
Releases: NREL/api-umbrella

0.15.1 / 2019-05-14

14 May 06:05
@GUI GUI
8df1f6d

👋 Long time no release! Sorry for the long gap since our last formal release, but we have a sizable upgrade ready that fixes various bugs, and makes a lot of internal improvements. Upgrading is recommended.

Upgrade Instructions

If you're upgrading a previous API Umbrella version, you may upgrade the api-umbrella package using your package manager.

Fixed

  • Fix filtering admin analytics on the "HTTP Method" field: Analytics filters for the "HTTP Method" field were not working. (api.data.gov#401, #389)
  • Fix admins without admin management permissions accessing their own account page: If an admin account didn't also have "Admin Accounts - View & Manage" permissions, the admin wasn't able to access their own admin account page. (api.data.gov#451, api.data.gov#443)
  • Fix admin navigation links not hiding based on admin account permissions: Admin accounts with limited permissions were still being shown links to all the possible admin pages, even if they didn't have permissions to those pages. This is fixed so there are only navigation links to the permitted admin areas now. (api.data.gov#432, api.data.gov#394)
  • Fix admins with limited permissions not able to publish website backends: Only superuser admins were able to publish website backend changes. (9091de9, 0356c6b)
  • Fix CSV download for admin drilldown analytics: The CSV download link in the API Drilldown part of the admin analytics wasn't working. (api.data.gov#410)
  • Fix missing column headers in admin analytics "Filter Logs" CSVs: Some of the last columns of data in this CSV were missing the associated column headers. (api.data.gov#480)
  • Fix out-of-memory issues potentially leading to outage: In the event the API backend configuration exceeds the allocated memory for this configuration in nginx (configured via nginx.shared_dicts.active_config.size), the API backend configuration could become unloaded leading to an API outage. This is now fixed so that the new API backend configuration will only get published if there's enough available memory (otherwise, the old configuration will remain in place, and a warning will be logged). The default memory size for this configuration has also been increased to allow for 750-1000 API backends by default (up from the previous default allowing 150-300 API backends). (cb5e2c1, 3af5700, api.data.gov#385)
  • Fix URL handling for query strings containing "api_key": It was possible that API Umbrella was stripping the string "api_key" from inside URLs before passing requests to the API backend in some unexpected cases. The api_key query parameter should still be stripped, but other instances of "api_key" elsewhere in the URL (for example as a value, like ?foo=api_key), are now retained. (de3e207)
  • Fix behavior of drilldown chart in admin analytics: The behavior of the drilldown chart in the analytics area could sporadically be incorrect and render the wrong data in the chart. (api.data.gov#433)
  • Fix redirect rewriting from API backends: When an API backend returns a redirect, there were some situations where the rewritten redirect would be incorrect (if API Umbrella was running on a custom HTTP or HTTPS port, or in situations where the API backend has multiple URL prefix matches, or if the API backend returns an already rewritten path). (735212b, 4d5cc3f)
  • Fix configuration settings to extend the default HTTP timeout: Fix the nginx.proxy_read_timeout and nginx.proxy_connect_timeout settings for use with API backends that are slower to respond. (#441, 17bc65c)
  • Fix empty 404 and 500 error pages served from web-app: If the web-app returned 404 or 500 errors, these were returned with an empty response body in v0.14.0+. (a6fb68e)
  • Fix memory leaks: The background task that periodically reloaded nginx to work around unexpected memory growth has been removed, since the underlying memory growth is now fixed. (09b3f74)
  • Fix admin logouts when API Umbrella is restarted: The randomized secret token used for session encryption could be regenerated on API Umbrella restarts, which could lead to admins needing to login again. (c65ea2f, f88a2c0)
  • Fix admin analytics when no indices for the date range are present: If querying the analytics for date ranges where no analytics indices were present, ensure that the API still responds successfully (with 0 values). (c743e79)
  • Fix nginx warnings: Fix warnings generated in the nginx log files. (04e8c9c, 08b59e7)
  • Fix edge case with seeded API keys having the same key: It was possible that the API keys created during startup for internal usage could end up having duplicate, colliding API key values. This likely only affected the test environment when repeated, rapid reloads were performed. (a725342, 8fd99e3)
  • Fix edge cases to handle MongoDB replicaset changes more gracefully: Better handle errors during MongoDB replicaset changes to retry queries. (a808feb)
  • Improve keepalive handling: Fix possibility of 502 Bad Gateway responses in cases where an API backend closes a keepalive connection to API Umbrella. (833e3de, api.data.gov#446)
  • Fix edge case with rapid reloads causing config data to go missing: If rapidly reloading the API Umbrella process, the config could go missing. This likely only affected our test suite which performs rapid reloads. (e274d86)
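The "api_key" URL-handling fix above is a parsing point worth seeing in code: the api_key query parameter must be removed before the request reaches the backend, but the string "api_key" appearing as a value (?foo=api_key) or inside a path segment must survive. The following is an added example written for this page, not API Umbrella's code. The "naive" function is a constructed model of the over-broad removal the note describes; the second function removes only the parameter whose decoded name is exactly api_key and forwards everything else byte-for-byte.

```ruby
require "uri"
require "cgi"

# Constructed model of the over-broad behaviour the release note describes
# (not API Umbrella's code): it deletes the substring "api_key" wherever it
# appears, so values and path segments get damaged too.
def strip_api_key_naive(url)
  url.gsub(/api_key(=[^&#]*)?&?/, "")
end

# Correct removal: split the query into name/value pairs and drop only the
# pairs whose *decoded name* is exactly "api_key". Other pairs are forwarded
# unchanged (no re-encoding), the path and fragment are untouched, and a
# percent-encoded name such as "%61pi_key" is still recognised as api_key.
def strip_api_key_param(url)
  uri = URI.parse(url)
  return url if uri.query.nil? || uri.query.empty?

  kept = uri.query.split("&", -1).reject do |pair|
    name = pair.split("=", 2).first.to_s
    CGI.unescape(name) == "api_key"
  end
  uri.query = kept.empty? ? nil : kept.join("&")
  uri.to_s
end

if __FILE__ == $PROGRAM_NAME
  [
    "https://api.example.com/v1/things?api_key=SECRET&foo=api_key",
    "/v1/api_key_stats?x=1&api_key=SECRET",
    "/v1/things?%61pi_key=SECRET&a=b",
  ].each do |u|
    puts "#{u}\n  naive:  #{strip_api_key_naive(u)}\n  parsed: #{strip_api_key_param(u)}"
  end
end
```

Matching on the decoded name rather than on the raw query text is what makes this robust: the naive version turns `/v1/api_key_stats?x=1&api_key=SECRET` into `/v1/_stats?x=1&`, while the parsed version yields `/v1/api_key_stats?x=1`. The kept pairs are re-joined exactly as received, so the backend sees the same encoding the client sent.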

Security

  • Prevent API URLs and contact URLs from linking to unknown domains in API key signup e-mails: Someone could trigger an API key signup e-mail to a user with links to unexpected locations for the example API URL or "contact us" link. Thanks to @nuke11 for the bug bounty report. (api.data.gov#460)
  • XSS issue in flash error messages from external login providers: Error messages from external login providers (eg, Google) could contain a cross-site scripting (XSS) vulnerability. (469572c)
  • Prevent admins without analytics permissions from viewing analytics: If an admin account belonged only to admin groups that didn't have any analytics permissions, it was still possible for that admin to inadvertently view all analytics data. (a4569a6)
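The first item in this list is a link-injection problem: any URL that ends up in an e-mail the service sends on a user's behalf has to be checked against an allowlist of hosts, and that check has to be done on the parsed URL rather than on its text. The following is an added example for this page (not API Umbrella's code); the allowed hosts, the base URL and the fallback paths are assumed values. It rejects non-http(s) schemes, credentials in the authority (https://api.example.com@evil.com), protocol-relative URLs (//evil.com) and lookalike hosts (api.example.com.evil.com), and resolves relative paths against the site's own base.

```ruby
require "uri"

# Assumed configuration for this example: hosts that signup e-mails may link
# to, and the base used to resolve relative paths such as "/contact".
ALLOWED_LINK_HOSTS = %w[api.example.com developer.example.com].freeze
SITE_BASE = "https://api.example.com/"

# Returns an absolute URL that is safe to embed, or nil if the candidate must
# be dropped. The decision is made on the parsed components, never on prefix
# matching of the raw string.
def safe_link_url(candidate, base: SITE_BASE)
  return nil if candidate.nil? || candidate.strip.empty?
  uri = URI.join(base, candidate.strip)
  return nil unless uri.is_a?(URI::HTTP)   # URI::HTTPS is a subclass; javascript:, data:, mailto: are not
  return nil unless uri.userinfo.nil?      # rejects https://api.example.com@evil.com
  return nil unless ALLOWED_LINK_HOSTS.include?(uri.host.to_s.downcase)
  uri.to_s
rescue URI::Error
  nil
end

# Builds the two links used in the signup e-mail, falling back to known-good
# defaults (assumed paths) whenever a supplied URL fails the check.
def signup_email_links(example_api_url:, contact_url:)
  {
    example_api_url: safe_link_url(example_api_url) || "#{SITE_BASE}docs",
    contact_url:     safe_link_url(contact_url)     || "#{SITE_BASE}contact",
  }
end
```

Note that the host comparison is exact: if subdomains should be allowed, match on a dot-prefixed suffix (".example.com") rather than with `end_with?("example.com")`, which would also accept "notexample.com". The port is deliberately not checked here; add it if your deployment only serves on the default ports.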

Added

  • Added packages for Ubuntu 18.04 and Debian 9: Pre-packaged binaries are now available for the latest Debian and Ubuntu LTS releases. (#432, #444)
  • Elasticsearch V5, V6, and V7 compatibility: If using an external Elasticsearch database, API Umbrella now supports Elasticsearch versions 5, 6, and 7. The elasticsearch.api_version must be adjusted accordingly. (#393)
  • Elasticsearch SSL support: You can now point to an Elasticsearch URL over HTTPS. (a201220, a5a403f, d89960f)
  • AWS Elasticsearch signing for IAM access control: There is an extra proxy layer to support using AWS Elasticsearch when using IAM for access control. (9ddce5e)
  • Option to log all output to stdout/stderr: The log.destination: console o...

0.14.4 / 2017-07-15

15 Jul 03:45
@GUI GUI

0.14.4 (2017-07-15)

This update contains one important fix for v0.14.3. Upgrading is recommended if you are currently running v0.14.3.

Upgrade Instructions

If you're upgrading a previous API Umbrella version, you may upgrade the api-umbrella package using your package manager.

Fixed

  • Rollback rsyslog to fix memory leak: The version of rsyslog included in API Umbrella v0.14.3 (rsyslog v8.28.0) has a memory leak with the way API Umbrella configures it. This leads to rsyslog's memory use growing indefinitely. To fix this, the included version of rsyslog has been downgraded to v8.27.0 (and a bug report has been filed with rsyslog). (api.data.gov#395)

0.14.3 / 2017-07-13

13 Jul 05:29
@GUI GUI

This update contains a few bug fixes and some potential security fixes. Upgrading is recommended.

Upgrade Instructions

If you're upgrading a previous API Umbrella version, you may upgrade the api-umbrella package using your package manager.

Changed

  • Make web-app timeouts configurable: Timeouts in the Rails web application are now configurable. (bfe3f06)
  • On admin sign in with Google, prompt for specific account: When the admin tool is configured to use Google for logins, always prompt for which Google account to use. (c11ea16)
  • Search behavior in admin APIs: The free-form text search functionality provided by most of the admin APIs has been tweaked slightly. Now searching for an ID requires a full match instead of a partial match, and the "admins" API endpoint no longer searches the authentication token field. (e936932, aac482e)
  • Upgrade bundled software dependencies:
    • MongoDB 3.2.13 -> 3.2.15
    • OpenResty 1.11.2.3 -> 1.11.2.4 (security update: CVE-2017-7529)
    • Rsyslog 8.27.0 -> 8.28.0

Fixed

  • Fix logrotation inside Docker container: Log files could grow unbounded in size inside the API Umbrella Docker container. (#365)
  • Fix the default "contact us" form: A regression in v0.14.0 broke the default contact form's ability to send e-mails. (api.data.gov#390)
  • Fix logging data to authenticated Elasticsearch: If using a custom Elasticsearch instance that uses HTTP basic authentication, this should work now. (eae9553)
  • Fix an internal analytics endpoint: A regression in v0.14.0 broke a non-public API endpoint for summary analytics. (api.data.gov#387)

Security

  • Fix admin password hashes exposure:
    • If you use the local authentication mechanism for logging into the admin (new in v0.14.0 and the default), then upgrading to API Umbrella v0.14.3 is highly recommended.
    • If you rely only on external login providers (Google, GitHub, etc), then this issue should not affect your installation.
    • This issue could lead to the password hashes for admins being exposed to other admin users. Similarly, hashed password reset tokens or account unlock tokens could also be exposed to other admin users.
    • No plain text passwords or tokens would have been exposed, and these hashes would have only been exposed to other API Umbrella admin users. So the likelihood of this information being exploitable is hopefully very low (the hashes are considered strong and not easy to brute force), but upgrading is recommended to remedy this. You'll also want to weigh the risks for your installation, but it would be prudent to instruct your admins to reset their passwords.
    • Hash details: The exposed password hashes would have been hashed using bcrypt (with a cost factor of 11), and the exposed reset/unlock tokens would have been hashed using HMAC-SHA256 (with the key being a random 128 character string, or the web.rails_secret_token value if you manually set that in your config). (82dfe06)
  • Updated bundled dependencies:
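The exposure above is the classic "serialize the whole record" mistake: an admin API that renders a model row as JSON will include password hashes and token digests unless the output is restricted to an explicit allowlist. The following is an added example for this page, not the project's code; the row and its column names are constructed (modeled on Devise conventions) and are assumptions. It shows the allowlisted serializer, a regression check that scans any API response for bcrypt hashes or token columns, and the HMAC-SHA256 step that explains why a stored reset-token digest cannot be turned back into the e-mailed token without the key.

```ruby
require "json"
require "openssl"

# Constructed admin row for this example; column names are assumptions.
ADMIN_ROW = {
  "id" => "uuid-admin-0001",
  "username" => "alice@example.com",
  "superuser" => false,
  "encrypted_password" => "$2a$11$" + ("x" * 53),  # bcrypt, cost 11 (shape only)
  "reset_password_token" => "3f" * 32,             # hex HMAC-SHA256 digest of the e-mailed token
  "unlock_token" => nil,
  "last_sign_in_at" => "2017-07-01T00:00:00Z",
}.freeze

# Allowlist: a column added later never leaks by default.
ADMIN_API_FIELDS = %w[id username superuser last_sign_in_at].freeze

def admin_to_api_json(row)
  JSON.generate(row.slice(*ADMIN_API_FIELDS))
end

# Regression check for any response body: returns the JSON paths of keys that
# are known credential columns, or of string values shaped like a bcrypt hash.
SENSITIVE_KEYS = %w[encrypted_password reset_password_token unlock_token password].freeze
BCRYPT_RE = /\A\$2[aby]\$\d\d\$/

def leaked_sensitive_fields(json)
  found = []
  walk = lambda do |node, path|
    case node
    when Hash
      node.each do |k, v|
        found << "#{path}#{k}" if SENSITIVE_KEYS.include?(k.to_s) || (v.is_a?(String) && v.match?(BCRYPT_RE))
        walk.call(v, "#{path}#{k}.")
      end
    when Array
      node.each_with_index { |v, i| walk.call(v, "#{path}#{i}.") }
    end
  end
  walk.call(JSON.parse(json), "")
  found
end

# The raw token goes out by e-mail; only its keyed digest is stored. Without
# the secret, an exposed digest does not yield a usable reset link.
def digest_reset_token(raw_token, secret)
  OpenSSL::HMAC.hexdigest("SHA256", secret, raw_token)
end
```

Run `leaked_sensitive_fields` over the bodies your admin API test suite produces; a non-empty result is the signal this release's fix would have caught.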

0.14.2 / 2017-05-23

26 May 23:35
@GUI GUI

This update contains a few bug fixes. Upgrading is recommended.

Upgrade Instructions

If you're upgrading a previous API Umbrella version, you may upgrade the api-umbrella package using your package manager.

Changed

  • Upgrade bundled software dependencies:
    • Elasticsearch 2.4.4 -> 2.4.5
    • MongoDB 3.2.12 -> 3.2.13
    • Rsyslog 8.26.0 -> 8.27.0

Fixed

  • Fix removing last item from array fields in admin: A regression in v0.14.0 prevented admins from removing the last items in certain array fields in the admin (for example, removing all roles from a user or API). (#367)
  • Fix SSL validation against external Elasticsearch database: Allow for explicit configuration of SSL settings when connecting to an external Elasticsearch database that is using HTTPS. Thanks to @martinzuern. (#364)
  • Increase default memory storage for configuration data: Increase the default memory allocated for storing the live API backend configuration data from 600KB to 3MB to prevent potential issues when publishing lots of API backends. (api.data.gov#385)

0.14.1 / 2017-04-23

24 Apr 02:26
@GUI GUI

This update contains a few bug fixes and one potential security fix. Upgrading is recommended.

Upgrade Instructions

If you're upgrading a previous API Umbrella version, you may upgrade the api-umbrella package using your package manager.

Changed

  • Upgrade bundled software dependencies:
    • OpenResty 1.11.2.2 -> 1.11.2.3
    • Ruby 2.3.3 -> 2.3.4
    • Rsyslog 8.24.0 -> 8.26.0

Fixed

  • Missing validations on API backends: It was possible to create API backends that omitted fields that should have been required in the Sub-URL Request Settings and Advanced Requests Rewriting sections. This could cause errors in loading the API configuration. (#360)
  • Creating new admin groups: Creating new admin groups in the admin was broken in v0.14.0. (#347)
  • Outgoing example URL in admin: In the API backend form of the admin, the example outgoing URL was incorrect in v0.14.0. (b4ce3e28)
  • Ember.js deprecation warnings: Fix some deprecation warnings in the admin tool. (3e019140, 27bf988d)

Security

  • Don't pass admin session cookie to API backends: The session cookie the API Umbrella admin uses is now stripped from requests to API backends. (89371149)
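A proxy that forwards the browser's Cookie header verbatim hands the admin session token to every API backend, including ones operated by third parties. The fix is to drop exactly that cookie and leave the rest of the header alone. The following is an added example for this page (not API Umbrella's code); the cookie name is an assumption. Only the cookie whose name matches exactly is removed, other cookies pass through without decoding or re-encoding, and a header that becomes empty is removed rather than forwarded as an empty string.

```ruby
# Assumed name of the admin session cookie for this example.
ADMIN_SESSION_COOKIE = "_api_umbrella_session"

# Returns the Cookie header value to forward, or nil when nothing is left.
# Cookies are separated by ";" and the name is everything before the first "=",
# so a value that itself contains "=" is kept intact.
def strip_cookie(cookie_header, name = ADMIN_SESSION_COOKIE)
  return nil if cookie_header.nil?
  kept = cookie_header.split(";").map(&:strip).reject do |pair|
    pair.empty? || pair.split("=", 2).first.strip == name
  end
  kept.empty? ? nil : kept.join("; ")
end

# Applies the rule to a request-header hash before proxying. The header name is
# matched case-insensitively; an emptied header is deleted, not sent as "".
def headers_for_backend(headers)
  out = headers.dup
  key = out.keys.find { |k| k.to_s.casecmp?("cookie") }
  return out if key.nil?
  forwarded = strip_cookie(out[key])
  forwarded ? out[key] = forwarded : out.delete(key)
  out
end
```

This belongs at the point where the proxy assembles the upstream request, before any caching layer sees the headers, so that the session token is neither forwarded nor accidentally folded into a cache key.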

0.14.0 / 2017-02-22

23 Feb 02:46
@GUI GUI

This update focuses on upgrading various internal components of API Umbrella. It also offers new features and various bug fixes. A few potential security issues are also addressed. Upgrading is recommended, but there are some potential compatibility issues to note. See the Upgrade Instructions section below.

Many thanks to everyone that contributed with pull requests and bug reports!

Upgrade Instructions

If you're upgrading a previous API Umbrella version, you may upgrade the api-umbrella package using your package manager.

This version has a few potential compatibility issues, depending on your setup, so be sure to read the following upgrade notes:

  • Database network binds: For security reasons, Elasticsearch and MongoDB only listen for local connections now. If you have a multi-server setup, you'll need to adjust the bind addresses. If you cannot upgrade to API Umbrella v0.14.0 immediately, you should check your current bind addresses to ensure they're secure.
  • Elasticsearch and MongoDB upgrades:
    • The default version of Elasticsearch bundled with API Umbrella has been updated from 1.7 to 2.3.
    • The default version of MongoDB bundled with API Umbrella has been updated from 3.0 to 3.2.
    • If you're running a single server, all that should be required is a full restart (sudo /etc/init.d/api-umbrella restart).
    • If you're running a cluster of multiple database servers, then you may need to be more careful about the sequence of upgrades. See Elasticsearch's upgrade notes and MongoDB's upgrade notes for more details.
    • The data API Umbrella stores in Elasticsearch should be compatible with the upgrade without further steps. However, if you store non-API Umbrella data in the same Elasticsearch server, you may want to check for data compatibility issues with the elasticsearch-migration plugin.
  • Admin login changes: API Umbrella now defaults to using local login accounts for accessing the admin (instead of using external login providers like Google or GitHub). If you'd still like to use external login providers, they will need to be explicitly enabled.

Added

  • Local admin accounts: There is now (#332, #314, #207, #247, #124, #45)
  • Default Elasticsearch query timeout: For admin analytics queries, there's now a default timeout for the queries to try and prevent complex queries from running indefinitely. (6b1187d3)
  • Log API backend IDs: Add logging of the matched API backend ID to the analytics database. #252
  • Add GitLab login provider: GitLab has been added as an external login provider. (#311)
  • Add security-related HTTP headers: Default X-XSS-Protection, X-Frame-Options, and X-Content-Type-Options headers have been added to website backend and web-app responses. (f15ac873)
  • Log rsyslog statistics: Log additional statistics on rsyslog's queue size and processing information. (c3afad9f)
  • Redirect to admin URLs after login: Deep links to areas in the admin are now retained throughout the login process. (#257)
  • Allow overriding the public HTTP/HTTPS ports: When placing a load balancer in front of API Umbrella, allow for additional configuration to override the public ports. (#329, #296)
  • MongoDB WiredTiger storage support: API Umbrella is now compatible with the newer MongoDB WiredTiger storage engine. (#260, #312)
  • MongoDB SCRAM-SHA-1 authentication support: API Umbrella is now compatible with the default authentication mechanism in MongoDB 3.0+. (#260, #312)

Changed

  • Rails 4.2: The internal web-app component (that provides the admin APIs) has been upgraded from Rails 3.2 to Rails 4.2. (#259)
  • Ember 2.8: The internal admin-ui component (that provides the admin user interface) has been upgraded from Ember 1.7 to Ember 2.8. It has also been separated from the Rails codebase to be a standalone Ember app. (#257)
  • Bootstrap 3: The admin user interface has been upgraded from using Bootstrap 2 to Bootstrap 3. (#258)
  • Elasticsearch 2.3: The bundled version of Elasticsearch has been upgraded from Elasticsearch 1.7 to Elasticsearch 2.3. (#315, #261)
  • MongoDB 3.2: The bundled version of MongoDB has been upgraded from MongoDB 3.0 to MongoDB 3.2. (#260)
  • ECharts for admin charts: The admin interface has switched to use ECharts for its charts and maps. (#333, #124)
  • More debugging details in nginx logs #334
  • Unified test suite: API Umbrella's internal test suite has been cleaned up, unified, and made more stable. (#305)
  • Disable X-Forwarded-Host parsing: When determining which API backend to match, don't parse the X-Forwarded-Host header by default. (api.data.gov#355)
  • Quiet duplicative nginx error logging: Don't log duplicate nginx errors to nginx's error log. (3f90e158)
  • Disable elasticsearch heapdumps: If Elasticsearch runs out of memory, don't perform a heapdump by default. (api.data.gov#351)
  • Relative dates for admin analytics URLs: Links to analytics URLs in the admin for the "last 30 days" will always reflect the last 30 days from the current date (rather than when the link was generated). api.data.gov#73
  • Quicker process stops: Allow API Umbrella to stop more quickly by changing how delayed-job terminates. (837ca8f1)
  • Upgrade bundled software dependencies:
    • Elasticsearch 1.7.5 -> 2.4.4
    • MongoDB 3.0.12 -> 3.2.12
    • OpenResty 1.9.15.1 -> 1.11.2.2
    • OpenSSL 1.0.2h -> 1.0.2k
    • Ruby 2.2.5 -> 2.3.3
    • Rsyslog 8.14.0 -> 8.24.0

Removed

  • Don't log website backend requests to analytics: Requests to the website backend routes are no longer logged in the analytics database. #334
  • Don't log unused fields to analytics database: Several fields were being logged to the analytics database that API Umbrella was not using. These fields are no longer being logged to simplify things and reduce space. The fields no longer being stored are: backend_response_time, internal_gatekeeper_time, proxy_overhead, request_ip_location, and request_query. (#334)
  • Removed Mozilla Persona login option: The Mozilla Persona service was shut down, so it's no longer a valid login option for the admin. (#313, #323)
  • Removed non-functional HTTPS redirect options: In the API Backends administration there were some "redirect" options for the "HTTPS Requirements" setting. These redirect options stopped working in API Umbrella v0.9.0. (8d986169)
  • Removed code for upgrading from API Umbrella v0.8: Code for directly upgrading from API Umbrella v0.8 packages has been removed. (101ac1e3)

Fixed

  • Missing analytics in Docker: If running API Umbrella from the default Docker container, analytics information was missing. (#284, #327, #328)
  • LDAP authentication: The LDAP login provider for the admin was broken. (#316, #278)
  • Startup race condition: There was a race condition on API Umbrella's first startup that could lead to the database not being properly seeded. (#300, f8495f11)
  • Corrupt rsyslog/request....

0.13.0 / 2016-07-30

31 Jul 02:46
@GUI GUI

This update fixes one security issue and one small bug fix. Upgrading is recommended.

Upgrade Instructions

If you're upgrading a previous API Umbrella version, you may upgrade the api-umbrella package using your package manager.

Security

  • Removed the configuration import/export tool from the admin: This import/export tool could have presented a security issue if admin accounts with limited privilege scopes existed. These less-privileged admins could have viewed all API backend configuration, including API backends outside of their scoped permissions (however, they would not have been able to change the API backend configuration). Since the import/export tool has not been maintained and has other bugs, it has been removed entirely. If you still have a need for this tool, please let us know. (#272)

Fixed

  • Don't show the "Beta Analytics" checkbox by default: In the admin analytics interface, a "Beta Analytics" checkbox appeared in v0.12, but this should only be shown if the experimental Hadoop/Kylin-based analytics is actually enabled. (c606261)

0.12.0 / 2016-06-30

30 Jun 14:39
@GUI GUI

This update brings a variety of fixes and new features. A few potential security issues are also addressed. Upgrading is recommended.

Special thanks to @ThibautGery and @shaliko for their contributions to this release, and to anyone else reporting issues!

Upgrade Instructions

If you're upgrading a previous API Umbrella version, you may upgrade the api-umbrella package using your package manager.

Compatibility Notes: There are two small changes in how the raw analytics data is stored in v0.12.0. This should only be relevant if you were querying the Elasticsearch analytics database directly (not via the admin UI or APIs) and interacting with the request_at or request_query fields. See the "Changed" section below for more details. Otherwise, v0.12.0 should be fully backwards compatible.

Added

  • E-mail notification to admins on new API key signups: You may optionally notify specified e-mail addresses whenever users signup for an API key. (#246, @ThibautGery)
  • Elasticsearch 2 compatibility: API Umbrella continues to bundle Elasticsearch 1.7 as the default version, but it now offers compatibility with external Elasticsearch 2 instances. (#253, @ThibautGery)
  • Allow limited admins to create new groups or sub-scopes: Non-superuser admins now may create more groups or other API scopes underneath their current permissions. (#238, api.data.gov#135, api.data.gov#339)
  • Improve navigation of admin accounts in the admin interface: When viewing or editing Admin Groups, the members of each admin group are displayed. (api.data.gov#256)
  • Ubuntu 16.04 Packages: Binary packages are now available for Ubuntu 16.04. (09f8f3c)
  • Run web-app tests in Docker: The test suite for the web-app component may be run with Docker. (#243, @ThibautGery)
  • Experimental support of Hadoop/Kylin-based analytics: Initial support has been added to optionally store the analytics data in Hadoop and query from Kylin. This offers an alternative to Elasticsearch for analytics that can scale to larger capacities in a more efficient manner. (#227, api.data.gov#235)

Changed

  • Analytics timestamps now reflect the ending time of the request: The request_at timestamp logged in the analytics database now reports the time the request ended, rather than when the request began. (#251)
  • Analytics fields no longer contain dots: To prepare for Elasticsearch 2 upgrades, the request_query field in Elasticsearch may no longer contain dots/periods. (#253)
  • Better SSL defaults and more configurable settings: If using API Umbrella for SSL, the default SSL settings are now better. The defaults can also now be customized via the API Umbrella configuration file. (#240, @shaliko)
  • Switch internal log collecting process: The internal process used for buffering and transmitting log data for analytics storage has been switched from Heka to rsyslog. (#227)
  • Switch to CMake based builds: For better maintainability of the build process, CMake is now used. (#226)
  • Linting changes for shell scripts: Shell scripts used throughout the project now have a more consistent style, and any issues around variable quoting should be fixed. (#237)
  • Upgrade bundled software dependencies:
    • Elasticsearch 1.7.4 -> 1.7.5
    • MongoDB 3.0.8 -> 3.0.12
    • OpenResty 1.9.7.4 -> 1.9.15.1 (Security updates: CVE-2016-4450)
    • Ruby 2.2.4 -> 2.2.5

Fixed

  • Fix admin searches involving special characters: If using the search tools in the admin, searching for special characters did not behave as expected. (api.data.gov#334)
  • Fix "unexpected error" message when publishing with empty selection: If you tried to publish API Backend changes without selecting any changes to publish, you received an "unexpected error" message. (api.data.gov#307)
  • Fix listing of website backends being visible to all admins: Non-superuser admin accounts could view the complete listing of Website Backends in the database, even if they did not have permission to edit the website backend. (api.data.gov#261)
  • Fix running feature tests on non-English computers: Some browser integration tests in the web-app component would fail if running the tests from a non-English computer (#242)
  • Fix potential load conflicts if the system has other Lua libraries installed: If the system running API Umbrella also has other Lua libraries installed into system-wide locations, potential conflicts could occur when API Umbrella tried to load its own dependencies. (#250)
  • Fix potential for negative TTLs when distributing rate limit info: If API Umbrella is operating in a cluster, unexpected negative TTLs could be calculated when distributing rate limit information among the servers in the cluster. (api.data.gov#335)
  • Fix the GeoIP data updater downloading too frequently on restarts: If API Umbrella was manually restarted, the GeoIP data could be re-downloaded more frequently than needed. (38d4654)
  • Fix running tests in NodeJS v0.10.42+: Some UTF-8 integration tests would fail if running the integration test suite in NodeJS v0.10.42 or higher. (2a329ad)

Security

  • Fix potential security issue if limited admins had knowledge of internal record UUIDs: If non-superuser admins knew the random UUIDs for records they did not have permissions to, they could potentially overwrite the records. (#238)
  • Fix possibility of admins abusing regex searches: Admins could search for regular expressions, allowing for regular expression denial of service. (api.data.gov#334)
  • Fix listing of website backends being visible to all admins: Non-superuser admin accounts could view the complete listing of Website Backends in the database, even if they did not have permission to edit the website backend. (api.data.gov#261)
  • Updated bundled dependencies:
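The first two security items in this list are the two classic mistakes in a scoped admin API: authorizing the listing but not the write path (so a known UUID bypasses the scope), and compiling user-supplied search text straight into a regular expression. The following is an added example for this page, not API Umbrella's code; the records, scope shape and admin objects are constructed sample data and their field names are assumptions. The lookup used for updates applies the scope check to the fetched record itself, so an out-of-scope UUID behaves exactly like a non-existent one, and the search escapes the term so metacharacters are matched literally.

```ruby
# Constructed sample data (field names and IDs are assumptions, not the
# project's schema). An admin scope is a (frontend host, path prefix) pair.
API_BACKENDS = [
  { id: "uuid-weather-0001", frontend_host: "api.example.com",
    frontend_prefix: "/weather/", name: "Weather forecasts" },
  { id: "uuid-geocode-0002", frontend_host: "api.example.com",
    frontend_prefix: "/geocode/", name: "Geocoder" },
].freeze

WEATHER_ADMIN = { superuser: false,
                  scopes: [{ host: "api.example.com", prefix: "/weather/" }] }.freeze
SUPERUSER     = { superuser: true, scopes: [] }.freeze

class NotFound < StandardError; end

def in_scope?(record, scopes)
  scopes.any? do |s|
    record[:frontend_host] == s[:host] && record[:frontend_prefix].start_with?(s[:prefix])
  end
end

# Lookup used by the update path. Because the check is made on the record
# found by ID, knowing a UUID outside the admin's scopes gains nothing, and
# there is no "exists but forbidden" response to act as an oracle.
def find_for_update(id, admin:, records: API_BACKENDS)
  record = records.find { |r| r[:id] == id }
  raise NotFound if record.nil?
  return record if admin[:superuser]
  raise NotFound unless in_scope?(record, admin[:scopes])
  record
end

# Free-form admin search. Regexp.escape turns the term into a literal, so
# "(a+)+$" is looked for as text instead of becoming a backtracking bomb.
def search_backends(term, records: API_BACKENDS)
  pattern = Regexp.new(Regexp.escape(term), Regexp::IGNORECASE)
  records.select { |r| r[:name].match?(pattern) }
end
```

If regular-expression search is a deliberate feature for superusers, keep the escaped path as the default and gate the raw-pattern path behind both the superuser check and a per-match timeout; "escape by default" is what closes the denial-of-service report.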

0.11.1 / 2016-04-14

15 Apr 03:40
@GUI GUI

This is a small update that fixes a couple bugs (one important one if you use the HTTP cache), makes a couple small tweaks, and updates some dependencies for security purposes. Upgrading is recommended.

Download 0.11.1 Packages

Upgrade Instructions

If you're upgrading a previous API Umbrella version, you may upgrade the api-umbrella package using your package manager.

Changed

Fixed

  • Resolve possible HTTP cache conflicts: If API Umbrella is configured with multiple API backends that utilize the same frontend host and the same backend URL path prefix, and either API backend returned cacheable responses, it was possible for the responses to get mixed up between the backends. Upgrading is highly recommended if you utilize the HTTP cache and have multiple API backends utilizing the same URL path prefix. (api.data.gov#322)
  • Don't require API key roles for accessing admin APIs if admin token is used: If accessing the administrative APIs using an admin authentication token, then the API key no longer needs any special roles assigned. This was a regression that occurred in API Umbrella v0.9.0. (#217)
  • Fix potential mail security issue: OSVDB-131677.

0.11.0 / 2016-01-20

21 Jan 07:07
@GUI GUI

This is a small update that fixes a few bugs, adds a couple small new features, and updates some dependencies for security purposes. Upgrading is recommended.

Download 0.11.0 Packages

Upgrade Instructions

If you're upgrading a previous API Umbrella version, you may upgrade the api-umbrella package using your package manager.

Added

  • Search user role names in admin user search: In the admin search interface for users, role names assigned to users are now searched too. (api.data.gov#302)
  • Allow for nginx's server_names_hash_bucket_size option to be set: If you've explicitly defined hosts in the API Umbrella config with longer hostnames, you can now adjust the nginx.server_names_hash_bucket_size setting in /etc/api-umbrella/api-umbrella.yml to accommodate longer hostnames. (#208)
  • Documentation on MongoDB authentication: Add documentation on configuring API Umbrella to use a MongoDB server with authentication. (#206)

Changed

  • Upgrade bundled software dependencies:
    • Elasticsearch 1.7.3 -> 1.7.4
    • MongoDB 3.0.7 -> 3.0.8
    • OpenResty 1.9.3.2 -> 1.9.7.1
    • Ruby 2.2.3 -> 2.2.4

Fixed

  • Fix editing users with custom rate limits: There were a few bugs related to editing custom rate limits on users that broke in the v0.9 release. (api.data.gov#303, api.data.gov#304, api.data.gov#306)
  • Fix MongoDB connections when additional options are given: If the mongodb.url setting contained additional query string options, it could cause connection failures. (#206)
  • Fix logging requests containing multiple User-Agent headers: If a request contained multiple User-Agent HTTP headers, the request would fail to be logged to the analytics database. (api.data.gov#309)
  • Raise default resource limits when starting processes: Restore functionality that went missing in the v0.9 release that raised the nofile and noproc resource limits to a configurable number.

Security

We've updated several dependencies with reported security issues. We're not aware of these security issues impacting API Umbrella in any significant way, but upgrading is still recommended.