Releases: hashicorp/boundary
v0.10.4
0.10.4 (2022/09/13)
New and Improved
- Controller-led worker authorization: This is a second authorization option for
  workers using the PKI-based authentication introduced in Boundary 0.10.0. In
  0.10.0, the only mode available was "worker-led", in which a worker generates an
  authorization request that can be submitted to a controller to authorize the
  worker. With the new controller-led flow, a worker can be created via the
  controller API first, which returns a one-time-use authorization token. This
  token can then be made available to the worker at startup time via its
  configuration file, an env var, or a file containing the value. If the worker is
  not yet authorized and this token is provided, it will use the token to authorize
  itself to the controller and set up PKI-based authentication. (PR)
- Initial upstreams reloading on SIGHUP: Workers will now re-read the
  `initial_upstreams` value from the configuration file when given a SIGHUP. This
  allows a worker to reconnect to controllers if the full set of controllers has
  been changed over at the same time, without having to restart the worker. (PR)
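The reload-on-SIGHUP behaviour described above, as an added example that is not Boundary's own code: a minimal worker-side loop that re-reads `initial_upstreams` from a JSON config file when the process receives SIGHUP, and keeps the previous, known-good controller set if the new file is unreadable or empty. The JSON shape (a `worker` object holding `initial_upstreams`), the `upstreamSet` type and the function names are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"log"
	"os"
	"os/signal"
	"sync"
	"syscall"
)

// workerConfig is the subset of a worker configuration this example reads.
// The shape is an assumption for the example, not Boundary's full schema.
type workerConfig struct {
	Worker struct {
		InitialUpstreams []string `json:"initial_upstreams"`
	} `json:"worker"`
}

// loadInitialUpstreams parses the config file and returns its initial_upstreams
// list. An empty list is rejected so that a bad reload can never leave the
// worker with no controllers to dial.
func loadInitialUpstreams(path string) ([]string, error) {
	raw, err := os.ReadFile(path)
	if err != nil {
		return nil, fmt.Errorf("read config: %w", err)
	}
	var cfg workerConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, fmt.Errorf("parse config: %w", err)
	}
	if len(cfg.Worker.InitialUpstreams) == 0 {
		return nil, errors.New("initial_upstreams is empty")
	}
	return cfg.Worker.InitialUpstreams, nil
}

// upstreamSet holds the controller addresses the worker currently dials.
// The mutex matters because the reload runs concurrently with the dialer.
type upstreamSet struct {
	mu    sync.RWMutex
	addrs []string
}

// Reload re-reads the config file. On any error the previous set is kept:
// a SIGHUP reload should never leave the worker worse off than before.
func (u *upstreamSet) Reload(path string) error {
	addrs, err := loadInitialUpstreams(path)
	if err != nil {
		return err
	}
	u.mu.Lock()
	u.addrs = append([]string(nil), addrs...)
	u.mu.Unlock()
	return nil
}

// Current returns a copy of the active upstream list.
func (u *upstreamSet) Current() []string {
	u.mu.RLock()
	defer u.mu.RUnlock()
	return append([]string(nil), u.addrs...)
}

func main() {
	path := "worker.json" // hypothetical config path for the example
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	var ups upstreamSet
	if err := ups.Reload(path); err != nil {
		log.Fatalf("initial load failed: %v", err)
	}
	log.Printf("dialing controllers: %v", ups.Current())

	// Re-read initial_upstreams each time the process receives SIGHUP.
	hup := make(chan os.Signal, 1)
	signal.Notify(hup, syscall.SIGHUP)
	for range hup {
		if err := ups.Reload(path); err != nil {
			log.Printf("reload failed, keeping previous upstreams: %v", err)
			continue
		}
		log.Printf("reloaded controllers: %v", ups.Current())
	}
}
```

Run it with a config path, swap the controller addresses in the file, then `kill -HUP <pid>`: the log shows the new set without a restart, and a malformed file logs an error while the old set stays in use.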
Bug Fixes
- vault: Correctly handle Vault credential stores and libraries that are linked to
  an expired Vault token. (Issue, PR)
- aws host catalog: Fix an issue where the request to list hosts could time out
  on a large number of hosts. (Issue, PR)
- aws host catalog: Fix an issue where filters could become unreadable in the UI
  if only one filter was created and was set by the CLI or directly via the API.
  (PR1, PR2)
- aws host catalog: Use the provided region for IAM calls in addition to EC2.
  (Issue, PR)
- azure host catalog: Fix hosts not being found depending on the exact filter
  used, because different filters return values with different casing. (PR)
- sessions: Fix an issue where sessions could not have more than one connection.
  (Issue, PR)
- workers: Fix a repeating error in logs when connected to HCP Boundary about an
  unimplemented HcpbWorkers call. (PR)
- workers: Fix a panic that could occur when `workers:create:worker-led` (e.g.
  via `boundary workers create worker-led`) was given an invalid token. (PR)
- workers: Add the ability to set API-based worker tags via the CLI. (PR)
v0.10.3
v0.10.2
0.10.2 (2022/08/23)
Security
- Fix security vulnerability CVE-2022-36130: Boundary up to 0.10.1 did not
  properly perform authorization checks to ensure that resources were associated
  with the correct scopes, allowing potential privilege escalation for authorized
  users of another scope. [HCSEC-2022-17]
v0.10.1
0.10.1 (2022/08/11)
Bug Fixes
- db: Fix an issue with migrations affecting clusters that contain credential
  libraries or static credentials. (Issue, PR)
- Managed Groups: Fix an issue where the `filter` field was not sent by the
  admin UI. (PR)
- Host Sets: Fix an issue causing host sets to not display in the UI when using
  the aws plugin. (PR)
- Plugins: Fix a regression from 0.9.0 causing a failure to start when using
  multiple KMS blocks of the same type. (PR1, PR2)
- CLI: Fix errors related to URL detection when passing in `-attr` or `-secret`
  values that contained colons. (PR)
v0.10.0
0.10.0 (2022/08/10)
Known Issues
- Migration to this version may fail if the cluster contains credential
libraries. This will be fixed shortly in 0.10.1.
New and Improved
- `ssh` Target Type With Credential Injection (HCP Boundary only): Boundary has
  gained a new `ssh` target type. Using this type, username/password or SSH
  private key credentials can be sourced from `vault` credential libraries or
  `static` credentials and injected into the SSH session between a client and
  the end host. This allows users to securely SSH to remote hosts while never
  being in possession of a valid credential for that target host.
- SSH Private Key Credentials: There is now an `ssh_private_key` credential type
  that allows submitting a username/private key (and optional passphrase) to
  Boundary for use with credential injection or brokering workflows.
- `boundary connect ssh` Credential Brokering Enhancements: we have extended
  support in the `boundary connect ssh` helper for brokered credentials of
  `ssh_private_key` type; the command will automatically pass the credentials to
  the `ssh` process. (PR)
- `boundary authenticate`, `boundary accounts`: Enable use of `env://` and
  `file://` syntax to specify the location of a password. (PR)
Bug Fixes
- cli: Correctly clean up plugins after exiting `boundary dev`, `boundary server`
  and `boundary database init`. (Issue, PR)
- `boundary accounts change-password`: Fixed being prompted for confirmation of
  the current password instead of the new one. (PR)
Deprecations/Changes
- API Module: Changed the return types that reference interfaces into their
  expected typed definitions. Type casting is only allowed against interface
  types, so to avoid compiler errors please remove any type casting done against
  the return values. (Issue, PR)
- Targets: Rename Application credentials to Brokered credentials. (PR)
- Host plugins: Plugin-type host catalogs/sets/hosts now use typed prefixes for
  any newly-created resources. Existing resources will not be affected. (PR)
- Credential stores: Static-type credential stores/credentials now use typed
  prefixes for any newly-created resources. Existing resources will not be
  affected. (PR)
- Change of behavior on the `-token` flag in CLI: Passing a token this way can
  reveal the token to any user or service that can look at process information.
  This flag must now reference a file on disk or an env var. Direct usage of the
  `BOUNDARY_TOKEN` env var is also deprecated, as it can show up in environment
  information; the `env://` format now supported by the `-token` flag causes the
  Boundary process to read the variable itself rather than having the shell
  expand it onto the command line, so it is safer. (PR)
- Change of behavior on the `-password` flag in CLI: The same change made above
  for `-token` has also been applied to `-password` or, for supporting resource
  types, `-current-password` and `-new-password`. (PR)
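The `env://` and `file://` secret references introduced for `boundary authenticate` / `boundary accounts` (New and Improved) and now required by the `-token` and `-password` flags (above), as an added example that is not Boundary's own code or API: a resolver that accepts only those two reference forms and rejects a literal secret on the command line, since argv is visible to anyone who can read process information. It goes one step further than the page describes by also refusing a secret file that is group- or world-readable; that check, the `resolveSecretRef` name and the messages are this example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// resolveSecretRef turns a -token / -password style argument into the secret
// it refers to. Only env:// and file:// references are accepted: a literal
// secret in argv can be read by other users via process information, so it is
// rejected rather than used.
func resolveSecretRef(ref string) (string, error) {
	switch {
	case strings.HasPrefix(ref, "env://"):
		name := strings.TrimPrefix(ref, "env://")
		if name == "" {
			return "", errors.New("env:// reference is missing a variable name")
		}
		// The process reads the variable itself; the shell never expands the
		// secret into the command line, which is the point of the env:// form.
		val, ok := os.LookupEnv(name)
		if !ok {
			return "", fmt.Errorf("environment variable %q is not set", name)
		}
		return strings.TrimSpace(val), nil

	case strings.HasPrefix(ref, "file://"):
		path := strings.TrimPrefix(ref, "file://")
		if path == "" {
			return "", errors.New("file:// reference is missing a path")
		}
		// Added hardening (assumption, not on the page): a secret file that
		// other users can read defeats the purpose of keeping it out of argv.
		info, err := os.Stat(path)
		if err != nil {
			return "", fmt.Errorf("stat secret file: %w", err)
		}
		if info.Mode().Perm()&0o077 != 0 {
			return "", fmt.Errorf("secret file %s is readable by group or others; expected mode 0600", path)
		}
		raw, err := os.ReadFile(path)
		if err != nil {
			return "", fmt.Errorf("read secret file: %w", err)
		}
		return strings.TrimSpace(string(raw)), nil

	default:
		return "", errors.New("literal secrets are not accepted on the command line; use env://NAME or file:///path")
	}
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: resolve env://NAME | file:///path")
		os.Exit(2)
	}
	secret, err := resolveSecretRef(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	// Never echo the secret itself; report only that it resolved.
	fmt.Printf("resolved a %d-byte secret\n", len(secret))
}
```

Note the difference between `-token "$BOUNDARY_TOKEN"` and `-token env://BOUNDARY_TOKEN`: in the first form the shell substitutes the token into argv before the process starts, so it appears in `ps` output; in the second, only the literal string `env://BOUNDARY_TOKEN` is in argv and the process looks the variable up itself.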
v0.9.1
0.9.1 (2022/07/06)
New and Improved
- `azure` host plugin: Support multiple MSI identities. (PR)
Bug Fixes
- scheduler: Fix a regression causing controller names of fewer than 10
  characters to fail to register jobs. (PR)
- sessions: Fix an additional case from the changes in the 0.8.x series that
  could result in sessions never moving from `canceling` state to terminated. (PR)
- The plugin `execution_dir` configuration parameter is now respected by kms
  plugins too. (PR)
Deprecations/Changes
- sessions: The default connect limit for new sessions changed from 1 to
  unlimited (-1). Specific connection limits are an advanced feature of Boundary
  and this setting is more friendly for new users. (PR)
v0.9.0
0.9.0 (2022/06/20)
New and Improved
- PKI Workers: This release introduces a new worker type, `pki`, which
  authenticates to Boundary using a new certificate-based method, allowing for
  worker deployment without using a shared KMS.
- Credentials: This release introduces a new credential store type, `static`,
  which simply takes in a user-supplied credential and stores it (encrypted)
  directly in Boundary. Currently, the `static` credential store can hold
  credentials of type `username_password`. These credentials can act as
  credential sources for targets, similar to credential libraries from the
  `vault` credential store, and thus can be brokered to users at session
  authorization time. (PR)
- `boundary connect` Credential Brokering Integration: we have extended
  integration into the `boundary connect` helpers. A new `sshpass` style has been
  added to the `ssh` helper; when used, if the credential contains a
  username/password and `sshpass` is installed, the command will automatically
  pass the credentials to the `ssh` process. Additionally, the default `ssh`
  helper will now use the `username` of the brokered credential. (PR)
- controller: Improve response time for listing sessions. This also creates a
  new periodic job that will delete terminated sessions after 1 hour. See
  Deprecations/Changes for some additional details. (PR)
- event filtering: Change event filters to use lowercase and snake case for data
  elements, as the rest of Boundary's filters do.
- ui: Use the `include_terminated` flag for listing sessions. (PR)
- ui: Add Quick Setup onboarding guide. (PR)
Bug Fixes
- The plugin `execution_dir` configuration parameter is now respected. (PR)
- ui: Fix Users page not updating fields correctly. (PR)
Deprecations/Changes
- Targets: Removes support for credential libraries with respect to Target
  resources. The `library` fields and `actions` were deprecated in Boundary
  0.5.0; please use `credential sources` instead. See the changelog referenced
  above for more details. (PR)
- Credential Libraries: The `user_password` credential type has been renamed to
  `username_password` to remove any inconsistency over what the credential type
  is. All existing `user_password` typed credential libraries will be migrated
  to `username_password`. (PR)
- controller: Change the default behavior of the session list endpoint to no
  longer include sessions in a terminated state, and introduce a new query
  parameter/CLI flag to include the terminated sessions. This also removes the
  connection information from the list response. (PR)
- Anonymous user permissions: In order to reduce the risk of accidental and
  unintended granting of permissions to anonymous users, the permissions system
  now only allows certain actions on certain resources to be assigned to the
  anonymous user; currently these are the same permissions as assigned in
  Boundary's default role permissions. If other use-cases arise this list can be
  expanded. See the documentation for more details.
v0.8.1
v0.8.0
0.8.0 (2022/05/03)
New and Improved
- metrics: Provide metrics for controllers and workers.
- controller: New health endpoint. (PR)
- Improve response time for listing sessions and targets. (PR)
- ui: Add support for worker filters in targets.
- ui: Add a manual refresh button in the sessions list.
Bug Fixes
- worker: Create a new error to prevent
  `event.newError: missing error: invalid parameter` and handle session cancel
  with no TOFU token. (Issue, PR)
- controller: Reconcile DEKs with existing scopes. (Issue, PR)
- Fix for retrieving sessions that could result in incomplete results when
  there is a large number (10k+) of sessions. (PR)
- session: Update the session state trigger to prevent transitions to invalid
  states. (Issue, PR)