GH-10424]
- metrics: Protect emitMetrics from panicking during post-seal [GH-10708]
- quotas/rate-limit: Fix quotas enforcing old rate limit quota paths [GH-10689]
- replication (enterprise): Fix bug with not starting merkle sync while requests are in progress
- secrets/database/influxdb: Fix issue where not all errors from InfluxDB were being handled [GH-10384]
- secrets/database/mysql: Fixes issue where the DisplayName within generated usernames was the incorrect length [GH-10433]
- secrets/database: Sanitize
private_key
field when reading database plugin config [GH-10416] - secrets/gcp: Fix issue with account and iam_policy roleset WALs not being removed after attempts when GCP project no longer exists [GH-10759]
- secrets/transit: allow for null string to be used for optional parameters in encrypt and decrypt [GH-10386]
- serviceregistration: Fix race during shutdown of Consul service registration. [GH-10901]
- storage/raft (enterprise): Automated snapshots with Azure required specifying
azure_blob_environment
, which should have had as a defaultAZUREPUBLICCLOUD
. - storage/raft (enterprise): Reading a non-existent auto snapshot config now returns 404.
- storage/raft (enterprise): The parameter aws_s3_server_kms_key was misnamed and
didn't work. Renamed to aws_s3_kms_key, and make it work so that when provided
the given key will be used to encrypt the snapshot using AWS KMS. - transform (enterprise): Fix bug tokenization handling metadata on exportable stores
- transform (enterprise): Fix bug where tokenization store changes are persisted but don't take effect
- transform (enterprise): Fix transform configuration not handling
stores
parameter on the legacy path - transform (enterprise): Make expiration timestamps human readable
- transform (enterprise): Return false for invalid tokens on the validate endpoint rather than returning an HTTP error
- ui: Fix bug in Transform secret engine when a new role is added and then removed from a transformation [GH-10417]
- ui: Fix bug that double encodes secret route when there are spaces in the path and makes you unable to view the version history. [GH-10596]
- ui: Fix expected response from feature-flags endpoint [GH-10684]
- ui: Fix footer URL linking to the correct version changelog. [GH-10491]