v0.2.1
0.2.1 (2021/05/05)
Deprecations/Changes
- API
delete
actions now result in a204
status code and no body when
successful. This was not the case previously due to a technical limitation
which has now been solved. - When using a
delete
command within the CLI we now either show success or
treat the404
error the same as any other404
error, that is, it results
in a non-zero status code and an error message. This makesdelete
actions
behave the same as other commands, all of which pass through errors to the
CLI. Given-format json
capability, it's relatively easy to perform a check
to see whether an error was404
or something else from within scripts, in
conjunction with checking that the returned status code matches the API error
status code (1
). - When outputting from the CLI in JSON format, the resource information under
item
oritems
(depending on the action) now exactly matches the JSON sent
across the wire by the controller, as opposed to matching the Go SDK
representation which could result in some extra fields being shown or fields
having Go-specific types. This includesdelete
actions which previously
would show an object indicating existence, but now show noitem
on success
or the API's404
error. - Permissions in new scope default roles have been updated to include support
forlist
,read:self
, anddelete:self
onauth-token
resources. This
allows a user to list and manage their own authentication tokens. (As is the
case with other resources,list
will still be limited to returning tokens on
which the user has authorization to perform actions, so granting this
capability does not automatically give user the ability to list other users'
authentication tokens.)
New and Improved
-
permissions: Improving upon the work put into 0.2.0 to limit the fields that
are returned when listing as the anonymous user, grants now support a new
output_fields
section. This takes in a comma-delimited (or in JSON format,
array) set of values that correspond to the JSON fields returned from an API
call (for listing, this will be applied to each resource under theitems
field). If specified for a given ID or resource type (and scoped to specific
actions, if included), only the given values will be returned in the output.
If nooutput_fields
are specified, the defaults are used. For authenticated
users this defaults to all fields; foru_anon
this defaults to the fields
useful for navigating to and authenticating to the system. In either case,
this is overridable. See the permissions
documentation
for more information on why and when to use this. This currently only applies
to top-level fields in the response. -
cli/api/sdk: Add support to request additional OIDC claims scope values from
the OIDC provider when making an authentication request.
(PR).By default, Boundary only requests the "openid" claims scope value. Many
providers, like Okta and Auth0 for example, will not return the standard claims
of email and name when you request the default claims scope (openid).Boundary uses the standard email and name claims to populate an OIDC
account'sEmail
andFullName
attributes. If you'd like these account
attributes populated, you'll need to reference your OIDC provider's documentation
to learn which claims scopes are required to have these claims returned during
the authentication process.Boundary now provides a new OIDC auth method parameter
claims_scopes
which
allows you to add multiple additional claims scope values to an OIDC auth
method configuration.For information on claims scope values see: Scope Claims in the OIDC
specification -
cli: Match JSON format output with the across-the-wire API JSON format
(PR) -
api: Return
204
instead of an empty object on successfuldelete
operations
(PR) -
actions: The new
no-op
action allows a grant to be given to a principals
without conveying any actionable result. Since resources do not appear in list
results if the principal has no actions granted on that resource, this can be
used to allow principals to see values in list results without also giving
read
or other capabilities on the resources. The default scope permissions
have been updated to conveyno-op,list
instead ofread,list
.
(PR) -
cli/api/sdk: User resources have new attributes for:
- Primary Account ID
- Login Name
- Full Name
These new user attributes correspond to attributes from the user's primary
auth method account. These attributes will be empty when the user has no
account in the primary auth method for their scope, or there is no designated
primary auth method for their scope. -
cli: Support for reading and deleting the user's own token via the new
read:self
anddelete:self
actions on auth tokens. If no token ID is
provided, the stored token's ID will be used (after prompting), or"self"
can be set as the value of the-id
parameter to trigger this behavior
without prompting. (PR) -
cli: New
logout
command deletes the current token in Boundary and forgets it
from the local system credential store, respecting-token-name
(PR) -
config: The
name
field for workers and controllers now supports being set
from environment variables or a file on disk
(PR)