1.10.0
March 23, 2022
CHANGES:
- core: Changes the unit of `default_lease_ttl` and `max_lease_ttl` values returned by the `/sys/config/state/sanitized` endpoint from nanoseconds to seconds. [GH-14206]
- core: Bump Go version to 1.17.7. [GH-14232]
- plugin/database: The return value from `POST /database/config/:name` has been updated to "204 No Content" [GH-14033]
- secrets/azure: Changes the configuration parameter `use_microsoft_graph_api` to use the Microsoft Graph API by default. [GH-14130]
- storage/etcd: Remove support for v2. [GH-14193]
- ui: Upgrade Ember to version 3.24 [GH-13443]
FEATURES:
- Database plugin multiplexing: manage multiple database connections with a single plugin process [GH-14033]
- Login MFA: Single and two phase MFA is now available when authenticating to Vault. [GH-14025]
- Mount Migration: Vault supports moving secrets and auth mounts both within and across namespaces.
- Postgres in the UI: Postgres DB is now supported by the UI [GH-12945]
- Report in-flight requests: Adding a trace capability to show in-flight requests, and a new gauge metric to show the total number of in-flight requests [GH-13024]
- Server Side Consistent Tokens: Service tokens have been updated to be longer (a minimum of 95 bytes) and token prefixes for all token types are updated from s., b., and r. to hvs., hvb., and hvr. for service, batch, and recovery tokens respectively. Vault clusters with integrated storage will now have read-after-write consistency by default. [GH-14109]
- Transit SHA-3 Support: Add support for SHA-3 in the Transit backend. [GH-13367]
- Transit Time-Based Key Autorotation: Add support for automatic, time-based key rotation to transit secrets engine, including in the UI. [GH-13691]
- UI Client Count Improvements: Restructures client count dashboard, making use of billing start date to improve accuracy. Adds mount-level distribution and filtering. [GH-client-counts]
- Agent Telemetry: The Vault Agent can now collect and return telemetry information at the `/agent/v1/metrics` endpoint.
IMPROVEMENTS:
- agent: Adds ability to configure specific user-assigned managed identities for Azure auto-auth. [GH-14214]
- agent: The `agent/v1/quit` endpoint can now be used to stop the Vault Agent remotely [GH-14223]
- api: Allow cloning `api.Client` tokens via `api.Config.CloneToken` or `api.Client.SetCloneToken()`. [GH-13515]
- api: Define constants for X-Vault-Forward and X-Vault-Inconsistent headers [GH-14067]
- api: Implements Login method in Go client libraries for GCP and Azure auth methods [GH-13022]
- api: Implements Login method in Go client libraries for LDAP auth methods [GH-13841]
- api: Trim newline character from wrapping token in logical.Unwrap from the api package [GH-13044]
- api: add api method for modifying raft autopilot configuration [GH-12428]
- api: respect WithWrappingToken() option during AppRole login authentication when used with secret ID specified from environment or from string [GH-13241]
- audit: The audit logs now contain the port used by the client [GH-12790]
- auth/aws: Enable region detection in the CLI by specifying the region as `auto` [GH-14051]
- auth/cert: Add certificate extensions as metadata [GH-13348]
- auth/jwt: The Authorization Code flow makes use of the Proof Key for Code Exchange (PKCE) extension. [GH-13365]
- auth/kubernetes: Added support for dynamically reloading short-lived tokens for better Kubernetes 1.21+ compatibility [GH-13595]
- auth/ldap: Add a response warning and server log whenever the config is accessed if `userfilter` doesn't consider `userattr` [GH-14095]
- auth/ldap: Add username to alias metadata [GH-13669]
- auth/ldap: Add username_as_alias configurable to change how aliases are named [GH-14324]
- auth/okta: Update okta-sdk-golang dependency to version v2.9.1 for improved request backoff handling [GH-13439]
- auth/token: The `auth/token/revoke-accessor` endpoint is now idempotent and will not error out if the token has already been revoked. [GH-13661]
- auth: reading `sys/auth/:path` now returns the configuration for the auth engine mounted at the given path [GH-12793]
- cli: interactive CLI for login mfa [GH-14131]
- command (enterprise): "vault license get" now uses non-deprecated endpoint /sys/license/status
- core/ha: Add new mechanism for keeping track of peers talking to active node, and new 'operator members' command to view them. [GH-13292]
- core/identity: Support updating an alias' `custom_metadata` to be empty. [GH-13395]
