v0.11.2

0.11.2 (2022/12/09)

Security

• Boundary now uses Go 1.19.4 to address security vulnerability (CVE-2022-41717) See the
  Go announcement for
  more details.

v0.11.1

0.11.1 (2022/11/30)

New and Improved

• Vault Parameter Templating: In vault credential libraries, the paths and any
  POST bodies can contain templated parameters using Go template syntax (similar
  to Consul-Template). The following template parameters are supported (note
  that account values are tied to the account associated with the token making
  the call):

  • {{ .User.Id }}: the user's ID
  • {{ .User.Name }}: the user's name (from the user resource)
  • {{ .User.FullName }}: the user's name (from the account corresponding to
    the primary auth method in the user's scope; this may not be populated or
    maybe different than the account name in the template)
  • {{ .User.Email }}: the user's email address (same caveat as FullName)
  • {{ .Account.Id }}: the account's ID
  • {{ .Account.Name }}: the account's name (from the account resource)
  • {{ .Account.LoginName }}: the account's login name (if used by that type
    of account)
  • {{ .Account.Subject }}: the account's subject (if used by that type
    of account)
  • {{ .Account.Email }}: the account's email (if used by that type
    of account)

  Additionally, there is currently a single function that strips the rest of a
  string after a specified substring; this is useful for pulling an user/account name from an email address. In the following example it uses the account email can be any other parameter:

  • {{ truncateFrom .Account.Email "@" }}: this would turn [email protected] into foo

• Per-scope key lifecycle management: You can now manage the lifecycles of both Key
  Encryption Keys (KEKs) and Data Encryption Keys (DEKs) using the new key rotation
  and key version destruction functionality. To learn more about this new feature,
  refer to the
  documentation.

  Upgrade notice: If the Database purpose DEK for a scope is destroyed, you must use
  the API to cancel any sessions that predate the upgrade.
  (PR)

• workers: PKI Worker daemons now get disconnected from upstreams when their
  corresponding resource is deleted (PR)

Bug Fixes

• sessions: Fix workers not being in random order when returned to clients at
  authorize-session time, which could allow one worker to bear the majority of
  sessions (PR)
• workers: In some error conditions when sending status to controllers, errors
  could be written to stdout along with a message that they could not
  successfully be evented instead of being written to the event log
  (PR)
• workers: Fixed a panic that can happen in certain situations
  (PR)
• sessions: Fixed a panic in a controller when a worker is deleted while
  sessions are ongoing (PR)
• sessions: Fixed a panic in a worker when a user with an active
  session is deleted (PR)
• sessions: Fixed a bug where reading a session after its associated project
  had been deleted would result in an error
  (PR)
• config: Fixed a bug where supplying multiple KMS blocks with the same purpose
  would silently ignore all but the last block
  (PR)

Deprecations/Changes

• In order to standardize on the templating format, templates in
  grants
  now are documented to use the new capitalization and format; however, the
  previous style will continue to work.

v0.11.0

0.11.0 (2022/09/27)

Known Issues

• PKI workers in past versions did not store a prior encryption key, and a bug
  prior to 0.11.0 meant that auth rotations could happen more frequently than
  expected. This could cause some race issues around rotation time. However,
  there was another issue where a past worker authentication record could be
  looked up for some operations instead of the current one, made more likely by
  the too-frequent rotations. In 0.11.0 we attempt to ensure that the record
  that remains on upgrade is the most current one, but it is possible that the
  wrong one is chosen, leading to a failure for the worker to authenticate or
  for some operations to consistently fail. In this case, the worker will need
  to be deleted and re-authorized. We apologize for any issues this causes and
  this should be remedied going forward.

Bug Fixes

• Fix bug preventing delete of org. (PR
• scopes: Organizations could be prevented from being deleted if some resources
  remained (PR)
• workers: Authentication rotation could occur prior to the expected time
  (PR)
• workers: When looking up worker authentication records, an old record could be
  returned instead of the new one, leading to errors for encryption or
  decryption operations (PR)

