Canonical reference for changes, improvements, and bugfixes for Boundary.
passwordaccount IDs: When theoidcauth method came out, accounts were given the prefixacctoidc. Unfortunately, accounts in thepasswordmethod were usingapw...oops. We're standardizing onacctand have updated thepasswordmethod to generate new IDs withacctpwprefixes. Previously-generated prefixes will continue to work.
- oidc: The new Managed Groups feature allows groups of accounts to be created based on an authenticating user's JWT or User Info data. This data uses the same filtering syntax found elsewhere in Boundary to provide a rich way to specify the criteria for group membership. Once defined, authenticated users are added to or removed from these groups as appropriateds each time they authenticate. These groups are treated like other role principals and can be added to roles to provide grants to users.
- dev: Predictable IDs in
boundary devmode now extend to the accounts created in the defaultpasswordandoidcauth methods. - mlock: Add a Docker entrypoint script and modify Dockerfiles to handle mlock in a fashion similar to Vault (PR)
- The behavior when
cors_enabledis not specified for a listener is changing to be equivalent to acors_allowed_originsvalue of*; that is, accept all origins. This allows Boundary, by default, to have the admin UI and desktop client work without further specification of origins by the operator. This is only affecting default behavior; ifcors_enabledis explicitly set totrue, the behavior will be the same as before. This had been changed in v0.2.1 due to a bug found in v0.2.0 that caused all origins to always be allowed, but fixing that bug exposed that the default behavior was difficult for users to configure to simply get up and running. - If a
canceloperation is run on a session already in a canceling or terminated state, a200and the session information will be returned instead of an error.
- sessions: Return a
200and session information when canceling an already-canceled or terminated session (PR)
- cors: Change the default allowed origins when
cors_enabledis not specified to be*. (PR)
- Inline OIDC authentication flow: when the OIDC authentication flow succeeds, the third-party provider browser window is automatically closed and the user is returned to the admin UI.
- oidc: If provider returns an
audclaim as astringor[]string, Boundary will properly parse the claims JSON. (issue, PR) - sessions: Clean up connections that are dangling after a worker dies (is
restarted, powered off, etc.) This fixes some cases where a session never goes
to
terminatedstate because connections are not properly marked closed. (Issue 1, Issue 2, PR) - sessions: Add some missing API-level checks when session cancellation was requested. It's much easier than interpreting the domain-level check failures. (PR)
- authenticate: When authenticating with OIDC and
jsonformat output, the command will no longer print out a notice that it's opening your web browser (Issue, PR)
- API
deleteactions now result in a204status code and no body when successful. This was not the case previously due to a technical limitation which has now been solved. - When using a
deletecommand within the CLI we now either show success or treat the404error the same as any other404error, that is, it results in a non-zero status code and an error message. This makesdeleteactions behave the same as other commands, all of which pass through errors to the CLI. Given-format jsoncapability, it's relatively easy to perform a check to see whether an error was404or something else from within scripts, in conjunction with checking that the returned status code matches the API error status code (1). - When outputting from the CLI in JSON format, the resource information under
itemoritems(depending on the action) now exactly matches the JSON sent across the wire by the controller, as opposed to matching the Go SDK representation which could result in some extra fields being shown or fields having Go-specific types. This includesdeleteactions which previously would show an object indicating existence, but now show noitemon success or the API's404error. - Permissions in new scope default roles have been updated to include support
for
list,read:self, anddelete:selfonauth-tokenresources. This allows a user to list and manage their own authentication tokens. (As is the case with other resources,listwill still be limited to returning tokens on which the user has authorization to perform actions, so granting this capability does not automatically give user the ability to list other users' authentication tokens.)
-
permissions: Improving upon the work put into 0.2.0 to limit the fields that are returned when listing as the anonymous user, grants now support a new
output_fieldssection. This takes in a comma-delimited (or in JSON format, array) set of values that correspond to the JSON fields returned from an API call (for listing, this will be applied to each resource under theitemsfield). If specified for a given ID or resource type (and scoped to specific actions, if included), only the given values will be returned in the output. If nooutput_fieldsare specified, the defaults are used. For authenticated users this defaults to all fields; foru_anonthis defaults to the fields useful for navigating to and authenticating to the system. In either case, this is overridable. See the permissions documentation for more information on why and when to use this. This currently only applies to top-level fields in the response. -
cli/api/sdk: Add support to request additional OIDC claims scope values from the OIDC provider when making an authentication request. (PR).
By default, Boundary only requests the "openid" claims scope value. Many providers, like Okta and Auth0 for example, will not return the standard claims of email and name when you request the default claims scope (openid).