- core/pki: Support Y10K value in notAfter field to be compliant with IEEE 802.1AR-2018 standard [GH-12795]
- core/pki: Support Y10K value in notAfter field when signing non-CA certificates [GH-13736]
- core: Add duration and start_time to completed requests log entries [GH-13682]
- core: Add support to list password policies at `sys/policies/password` [GH-12787]
- core: Add support to list version history via API at `sys/version-history` and via CLI with `vault version-history` [GH-13766]
- core: Fixes code scanning alerts [GH-13667]
- core: Periodically test the health of connectivity to auto-seal backends [GH-13078]
- core: Reading `sys/mounts/:path` now returns the configuration for the secret engine at the given path [GH-12792]
- core: Replace "master key" terminology with "root key" [GH-13324]
- core: Small changes to ensure goroutines terminate in tests [GH-14197]
- core: Systemd unit file included with the Linux packages now sets the service type to notify. [GH-14385]
- core: Update github.com/prometheus/client_golang to fix security vulnerability CVE-2022-21698. [GH-14190]
- core: Vault now supports the PROXY protocol v2. Support for UNKNOWN connections has also been added to the PROXY protocol v1. [GH-13540]
- http (enterprise): Serve /sys/license/status endpoint within namespaces
- identity/oidc: Adds a default OIDC provider [GH-14119]
- identity/oidc: Adds a default key for OIDC clients [GH-14119]
- identity/oidc: Adds an `allow_all` assignment that permits all entities to authenticate via an OIDC client [GH-14119]
- identity/oidc: Adds proof key for code exchange (PKCE) support to OIDC providers. [GH-13917]
- sdk: Add helper for decoding root tokens [GH-10505]
- secrets/azure: Adds support for rotate-root. #70 [GH-13034]
- secrets/consul: Add support for consul enterprise namespaces and admin partitions. [GH-13850]
- secrets/consul: Add support for consul roles. [GH-14014]
- secrets/database/influxdb: Switch/upgrade to the `influxdb1-client` module [GH-12262]
- secrets/database: Add database configuration parameter 'disable_escaping' for username and password when connecting to a database. [GH-13414]
- secrets/kv: add full secret path output to table-formatted responses [GH-14301]
- secrets/kv: add patch support for KVv2 key metadata [GH-13215]
- secrets/kv: add subkeys endpoint to retrieve a secret's structure without its values [GH-13893]
- secrets/pki: Add ability to fetch individual certificate as DER or PEM [GH-10948]
- secrets/pki: Add count and duration metrics to PKI issue and revoke calls. [GH-13889]
- secrets/pki: Add error handling for error types other than UserError or InternalError [GH-14195]
- secrets/pki: Allow URI SAN templates in allowed_uri_sans when allowed_uri_sans_template is set to true. [GH-10249]
- secrets/pki: Allow other_sans in sign-intermediate and sign-verbatim [GH-13958]
- secrets/pki: Calculate the Subject Key Identifier as suggested in RFC 5280, Section 4.2.1.2. [GH-11218]
- secrets/pki: Restrict issuance of wildcard certificates via role parameter (`allow_wildcard_certificates`) [GH-14238]
- secrets/pki: Return complete chain (in `ca_chain` field) on calls to `pki/cert/ca_chain` [GH-13935]
- secrets/pki: Use application/pem-certificate-chain for PEM certificates, application/x-pem-file for PEM CRLs [GH-13927]
- secrets/pki: select appropriate signature algorithm for ECDSA signature on certificates. [GH-11216]
- secrets/ssh: Add support for generating non-RSA SSH CAs [GH-14008]
- secrets/ssh: Allow specifying multiple approved key lengths for a single algorithm [GH-13991]
- secrets/ssh: Use secure default for algorithm signer (rsa-sha2-256) with RSA SSH CA keys on new roles [GH-14006]
- secrets/transit: Don't abort transit encrypt or decrypt batches on single item failure. [GH-13111]
- storage/aerospike: Upgrade `aerospike-client-go` to v5.6.0. [GH-12165]
- storage/raft: Set InitialMmapSize to 100GB on 64bit architectures [GH-13178]
- storage/raft: When using retry_join stanzas, join against all of them in parallel. [GH-13606]
- sys/raw: Enhance sys/raw to read and write values that cannot be encoded in json. [GH-13537]
- ui: Add support for ECDSA and Ed25519 certificate views [GH-13894]
- ui: Add version diff view for KV V2 [GH-13000]
- ui: Added client side paging for namespace list view [GH-13195]
- ui: Adds flight icons to UI [GH-12976]
- ui: Adds multi-factor authentication support [GH-14049]