New and Improved

• vault: (HCP Boundary only): Private Vault clusters can be used with HCP Boundary by using PKI workers
  deployed in the same network as a private cluster. Tags are used to control which PKI workers can manage private Vault
  requests by specifying a worker_filter attribute when configuring a Vault credential store.
• credentials: There is now a json credential type supported by static
  credential stores that allows submitting a generic JSON object to Boundary for
  use with credential brokering workflows
  (PR)
• ui: Add support for worker management
  (PR)
• ui: Add support for PKI worker registration
  (PR)
• ui: Add support for Static Credential Stores
  (PR)
• ui: Add support for Username & Password Credentials
  (PR)
• ui: Add support for Username & Key Pair Credentials
  (PR)
• ui (HCP Boundary only): SSH Target creation along with injected application
  credential support (PR)
• ui (HCP Boundary only): Update vault credential stores to support private
  vault access (PR)
• ui: Improve quick setup wizard onboarding guide resource names
  (PR)
• ui: Updates to host catalog and host set forms and “Learn More” links
  (PR)
• workers: Added the ability to read and reinitialize the Worker certificate
  authority (PR1,
  PR2)
• workers: Return the worker Boundary binary version on worker list and read
  (PR)
• workers: Addition of worker graceful shutdown, triggered by an initial
  SIGINT or SIGTERM (PR)
• workers: Retain one previous encryption/decryption key after authentication
  rotation (PR)

Deprecations/Changes

• In 0.5.0, the add-host-sets, remove-host-sets, and set-host-sets actions
  on targets were deprecated in favor of add-host-sources,
  remove-host-sources, and set-host-sources. Originally these actions and
  API calls were to be removed in 0.6, but this was delayed to give extra time
  for clients to switch over. This has now been fully switched over. A database
  migration will modify any grants in roles to have the new actions. This same
  changeover has been made for add-/remove-/set-credential-libraries to
  add-/remove-/set-credential-sources, although those actions would only be in
  grant strings in very rare circumstances as the -sources actions replaced
  the -libraries actions very quickly.
  (PR)

v0.10.5

0.10.5 (2022/09/13)

Bug Fixes

• grants: Properly resolve "only self" for permissions. When generating
  permissions from grants, if a single grant was limited only to a set of "self"
  actions and that was the last grant parsed (which would be semi-random
  depending on a number of factors), the overall set of permissions would be
  marked as only-self. This would result in the generated permissions being more
  limiting then they should be based on the grants. This only impacts the
  sessions list endpoint. It would result in users that have been granted access
  to list other user's sessions to be unable to see these sessions in the list
  results (PR).

v0.10.4

0.10.4 (2022/09/13)

New and Improved

• Controller-led worker authorization: This is a second authorization option for
  the workers using PKI-based authentication that was introduced in Boundary
  0.10.0. In 0.10.0, the only mode available was "worker-led", in which a worker
  generates an authorization request which can be submitted to a controller to
  authorize the worker. With this new controller-led flow, a worker can be
  created via the controller API first and return a one-time-use authorization
  token. This token can then be made available to the worker at startup time via
  its configuration file, env var, or a file with the value. If the worker is
  not authorized and this token is provided, it will use the token to authorize
  itself to the controller and set up PKI-based authentication.
  (PR)
• Initial upstreams reloading on SIGHUP: Workers will now re-read the
  initial_upstreams value from the configuration file when given a SIGHUP.
  This allows a worker to reconnect to controllers if the full set of
  controllers has been changed over at the same time, without having to restart
  the worker. (PR)

Bug Fixes

• vault: Correctly handle Vault credential stores and libraries that are linked to an
  expired Vault token. (Issue,
  PR).
• aws host catalog: Fix an issue where the request to list hosts could timeout
  on a large number of hosts
  (Issue,
  PR)
• aws host catalog: Fix an issue where filters could become unreadable in the UI
  if only one filter was created and was set by the CLI or directly via the API
  (PR1,
  PR2)
• aws host catalog: Use provided region for IAM calls in addition to EC2
  (Issue,
  PR)
• azure host catalog: Fix hosts not being found depending on the exact filter
  used because different filters return values with different casing
  (PR)
• sessions: Fix an issue where sessions could not have more than one connection
  (Issue,
  PR)
• workers: Fix repeating error in logs when connected to HCP Boundary about an
  unimplemented HcpbWorkers call
  (PR)
• workers: Fix a panic that could occur when workers:create:worker-led (e.g.
  via boundary workers create worker-led) was given an invalid token
  (PR)
• workers: Add the ability to set API-based worker tags via the CLI
  (PR)

v0.10.3

0.10.3 (2022/08/30)

