Skip to content

Icinga Web Version 2.14.0

Latest

Choose a tag to compare

@raviks789 raviks789 released this 06 Jul 13:38
v2.14.0
122c569

What's New in Version 2.14.0

You can find all issues related to this release on our roadmap.

Streamlined Authentication

Authentication now runs explicitly during bootstrap instead of being triggered lazily. Custom user backends now load early enough to take part in the authentication chain.

  • Streamline authentication process #5387

Two-Factor Authentication

Icinga Web now provides a two-factor authentication extension point. Modules can register a two-factor method. After enrollment, users are redirected to a token challenge page after password authentication and before the session is established. Enrollment and unenrollment are handled through a new Two-Factor Auth tab in account settings.

  • Add two-factor authentication extension point #5514

Password Policies

Administrators can now enforce password policies for database-backed user accounts. Under Configuration > Application > General, an administrator can select a policy that applies to every form that sets or resets a password, including the account change password form, the admin user create and edit form, and the setup wizard's admin account page.

Two built-in policies ship with this release. None (the default) accepts any password without validation. Common requires a minimum of 12 characters with at least one digit, one special character, one lowercase letter, and one uppercase letter. The active policy's requirements are shown below the password field so users know what to enter before submitting. Third-party modules can add their own policies by implementing PasswordPolicyHook.

  • Implement password policy with hook #5419

Configurable Content Security Policy

The Content-Security-Policy header is no longer a hardcoded string. It is now assembled from multiple sources: system directives, dashlet frame-src entries, navigation item frame-src entries, and any directives contributed by installed modules. Administrators who need full control can opt out of automatic generation and supply a raw CSP string instead. A style nonce placeholder in that string is replaced with the per-request nonce at runtime.

A new configuration page under Application settings shows the current effective CSP as a table grouped by source, with a basic security analysis that flags risky keywords and schemes. Forms that create dashlets or navigation items now show an info callout when CSP is active but the corresponding loader is disabled, so users know why an external URL might be blocked.

  • Allow custom CSP header #5477

Hook Essentials

Hook implementations now need less repeated code.

  • Introduce HookEssentials #5474

Less Compilation Migrated to ipl-web

We moved Less compilation to the ipl-web library. Nothing changes for end users, but module authors who rely on the Less pipeline now get the compiler from a different package.

  • Migrate Less compilation to ipl-web #5492

Deprecations

The custom ProgrammingError exception class is now deprecated. PHP's built-in LogicException covers the same use case and should be used instead. Existing code still works, but please start migrating your throw sites.

Custom user and group backends provided by a module's configuration.php are deprecated and will stop working in Icinga Web 2.15. Move these backend registrations to the module's run.php instead.

  • Deprecate the custom programming error exception #5511
  • Deprecate custom user and group backends in module configuration.php files #5387