All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
- Change authn-k8s to expect the client cert (passed in X-SSL-Client-Certificate) to be url-escaped.
- Update Conjur issued certificates to use the common name derived from the authenticated host, rather than use the value from the CSR.
- Update Conjur issued certificates to include a SPIFFE SVID as a subject alternative name (SAN).
1.2.0 - 2018-09-07
- Added support for issuing certificates to Hosts using CAs configured as Conjur services. More details are available here.
- Added support for Conjur CAs to use encrypted private keys
- Implemented keyword search for Role memberships
1.1.2 - 2018-08-22
- Fixes a vulnerability that could allow an authn-K8s request to bypass mutual TLS authentication. All Conjur users using authn-k8s within Kubernetes or OpenShift are strongly recommended to upgrade to this version.
- Substantial performance improvement when loading large policy files
1.1.1 - 2018-8-10
- conjurctl export now includes the account list to support migration
- conjurctl export allows the operator to specify the file name label using the -l or --label flag
- Update puma to a version that understands how to handle having ipv6 disabled
- Update puma worker timeout to allow longer requests to finish (from 1 minute to 10 minutes)
1.1.0 - 2018-7-30
- Adds conjurctl export command to provide a migration data package to Conjur EE
1.0.1 - 2018-7-23
- Handling of absolute user ids in policies.
- Attempts to fetch a secret from a nonexistent resource no longer cause 500.
1.0.0 - 2018-7-16
- Audit attempts to update and fetch an invisible secret.
- Updated license to LGPL
0.9.0 - 2018-7-11
- Adds CIDR restrictions to Host and User resources
- Adds Kubernetes authentication
- Optimize audit database and responses, for a significant improvement of performance.
- start no longer fails to show Help information.
0.8.1 - 2018-06-29
- Audit events for failed variable fetches and updates.
0.8.0 - 2018-06-26
- Audit events for entitlements, variable fetches and updates, authentication and authorization.
0.7.0 - 2018-06-25
- Added AWS Secret Access Key Rotator
0.6.0 - 2018-06-25
- RolesController#index now accepts role as a query parameter. If present, resources visible to that role are listed.
- Resources are now only visible if the user is a member of a role that owns them or has some permission on them.
- RolesController now implements #direct_memberships to return the direct members of a role, without recursive expansion.
- Updated Ruby version from 2.2, which is no longer supported, to version 2.5.
- RolesController now implements #members to return a searchable, pageable collection of members of a Role.
- AWS Hosts can authenticate using their assigned AWS IAM role.
- Added variable rotation for Postgres databases
- Experimental audit querying engine mounted at /audit. It can be configured to work with an external audit database by using config.audit_database configuration entry.
- API endpoints for granting and revoking role membership
- API endpoint for the role graph
- Paging parameters (offset and limit) for audit API endpoints
- Policy changes now generate audit log messages. These can optionally be generated in RFC5424 format and pushed to a UNIX socket for further processing.
- Code of Conduct
0.3.0 - 2018-01-11
- conjurctl wait command is added that can be used to check if the Conjur server is ready
- Moved Conjur docs to a separate repo
0.2.0 - 2017-12-07
- Add authn-local service which issues access tokens over a Unix domain socket.
- Resolved bug: Policy replace can fail when user is deleted and removed from group
- CTA was updated
0.1.1 - 2017-12-04
- Build scripts now look at git tags to determine version and tags to use.
- When a policy is loaded which references a nonexistent object, that error is now reported as a JSON-formatted 404 error rather than an ugly 500 error.
The first tagged version.