Bug Fixes

• db: Fix an issue with migrations failing due to not updating the project_id value for the host plugin set (Issue, PR).

v0.10.2

0.10.2 (2022/08/23)

Security

• Fix security vulnerability CVE-2022-36130, Boundary up to 0.10.1 did not properly perform
  authorization checks to ensure the resources were associated with the correct scopes,
  allowing potential privilege escalation for authorized users of another scope.
  [HCSEC-2022-17]

v0.10.1

0.10.1 (2022/08/11)

Bug Fixes

• db: Fix an issue with migrations affecting clusters that contain
  credential libraries or static credentials.
  (Issue),
  (PR).
• Managed Groups: Fix an issue where the filter field is not sent by
  admin UI (PR).
• Host Sets: Fix an issue causing host sets to not display in UI when using the aws plugin
  (PR)
• Plugins: Fixes regression from 0.9.0 causing a failure to start when using
  multiple KMS blocks of the same type
  (PR1,
  PR2)
• CLI: Fixed errors related to URL detection when passing in -attr or
  -secret values that contained colons
  (PR)

v0.10.0

0.10.0 (2022/08/10)

Known Issues

• Migration to this version may fail if the cluster contains credential
  libraries. This will be fixed shortly in 0.10.1.

New and Improved

• ssh Target Type With Credential Injection (HCP Boundary only): Boundary has
  gained a new ssh target type. Using this type, username/password or SSH
  private key credentials can be sourced from vault credential libraries or
  static credentials and injected into the SSH session between a client and
  end host. This allows users to securely SSH to remote hosts while never being
  in possession of a valid credential for that target host.
• SSH Private Key Credentials: There is now an ssh_private_key credential type
  that allows submitting a username/private key (and optional passphrase) to
  Boundary for use with credential injection or brokering workflows.
• boundary connect ssh Credential Brokering Enhancements: we have extended
  support into the boundary connect ssh helper for brokered credentials of
  ssh_private_key type; the command will automatically pass the credentials to
  the ssh process (PR).
• boundary authenticate, boundary accounts: Enables use of env:// and
  file:// syntax to specify location of a password
  (PR)

Bug Fixes

• cli: Correctly cleanup plugins after exiting boundary dev, boundary server
  and boundary database init
  (Issue,
  PR).
• boundary accounts change-password: Fixed being prompted for confirmation of
  the current password instead of the new one
  (PR)

Deprecations/Changes

• API Module: Changed the return types that reference interfaces into their
  expected typed definition. Type casting is only allowed against interface
  types, therefore to mitigate compiler errors please remove any type casting
  done against the return values.
  (Issue,
  PR)
• Targets: Rename Application credentials to Brokered credentials
  (PR).
• Host plugins: Plugin-type host catalogs/sets/hosts now use typed prefixes for
  any newly-created resources. Existing resources will not be affected.
  (PR)
• Credential stores: Static-type credential stores/credentials now use typed
  prefixes for any newly-created resources. Existing resources will not be
  affected. (PR)
• Change of behavior on -token flag in CLI: Passing a token this way can
  reveal the token to any user or service that can look at process information.
  This flag must now reference a file on disk or an env var. Direct usage of the
  BOUNDARY_TOKEN env var is also deprecated as it can show up in environment
  information; the env:// format now supported by the -token flag causes the
  Boundary process to read it instead of the shell so is safer.
  (PR)
• Change of behavior on -password flag in CLI: The same change made above for
  -token has also been applied to -password or, for supporting resource
  types, -current-password and -new-password.
  (PR)

v0.9.1

0.9.1 (2022/07/06)

New and Improved

• azure host plugin: Support multiple MSI identities
  (PR

Bug Fixes

• scheduler: Fix regression causing controller names of less than 10 characters
  to fail to register jobs
  (PR).
• sessions: Fix an additional case from the changes in the 0.8.x series that
  could result in sessions never moving from canceling state to terminated.
  (PR)
• The plugin execution_dir configuration parameter is now respected by kms plugins too
  PR.

Deprecations/Changes

• sessions: The default connect limit for new sessions changed from 1 to unlimited (-1).
  Specific connection limits is an advanced feature of Boundary and this setting is
  more friendly for new users.
  (PR)