- ui: Allow static role credential rotation in Database secrets engines [GH-14268]
- ui: Display badge for all versions in secrets engine header [GH-13015]
- ui: Swap browser localStorage in favor of sessionStorage [GH-14054]
- ui: The integrated web terminal now accepts both `-f` and `--force` as aliases for `-force` for the `write` command. [GH-13683]
- ui: Transform advanced templating with encode/decode format support [GH-13908]
- ui: Updates ember blueprints to glimmer components [GH-13149]
- ui: customizes empty state messages for transit and transform [GH-13090]
BUG FIXES:
- Fixed bug where auth method only considers system-identity when multiple identities are available. #50 [GH-14138]
- activity log (enterprise): allow partial monthly client count to be accessed from namespaces [GH-13086]
- agent: Fixes bug where vault agent is unaware of the namespace in the config when wrapping token
- api/client: Fixes an issue where the `replicateStateStore` was being set to `nil` upon consecutive calls to `client.SetReadYourWrites(true)`. [GH-13486]
- auth/approle: Fix regression where unset cidrlist is returned as nil instead of zero-length array. [GH-13235]
- auth/approle: Fix wrapping of nil errors in `login` endpoint [GH-14107]
- auth/github: Use the Organization ID instead of the Organization name to verify the org membership. [GH-13332]
- auth/kubernetes: Properly handle the migration of role storage entries containing an empty `alias_name_source` [GH-13925]
- auth/kubernetes: ensure valid entity alias names created for projected volume tokens [GH-14144]
- auth/oidc: Fixes OIDC auth from the Vault UI when using the implicit flow and `form_post` response mode. [GH-13492]
- cli: Fix using kv patch with older server versions that don't support HTTP PATCH. [GH-13615]
- core (enterprise): Fix a data race in logshipper.
- core (enterprise): Workaround AWS CloudHSM v5 SDK issue not allowing read-only sessions
- core/api: Fix overwriting of request headers when using JSONMergePatch. [GH-14222]
- core/identity: Address a data race condition between local updates to aliases and invalidations [GH-13093]
- core/identity: Address a data race condition between local updates to aliases and invalidations [GH-13476]
- core/token: Fix null token panic from 'v1/auth/token/' endpoints and return proper error response. [GH-13233]
- core/token: Fix null token_type panic resulting from 'v1/auth/token/roles/{role_name}' endpoint [GH-13236]
- core: Fix warnings logged on perf standbys re stored versions [GH-13042]
- core: `-output-curl-string` now properly sets cURL options for client and CA certificates. [GH-13660]
- core: add support for go-sockaddr templates in the top-level cluster_addr field [GH-13678]
- core: authentication to "login" endpoint for non-existent mount path returns permission denied with status code 403 [GH-13162]
- core: revert some unintentionally downgraded dependencies from 1.9.0-rc1 [GH-13168]
- ha (enterprise): Prevents performance standby nodes from serving and caching stale data immediately after performance standby election completes
- http (enterprise): Always forward internal/counters endpoints from perf standbys to active node
- http: Fix /sys/monitor endpoint returning streaming not supported [GH-13200]
- identity/oidc: Adds support for port-agnostic validation of loopback IP redirect URIs. [GH-13871]
- identity/oidc: Check for a nil signing key on rotation to prevent panics. [GH-13716]
- identity/oidc: Fixes inherited group membership when evaluating client assignments [GH-14013]
- identity/oidc: Fixes potential write to readonly storage on performance secondary clusters during key rotation [GH-14426]
- identity/oidc: Make the `nonce` parameter optional for the Authorization Endpoint of OIDC providers. [GH-13231]
- identity/token: Fixes a bug where duplicate public keys could appear in the .well-known JWKS [GH-14543]
- identity: Fix possible nil pointer dereference. [GH-13318]
- identity: Fix regression preventing startup when aliases were created pre-1.9. [GH-13169]
- identity: Fixes a panic in the OIDC key rotation due to a missing nil check. [GH-13298]
- kmip (enterprise): Fix locate by name operations fail to find key after a rekey operation.
- licensing (enterprise): Revert accidental inclusion of the TDE feature from the `prem` build.
- metrics/autosnapshots (enterprise): Fix bug that could cause `vault.autosnapshots.save.errors` to not be incremented when there is an autosnapshot save error.
