vault v1.21.1

14 features, 26 fixes, 19 affected symbols

Summary

This patch addresses several security vulnerabilities, fixes numerous bugs across authentication methods and the UI, and introduces significant enterprise features related to PKI certificate reporting and activity monitoring.

✨ New Features

  • API: Added sudo-permissioned sys/reporting/scan endpoint to output Vault state information to a configured directory.
  • Auth/LDAP: Passwords are now required for the login command to prevent unauthenticated access.
  • Core/Metrics: Snapshot reading and listing operations are now tracked via vault.route.read-snapshot.{mount_point} and vault.route.list-snapshot.{mount_point} metrics.
  • Enterprise: Added metrics for the number of issued PKI certificates via license utilization reporting.
  • Policies: Added a warning when comparing lists using allowed_parameters or denied_parameters.
  • Secret-Sync: Added parallelization support for sync and unsync operations at the secret-key granularity level.
  • Secrets/PKI: Certificate AuthorityKeyID is now included in response fields for API endpoints that issue, sign, or fetch certificates.
  • Enterprise (Sys): Added sys/billing/certificates API endpoint to retrieve the count of issued PKI certificates.
  • Enterprise (UI/Activity): Added clarifying text to the "Initial Usage" column to indicate timestamps only apply to clients used after upgrading to v1.21.
  • Enterprise (UI/Activity): Allowed manual querying of client usage if license start time retrieval fails.
  • Enterprise (UI/Activity): Reduced requests to the activity export API by fetching only new data on initial load or manual refresh.
  • Enterprise (UI/Activity): Support added for filtering the months dropdown using ISO timestamp or display value.
  • UI/Activity: Display total instead of new monthly clients for HCP managed clusters.
  • UI/PKI: Added support to configure server_flag, client_flag, code_signing_flag, and email_protection_flag parameters when creating/updating a PKI role.

🐛 Bug Fixes

  • Auth/AWS: Fixed an issue where a user could bypass authentication to Vault due to incorrect caching of the AWS client.
  • Auth/AppRole (Enterprise): Fixed role parameter alias_metadata to correctly populate the alias custom metadata field instead of the alias metadata field.
  • Auth/AWS (Enterprise): Fixed role parameter alias_metadata to correctly populate the alias custom metadata field instead of the alias metadata field.
  • Auth/Cert (Enterprise): Fixed role parameter alias_metadata to correctly populate the alias custom metadata field instead of the alias metadata field.
  • Auth/GitHub (Enterprise): Fixed role parameter alias_metadata to correctly populate the alias custom metadata field instead of the alias metadata field.
  • Auth/LDAP (Enterprise): Fixed role parameter alias_metadata to correctly populate the alias custom metadata field instead of the alias metadata field.
  • Auth/Okta (Enterprise): Fixed role parameter alias_metadata to correctly populate the alias custom metadata field instead of the alias metadata field.
  • Auth/Radius (Enterprise): Fixed role parameter alias_metadata to correctly populate the alias custom metadata field instead of the alias metadata field.
  • Auth/SCEP (Enterprise): Fixed role parameter alias_metadata to correctly populate the alias custom metadata field instead of the alias metadata field.
  • Auth/Userpass (Enterprise): Fixed role parameter alias_metadata to correctly populate the alias custom metadata field instead of the alias metadata field.
  • Auth: Fixed a panic that occurred when an integer was supplied as a lease_id during renewal.
  • Core/Rotation: Avoided timezone shifting by ignoring cron.SpecSchedule.
  • Core: Interpreted all new rotation manager rotation_schedules as UTC to prevent inadvertent use of tz-local time.
  • Secrets/Azure: Ensured proper installation of the Azure enterprise secrets plugin.
  • Secrets/PKI: Return an error when issuing or signing certificates if NotAfter is before NotBefore, or if the requested validity period is not contained within the CA's validity period.
  • Secrets/PKI: sign-verbatim endpoints no longer ignore the basic constraints extension in CSRs: the extension is now carried into the generated certificate when it specifies isCA=false, and the request is rejected with an error when it specifies isCA=true.
  • Enterprise (UI): Fixed KV v2 secrets not displaying in namespaces.
  • Enterprise (UI): Fixed the login form so input renders correctly when a token is the preferred login method for a namespace.
  • UI/PKI: Fixed certificate parsing of the key_usage extension to accurately reflect certificate values.
  • UI/PKI: Fixed creating and updating a role so basic_constraints_valid_for_non_ca is correctly set.
  • UI: Fixed KV v2 metadata list requests failing if the path lacked a trailing slash.
  • UI: Resolved a regression preventing users with create and update permissions on KV v1 secrets from opening the edit view; the UI now correctly recognizes these capabilities without requiring full read access.
  • UI: Updated LDAP accounts checked-in table to display hierarchical LDAP libraries.
  • UI: Updated LDAP library count to reflect the total number of nodes instead of the number of directories.
  • Activity (Enterprise): Fixed sys/internal/counters/activity to output the correct mount type when called from a non-root namespace.
  • UI: Disabled scarf analytics for UI builds.
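The two Secrets/PKI issuance rules above (the validity-window check and the sign-verbatim handling of a CSR's basicConstraints extension) can be seen end to end in the following Go example. It is added here for illustration and is not Vault's own code: the function names, the CA window and the generated CSR are all constructed for the example, and the checks are written from the changelog text rather than from the Vault source.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"time"
)

// Constructed sample CA validity window (not taken from any real certificate).
var (
	CANotBefore = time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	CANotAfter  = time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC)
)

// CheckValidityWindow applies the rule from the changelog entry: the requested
// leaf window must not be inverted and must lie entirely inside the issuing
// CA's window. This illustration also rejects an equal NotBefore/NotAfter
// (a zero-length window). Hypothetical function, not Vault's.
func CheckValidityWindow(notBefore, notAfter, caNotBefore, caNotAfter time.Time) error {
	if !notAfter.After(notBefore) {
		return fmt.Errorf("NotAfter %s is not after NotBefore %s", notAfter.UTC(), notBefore.UTC())
	}
	if notBefore.Before(caNotBefore) {
		return fmt.Errorf("NotBefore %s precedes CA NotBefore %s", notBefore.UTC(), caNotBefore.UTC())
	}
	if notAfter.After(caNotAfter) {
		return fmt.Errorf("NotAfter %s exceeds CA NotAfter %s", notAfter.UTC(), caNotAfter.UTC())
	}
	return nil
}

// id-ce-basicConstraints (RFC 5280 section 4.2.1.9).
var oidBasicConstraints = asn1.ObjectIdentifier{2, 5, 29, 19}

// basicConstraints is the DER structure carried by the extension.
type basicConstraints struct {
	IsCA       bool `asn1:"optional"`
	MaxPathLen int  `asn1:"optional,default:-1"`
}

// CSRBasicConstraints reports whether the CSR carries a basicConstraints
// extension and, if so, whether it asks for cA=TRUE. Malformed DER is an error.
func CSRBasicConstraints(csr *x509.CertificateRequest) (present, isCA bool, err error) {
	for _, ext := range csr.Extensions {
		if !ext.Id.Equal(oidBasicConstraints) {
			continue
		}
		var bc basicConstraints
		rest, uerr := asn1.Unmarshal(ext.Value, &bc)
		if uerr != nil {
			return true, false, fmt.Errorf("malformed basicConstraints: %w", uerr)
		}
		if len(rest) != 0 {
			return true, false, errors.New("malformed basicConstraints: trailing data")
		}
		return true, bc.IsCA, nil
	}
	return false, false, nil
}

// SignVerbatimDecision mirrors the fixed behaviour described in the changelog:
// a CSR's basicConstraints is honoured (copied into the issued certificate)
// when it says isCA=false and the request is rejected when it says isCA=true.
// Hypothetical function, not Vault's.
func SignVerbatimDecision(csr *x509.CertificateRequest) (copyBasicConstraints bool, err error) {
	present, isCA, err := CSRBasicConstraints(csr)
	if err != nil {
		return false, err
	}
	if !present {
		return false, nil
	}
	if isCA {
		return false, errors.New("CSR requests a CA certificate; sign-verbatim refuses it")
	}
	return true, nil
}

// BuildCSR constructs a throwaway P-256 CSR, optionally carrying a
// basicConstraints extension with the given cA value (constructed test input).
func BuildCSR(withBasicConstraints, isCA bool) (*x509.CertificateRequest, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "leaf.example.test"}}
	if withBasicConstraints {
		// MaxPathLen -1 equals the tag's default, so only the cA boolean is encoded.
		var val []byte
		if val, err = asn1.Marshal(basicConstraints{IsCA: isCA, MaxPathLen: -1}); err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidBasicConstraints, Critical: true, Value: val}}
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

func main() {
	leafNB := time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC)
	leafNA := time.Date(2031, 1, 1, 0, 0, 0, 0, time.UTC)
	fmt.Println("leaf outliving CA:", CheckValidityWindow(leafNB, leafNA, CANotBefore, CANotAfter))
	csr, err := BuildCSR(true, true)
	if err != nil {
		panic(err)
	}
	_, err = SignVerbatimDecision(csr)
	fmt.Println("CSR with cA=TRUE:", err)
}
```

The CSR helper uses the standard library's `ExtraExtensions` field, which is appended to the PKCS#10 extensionRequest attribute verbatim, and `ParseCertificateRequest` exposes every requested extension in `Extensions`; that is what lets an issuer inspect a cA=TRUE request before deciding whether to copy it.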

🔧 Affected Symbols

  • sys/reporting/scan
  • vault.route.read-snapshot.{mount_point}
  • vault.route.list-snapshot.{mount_point}
  • sys/billing/certificates
  • auth/ldap login command
  • sign-verbatim endpoints (secrets/pki)
  • auth/approle role parameter alias_metadata
  • auth/aws role parameter alias_metadata
  • auth/cert role parameter alias_metadata
  • auth/github role parameter alias_metadata
  • auth/ldap role parameter alias_metadata
  • auth/okta role parameter alias_metadata
  • auth/radius role parameter alias_metadata
  • auth/scep role parameter alias_metadata
  • auth/userpass role parameter alias_metadata
  • lease_id renewal logic
  • rotation manager rotation_schedules
  • KV v2 metadata list path handling
  • KV v1 secret edit view permission checks