aherman
/
boundary
mirror of https://github.com/hashicorp/boundary
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'e3e96a87fa'
${ noResults }
boundary/CHANGELOG.md

16 KiB
Raw Blame History

Boundary CHANGELOG

Canonical reference for changes, improvements, and bugfixes for Boundary.

Next (Unreleased)

Changes/Deprecations

  • api: A few functions have changed places. Notably, instead of ResponseMap() and ResponseBody(), resources simply expose Response(). This higher-level response object contains the map and body, and also exposes StatusCode() in place of indivdidual resources. PR
  • cli: In json output format, a resource item is now an object under the top-level key item; a list of resource items is now an list of objects under the top-level key items. This preserves the top level for putting in other useful information later on (and the HTTP status code is included now). PR
  • cli: In json output format, errors are now serialized as a JSON object with an error key instead of outputting normal text PR
  • cli: All errors, including API errors, are now written to stderr. Previously in the default table format, API errors would be written to stdout. PR
  • cli: Error return codes have been standardized across CLI commands. An error code of 1 indicates an error generated from the actual controller API; an error code of 2 is an error encountered due to the CLI command's logic; and an error code of 3 indicates an error that was caused due to user input to the command. (There is some nuance sometimes whether an error is really due to user input or not, but we attempt to be consistent.) PR

New and Improved

  • list filtering: Listing now supports filtering results before being returned to the user. The filtering takes place server side and uses boolean expressions against the JSON representation of returned items. See the documentation for more details. (PR 1) (PR 2) (PR 3)
  • server: Officially support reloading TLS parameters on SIGHUP. (This likely worked before but wasn't fully tested.) (PR)
  • server: On SIGHUP, worker tags will be re-parsed and new values used (PR)
  • server: In addition to the existing tls_min_version listener configuration value, tls_max_version is now supported. This should generally be left blank but can be useful for situations where e.g. a load balancer has broken TLS 1.3 support, or does not support TLS 1.3 and flags it as a disallowed value.

0.1.7 (2021/02/16)

Note: This release fixes an upgrade issue affecting users on Postgres 11 upgrading to 0.1.5 or 0.1.6 and makes a modification to the boundary dev environment. It is otherwise identical to 0.1.6; see the entry for that version for more details.

Changes/Deprecations

  • boundary dev now uses Postgres 11 by default, rather than Postgres 12.

Bug Fixes

  • server: Fix an issue with migrations affecting Postgres 11 (PR)

0.1.6 (2021/02/12)

Changes/Deprecations

  • authentication: The auth-methods/<id>:authenticate action is deprecated and will be removed in a few releases. Instead, each auth method will define its own action or actions that are valid. This is necessary to support multi-step authentication schemes in upcoming releases. For the password auth method, the new action is auth-methods/<id>:authenticate:login.
  • permissions: Update some errors to make them more descriptive, and disallow permissions in some forms where they will never take effect, preventing possible confusion (existing grants already saved to the database will not be affected as this is only filtered when grants are added/set on a role):
    • id=<some_id>;actions=<some_actions> where one of the actions is create or list. By definition this format operates only on individual resources so create and list will never work
    • type=<some_type>;actions=<some_actions> where one of the actions is not create or list. This format operates only on collections so assigning more actions this way will never work
  • CORS: CORS is now turned on by default when running with boundary server with an allowed_origins value of serve://boundary. You can disable it with cors_enabled = false, or if you want to change parameters, set cors_enabled = true and the other related configuration values.

New and Improved

  • server: When running single-server mode and controllers is not specified in the worker block, use public_cluster_addr if given (PR)
  • server: public_cluster_addr in the controller block can now be specified as a file:// or env:// URL to read the value from a file or env var (PR)
  • server: Add read action to default scope grant (PR)
  • server: public_cluster_addr in the controller block can now be specified as a file:// or env:// URL to read the value from a file or env var (PR)
  • sessions: Add read:self and cancel:self actions and enable them by default (in new project scopes) for all sessions. This allows a user to read or cancel any session that is associated with their user ID. read and cancel actions are still available that allow performing these actions on sessions that are associated with other users.

Bug Fixes

  • api: Fix nil pointer panic that could occur when using TLS (Issue, PR)
  • server: When shutting down a controller release the shared advisory lock with a non-cancelled context. (Issue, PR)
  • targets: If a worker filter references a key that doesn't exist, treat it as a non-match rather than an error (PR)

0.1.5 (2021/01/29)

NOTE: This version requires a database migration via the new boundary database migrate command.

