v0.22.0
Release 0.22.0
What's New
- Refactor: Fabric Sessions renamed to Circuits (breaking change)
- Feature: Links will now wait for a timeout before retrying
- Bug fix: Sessions created on the controller when circuit creation fails are now cleaned up
- Feature: Enhanced `ziti` CLI login functionality (has breaking changes to CLI options)
- Feature: new `ziti edge list summary` command, which shows database entity counts
- Bug fix: ziti-fabric didn't always report an error to the OS when it had an error
- Refactor: All protobuf packages have been prefixed with `ziti.` to help prevent namespace clashes. Should not be a breaking change.
- Feature: Selective debug logging by identity for path selection and circuit establishment
  - `ziti edge trace identity <identity id>` will turn on debug logging for selecting paths and establishing circuits
  - Additional context for these operations, including circuitId, sessionid and apiSessionId, should now be in log messages regardless of whether tracing is enabled
  - Tracing is enabled for a given duration, which defaults to 10 minutes
Breaking Changes
Fabric sessions renamed to circuits. External integrators may be impacted by changes to events. See below for details.
Ziti CLI
Commands under `ziti edge` now reserve the `-i` flag for specifying client identity. Any command line argument which previously had a `-i` short version now only has a long version.
For consistency, policy roles parameters must all be specified in long form. This includes the following flags:
- ziti edge create edge-router-policy --identity-roles --edge-router-roles
- ziti edge update edge-router-policy --identity-roles --edge-router-roles
- ziti edge create service-policy --identity-roles --service-roles
- ziti edge update service-policy --identity-roles --service-roles
- ziti edge create service-edge-router-policy --service-roles --edge-router-roles
- ziti edge update service-edge-router-policy --service-roles --edge-router-roles
- ziti edge create posture-check mfa --ignore-legacy
- ziti edge update posture-check mfa --ignore-legacy
- ziti edge update authenticator updb --identity
- ziti edge update ca --identity-attributes (now -a)
The `ziti edge` commands now store session credentials in a new location and new format. Existing sessions will be ignored.
The `ziti edge controller` command was previously deprecated and has now been removed. All commands that were previously available under `ziti edge controller` are available under `ziti edge`.
Fabric Sessions renamed to Circuits
Previously we had three separate entities named session: fabric sessions, edge sessions and edge API sessions. In order to reduce confusion, fabric sessions have been renamed to circuits. This has the following impacts:
- ziti-fabric CLI
  - `list sessions` renamed to `list circuits`
  - `remove session` renamed to `remove circuit`
  - `stream sessions` renamed to `stream circuits`
- Config properties
  - In the controller config, under `networks`, `createSessionRetries` is now `createCircuitRetries`
  - In the router config, under xgress dialer/listener options, `getSessionTimeout` is now `getCircuitTimeout`
  - In the router config, under xgress dialer/listener options, `sessionStartTimeout` is now `circuitStartTimeout`
  - In the router, under `forwarder`, `idleSessionTimeout` is now `idleCircuitTimeout`
  - In the controller config, under
In the context of the fabric there was an existing construct called Circuit, which has now been renamed to Path. This may be visible in a few ziti-fabric CLI outputs.
Event changes
Previously the fabric had session events. It now has circuit events instead. These events have the `fabric.circuits` namespace. The `circuitUpdated` event type is now the `pathUpdated` event.
```go
import "time"

// CircuitEvent replaces the former fabric session event.
type CircuitEvent struct {
	Namespace string    `json:"namespace"`
	EventType string    `json:"event_type"`
	CircuitId string    `json:"circuit_id"`
	Timestamp time.Time `json:"timestamp"`
	ClientId  string    `json:"client_id"`
	ServiceId string    `json:"service_id"`
	Path      string    `json:"circuit"` // note: the path is serialized under the "circuit" JSON key
}
```
Additionally, the usage events now have `circuit_id` instead of `session_id`. The usage events also have a new `version` field, which is set to 2.
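For integrators consuming these events, the following Go program is an added example (not part of the Ziti code base or this release) showing how a consumer can route on the namespace, reject the retired `circuitUpdated` type, and read usage events in both the legacy `session_id` form and the new `version: 2` / `circuit_id` form. The `fabric.usage` namespace string, the `usageEvent` field set and the sample JSON are assumptions constructed for this example, not Ziti's actual usage schema.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// CircuitEvent is the 0.22.0 fabric circuit event as shown in the release notes.
type CircuitEvent struct {
	Namespace string    `json:"namespace"`
	EventType string    `json:"event_type"`
	CircuitId string    `json:"circuit_id"`
	Timestamp time.Time `json:"timestamp"`
	ClientId  string    `json:"client_id"`
	ServiceId string    `json:"service_id"`
	Path      string    `json:"circuit"`
}

// usageEvent holds only what this example needs. The notes state that usage
// events now carry circuit_id (formerly session_id) and version=2; the field
// set below is an assumption for illustration, not Ziti's full usage schema.
type usageEvent struct {
	Version   int    `json:"version"`
	CircuitId string `json:"circuit_id"`
	SessionId string `json:"session_id"` // pre-0.22.0 name, kept so old events still decode
}

// Key returns the identifier to correlate on, honouring the version field.
func (u usageEvent) Key() (string, error) {
	if u.Version >= 2 {
		if u.CircuitId == "" {
			return "", fmt.Errorf("usage event v%d is missing circuit_id", u.Version)
		}
		return u.CircuitId, nil
	}
	if u.SessionId == "" {
		return "", fmt.Errorf("legacy usage event is missing session_id")
	}
	return u.SessionId, nil
}

// envelope reads just the routing fields so the right decoder can be chosen.
type envelope struct {
	Namespace string `json:"namespace"`
	EventType string `json:"event_type"`
}

// Handle decodes one raw event and returns a one-line summary of it.
func Handle(raw []byte) (string, error) {
	var env envelope
	if err := json.Unmarshal(raw, &env); err != nil {
		return "", err
	}
	switch env.Namespace {
	case "fabric.circuits":
		// circuitUpdated was renamed to pathUpdated in 0.22.0. Fail loudly on the
		// old name so a stale producer is noticed rather than silently ignored.
		if env.EventType == "circuitUpdated" {
			return "", fmt.Errorf("event type circuitUpdated was renamed to pathUpdated in 0.22.0")
		}
		var ev CircuitEvent
		if err := json.Unmarshal(raw, &ev); err != nil {
			return "", err
		}
		return fmt.Sprintf("%s circuit=%s service=%s path=%s", ev.EventType, ev.CircuitId, ev.ServiceId, ev.Path), nil
	case "fabric.usage": // assumed namespace for usage events in this example
		var u usageEvent
		if err := json.Unmarshal(raw, &u); err != nil {
			return "", err
		}
		key, err := u.Key()
		if err != nil {
			return "", err
		}
		return fmt.Sprintf("usage v%d key=%s", u.Version, key), nil
	}
	return "", fmt.Errorf("unhandled namespace %q", env.Namespace)
}

// Constructed sample events (not captured from a real controller).
const (
	SamplePathUpdated = `{"namespace":"fabric.circuits","event_type":"pathUpdated","circuit_id":"c-1","timestamp":"2021-09-01T12:00:00Z","client_id":"cl-1","service_id":"svc-1","circuit":"r1->r2"}`
	SampleLegacyType  = `{"namespace":"fabric.circuits","event_type":"circuitUpdated","circuit_id":"c-1","timestamp":"2021-09-01T12:00:00Z"}`
	SampleUsageV2     = `{"namespace":"fabric.usage","version":2,"circuit_id":"c-1"}`
	SampleUsageLegacy = `{"namespace":"fabric.usage","session_id":"s-1"}`
)

func main() {
	for _, raw := range []string{SamplePathUpdated, SampleUsageV2, SampleUsageLegacy, SampleLegacyType} {
		out, err := Handle([]byte(raw))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Println(out)
	}
}
```

Treating the old event type as an error rather than ignoring it is deliberate: an integrator that silently drops `circuitUpdated` after upgrading loses path-change visibility without any signal that something is wrong.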
Pending Link Timeout
Previously, whenever a router connected we'd look for new link possibilities and create new links between routers wherever any were missing. If lots of routers connected at the same time, we might create duplicate links because the links hadn't been reported as established yet. Now we check for links in the Pending state, and if they haven't hit a configurable timeout, we won't create another link.
The new config property is `pendingLinkTimeoutSeconds` in the controller config file under `network`, and defaults to 10 seconds.
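The following Go program is an added illustration of the pending-link rule described above; it is not the controller's own link management code. It models a link registry in which a pair of routers gets a new dial only when there is no established link and no pending link younger than the configured timeout. The `LinkManager` type, its method names and the router names `r1`/`r2` are constructed for this example; only the timeout semantics and the 10 second default come from the notes.

```go
package main

import (
	"fmt"
	"time"
)

// LinkState tracks whether a router-to-router link has come up yet.
type LinkState int

const (
	LinkPending LinkState = iota
	LinkEstablished
)

// Link is a simplified link record (a real router link carries much more).
type Link struct {
	Src, Dst string
	State    LinkState
	Created  time.Time
}

// LinkManager decides whether a link between two routers should be dialed.
// PendingLinkTimeout corresponds to the new controller setting
// network.pendingLinkTimeoutSeconds (default 10 seconds).
type LinkManager struct {
	PendingLinkTimeout time.Duration
	links              []*Link
}

func samePair(l *Link, a, b string) bool {
	return (l.Src == a && l.Dst == b) || (l.Src == b && l.Dst == a)
}

// ShouldCreateLink reports whether a link between src and dst is needed at
// time now. It is false if an established link exists, or if a pending link
// exists that has not yet passed PendingLinkTimeout. A pending link older than
// the timeout is assumed to have failed, so a fresh dial is allowed.
func (m *LinkManager) ShouldCreateLink(src, dst string, now time.Time) bool {
	for _, l := range m.links {
		if !samePair(l, src, dst) {
			continue
		}
		switch l.State {
		case LinkEstablished:
			return false
		case LinkPending:
			if now.Sub(l.Created) < m.PendingLinkTimeout {
				return false
			}
		}
	}
	return true
}

// Dial records a new pending link if one is needed (the network dial itself is
// out of scope). Timed-out pending links for this pair are dropped so they do
// not accumulate. Returns true when a dial was started.
func (m *LinkManager) Dial(src, dst string, now time.Time) bool {
	if !m.ShouldCreateLink(src, dst, now) {
		return false
	}
	kept := m.links[:0]
	for _, l := range m.links {
		if samePair(l, src, dst) && l.State == LinkPending {
			continue // timed-out pending link, replaced by the new dial
		}
		kept = append(kept, l)
	}
	m.links = append(kept, &Link{Src: src, Dst: dst, State: LinkPending, Created: now})
	return true
}

// MarkEstablished is called when the router reports the link as up.
func (m *LinkManager) MarkEstablished(src, dst string) {
	for _, l := range m.links {
		if samePair(l, src, dst) && l.State == LinkPending {
			l.State = LinkEstablished
		}
	}
}

// Count returns how many links (pending or established) are tracked.
func (m *LinkManager) Count() int { return len(m.links) }

func main() {
	m := &LinkManager{PendingLinkTimeout: 10 * time.Second}
	t0 := time.Date(2021, 9, 1, 12, 0, 0, 0, time.UTC)
	fmt.Println("first dial:", m.Dial("r1", "r2", t0))                               // true
	fmt.Println("dup from other side:", m.Dial("r2", "r1", t0.Add(time.Second)))     // false
	fmt.Println("retry after timeout:", m.Dial("r1", "r2", t0.Add(11*time.Second))) // true
	m.MarkEstablished("r1", "r2")
	fmt.Println("after established:", m.Dial("r1", "r2", t0.Add(12*time.Second)), "links:", m.Count()) // false links: 1
}
```

The second call models the race the notes describe: both routers see the missing link at nearly the same moment, and without the pending check each side would dial its own copy. The timeout bounds how long a dial that never completes can block a replacement.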
Enhanced CLI Login Functionality
Server Trust
Untrusted Servers
If you don't provide a certificates file when logging in, the server's well known certificates will now be pulled from the server and you will be prompted if you want to use them.
If certs for the host have previously been retrieved they will be used. Certs stored locally will be checked against the certs on the server when logging in.
If a difference is found, the user will be notified and asked if they want to update the local certificate cache.
If you provide certificates during login, the server's certificates will not be checked or downloaded. Locally cached certificates for that host will not be used.
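The decision logic in this section amounts to a first-use trust model with a local certificate cache. The Go program below is an added example of that comparison step, not the CLI's own implementation: it fingerprints the cached and server-presented certificates and reports whether to proceed silently, prompt because nothing is cached yet, or warn because the cache differs. The `Decision` type, `Compare` function and the throwaway self-signed certificates are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Decision is what the CLI does after comparing cached and server certificates.
type Decision int

const (
	UseCached      Decision = iota // cache matches the server: proceed silently
	PromptFirstUse                 // nothing cached: show the certs and ask before trusting
	PromptMismatch                 // cache differs: warn and ask before replacing the cache
)

// fingerprint is the SHA-256 of the DER encoding, the usual identity of a cert.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

func fingerprintSet(certs []*x509.Certificate) map[string]bool {
	set := make(map[string]bool, len(certs))
	for _, c := range certs {
		set[fingerprint(c)] = true
	}
	return set
}

// Compare implements the decision described in the notes. The returned slice
// lists fingerprints the server presented that the cache does not hold, so a
// prompt can show the user exactly what would be trusted.
func Compare(cached, server []*x509.Certificate) (Decision, []string) {
	got := fingerprintSet(server)
	var unknown []string
	if len(cached) == 0 {
		for fp := range got {
			unknown = append(unknown, fp)
		}
		return PromptFirstUse, unknown
	}
	want := fingerprintSet(cached)
	for fp := range got {
		if !want[fp] {
			unknown = append(unknown, fp)
		}
	}
	// A cert missing from the server side is also a change worth a warning.
	if len(unknown) > 0 || len(want) != len(got) {
		return PromptMismatch, unknown
	}
	return UseCached, nil
}

// newSelfSigned builds a throwaway self-signed certificate so the example runs
// offline; it stands in for whatever a controller would actually serve.
func newSelfSigned(cn string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	a, b := newSelfSigned("localhost"), newSelfSigned("localhost")
	d, fps := Compare(nil, []*x509.Certificate{a})
	fmt.Println(d, fps) // 1 (PromptFirstUse) and a's fingerprint
	d, _ = Compare([]*x509.Certificate{a}, []*x509.Certificate{a})
	fmt.Println(d) // 0 (UseCached)
	d, fps = Compare([]*x509.Certificate{a}, []*x509.Certificate{b})
	fmt.Println(d, fps) // 2 (PromptMismatch) and b's fingerprint
}
```

The security of the first-use path rests entirely on what the user does at the prompt: the fingerprints shown there only help if they are checked against a value obtained out of band, and a mismatch prompt after a previously accepted cache is the signal that deserves the most scrutiny.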
Trusted Servers
If working with a server which is using certs that your OS already recognizes, nothing will change. No cert needs to be provided and the server's well known certs will not be downloaded.
Identities
The Ziti CLI now supports multiple identities. An identity can be specified using `--cli-identity` or `-i`.
Example commands:
```
$ ziti edge login -i dev localhost:1280
Enter username: admin
Enter password:
Token: 76ff81b4-b528-4e2c-ad73-dcb0a39b6489
Saving identity 'dev' to ~/.config/ziti/ziti-cli.json
$ ziti edge -i dev list services
id: -JucPW0kGR name: ssh encryption required: true terminator strategy: smartrouting role attributes: ["ssh"]
results: 1-1 of 1
```
If no identity is specified, a default will be used. The default identity is `default`.
Switching Default Identity
The default identity can be changed with the `ziti edge use` command. The above example could also be accomplished as follows:
```
$ ziti edge use dev
Settting identity 'dev' as default in ~/.config/ziti/ziti-cli.json
$ ziti edge login localhost:1280
Enter username: admin
Enter password:
Token: e325d91c-a452-4454-a733-cfad88bfa356
Saving identity 'dev' to ~/.config/ziti/ziti-cli.json
$ ziti edge list services
id: -JucPW0kGR name: ssh encryption required: true terminator strategy: smartrouting role attributes: ["ssh"]
results: 1-1 of 1
$ ziti edge use default
Settting identity 'default' as default in ~/.config/ziti/ziti-cli.json
```
`ziti edge use` without an argument will list the logins you have made.
```
$ ziti edge use
id: default | current: true | read-only: true | urL: https://localhost:1280/edge/management/v1
id: cust1 | current: false | read-only: false | urL: https://customer1.com:443/edge/management/v1
```
Logout
You can now also clear locally stored credentials using `ziti edge logout`.
```
$ ziti edge -i cust1 logout
Removing identity 'cust1' from ~/.config/ziti/ziti-cli.json
```
Read-Only Mode
When logging in, one can mark the identity as read-only. This is a client-side enforced flag which will attempt to make sure only read operations are performed by this session.
```
$ ziti edge login --read-only localhost:1280
Enter username: admin
Enter password:
Token: 966192c6-fb7f-481e-8230-dcef157770ef
Saving identity 'default' to ~/.config/ziti/ziti-cli.json
$ ziti edge list services
id: -JucPW0kGR name: ssh encryption required: true terminator strategy: smartrouting role attributes: ["ssh"]
results: 1-1 of 1
$ ziti edge create service test
error: this login is marked read-only, only GET operations are allowed
```
NOTE: This is not guaranteed to prevent database changes. It is meant to help prevent accidental changes if the wrong profile is used by mistake. Caution should always be exercised when working with sensitive data!
Login via Token
If you already have an API session token, you can use that to create a client identity using the new `--token` flag.
When using `--token`, the saved identity will be marked as read-only unless `--read-only=false` is specified. This is because if you only have a token and not full credentials, it's more likely that you're inspecting a system to which you have limited privileges.
```
$ ziti edge login localhost:1280 --token c9f37575-f660-409b-b731-5a256d74a931
NOTE: When using --token the saved identity will be marked as read-only unless --read-only=false is provided
Saving identity 'default' to ~/.config/ziti/ziti-cli.json
```
Using this option will still check the server certificates to see if they need to be downloaded and/or compare them with locally cached certificates.
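To make the read-only and token-login behaviour concrete, here is an added Go example (not the Ziti CLI's own code) covering both the Read-Only Mode and Login via Token sections above. A token-only login defaults to read-only unless the flag is explicitly set to false, and a guarded `http.RoundTripper` refuses any non-GET request before it leaves the process, producing the same error text the CLI prints. The `Identity` struct, the `zt-session` header name used to carry the token, and the stub transport are assumptions constructed for this example; in particular the struct is not the on-disk format of `~/.config/ziti/ziti-cli.json`.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Identity is a saved CLI login. The field layout is an assumption for this
// example; it is not the on-disk format of ~/.config/ziti/ziti-cli.json.
type Identity struct {
	Name     string
	URL      string
	Token    string
	ReadOnly bool
}

// ErrReadOnly uses the wording the CLI prints for a blocked write.
var ErrReadOnly = errors.New("this login is marked read-only, only GET operations are allowed")

// NewTokenIdentity models `ziti edge login --token`: with only a token, the
// identity defaults to read-only unless --read-only=false was given explicitly.
// A nil readOnly means the flag was not specified.
func NewTokenIdentity(name, url, token string, readOnly *bool) Identity {
	ro := true
	if readOnly != nil {
		ro = *readOnly
	}
	return Identity{Name: name, URL: url, Token: token, ReadOnly: ro}
}

// CheckMethod is the client-side guard: read-only identities may only GET.
// It runs before any request is sent, so it stops an accidental write from
// the wrong profile but says nothing about what the server would permit.
func CheckMethod(id Identity, method string) error {
	if id.ReadOnly && method != http.MethodGet {
		return ErrReadOnly
	}
	return nil
}

// readOnlyTransport applies CheckMethod and attaches the session token.
type readOnlyTransport struct {
	id   Identity
	next http.RoundTripper
}

func (t *readOnlyTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	if err := CheckMethod(t.id, req.Method); err != nil {
		return nil, err
	}
	req = req.Clone(req.Context()) // RoundTrippers must not mutate the caller's request
	req.Header.Set("zt-session", t.id.Token) // header name assumed for this example
	return t.next.RoundTrip(req)
}

// stubTransport stands in for the network and records what actually got sent.
type stubTransport struct{ calls []string }

func (s *stubTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	s.calls = append(s.calls, req.Method+" "+req.URL.Path)
	return &http.Response{
		StatusCode: http.StatusOK,
		Body:       io.NopCloser(strings.NewReader("{}")),
		Request:    req,
	}, nil
}

// Do issues one request for the identity through the guarded transport.
func Do(id Identity, method, path string, inner http.RoundTripper) error {
	client := &http.Client{Transport: &readOnlyTransport{id: id, next: inner}}
	req, err := http.NewRequest(method, id.URL+path, nil)
	if err != nil {
		return err
	}
	resp, err := client.Do(req)
	if err != nil {
		return err // wraps ErrReadOnly; callers check with errors.Is
	}
	return resp.Body.Close()
}

func main() {
	stub := &stubTransport{}
	id := NewTokenIdentity("default", "https://localhost:1280/edge/management/v1", "constructed-token", nil)
	fmt.Println("GET  ->", Do(id, http.MethodGet, "/services", stub))  // <nil>
	fmt.Println("POST ->", Do(id, http.MethodPost, "/services", stub)) // read-only error
	fmt.Println("sent:", stub.calls)                                   // only the GET reached the transport
}
```

Because the check lives in the client, it is exactly as strong as the note above says: it catches a mistyped command against the wrong profile, but an identity with a valid token still holds whatever rights the controller granted that session, and only the controller's own authorization enforces those.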