author fhajny <fhajny@pkgsrc.org> 2018-04-27 14:02:41 +0000
committer fhajny <fhajny@pkgsrc.org> 2018-04-27 14:02:41 +0000
commit 0fb2cac95a45f8c5844a3ed2d12d92e619ad9dda (patch)
tree f739187819312a299727f0fefbf7937b1135725b /security/vault
parent 32bca19bd939f24af167fa267e723c39f992ffb0 (diff)
security/vault: Update to 0.10.1.

DEPRECATIONS/CHANGES:

- `vault kv` and Vault versions: In 0.10.1 some issues with `vault kv` against v1 K/V engine mounts are fixed. However, using 0.10.1 for both the server and CLI versions is required.
- Mount information visibility: Users that have access to any path within a mount can now see information about that mount, such as its type and options, via some API calls.
- Identity and Local Mounts: Local mounts would allow creating Identity entities but these would not be able to be used successfully (even locally) in replicated scenarios. We have now disallowed entities and groups from being created for local mounts in the first place.

FEATURES:

- X-Forwarded-For support: `X-Forwarded-For` headers can now be used to set the client IP seen by Vault. See the TCP listener configuration page for details.
- CIDR IP Binding for Tokens: Tokens now support being bound to specific CIDR(s) for usage. Currently this is implemented in Token Roles; usage can be expanded to other authentication backends over time.
- `vault kv patch` command: A new `kv patch` helper command that allows modifying only some values in existing data at a K/V path, but uses check-and-set to ensure that this modification happens safely.
- AppRole Local Secret IDs: Roles can now be configured to generate secret IDs local to the cluster. This enables performance secondaries to generate and consume secret IDs without contacting the primary.
- AES-GCM Support for PKCS#11 [BETA] (Enterprise): For supporting HSMs, AES-GCM can now be used in lieu of AES-CBC/HMAC-SHA256. This has currently only been fully tested on AWS CloudHSM.
- Auto Unseal/Seal Wrap Key Rotation Support (Enterprise): Auto Unseal mechanisms, including PKCS#11 HSMs, now support rotation of encryption keys, and migration between key and encryption types, such as from AES-CBC to AES-GCM, can be performed at the same time (where supported).

IMPROVEMENTS:

- auth/approle: Support for cluster local secret IDs. This enables secondaries to generate secret IDs without contacting the primary
- auth/token: Add to the token lookup response, the policies inherited due to identity associations
- auth/token: Add CIDR binding to token roles
- cli: Add `vault kv patch`
- core: Add X-Forwarded-For support
- core: Add token CIDR-binding support
- identity: Add the ability to disable an entity. Disabling an entity does not revoke associated tokens, but while the entity is disabled they cannot be used.
- physical/consul: Allow tuning of session TTL and lock wait time
- replication: Dynamically adjust WAL cleanup over a period of time based on the rate of writes committed
- secret/ssh: Update dynamic key install script to use shell locking to avoid concurrent modifications
- ui: Access to `sys/mounts` is no longer needed to use the UI - the list of engines will show you the ones you implicitly have access to (because you have access to secrets in those engines)

BUG FIXES:

- cli: Fix `vault kv` backwards compatibility with KV v1 engine mounts
- identity: Persist entity memberships in external identity groups across mounts
- identity: Fix error preventing authentication using local mounts on performance secondary replication clusters
- replication: Fix issue causing secondaries to not connect properly to a pre-0.10 primary until the primary was upgraded
- secret/gcp: Fix panic on rollback when a roleset wasn't created properly
- secret/gcp: Fix panic on renewal
- ui: Fix IE11 form submissions in a few parts of the application
- ui: Fix IE file saving on policy pages and init screens
- ui: Fixed an issue where the AWS secret backend would show the wrong menu
- ui: Fixed an issue where policies with commas would not render in the interface properly
- ui: Corrected the saving of mount tune ttls for auth methods
- ui: Credentials generation no longer checks capabilities before making api calls. This should fix needing "update" capabilities to read IAM credentials in the AWS secrets engine

Diffstat (limited to 'security/vault')
-rw-r--r-- security/vault/Makefile 4
-rw-r--r-- security/vault/distinfo 10
2 files changed, 7 insertions, 7 deletions
diff --git a/security/vault/Makefile b/security/vault/Makefile
index 1a2bd804e39..9500762a820 100644
--- a/security/vault/Makefile
+++ b/security/vault/Makefile
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.27 2018/04/11 15:35:49 fhajny Exp $
+# $NetBSD: Makefile,v 1.28 2018/04/27 14:02:41 fhajny Exp $
-DISTNAME= vault-0.10.0
+DISTNAME= vault-0.10.1
CATEGORIES= security
MASTER_SITES= ${MASTER_SITE_GITHUB:=hashicorp/}
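Review bot: At `+DISTNAME= vault-0.10.1`, the bump carries the behaviour changes the commit message lists under DEPRECATIONS/CHANGES (mount type and options now visible to any user with access to a path inside the mount, entities and groups no longer creatable on local mounts, `vault kv` against v1 mounts needing 0.10.1 on both server and CLI), but nothing in the package change flags them to an operator upgrading from 0.10.0. Suggest shipping a short upgrade note with the package so that the mount-visibility change in particular is checked against existing policies before the new version is rolled out.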
diff --git a/security/vault/distinfo b/security/vault/distinfo
index 87f3ed308d7..d204fb78442 100644
--- a/security/vault/distinfo
+++ b/security/vault/distinfo
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.18 2018/04/11 15:35:49 fhajny Exp $
+$NetBSD: distinfo,v 1.19 2018/04/27 14:02:41 fhajny Exp $
-SHA1 (vault-0.10.0.tar.gz) = 4bd141705c1704fbe309382ee8eb0e68786495a0
-RMD160 (vault-0.10.0.tar.gz) = 1d768b101d360c3b2a65d5ec19726c39cdca9549
-SHA512 (vault-0.10.0.tar.gz) = 204f6f7b36802befc6749a064f217817cdd1bbe634517dc6146a9a4a32bf70ea341634a7a4399f901bb2a63a1b096982f258e365244b01ab4ace833a799fa5bd
-Size (vault-0.10.0.tar.gz) = 12533158 bytes
+SHA1 (vault-0.10.1.tar.gz) = 698033ef7c931e2d7939eba8904cad79ccbfbe59
+RMD160 (vault-0.10.1.tar.gz) = eeaef430c97b405cdaf8f27eacbe26a0a1197bd0
+SHA512 (vault-0.10.1.tar.gz) = dfa2d81e0e51cf41694ad40ad9bcc6847a9261ee06b2787d59915b941a63bfe58e649271e1ff5a963b892af5c13043057f29a1a8412efe51b3cf54157c54a060
+Size (vault-0.10.1.tar.gz) = 13001413 bytes
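Review bot: The new `SHA512 (vault-0.10.1.tar.gz)` line is the integrity anchor that matters for a distfile fetched through `MASTER_SITE_GITHUB`; the SHA1 line beside it adds little on its own. These digests pin whatever archive the committer downloaded, so the commit message should say that the tarball was compared against the upstream 0.10.1 tag or release before the checksums were generated. The size change from 12533158 to 13001413 bytes is plausible for a point release but does not establish that by itself.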