- physical/mysql: Create table with wider `vault_key` column when initializing database tables. [GH-14231]
- plugin/couchbase: Fix an issue in which the locking patterns did not allow parallel requests. [GH-13033]
- replication (enterprise): When using encrypted secondary tokens, only clear the private key after a successful connection to the primary cluster
- sdk/framework: Generate proper OpenAPI specs for path patterns that use an alternation as the root. [GH-13487]
- sdk/helper/ldaputil: properly escape a trailing escape character to prevent panics. [GH-13452]
- sdk/queue: move lock before length check to prevent panics. [GH-13146]
- sdk: Fixes OpenAPI to distinguish between paths that can do only List, or both List and Read. [GH-13643]
- secrets/azure: Fixed bug where Azure environment did not change Graph URL [GH-13973]
- secrets/azure: Fixes service principal generation when assigning roles that have DataActions. [GH-13277]
- secrets/azure: Fixes the rotate root operation for upgraded configurations with a `root_password_ttl` of zero. [GH-14130]
- secrets/database/cassandra: change connect_timeout to 5s as documentation says [GH-12443]
- secrets/database/mssql: Accept a boolean for `contained_db`, rather than just a string. [GH-13469]
- secrets/gcp: Fixed bug where error was not reported for invalid bindings [GH-13974]
- secrets/gcp: Fixes role bindings for BigQuery dataset resources. [GH-13548]
- secrets/openldap: Fix panic from nil logger in backend [GH-14171]
- secrets/pki: Default value for key_bits changed to 0, enabling key_type=ec key generation with default value [GH-13080]
- secrets/pki: Fix issuance of wildcard certificates matching glob patterns [GH-14235]
- secrets/pki: Fix regression causing performance secondaries to forward certificate generation to the primary. [GH-13759]
- secrets/pki: Fix regression causing performance secondaries to forward certificate generation to the primary. [GH-2456]
- secrets/pki: Fixes around NIST P-curve signature hash length, default value for signature_bits changed to 0. [GH-12872]
- secrets/pki: Recognize ed25519 when requesting a response in PKCS8 format [GH-13257]
- secrets/pki: Skip signature bits validation for ed25519 curve key type [GH-13254]
- secrets/transit: Ensure that Vault does not panic for invalid nonce size when we aren't in convergent encryption mode. [GH-13690]
- secrets/transit: Return an error if any required parameter is missing. [GH-14074]
- storage/raft: Fix a panic when trying to store a key > 32KB in a transaction. [GH-13286]
- storage/raft: Fix a panic when trying to write a key > 32KB [GH-13282]
- storage/raft: Fix issues allowing invalid nodes to become leadership candidates. [GH-13703]
- storage/raft: Fix regression in 1.9.0-rc1 that changed how time is represented in Raft logs; this prevented using a raft db created pre-1.9. [GH-13165]
- storage/raft: On linux, use map_populate for bolt files to improve startup time. [GH-13573]
- storage/raft: Units for bolt metrics now given in milliseconds instead of nanoseconds [GH-13749]
- ui: Adds pagination to auth methods list view [GH-13054]
- ui: Do not show verify connection value on database connection config page [GH-13152]
- ui: Fix client count current month data not showing unless monthly history data exists [GH-13396]
- ui: Fix default TTL display and set on database role [GH-14224]
- ui: Fix incorrect validity message on transit secrets engine [GH-14233]
- ui: Fix issue where UI incorrectly handled API errors when mounting backends [GH-14551]
- ui: Fix kv engine access bug [GH-13872]
- ui: Fixes breadcrumb bug for secrets navigation [GH-13604]
- ui: Fixes caching issue on kv new version create [GH-14489]
- ui: Fixes displaying empty masked values in PKI engine [GH-14400]
- ui: Fixes horizontal bar chart hover issue when filtering namespaces and mounts [GH-14493]
- ui: Fixes issue logging out with wrapped token query parameter [GH-14329]
- ui: Fixes issue removing raft storage peer via cli not reflected in UI until refresh [GH-13098]
- ui: Fixes issue restoring raft storage snapshot [GH-13107]
- ui: Fixes issue saving KMIP role correctly [GH-13585]
- ui: Fixes issue with OIDC auth workflow when using MetaMask Chrome extension [GH-13133]
- ui: Fixes issue with SearchSelect component not holding focus [GH-13590]
- ui: Fixes issue with automate secret deletion value not displaying initially if set in secret metadata edit view [GH-13177]
- ui: Fixes issue with correct auth method not selected when logging out from OIDC or JWT methods [GH-14545]
- ui: Fixes issue with placeholder not displaying for automatically deleted secrets when deletion time has passed [GH-13166]
- ui: Fixes issue with the number of PGP Key inputs not matching the key shares number in the initialization form on change [GH-13038]
- ui: Fixes long secret key names overlapping masked values [GH-13032]
- ui: Fixes node-forge error when parsing EC (elliptic curve) certs [GH-13238]
- ui: Redirects to managed namespace if incorrect namespace in URL param [GH-14422]
- ui: Removes ability to tune token_type for token auth methods [GH-12904]
- ui: trigger token renewal if inactive and half of TTL has passed [GH-13950]