Boundary uses the standard email and name claims to populate an OIDC account's
EmailandFullNameattributes. If you'd like these account attributes populated, you'll need to reference your OIDC provider's documentation to learn which claims scopes are required to have these claims returned during the authentication process.Boundary now provides a new OIDC auth method parameter
claims_scopeswhich allows you to add multiple additional claims scope values to an OIDC auth method configuration.For information on claims scope values see: Scope Claims in the OIDC specification
-
cli: Match JSON format output with the across-the-wire API JSON format (PR)
-
api: Return
204instead of an empty object on successfuldeleteoperations (PR) -
actions: The new
no-opaction allows a grant to be given to a principals without conveying any actionable result. Since resources do not appear in list results if the principal has no actions granted on that resource, this can be used to allow principals to see values in list results without also givingreador other capabilities on the resources. The default scope permissions have been updated to conveyno-op,listinstead ofread,list. (PR) -
cli/api/sdk: User resources have new attributes for:
- Primary Account ID
- Login Name
- Full Name
These new user attributes correspond to attributes from the user's primary auth method account. These attributes will be empty when the user has no account in the primary auth method for their scope, or there is no designated primary auth method for their scope.
-
cli: Support for reading and deleting the user's own token via the new
read:selfanddelete:selfactions on auth tokens. If no token ID is provided, the stored token's ID will be used (after prompting), or"self"can be set as the value of the-idparameter to trigger this behavior without prompting. (PR) -
cli: New
logoutcommand deletes the current token in Boundary and forgets it from the local system credential store, respecting-token-name(PR) -
config: The
namefield for workers and controllers now supports being set from environment variables or a file on disk (PR)
- cors: Fix allowing all origins by default (PR)
- cli: It is now an error to run
boundary database migrateon an uninitalized db. Useboundary database initinstead. (PR) - cli: Correctly honor the
-formatflag when runningboundary database init(PR)
- By default, CORS support will allow all origins. This is due to a bug in how
the set of allowed origins was processed, in conjunction with changes to CORS
behavior to automatically include the origin of the Desktop Client. This will
be fixed in 0.2.1. In the meantime, this can be worked around by either
explicitly disabing CORS with
cors_enabled = falsein thelistenerconfig block with purposeapi; or setting acors_allowed_originsfield to have values other thanserve://boundary(including values that do not map to any real origin).
- The
auth-methods/<id>:authenticate:loginaction is deprecated and will be removed in a few releases. (Yes, this was meant to deprecate theauthenticateaction; apologies for going back on this!) To better support future auth methods, and especially the potential for plugins, rather than defining custom actions on the URL path theauthenticateaction will consume both a map of parameters but also acommandparameter that specifies the type of command. This allows workflows that require multiple steps, such as OIDC, to not require custom subactions. Additionally, thecredentialsmap in theauthenticateaction has been renamedattributesto better match other types of resources.credentialswill still work for now but will be removed in a few releases. Finally, in the Go SDK, theAuthenticatefunction now requires acommandvalue to be passed in. - Related to the above change, the output of an API
auth-methods/<id>:authenticatecall will return the givencommandvalue and a map of attributes that depend on the given command. On the SDK side, the output of theAuthenticatefunction returns a map, from which a concrete type can be easily umarshaled (see the updatedauthenticate passwordcommand for an example). - Anonymous scope/auth method listing: When listing auth methods and scopes
without authentication (that is, as the anonymous user
u_anon), only information necessary for navigation to an auth method and authenticating to the auth method is now output. Grantingu_anonlist access to other resource types will not currently filter any information out.
- cli/api/sdk: New OIDC auth method type added with support for create, read,
update, delete, and list (see new cli
oidcsubcommands available on CRUDL operations for examples), as well as the ability to authenticate against it via the SDK, CLI, admin UI, and desktop client. (PR) - server: When performing recursive listing,
listaction is no longer required to be granted to the calling user. Instead, the given scope acts as the root point (so only results under that scope will be shown), andlistgrant is evaluated per-scope. (PR) - database init: If the database is already initialized, return 0 as the exit
code. This matches how the
database migratecommand works. (PR)
- server: Roles for auto generated scopes are now generated at database init. (PR)
- cli: Don't panic on certain commands when outputting in
jsonformat (Issue, PR)
These are specific known issues in the release that we feel are impactful enough to call out in this changelog. The full set of open issues is on GitHub.
