github hashicorp/boundary v0.13.0


0.13.0 (2023/06/13)

New and Improved

  • SSH Session Recordings (Enterprise and HCP Boundary only): SSH targets can now
    be configured to record sessions. Recordings are signed and stored in a
    Storage Bucket. Recordings can be played back in the admin UI.
    • Storage Buckets: This release introduces Storage Buckets, a Boundary
      resource that represents a bucket in an external object store. Storage
      Buckets can be defined at the global or org scope. When associated with an
      SSH target, the storage bucket is used to store session recordings. This
      release includes support for AWS S3 only.
    • BSR (Boundary Session Recording) file format: BSR is a new specification
      that defines a hierarchical directory structure of files and a binary file
      format. The contents of a BSR include all data transmitted between a user
      and a target during a single session, relevant session metadata and summary
      information. The BSR also includes checksum and signature files for
      cryptographically verifying BSR contents, and a set of KMS wrapped keys for
      use in BSR verification. The BSR format is intended to be extensible to
      support various protocols. With this release BSR supports the SSH protocol.
      It also supports converting an SSH channel recording into the asciicast
      format, which is playable by asciinema.
    • To learn more about this new feature, refer to the documentation.
  • KMS workers: KMS workers now have feature parity with PKI workers (they
    support multi-hop and Vault private access) and support separate KMSes for
    authenticating downstreams across different networks. See the worker
    configuration documentation for more information. (PR)
  • roles: Perform additional validity checking on grants at submission time (PR)
  • targets: The new default_client_port field allows specifying the default
    port to use on the client side when connecting to a target, unless overridden
    by the client via -listen-port (PR)
  • cli/api/sdk: New LDAP auth method type added with support for create, read,
    update, delete, and list (see the new cli ldap subcommands for examples of
    the CRUDL operations), as well as the ability to authenticate against it
    via the SDK, CLI, admin UI, and desktop client. (PR)
  • ui: Display external names when listing dynamic hosts (PR)
  • ui: Add support for LDAP authentication (PR)
  • Dynamic Host Catalog: You can now view the AWS or Azure host name when listing hosts in CLI, admin console, and desktop client. (PR)
  • Add configuration for license reporting (Enterprise only)
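The BSR verification model described in the SSH Session Recordings item above (a checksum for every file in the recording, plus a signature over those checksums) is easier to reason about in code. The following Go program is an added illustration written for this page; it is not Boundary's own BSR implementation and does not reproduce the BSR directory layout, file names or KMS key wrapping. It uses constructed sample files, an ed25519 key generated on the fly in place of a KMS-wrapped key, and the file names SHA256SUM and SHA256SUM.sig chosen for the example. What it demonstrates is the ordering a verifier must follow (check the signature before trusting a single manifest line) and the check a naive verifier forgets (a file on disk that the signed manifest does not cover).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// Constructed stand-in for a recording's files (name -> contents). The real
// BSR directory layout and file names are not reproduced here.
var sampleFiles = map[string][]byte{
	"session-meta.json": []byte(`{"session_id":"s_example","protocol":"ssh"}`),
	"channel-0.data":    []byte("$ id\r\nuid=1000(dev)\r\n$ exit\r\n"),
}

// buildManifest emits sha256sum-style "<hex>  <name>" lines, sorted by name
// so the manifest (and therefore its signature) is deterministic.
func buildManifest(files map[string][]byte) []byte {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	return []byte(b.String())
}

// writeSigned stores the files, the manifest (SHA256SUM) and an ed25519
// signature over the manifest (SHA256SUM.sig) in dir.
func writeSigned(dir string, files map[string][]byte, priv ed25519.PrivateKey) error {
	for n, data := range files {
		if err := os.WriteFile(filepath.Join(dir, n), data, 0o600); err != nil {
			return err
		}
	}
	manifest := buildManifest(files)
	if err := os.WriteFile(filepath.Join(dir, "SHA256SUM"), manifest, 0o600); err != nil {
		return err
	}
	return os.WriteFile(filepath.Join(dir, "SHA256SUM.sig"), ed25519.Sign(priv, manifest), 0o600)
}

// verify checks the signature before trusting any manifest line, then every
// listed file's digest, and finally rejects files present on disk but not
// covered by the manifest (otherwise an attacker could drop in an extra,
// unsigned fragment that a player would happily show).
func verify(dir string, pub ed25519.PublicKey) error {
	manifest, err := os.ReadFile(filepath.Join(dir, "SHA256SUM"))
	if err != nil {
		return err
	}
	sig, err := os.ReadFile(filepath.Join(dir, "SHA256SUM.sig"))
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, manifest, sig) {
		return errors.New("manifest signature invalid")
	}
	covered := map[string]bool{"SHA256SUM": true, "SHA256SUM.sig": true}
	for _, line := range strings.Split(string(manifest), "\n") {
		if line == "" {
			continue
		}
		want, name, ok := strings.Cut(line, "  ")
		if !ok {
			return fmt.Errorf("malformed manifest line %q", line)
		}
		data, err := os.ReadFile(filepath.Join(dir, name))
		if err != nil {
			return err
		}
		got := sha256.Sum256(data)
		if hex.EncodeToString(got[:]) != want {
			return fmt.Errorf("digest mismatch for %s", name)
		}
		covered[name] = true
	}
	entries, err := os.ReadDir(dir)
	if err != nil {
		return err
	}
	for _, e := range entries {
		if !covered[e.Name()] {
			return fmt.Errorf("file %s is not covered by the signed manifest", e.Name())
		}
	}
	return nil
}

// runDemo signs the sample recording into dir and returns the verification
// result for the untouched directory, after truncating a channel file, and
// after restoring it but adding a file the manifest never listed.
func runDemo(dir string) (clean, truncated, extraFile error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // stands in for the KMS-wrapped BSR key
	if err != nil {
		return err, err, err
	}
	if err := writeSigned(dir, sampleFiles, priv); err != nil {
		return err, err, err
	}
	clean = verify(dir, pub)
	chPath := filepath.Join(dir, "channel-0.data")
	_ = os.WriteFile(chPath, []byte("$ id\r\n"), 0o600) // drop the tail of the transcript
	truncated = verify(dir, pub)
	_ = os.WriteFile(chPath, sampleFiles["channel-0.data"], 0o600)
	_ = os.WriteFile(filepath.Join(dir, "channel-1.data"), []byte("$ sudo -i\r\n"), 0o600)
	extraFile = verify(dir, pub)
	return clean, truncated, extraFile
}

func main() {
	dir, _ := os.MkdirTemp("", "bsr-demo")
	defer os.RemoveAll(dir)
	clean, truncated, extra := runDemo(dir)
	fmt.Println("clean:", clean, "| truncated:", truncated, "| extra file:", extra)
}
```

The signature covers only the manifest, so the per-file digests are what bind each recording file to it; checking the digests without first checking the signature would let an attacker rewrite both a channel file and its manifest line. In a real BSR the public key used for this check is itself delivered wrapped by a KMS, so a production verifier additionally has to unwrap and validate that key before calling the equivalent of verify.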

Deprecations/Changes

  • With the introduction of the new KMS variant for worker registration (as
    described above), using the deprecated behavior requires opting in. This is
    only recommended if compatibility with pre-0.13 workers using the KMS auth
    method is required. Requiring an explicit opt-in removes some potentially
    confusing behavior around deciding when to use the old versus the new
    mechanism. To opt in, add use_deprecated_kms_auth_method = true to the
    worker config block. Note that if a 0.13+ worker using KMS connects to a
    0.13+ controller using KMS, the transition to the new method happens
    automatically. Going back to the old method after that requires the worker
    to be deleted and re-added with the use_deprecated_kms_auth_method config
    field specified.

  • When grants are added to roles, additional validity checking is now
    performed. This extra validity checking is designed to reject grants that do
    not match a documented grant format or that combine IDs and types that
    cannot actually be used together. These previously would have been accepted
    without error but would never result in permissions being granted, causing
    confusion. As a result, attempting to write such grants into roles may now
    result in an error; the error message gives hints for resolution.

  • WithAutomaticVersioning for auth tokens in Go SDK: this option was
    incorrectly being generated for auth token resources, which do not support
    versioning. This is technically a breaking change, but it was a no-op option
    anyway and there was no reason to use it. It has now been removed.

  • Plugins: With the introduction of the storage plugin service, the Azure and AWS Host plugin
    repositories have been renamed to drop the host element of the repository name:

    Similarly, the plugins/host package has been renamed to plugins/boundary
    (PR1, PR2, PR3, PR4).

  • PostgreSQL 12 or greater is now required. PostgreSQL 11 is no longer
    supported.

Bug Fixes

  • targets: authorize-session now works properly when using a target's name as
    the identifier and the target name contains one or more slashes (PR)
  • resource listing: API requests to list a resource (targets, sessions, users,
    etc.) now properly return all resources the caller has appropriate permission
    to list (PR)
  • sessions: Fix a bug that contributed to slow response times when listing
    sessions that had a large number of connections (PR)
  • ui: Fix client secret bug for OIDC authentication methods (PR)
  • ui: Fix linking to a Host from the Host Set screen of a Dynamic Host Catalog (PR)
