0.15.0 (2024/01/30)
Deprecations/Changes
- Per the note in Boundary 0.13.0, the previous
kmsworker method has been
removed. Since 0.13.0, unless theuse_deprecated_kms_auth_methodvalue was
set on the worker config, the newkmsmechanism was already being used; this
is simply no longer an available option. - Per the notes in Boundary 0.12.0 and 0.14.0, it is now an error if an address
on a host or target contains a port. As of this release, this restriction also
affects existing addresses (not just creation/updating via the API) so any
existing addresses containing a port will not be able to be used as part of a
target's session authorization call. - The
grant_scope_idfield on roles is now deprecated in favor of the multiple
grant scope support. - Per the note in Boundary 0.13.1, the
idfield in grants has changed toids
which allows multiple ids to be included; existing grants submitted to
Boundary will continue to work, but grants using "id" can no longer be added
to or set on a role. - All list endpoints except workers now return the first 1000 items instead
of all items if no parameters are provided. The number of items returned can
be configured through the new controller configuration valuemax_page_size.
The Admin UI, CLI and api package automatically paginate results.
New and Improved
- Multiple grant scopes in roles: Roles now support multiple grant scopes, along
with the special valuesthis,children(global/org only) to apply to all
direct children of a scope, anddescendants(global only) to apply to all
descendants of a scope. These use the new actionsadd-grant-scopes,
set-grant-scopes, andremove-grant-scopeson roles. For now the
grant_scope_idfield on roles will continue to be able to be set, which will
set a single grant scope, but this capability is now deprecated. - Policies (Enterprise and HCP Boundary only): This release introduces Policies, a
Boundary resource that represents a Governance Policy to enforce. The first
implementation targets Storage Policies, which enables administrators to automate
the process of retention and deletion of Session Recordings, ensuring that they're only
retaining data that is explicitly required from a security/compliance perspective.- ui: Add full UI support for Storage Policies managing the lifecycle of Session Recordings.
(PR)
- ui: Add full UI support for Storage Policies managing the lifecycle of Session Recordings.
- New generic commands
read,update, anddeletehave been added. These
allow operating on resources by directly specifying the ID of the resource as
the next parameter (e.g.boundary update ttcp_1234567890). Subtypes do not
need to be specified (e.g. that command is equivalent toboundary targets update tcp -id ttcp_1234567890), and any flags given after the ID are passed
through to the type-specific subcommand. Once the ID has been entered,
autocomplete is also supported.
(PR) - The
key_idparameter within SSH Certificate Credential Libraries now accepts
the use of templated parameters
(PR) - List endpoint pagination: All list endpoints except workers now support pagination.
- api: All list endpoints except workers have added support for pagination.
The api package automatically paginates until the end of the results. The new
`WithListToken`` option can be used to request a list of updated and deleted resources
relative to the last result received. - config: add new controller field
max_page_sizefor controlling the default and max size
of pages when paginating through results.
- api: All list endpoints except workers have added support for pagination.
- New command
searchhas been added allowing quick searching of targets or
sessions. It utilizes a client side cache also added in this release. The
client side cache starts itself automatically in the background when successfully
executing any command that communicates with a Boundary controller. To disable
the client cache from starting automatically set the
BOUNDARY_SKIP_CACHE_DAEMONenvironment variable or pass the
-skip-cache-daemonflag when running a command that may start it.
Commandsdaemon start,daemon stop,daemon status, anddaemon add-token
were added to help manage the cache. The cache does not currently work with
Boundary instances that require the use of client side certs.