- cli: When authenticating, changing a password, or a couple of other specific
actions on the CLI, if the output format is specified as
json, the command will panic (after the API call executes). This is due to a preexisting bug that was exposed by the JSON changes described in the changes section below. Although most of our CLI-level tests operate onjson-format output, because our CLI-level tests use the token helper during execution, the authentication test was using the normal table output since the output was ignored anyways. As a result, our CLI tests did not catch this panic. Our apologies, and we will fix this in the next release. - Initially Created Scopes: Starting in 0.1.6, When initial scopes are created
when executing
boundary database init, the associated admin roles aren't created. The intended behavior is to have a role which granted the auto created admin the grant"id=*;type=*;actions=*"for each auto generated scope. To set your data to the intended state you can add a role for the admin user in the generated scopes. An outline of the steps to do this can be found in this gist. This will be fixed in the next release.
- sdk (Go API library): A few functions have changed places. Notably, instead of
ResponseMap()andResponseBody(), resources simply exposeResponse(). This higher-level response object contains the map and body, and also exposesStatusCode()in place of indivdidual resources. (PR) - cli: In
jsonoutput format, a resource item is now an object under the top-level keyitem; a list of resource items is now an list of objects under the top-level keyitems. This preserves the top level for putting in other useful information later on (and the HTTP status code is included now). (PR) - cli: In
jsonoutput format, errors are now serialized as a JSON object with anerrorkey instead of outputting normal text (PR) - cli: All errors, including API errors, are now written to
stderr. Previously in the default table format, API errors would be written tostdout. (PR) - cli: Error return codes have been standardized across CLI commands. An error
code of
1indicates an error generated from the actual controller API; an error code of2is an error encountered due to the CLI command's logic; and an error code of3indicates an error that was caused due to user input to the command. (There is some nuance sometimes whether an error is really due to user input or not, but we attempt to be consistent.) (PR)
- list filtering: Listing now supports filtering results before being returned to the user. The filtering takes place server side and uses boolean expressions against the JSON representation of returned items. See the documentation for more details. (PR 1) (PR 2) (PR 3)
- server: Officially support reloading TLS parameters on
SIGHUP. (This likely worked before but wasn't fully tested.) (PR) - server: On
SIGHUP, worker tags will be re-parsed and new values used (PR) - server: In addition to the existing
tls_min_versionlistener configuration value,tls_max_versionis now supported. This should generally be left blank but can be useful for situations where e.g. a load balancer has broken TLS 1.3 support, or does not support TLS 1.3 and flags it as a disallowed value.
Note: This release fixes an upgrade issue affecting users on Postgres 11
upgrading to 0.1.5 or 0.1.6 and makes a modification to the boundary dev
environment. It is otherwise identical to 0.1.6; see the entry for that version
for more details.
boundary devnow uses Postgres 11 by default, rather than Postgres 12.
- server: Fix an issue with migrations affecting Postgres 11 (PR)
- authentication: The
auth-methods/<id>:authenticateaction is deprecated and will be removed in a few releases. Instead, each auth method will define its own action or actions that are valid. This is necessary to support multi-step authentication schemes in upcoming releases. For thepasswordauth method, the new action isauth-methods/<id>:authenticate:login. - permissions: Update some errors to make them more descriptive, and disallow
permissions in some forms where they will never take effect, preventing
possible confusion (existing grants already saved to the database will not be
affected as this is only filtered when grants are added/set on a role):
id=<some_id>;actions=<some_actions>where one of the actions iscreateorlist. By definition this format operates only on individual resources socreateandlistwill never worktype=<some_type>;actions=<some_actions>where one of the actions is notcreateorlist. This format operates only on collections so assigning more actions this way will never work
- CORS: CORS is now turned on by default when running with
boundary serverwith acors_allowed_originsvalue ofserve://boundary. You can disable it withcors_enabled = false, or if you want to change parameters, setcors_enabled = trueand the other related configuration values.
- server: When running single-server mode and
controllersis not specified in theworkerblock, usepublic_cluster_addrif given (PR) - server:
public_cluster_addrin thecontrollerblock can now be specified as afile://orenv://URL to read the value from a file or env var (PR) - server: Add
readaction to default scope grant (PR) - server:
public_cluster_addrin thecontrollerblock can now be specified as afile://orenv://URL to read the value from a file or env var (PR) - sessions: Add
read:selfandcancel:selfactions and enable them by default (in new project scopes) for all sessions. This allows a user to read or cancel any session that is associated with their user ID.readandcancelactions are still available that allow performing these actions on sessions that are associated with other users.
- api: Fix nil pointer panic that could occur when using TLS (Issue, PR)
- server: When shutting down a controller release the shared advisory lock with a non-canceled context. (Issue, PR)
- targets: If a worker filter references a key that doesn't exist, treat it as a non-match rather than an error (PR)
NOTE: This version requires a database migration via the new boundary database migrate command.
