Releases: hashicorp/boundary

v0.10.0

10 Aug 18:53

0.10.0 (2022/08/10)

Known Issues

  • Migration to this version may fail if the cluster contains credential
    libraries. This will be fixed shortly in 0.10.1.

New and Improved

  • ssh Target Type With Credential Injection (HCP Boundary only): Boundary has
    gained a new ssh target type. Using this type, username/password or SSH
    private key credentials can be sourced from vault credential libraries or
    static credentials and injected into the SSH session between a client and
    end host. This allows users to securely SSH to remote hosts while never being
    in possession of a valid credential for that target host.
  • SSH Private Key Credentials: There is now an ssh_private_key credential type
    that allows submitting a username/private key (and optional passphrase) to
    Boundary for use with credential injection or brokering workflows.
  • boundary connect ssh Credential Brokering Enhancements: we have extended
    support into the boundary connect ssh helper for brokered credentials of
    ssh_private_key type; the command will automatically pass the credentials to
    the ssh process (PR).
  • boundary authenticate, boundary accounts: Enables use of env:// and
    file:// syntax to specify location of a password
    (PR)

Bug Fixes

  • cli: Correctly clean up plugins after exiting boundary dev, boundary server
    and boundary database init
    (Issue,
    PR).
  • boundary accounts change-password: Fixed being prompted for confirmation of
    the current password instead of the new one
    (PR)

Deprecations/Changes

  • API Module: Changed the return types that reference interfaces into their
    expected typed definition. Type casting is only allowed against interface
    types, therefore to mitigate compiler errors please remove any type casting
    done against the return values.
    (Issue,
    PR)
  • Targets: Rename Application credentials to Brokered credentials
    (PR).
  • Host plugins: Plugin-type host catalogs/sets/hosts now use typed prefixes for
    any newly-created resources. Existing resources will not be affected.
    (PR)
  • Credential stores: Static-type credential stores/credentials now use typed
    prefixes for any newly-created resources. Existing resources will not be
    affected. (PR)
  • Change of behavior on -token flag in CLI: Passing a token this way can
    reveal the token to any user or service that can look at process information.
    This flag must now reference a file on disk or an env var. Direct usage of the
    BOUNDARY_TOKEN env var is also deprecated as it can show up in environment
    information; with the env:// format now supported by the -token flag, the
    Boundary process reads the variable instead of the shell, which is safer.
    (PR)
  • Change of behavior on -password flag in CLI: The same change made above for
    -token has also been applied to -password or, for supporting resource
    types, -current-password and -new-password.
    (PR)
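
The -token and -password changes above come down to resolving a reference inside the process instead of accepting the secret as an argument. The sketch below is an added example, not Boundary's own code: resolveSecretRef, ErrLiteralSecret and the EXAMPLE_BOUNDARY_TOKEN variable are hypothetical names, and the token value is a constructed sample.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// ErrLiteralSecret is returned when the flag value is the secret itself
// rather than a reference to where the secret lives.
var ErrLiteralSecret = errors.New("secret must be given as env://NAME or file://PATH")

// resolveSecretRef (hypothetical helper) turns an env:// or file:// reference
// into the secret value. The read happens inside this process, so only the
// reference, never the secret, appears in the process argument list.
func resolveSecretRef(ref string) (string, error) {
	switch {
	case strings.HasPrefix(ref, "env://"):
		name := strings.TrimPrefix(ref, "env://")
		val, ok := os.LookupEnv(name)
		if !ok || val == "" {
			return "", fmt.Errorf("environment variable %q is unset or empty", name)
		}
		return val, nil
	case strings.HasPrefix(ref, "file://"):
		path := strings.TrimPrefix(ref, "file://")
		raw, err := os.ReadFile(path)
		if err != nil {
			return "", fmt.Errorf("reading secret file: %w", err)
		}
		// Editors and echo usually leave a trailing newline; drop it.
		val := strings.TrimRight(string(raw), "\r\n")
		if val == "" {
			return "", fmt.Errorf("secret file %q is empty", path)
		}
		return val, nil
	default:
		// Do not echo ref in the error: it may be the secret itself.
		return "", ErrLiteralSecret
	}
}

func main() {
	// Constructed sample values, not real credentials.
	os.Setenv("EXAMPLE_BOUNDARY_TOKEN", "at_constructed_sample")
	for _, ref := range []string{"env://EXAMPLE_BOUNDARY_TOKEN", "at_constructed_sample"} {
		val, err := resolveSecretRef(ref)
		fmt.Printf("resolved=%t err=%v\n", val != "", err)
	}
}
```

The literal-value branch deliberately leaves the input out of the error text, so a mistyped invocation does not copy the secret into logs.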

v0.9.1

06 Jul 20:00

0.9.1 (2022/07/06)

New and Improved

  • azure host plugin: Support multiple MSI identities
    (PR)

Bug Fixes

  • scheduler: Fix regression causing controller names of less than 10 characters
    to fail to register jobs
    (PR).
  • sessions: Fix an additional case from the changes in the 0.8.x series that
    could result in sessions never moving from canceling state to terminated.
    (PR)
  • The plugin execution_dir configuration parameter is now respected by kms plugins too
    PR.

Deprecations/Changes

  • sessions: The default connect limit for new sessions changed from 1 to unlimited (-1).
    Specific connection limits are an advanced feature of Boundary and this setting is
    more friendly for new users.
    (PR)

v0.9.0

20 Jun 19:08

0.9.0 (2022/06/20)

New and Improved

  • PKI Workers: This release introduces a new worker type pki which
    authenticates to Boundary using a new certificate-based method, allowing for
    worker deployment without using a shared KMS.
  • Credentials: This release introduces a new credential store type static,
    which simply takes in a user-supplied credential and stores it (encrypted)
    directly in Boundary. Currently, the static credential store can hold
    credentials of type username_password. These credentials can act as
    credential sources for targets, similar to credential libraries from the
    vault credential store, and thus can be brokered to users at session
    authorization time. PR
  • boundary connect Credential Brokering Integration: we have extended integration
    into the boundary connect helpers. A new sshpass style has been added to the
    ssh helper; when it is used, if the credential contains a username/password and sshpass
    is installed, the command will automatically pass the credentials to the ssh process.
    Additionally, the default ssh helper will now use the username of the brokered credential.
    PR.
  • controller: Improve response time for listing sessions.
    This also creates a new periodic job that will delete terminated
    sessions after 1 hour.
    See Deprecations/Changes for some additional details.
    PR.
  • event filtering: Change event filters to use lowercase and snake case for data
    elements like the rest of Boundary filters do.
  • ui: Use include_terminated flag for listing sessions.
    PR.
  • ui: Add Quick Setup onboarding guide.
    PR.

Bug Fixes

  • The plugin execution_dir configuration parameter is now respected.
    PR.
  • ui: Fix Users page not updating fields correctly.
    PR.

Deprecations/Changes

  • Targets: Removes support for credential libraries with respect to Target resources.
    The library fields and actions were deprecated in Boundary 0.5.0;
    please use credential sources instead. See changelog referenced above for
    more details (PR).
  • Credential Libraries: The user_password credential type has been renamed to
    username_password to remove any inconsistency over what the credential type is.
    All existing user_password typed credential libraries will be migrated to
    username_password (PR).
  • controller: Change the default behavior of the session list endpoint
    to no longer include sessions in a terminated state and introduce
    a new query parameter/cli flag to include the terminated sessions.
    This also removes the connection information from the list response.
    PR.
  • Anonymous user permissions: In order to reduce the risk of accidental and
    unintended granting of permissions to anonymous users, the permissions system
    now only allows certain actions on certain resources to be assigned to the
    anonymous user; currently these are the same permissions as assigned in
    Boundary's default role permissions. If other use-cases arise this list can be
    expanded. See the documentation for more details.

v0.8.1

16 May 18:36

0.8.1 (2022/05/13)

Bug Fixes

  • controller: Do not shut down cluster listener when it receives an invalid
    packet (Issue,
    PR)
  • session: update cancel_session() function to check for terminated state (Issue,
    PR)

v0.8.0

03 May 21:20
bc86b4e

0.8.0 (2022/05/03)

New and Improved

  • metrics: provide metrics for controllers and workers
  • controller: new health endpoint (PR).
  • Improve response time for listing sessions and targets.
    PR
  • ui: Add support for worker filters in targets.
  • ui: Add manual refresh button in sessions list.

Bug Fixes

  • worker: create new error to prevent event.newError: missing error: invalid parameter and handle session cancel
    with no TOFU token (Issue,
    PR)
  • controller: Reconcile DEKs with existing scopes (Issue,
    PR)
  • Fix for retrieving sessions that could result in incomplete results when
    there is a large number (10k+) of sessions.
    PR
  • session: update session state trigger to prevent transitions to invalid states (Issue,
    PR)

v0.7.6

16 Mar 20:07
0ffa45c

0.7.6 (2022/03/15)

Bug Fixes

  • sessions: Sessions and session connections have been refactored
    to better isolate transactions and prevent resource contention that caused deadlocks.
    (Issue,
    PR)
  • scheduler: Fix bug that causes erroneous logs when racing controllers
    attempted to run jobs
    (Issue,
    PR).

v0.7.5

17 Feb 19:31
a2dc9df

0.7.5 (2022/02/17)

New and Improved

  • cli: Update authentication examples to remove password flag and make
    subcommand selection a bit clearer
    (PR)
  • Data Warehouse: Add addresses on plugin based hosts to the database warehouse.
    3 new dimension tables have been added including wh_network_address_group
    (which is now referenced by wh_host_dimension),
    wh_network_address_dimension, and wh_network_address_group_membership.
    (PR)
  • ui: Add support for dynamic host catalog. AWS and Azure plugin-based CRUD operations.

Bug Fixes

  • targets: Specifying a plugin based host id when authorizing a session
    now works. (PR)
  • targets: DNS names are now properly parsed when selecting an endpoint
    for authorizing a session.
    (PR)
  • hosts: Static hosts now include the host sets they are in.
    (PR)

v0.7.4

18 Jan 19:46

0.7.4 (2022/01/18)

Deprecations/Changes

  • In newly-created scopes, if default role creation is not disabled, the roles
    will now contain a grant to allow listing targets. This will still be subject
    to listing visibility rules, so only targets the user is granted some action
    on (such as authorize-session) will be returned.

New and Improved

  • config: The description field for workers now supports being set
    from environment variables or a file on disk
    (PR)
  • config: The max_open_connections field for the database field in controllers now supports being set
    from environment variables or a file on disk
    (PR)
  • config: The execution_dir field for plugins now supports being set from environment variables
    or a file on disk. (PR)
  • config: Add support for reading worker controllers off of environment
    variables as well as files. (PR)
  • config: The description field for controllers now supports being set
    from environment variables or a file on disk
    (PR)
  • config: Add support for reading worker tags off of environment variables
    as well as files. (PR)
  • config: Add support for go-sockaddr templates to Worker and Controller
    addresses. (PR)
  • controllers/workers: Add client IP to inbound request information which is included in
    Boundary events (PR)
  • host: A plugin-based host catalog will now schedule updates for all
    of its host sets when its attributes are updated.
    (PR)
  • scopes: Default roles in newly-created scopes now contain a grant to allow
    listing targets. (PR)
  • plugins/aws: AWS plugin based hosts now include DNS names in addition to the
    IP addresses they already provide.

Bug Fixes

  • session: Fix duplicate sessions and invalid session state transitions. (PR)

v0.7.3

16 Dec 17:39

0.7.3 (2021/12/16)

Bug Fixes

  • target: Fix permission bug which prevents the UI from being able to add and remove
    host sources on a target. (PR)
  • credential: Fix panic during credential issue when a nil secret is received. This can
    occur when using the Vault KV backend which returns a nil secret and no error if the
    secret does not exist. (PR)

v0.7.2

15 Dec 22:05

0.7.2 (2021/12/14)

Security

  • Boundary now uses Go 1.17.5 to address a security vulnerability (CVE-2021-44716) where
    an attacker can cause unbounded memory growth in a Go server accepting HTTP/2 requests.
    See the Go announcement for
    more details. (PR)