Skip to content

v0.2.1

Compare
Choose a tag to compare

0.2.1 (2021/05/05)

Deprecations/Changes

  • API delete actions now result in a 204 status code and no body when
    successful. This was not the case previously due to a technical limitation
    which has now been solved.
  • When using a delete command within the CLI we now either show success or
    treat the 404 error the same as any other 404 error, that is, it results
    in a non-zero status code and an error message. This makes delete actions
    behave the same as other commands, all of which pass through errors to the
    CLI. Given -format json capability, it's relatively easy to perform a check
    to see whether an error was 404 or something else from within scripts, in
    conjunction with checking that the returned status code matches the API error
    status code (1).
  • When outputting from the CLI in JSON format, the resource information under
    item or items (depending on the action) now exactly matches the JSON sent
    across the wire by the controller, as opposed to matching the Go SDK
    representation which could result in some extra fields being shown or fields
    having Go-specific types. This includes delete actions which previously
    would show an object indicating existence, but now show no item on success
    or the API's 404 error.
  • Permissions in new scope default roles have been updated to include support
    for list, read:self, and delete:self on auth-token resources. This
    allows a user to list and manage their own authentication tokens. (As is the
    case with other resources, list will still be limited to returning tokens on
    which the user has authorization to perform actions, so granting this
    capability does not automatically give user the ability to list other users'
    authentication tokens.)

New and Improved

  • permissions: Improving upon the work put into 0.2.0 to limit the fields that
    are returned when listing as the anonymous user, grants now support a new
    output_fields section. This takes in a comma-delimited (or in JSON format,
    array) set of values that correspond to the JSON fields returned from an API
    call (for listing, this will be applied to each resource under the items
    field). If specified for a given ID or resource type (and scoped to specific
    actions, if included), only the given values will be returned in the output.
    If no output_fields are specified, the defaults are used. For authenticated
    users this defaults to all fields; for u_anon this defaults to the fields
    useful for navigating to and authenticating to the system. In either case,
    this is overridable. See the permissions
    documentation

    for more information on why and when to use this. This currently only applies
    to top-level fields in the response.

  • cli/api/sdk: Add support to request additional OIDC claims scope values from
    the OIDC provider when making an authentication request.
    (PR).

    By default, Boundary only requests the "openid" claims scope value. Many
    providers, like Okta and Auth0 for example, will not return the standard claims
    of email and name when you request the default claims scope (openid).

    Boundary uses the standard email and name claims to populate an OIDC
    account's Email and FullName attributes. If you'd like these account
    attributes populated, you'll need to reference your OIDC provider's documentation
    to learn which claims scopes are required to have these claims returned during
    the authentication process.

    Boundary now provides a new OIDC auth method parameter claims_scopes which
    allows you to add multiple additional claims scope values to an OIDC auth
    method configuration.

    For information on claims scope values see: Scope Claims in the OIDC
    specification

  • cli: Match JSON format output with the across-the-wire API JSON format
    (PR)

  • api: Return 204 instead of an empty object on successful delete operations
    (PR)

  • actions: The new no-op action allows a grant to be given to a principals
    without conveying any actionable result. Since resources do not appear in list
    results if the principal has no actions granted on that resource, this can be
    used to allow principals to see values in list results without also giving
    read or other capabilities on the resources. The default scope permissions
    have been updated to convey no-op,list instead of read,list.
    (PR)

  • cli/api/sdk: User resources have new attributes for:

    • Primary Account ID
    • Login Name
    • Full Name
    • Email

    These new user attributes correspond to attributes from the user's primary
    auth method account. These attributes will be empty when the user has no
    account in the primary auth method for their scope, or there is no designated
    primary auth method for their scope.

  • cli: Support for reading and deleting the user's own token via the new
    read:self and delete:self actions on auth tokens. If no token ID is
    provided, the stored token's ID will be used (after prompting), or "self"
    can be set as the value of the -id parameter to trigger this behavior
    without prompting. (PR)

  • cli: New logout command deletes the current token in Boundary and forgets it
    from the local system credential store, respecting -token-name
    (PR)

  • config: The name field for workers and controllers now supports being set
    from environment variables or a file on disk
    (PR)

Bug Fixes

  • cors: Fix allowing all origins by default
    (PR)
  • cli: It is now an error to run boundary database migrate on an uninitalized db.
    Use boundary database init instead.
    (PR)
  • cli: Correctly honor the -format flag when running boundary database init
    (PR)