- Boundary now uses Go's new execabs package for execution of binaries in
boundary connect. This is for defense-in-depth rather than a specific issue. See the Go blog post for more details. (PR)
- controller/worker: Require names to be all lowercase. This removes ambiguity or accidental mismatching when using upcoming filtering features.
- api/cli: Due to visibility changes on collection listing, a list will not
include any resources if the user only has
listas an authorized action. As a resultscope list, which is used by the UI to populate the login scope dropdown, will be empty if the role granting theu_anonuserlistprivileges is not updated to also contain areadaction
- targets: You can now specify a Boolean-expression filter against worker tags to control which workers are allowed to handle any given target's sessions (PR)
- api/cli: On listing/reading, return a list of actions the user is authorized to perform on the identified resources or their associated collections (PR)
- api/cli: Most resource types now support recursive listing, allowing listing to occur down a scope tree (PR)
- cli: Add a
database migratecommand which updates a database's schema to the version supported by the boundary binary (PR).
- controller/db: Correctly check if db init previously completed successfully
when starting a controller or when running
database init(Issue) (PR) - cli: When
output-curl-stringis used withupdateoradd-/remove-/set-commands and automatic versioning is being used (that is, no-versionflag is given), it will now display the final call instead of theGETthat fetches the current version (Issue) (PR) - db: Fix panic in
database initwhen controller config block is missing (Issue) (PR)
- servers: Fix erronious global unicast check that disallowed valid addresses from being assigned (PR)
- cli: Fix (hopefully) panic some users experience depending on their Linux setup when running the binary (Issue) (PR)
- controller: Switch the session connection limit for dev mode and the initial
target when doing database initialization to
-1. This makes it easier for people to start understanding Boundary while not hitting issues related to some programs/protocols needing multiple connections as they may not be easy for new users to understand. (PR)
- controller, worker, cli: When the client quits before the session time is over, but in a manner where the TOFU token will be locked, attempt canceling the session rather than leaving it open to time out (PR)
- controller: Improved error handling in hosts, host catalog and host set (PR)
- controller: Relax account login name constraints to allow dash as valid character (Issue) (PR)
- cli/connect/http: Pass endpoint address through to allow setting TLS server name directly in most cases (PR)
- cli/connect/kube: New
kubesubcommand forboundary connectthat makes it easy to routekubectlcommands through Boundary, including when usingkubectl proxy(PR) - cli/server: Add some extra checks around valid/invalid combinations of addresses to avoid hard-to-understand runtime issues (PR)
- cli: Ensure errors print to stderr when token is not found (Issue) (PR)
- controller: Fix grant IDs being lowercased when being read back (and when being used for permission evaluation) (Issue) (PR)
- docker: Official Docker image for
hashicorp/boundary(PR) - controller: Add ability to set public address for cluster purposes (Issue) (PR)
- ui: Improve scope awareness and navigation, including IAM for global scope (PR)
- ui: Add dark mode toggle (Issue) (PR)
- ui: Add scope grants to roles (PR)
- ui: Add IAM resources to global scope (PR)
- controller, worker: Fix IPv4-only check so
0.0.0.0specified without a port only listens on IPv4 (PR) - ui: Fix grant string corruption on updates (Issue) (PR)
- controller, cli: Fix mutual exclusivity bug with using -authz-token on
boundary connect(PR)
Note: in addition to changes marked below in this section, be aware that currently names of resources are case-sensitive, but in a future update they will become case-preserving but case-insensitive for comparisons (e.g. if using them to access targets).
- cli: There are two changes to token storage handling:
- Specifying
nonefor the-token-nameparameter has been deprecated in favor of specifyingnonefor the new-keyring-typeparameter. passis now the default keyring type on non-Windows/non-macOS platforms. See the CLI docs page for more information.
- Specifying
- cli: New
-keyring-typeoption andpasskeyring type for token storage (Issue) (PR) - connect: Allow using
-target-namein conjunction with either-target-scope-idor-target-scope-nameto connect to targets, rather than the target's ID (PR) - controller: Allow API/Cluster listeners to be Unix domain sockets (Issue) (PR)
- ui: Allow creating and assigning a host to a host set directly from the host set view (Issue) (PR)
- cli: Fix database init when locale isn't English (Issue) (PR)
- cli: Fix hyphenation in help output for resources with compound names (Issue) (PR)
- controller: Allow connecting to Postgres when using remote Docker in dev mode (Issue (PR)
- controller, worker: Fix listening on IPv6 addresses (Issue) (PR)
- worker: Fix setting controller address for worker in dev mode (Issue) (PR)
v0.1.0 is the first release of Boundary. As a result there are no changes, improvements, or bugfixes from past versions.