Security

  • Boundary now uses Go's new execabs package for execution of binaries in boundary connect. This is for defense-in-depth rather than a specific issue. See the Go blog post for more details. (PR)

Changes/Deprecations

  • controller/worker: Require names to be all lowercase. This removes ambiguity or accidental mismatching when using upcoming filtering features.
  • api/cli: Due to visibility changes on collection listing, a list will not include any resources if the user only has list as an authorized action. As a result scope list, which is used by the UI to populate the login scope dropdown, will be empty if the role granting the u_anon user list privileges is not updated to also contain a read action

New and Improved

  • targets: You can now specify a Boolean-expression filter against worker tags to control which workers are allowed to handle any given target's sessions (PR)
  • api/cli: On listing/reading, return a list of actions the user is authorized to perform on the identified resources or their associated collections (PR)
  • api/cli: Most resource types now support recursive listing, allowing listing to occur down a scope tree (PR)
  • cli: Add a database migrate command which updates a database's schema to the version supported by the boundary binary (PR).

Bug Fixes

  • controller/db: Correctly check if db init previously completed successfully when starting a controller or when running database init (Issue) (PR)
  • cli: When output-curl-string is used with update or add-/remove-/set- commands and automatic versioning is being used (that is, no -version flag is given), it will now display the final call instead of the GET that fetches the current version (Issue) (PR)
  • db: Fix panic in database init when controller config block is missing (Issue) (PR)

0.1.4 (2021/01/05)

New and Improved

  • controller: Improved error handling in iam repo (PR)
  • controller: Improved error handling in db (PR)

Bug Fixes

  • servers: Fix erronious global unicast check that disallowed valid addresses from being assigned (PR)
  • cli: Fix (hopefully) panic some users experience depending on their Linux setup when running the binary (Issue) (PR)

0.1.3 (2020/12/18)

Changes/Deprecations

  • controller: Switch the session connection limit for dev mode and the initial target when doing database initialization to -1. This makes it easier for people to start understanding Boundary while not hitting issues related to some programs/protocols needing multiple connections as they may not be easy for new users to understand. (PR)

New and Improved

  • controller, worker, cli: When the client quits before the session time is over, but in a manner where the TOFU token will be locked, attempt canceling the session rather than leaving it open to time out (PR)
  • controller: Improved error handling in hosts, host catalog and host set (PR)
  • controller: Relax account login name constraints to allow dash as valid character (Issue) (PR)
  • cli/connect/http: Pass endpoint address through to allow setting TLS server name directly in most cases (PR)
  • cli/connect/kube: New kube subcommand for boundary connect that makes it easy to route kubectl commands through Boundary, including when using kubectl proxy (PR)
  • cli/server: Add some extra checks around valid/invalid combinations of addresses to avoid hard-to-understand runtime issues (PR)

Bug Fixes

  • cli: Ensure errors print to stderr when token is not found (Issue) (PR)
  • controller: Fix grant IDs being lowercased when being read back (and when being used for permission evaluation) (Issue) (PR)

0.1.2 (2020/11/17)

New and Improved

  • docker: Official Docker image for hashicorp/boundary (PR)
  • controller: Add ability to set public address for cluster purposes (Issue) (PR)
  • ui: Improve scope awareness and navigation, including IAM for global scope (PR)
  • ui: Add dark mode toggle (Issue) (PR)
  • ui: Add scope grants to roles (PR)
  • ui: Add IAM resources to global scope (PR)

Bug Fixes

  • controller, worker: Fix IPv4-only check so 0.0.0.0 specified without a port only listens on IPv4 (PR)
  • ui: Fix grant string corruption on updates (Issue) (PR)
  • controller, cli: Fix mutual exclusivity bug with using -authz-token on boundary connect (PR)

0.1.1 (2020/10/22)

Changes/Deprecations

Note: in addition to changes marked below in this section, be aware that currently names of resources are case-sensitive, but in a future update they will become case-preserving but case-insensitive for comparisons (e.g. if using them to access targets).

  • cli: There are two changes to token storage handling:
    • Specifying none for the -token-name parameter has been deprecated in favor of specifying none for the new -keyring-type parameter.
    • pass is now the default keyring type on non-Windows/non-macOS platforms. See the CLI docs page for more information.

New and Improved

  • cli: New -keyring-type option and pass keyring type for token storage (Issue) (PR)
  • connect: Allow using -target-name in conjunction with either -target-scope-id or -target-scope-name to connect to targets, rather than the target's ID (PR)
  • controller: Allow API/Cluster listeners to be Unix domain sockets (Issue) (PR)
  • ui: Allow creating and assigning a host to a host set directly from the host set view (Issue) (PR)

Bug Fixes

  • cli: Fix database init when locale isn't English (Issue) (PR)
  • cli: Fix hyphenation in help output for resources with compound names (Issue) (PR)
  • controller: Allow connecting to Postgres when using remote Docker in dev mode (Issue (PR)
  • controller, worker: Fix listening on IPv6 addresses (Issue) (PR)
  • worker: Fix setting controller address for worker in dev mode (Issue) (PR)

0.1.0 (2020/10/14)

v0.1.0 is the first release of Boundary. As a result there are no changes, improvements, or bugfixes from past versions.