Releases: hashicorp/boundary
v0.14.1
0.14.1 (2023/10/17)
Bug Fixes
- deps: Bump Go version to v1.21.3; gRPC to v1.58.3; golang.org/x/net to
v0.17.0. This is to address a security vulnerability in the HTTP stack where a
malicious HTTP/2 client which rapidly creates requests and immediately resets
them can cause excessive server resource consumption.
v0.14.0
0.14.0 (2023/10/10)
Deprecations/Changes
- Per the note in Boundary 0.12.0, the `vault` credential library subtype has now been removed in favor of `vault-generic`. For example, instead of `boundary credential-libraries create vault`, you must use `boundary credential-libraries create vault-generic`.
- Per the note in Boundary 0.12.0, errors returned from the cli when using the `-format=json` option will now only use the `status_code` field. The `status` field has been removed.
- Per the note in Boundary 0.12.0, targets require a default port value. Ports defined as part of a host address were ignored but allowed as part of a target definition; from 0.14.0 onwards, any port defined on a host address will now become an error.
- Targets: Per the note in Boundary 0.10.10, target Application Credentials has been renamed to Brokered Credentials. `application-credential-source` has been removed as a field. `brokered-credential-source` should be used instead. (PR, deprecated changelog).
New and Improved
- cli: Add support for specifying a command that will be executed on the remote host when using the `boundary connect ssh` subcommand. (Issue, PR).
- feat: add API support for additional LDAP auth method fields: `maximum_page_size` and `dereference_aliases` (PR).
- feat: add worker upstream connection status to ops health check (PR).
- feat: allow HCP cluster id to be sourced from file or env variable (PR).
- feat: add support for telemetry events via flag or Boundary configuration (requires observation events to be enabled). Deny filter now filters coordination worker status from observation events by default. (This behavior is overridden by any user specified allow or deny filters) (PR).
- ui: Add full UI support for LDAP auth method (PR)
- ui: Add new attribute fields to storage bucket to support the assume role service in AWS. (PR)
Bug Fixes
- LDAP auth methods: allow bind-dn and bind-password to be updated independently. (PR)
- targets: Fix address field not being populated if the number of targets on a list returns more than 10000 entries (PR)
- cli: Fix issue when using the `authenticate` command against a password auth method on Windows where the password would be swallowed when the login name is submitted (PR)
- worker: Fix an issue that could cause intermittent startup issues on slow systems (PR)
- cli: Remove websocket max message size. This fixes issues where large message sizes are sent to the client from a worker which resulted in the connection being terminated, as is the case with an scp download when using an SSH Target. (PR)
v0.13.1
0.13.1 (2023/07/10)
New and Improved
- roles: In grants, the `id` field has been changed to `ids` (but `id` will still be accepted for now, up until 0.15.0). In the `ids` field, multiple IDs can now be specified in a grant, either via commas (text format) or array (JSON format). (PR).
- dev environment: When running `boundary dev` the initial LDAP auth-method with an ID of `amldap_1234567890` is now in a public-active state, so it will be returned in the response from `boundary auth-methods list`
Deprecations/Changes
- Grants can now accept more than one ID per grant string (or entry in JSON) via the `ids` parameter. In 0.15.0 the ability to add new grants via the `id` parameter will be removed.
Bug Fixes
- PKI worker authentication: A worker authentication record can be stored more than once, if it matches the existing record for that worker auth key ID. Fixes an edge case where a worker attempted authorization and the controller successfully stored the worker auth record but went down before returning authorization details to the worker. (PR)
- LDAP managed groups: adding/setting/removing a principal to a role now works properly when it's an LDAP managed group. (PR and PR)
v0.13.0
0.13.0 (2023/06/13)
New and Improved
- SSH Session Recordings (Enterprise and HCP Boundary only): SSH targets can now be configured to record sessions. Recordings are signed and stored in a Storage Bucket. Recordings can be played back in the admin UI.
  - Storage Buckets: This release introduces Storage Buckets, a Boundary resource that represents a bucket in an external object store. Storage Buckets can be defined at the global or org scope. When associated with an SSH target, the storage bucket is used to store session recordings. This release includes support for AWS S3 only.
  - BSR (Boundary Session Recording) file format: BSR is a new specification that defines a hierarchical directory structure of files and a binary file format. The contents of a BSR include all data transmitted between a user and a target during a single session, relevant session metadata and summary information. The BSR also includes checksum and signature files for cryptographically verifying BSR contents, and a set of KMS wrapped keys for use in BSR verification. The BSR format is intended to be extensible to support various protocols. With this release BSR supports the SSH protocol. It also supports converting an SSH channel recording into an `asciicast` format that is playable by asciinema.
  - To learn more about this new feature, refer to the documentation.
- KMS workers: KMS workers now have feature parity with PKI workers (they support multi-hop and Vault private access) and support separate KMSes for authenticating downstreams across different networks. See the worker configuration documentation for more information. (PR)
- roles: Perform additional validity checking on grants at submission time (PR)
- targets: The new `default_client_port` field allows specifying the default port to use on the client side when connecting to a target, unless overridden by the client via `-listen-port` (PR)
- cli/api/sdk: New LDAP auth method type added with support for create, read, update, delete, and list (see new cli `ldap` subcommands available on CRUDL operations for examples), as well as the ability to authenticate against it via the SDK, CLI, admin UI, and desktop client. (PR)
- ui: Display external names when listing dynamic hosts (PR)
- ui: Add support for LDAP authentication (PR)
- Dynamic Host Catalog: You can now view the AWS or Azure host name when listing hosts in CLI, admin console, and desktop client. (PR)
- Add configuration for license reporting (Enterprise only)
Deprecations/Changes
- With the introduction of the new KMS variant for worker registration (as described below), using the deprecated behavior requires opting-in. This is only recommended if compatibility with pre-0.13 workers using the KMS auth method is required. Requiring opting in removes some potentially confusing behavior for deciding when to use the old versus new mechanism. To opt in, add `use_deprecated_kms_auth_method = true` to the `worker` config block. Note that if a 0.13+ worker using KMS connects to a 0.13+ controller using KMS, the transition to the new method will happen automatically. To go back to the old method after that will require the worker to be deleted and re-added with the `use_deprecated_kms_auth_method` config field specified.
- When grants are added to roles additional validity checking is now performed. This extra validity checking is designed to reject grants that are not documented grant formats or are for combinations of IDs and types that cannot actually be used together. These previously would have been accepted without error but would never result in permissions being granted, causing confusion. As a result, attempting to write such grants into roles may now result in an error; the error message gives hints for resolution.
- `WithAutomaticVersioning` for auth tokens in Go SDK: this option was incorrectly being generated for auth token resources, which do not support versioning. This is technically a breaking change, but it was a no-op option anyways that there was no reason to be using. It has now been removed.
- Plugins: With the introduction of the storage plugin service, the Azure and AWS Host plugin repositories have been renamed to drop the `host` element of the repository name:
  - https://github.com/hashicorp/boundary-plugin-host-aws -> https://github.com/hashicorp/boundary-plugin-aws
  - https://github.com/hashicorp/boundary-plugin-host-azure -> https://github.com/hashicorp/boundary-plugin-azure

  Similarly the `plugins/host` package has been renamed to `plugins/boundary` (PR1, PR2, PR3, PR4).
- PostgreSQL 12 or greater is now required. PostgreSQL 11 is no longer supported.
Bug Fixes
- targets: `authorize-session` now works properly when using a target's name as the identifier and the target name contains one or more slashes (PR)
- resource listing: API requests to list a resource (targets, sessions, users, etc) now properly return all resources the caller has appropriate permission to list (PR)
- sessions: Fix a bug that contributed to slow response times when listing sessions that had a large number of connections (PR)
- ui: Fix `client secret` bug for OIDC authentication methods (PR)
- ui: Fix linking to a Host from the Host Set screen of a Dynamic Host Catalog (PR)
v0.12.2
0.12.2 (2023/04/04)
Security
- Boundary now uses Go 1.19.8 to address CVE-2023-24536. See the
Go announcement for
more details.
v0.12.1
fix(tests): break out of infinite loop for bats tests
v0.12.0
0.12.0 (2023/01/24)
Deprecations/Changes
- In Boundary 0.9.0, targets were updated to require a default port value. This had been the original intention; it was a mistake that it was optional. Unfortunately, due to a separate defect in the update verification logic for static hosts, it was possible for a host to be updated (but not created) with a port. This meant that targets could use ports attached to host addresses, which was not the intention and leads to confusing behavior across different installations. In this version, updating static hosts will no longer allow ports to be part of the address; when authorizing a session, any port on such a host will be ignored in favor of the default port on the target. In Boundary 0.14.0, this will become an error instead. As a consequence, it means that the fallback logic for targets that did not have a default port defined is no longer in service; all targets must now have a default port defined.
- With the introduction of `vault-ssh-certificate` credential libraries, the `vault` credential library subtype is being renamed to `vault-generic` to denote it as a credential library that can be used in a generalized way to issue credentials from vault. Existing credential libraries with the subtype of `vault` will be updated to `vault-generic`. The subtype of `vault` will still be accepted as a valid subtype in API requests to the credential libraries endpoints, but is deprecated. Instead `vault-generic` should be used. In addition the `boundary credential-libraries create vault` and `boundary credential-libraries update vault` subcommands will still function, but are deprecated. Instead `boundary credential-libraries create vault-generic` and `boundary credential-libraries update vault-generic` should be used. Also note that any credential library created using the subtype of `vault`, either via the API or via the deprecated subcommand, will have the subtype set to `vault-generic`. The deprecated subtype and subcommands will be removed in boundary 0.14.0, at which point `vault-generic` must be used.
- In Boundary 0.1.8 using the `-format=json` option with the cli would provide a `status_code` for successful API requests from the cli. However, in the case where an error was returned, the JSON would use `status` instead. This inconsistency has been fixed, with `status_code` being used in both cases. For error cases `status` will still be populated, but is deprecated and will be removed in 0.14.0.
New and Improved
- Direct Address Targets: You can now set an address directly on a target, bypassing the need for host catalogs, host sets and hosts. (PR)
- Custom Response Headers: Adds ability to set api and ui response headers based on status code. Includes default secure CSP and other headers. (PR)
- metrics: Adds accepted connections and closed connections counters to keep track of downstream connections for worker and controller servers. (PR)
- Egress and Ingress worker filters: The target `worker_filter` field has been deprecated and replaced with egress and ingress worker filters. Egress worker filters determine which workers are used to access targets. Ingress worker filters (HCP Boundary only) determine which workers are used to connect with a client to initiate a session. (PR)
- Multi-Hop Sessions (HCP Boundary only): Multi-hop PKI workers can communicate with each other to serve 2 primary purposes: authentication and session proxying. This results in the ability to chain multiple workers together to access services hidden under layers of network security. Multi-hop workers can also establish a TCP session through multiple workers, with the ability to reverse proxy and establish a connection.
- ui: Upgrade Admin UI to Ember 4.4. (PR)
- ui: Add support for JSON credentials in Admin UI. (PR)
- Vault SSH certificate credential library: A new credential library that uses the vault ssh secret engine to generate ssh private key and certificates. The library can be used as an injected application credential source for targets that support credential injection. (PR)
- ui: Add support for managed groups in add-principals list. (PR)
Bug Fixes
- plugins: Ignore `SIGHUP` sent to parent process; some init systems, notably `dumb-init`, would pass them along to the child processes and cause the plugin to exit (PR)
- data warehouse: Fix bug that caused credential dimensions to not get associated with session facts (PR).
- sessions: Fix two authorizeSession race conditions in handleProxy. (PR)
- cli: When using `-format=json` the JSON was inconsistent in how it reported status codes. In successful cases it would use `status_code`, but in error cases it would use `status`. Now `status_code` is used in both cases. In error cases `status` is still populated, see the deprecations above for more details. (PR)
- database: Add job that automatically cleans up completed runs in the `job_run` table. (PR)
- core: Linux packages now have vendor label and set the default label to HashiCorp. This fix is implemented for any future releases, but will not be updated for historical releases.
v0.11.2
0.11.2 (2022/12/09)
Security
- Boundary now uses Go 1.19.4 to address security vulnerability (CVE-2022-41717). See the Go announcement for more details.
v0.11.1
0.11.1 (2022/11/30)
New and Improved
- Vault Parameter Templating: In `vault` credential libraries, the paths and any POST bodies can contain templated parameters using Go template syntax (similar to Consul-Template). The following template parameters are supported (note that account values are tied to the account associated with the token making the call):
  - `{{ .User.Id }}`: the user's ID
  - `{{ .User.Name }}`: the user's name (from the user resource)
  - `{{ .User.FullName }}`: the user's name (from the account corresponding to the primary auth method in the user's scope; this may not be populated or may be different than the account name in the template)
  - `{{ .User.Email }}`: the user's email address (same caveat as `FullName`)
  - `{{ .Account.Id }}`: the account's ID
  - `{{ .Account.Name }}`: the account's name (from the account resource)
  - `{{ .Account.LoginName }}`: the account's login name (if used by that type of account)
  - `{{ .Account.Subject }}`: the account's subject (if used by that type of account)
  - `{{ .Account.Email }}`: the account's email (if used by that type of account)

  Additionally, there is currently a single function that strips the rest of a string after a specified substring; this is useful for pulling a user/account name from an email address. The following example uses the account email, but it can be any other parameter:
  - `{{ truncateFrom .Account.Email "@" }}`: this would turn `foo@example.com` into `foo`
- Per-scope key lifecycle management: You can now manage the lifecycles of both Key Encryption Keys (KEKs) and Data Encryption Keys (DEKs) using the new key rotation and key version destruction functionality. To learn more about this new feature, refer to the documentation.

  Upgrade notice: If the Database purpose DEK for a scope is destroyed, you must use the API to cancel any sessions that predate the upgrade. (PR)
- workers: PKI Worker daemons now get disconnected from upstreams when their corresponding resource is deleted (PR)
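
The Vault parameter templating described in the 0.11.1 notes above can be tried out with Go's standard `text/template`. This is an added example, not Boundary's own code: the `truncateFrom` body is written from the one-sentence description in the note, and the Vault paths, IDs and account values are constructed samples.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// Field names mirror the template parameters listed in the release note.
type User struct{ Id, Name, FullName, Email string }
type Account struct{ Id, Name, LoginName, Subject, Email string }

type TemplateData struct {
	User    User
	Account Account
}

// truncateFrom is written from the note's one-line description: drop
// everything from the first occurrence of sep onward. Returning the input
// unchanged when sep is empty or absent is an assumption of this sketch.
func truncateFrom(s, sep string) string {
	if sep == "" {
		return s
	}
	before, _, _ := strings.Cut(s, sep)
	return before
}

// Render expands one templated path or POST body. Because the data is a
// struct, a misspelled parameter fails at execution instead of silently
// rendering as an empty path segment.
func Render(tmpl string, data TemplateData) (string, error) {
	t, err := template.New("vault").
		Funcs(template.FuncMap{"truncateFrom": truncateFrom}).
		Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed sample identity and paths; none come from a real deployment.
	data := TemplateData{
		User:    User{Id: "u_1234567890", Name: "alice"},
		Account: Account{Id: "acctpw_1234567890", LoginName: "alice", Email: "foo@example.com"},
	}
	for _, tmpl := range []string{
		`kv/data/users/{{ truncateFrom .Account.Email "@" }}/db`,
		`{"username": "{{ .Account.LoginName }}", "owner": "{{ .User.Id }}"}`,
		`kv/data/users/{{ .Account.LoginNmae }}/db`, // misspelled parameter: must error
	} {
		out, err := Render(tmpl, data)
		fmt.Printf("%s\n  => %q (err: %v)\n", tmpl, out, err)
	}
}
```

Rendering a candidate template against a representative identity like this, before it goes into a credential library, shows exactly which Vault path each user would be mapped to.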
Bug Fixes
- sessions: Fix workers not being in random order when returned to clients at `authorize-session` time, which could allow one worker to bear the majority of sessions (PR)
- workers: In some error conditions when sending status to controllers, errors could be written to stdout along with a message that they could not successfully be evented instead of being written to the event log (PR)
- workers: Fixed a panic that can happen in certain situations (PR)
- sessions: Fixed a panic in a controller when a worker is deleted while sessions are ongoing (PR)
- sessions: Fixed a panic in a worker when a user with an active session is deleted (PR)
- sessions: Fixed a bug where reading a session after its associated project had been deleted would result in an error (PR)
- config: Fixed a bug where supplying multiple KMS blocks with the same purpose would silently ignore all but the last block (PR)
Deprecations/Changes
- In order to standardize on the templating format, templates in `grants` now are documented to use the new capitalization and format; however, the previous style will continue to work.
v0.11.0
0.11.0 (2022/09/27)
Known Issues
- PKI workers in past versions did not store a prior encryption key, and a bug
prior to 0.11.0 meant that auth rotations could happen more frequently than
expected. This could cause some race issues around rotation time. However,
there was another issue where a past worker authentication record could be
looked up for some operations instead of the current one, made more likely by
the too-frequent rotations. In 0.11.0 we attempt to ensure that the record
that remains on upgrade is the most current one, but it is possible that the
wrong one is chosen, leading to a failure for the worker to authenticate or
for some operations to consistently fail. In this case, the worker will need
to be deleted and re-authorized. We apologize for any issues this causes and
this should be remedied going forward.
Bug Fixes
- Fix bug preventing delete of org. (PR)
- scopes: Organizations could be prevented from being deleted if some resources remained (PR)
- workers: Authentication rotation could occur prior to the expected time (PR)
- workers: When looking up worker authentication records, an old record could be returned instead of the new one, leading to errors for encryption or decryption operations (PR)
New and Improved
- vault: (HCP Boundary only): Private Vault clusters can be used with HCP Boundary by using PKI workers deployed in the same network as a private cluster. Tags are used to control which PKI workers can manage private Vault requests by specifying a `worker_filter` attribute when configuring a Vault credential store.
- credentials: There is now a `json` credential type supported by `static` credential stores that allows submitting a generic JSON object to Boundary for use with credential brokering workflows (PR)
- ui: Add support for worker management (PR)
- ui: Add support for PKI worker registration (PR)
- ui: Add support for Static Credential Stores (PR)
- ui: Add support for Username & Password Credentials (PR)
- ui: Add support for Username & Key Pair Credentials (PR)
- ui (HCP Boundary only): SSH Target creation along with injected application credential support (PR)
- ui (HCP Boundary only): Update vault credential stores to support private vault access (PR)
- ui: Improve quick setup wizard onboarding guide resource names (PR)
- ui: Updates to host catalog and host set forms and “Learn More” links (PR)
- workers: Added the ability to read and reinitialize the Worker certificate authority (PR1, PR2)
- workers: Return the worker Boundary binary version on worker list and read (PR)
- workers: Addition of worker graceful shutdown, triggered by an initial `SIGINT` or `SIGTERM` (PR)
- workers: Retain one previous encryption/decryption key after authentication rotation (PR)
Deprecations/Changes
- In 0.5.0, the `add-host-sets`, `remove-host-sets`, and `set-host-sets` actions on targets were deprecated in favor of `add-host-sources`, `remove-host-sources`, and `set-host-sources`. Originally these actions and API calls were to be removed in 0.6, but this was delayed to give extra time for clients to switch over. This has now been fully switched over. A database migration will modify any grants in roles to have the new actions. This same changeover has been made for `add-/remove-/set-credential-libraries` to `add-/remove-/set-credential-sources`, although those actions would only be in grant strings in very rare circumstances as the `-sources` actions replaced the `-libraries` actions very quickly. (PR)