git.proxmox.com Git - pve-access-control.git/blame - debian/changelog
bump version to 8.0.4
Commit Line Data
33e4480a
WB
1libpve-access-control (8.0.4) bookworm; urgency=medium
2
3 * Lookup of second factors is no longer tied to the 'keys' field in the
4 user.cfg. This fixes an issue where certain LDAP/AD sync job settings
5 could disable user-configured 2nd factors.
6
7 * Existing-but-disabled TFA factors can no longer circumvent realm-mandated
8 TFA.
9
10 -- Proxmox Support Team <support@proxmox.com> Thu, 20 Jul 2023 10:59:21 +0200
11
8a856968
TL
12libpve-access-control (8.0.3) bookworm; urgency=medium
13
14 * pveum: list tfa: recovery keys have no descriptions
15
16 * pveum: list tfa: sort by user ID
17
18 * drop assert_new_tfa_config_available for Proxmox VE 8, as the new format
19 is understood since pve-manager 7.0-15, and users must upgrade to Proxmox
20 VE 7.4 before upgrading to Proxmox VE 8 in addition to that.
21
22 -- Proxmox Support Team <support@proxmox.com> Wed, 21 Jun 2023 19:45:29 +0200
23
1852a929
TL
24libpve-access-control (8.0.2) bookworm; urgency=medium
25
26 * api: users: sort groups to avoid "flapping" text
27
28 * api: tfa: don't block tokens from viewing and listing TFA entries, both are
29 safe to do for anybody with enough permissions to view a user.
30
31 * api: tfa: add missing links for child-routes
32
33 -- Proxmox Support Team <support@proxmox.com> Wed, 21 Jun 2023 18:13:54 +0200
34
ebf82c77
TL
35libpve-access-control (8.0.1) bookworm; urgency=medium
36
37 * tfa: cope with native versions in cluster version check
38
39 -- Proxmox Support Team <support@proxmox.com> Fri, 09 Jun 2023 16:12:01 +0200
40
6004f25e
TL
41libpve-access-control (8.0.0) bookworm; urgency=medium
42
43 * api: roles: forbid creating new roles starting with "PVE" namespace
44
45 -- Proxmox Support Team <support@proxmox.com> Fri, 09 Jun 2023 10:14:28 +0200
46
8e8023b1
TL
47libpve-access-control (8.0.0~3) bookworm; urgency=medium
48
49 * rpcenv: api permission heuristic: query Sys.Modify for root ACL-path
50
51 * access control: add /sdn/zones/<zone>/<vnet>/<vlan> ACL object path
52
53 * add helper for checking bridge access
54
55 * add new SDN.Use privilege in PVESDNUser role, allowing one to specify
56 which users are allowed to use a bridge (or vnet, if SDN is installed)
57
58 * add privileges and paths for cluster resource mapping
59
60 -- Proxmox Support Team <support@proxmox.com> Wed, 07 Jun 2023 19:06:54 +0200
61
3ef602fe
TL
62libpve-access-control (8.0.0~2) bookworm; urgency=medium
63
64 * api: user index: only include existing tfa lock flags
65
66 * add realm-sync plugin for jobs and CRUD api for realm-sync-jobs
67
68 * roles: only include Permissions.Modify in Administrator built-in role.
69 As, depending on the ACL object path, this privilege might allow one to
70 change their own permissions, which was making the distinction between
71 Admin and PVEAdmin irrelevant.
72
73 * acls: restrict less-privileged ACL modifications. Through allocate
74 permissions in pools, storages and virtual guests one can do some ACL
75 modifications without having the Permissions.Modify privilege, lock those
76 better down to ensure that one can hand out only the subset of their
77 own privileges, never more. Note that this is mostly future proofing, as
78 the ACL object paths one could give out more permissions were already
79 limiting the scope.
80
81 -- Proxmox Support Team <support@proxmox.com> Wed, 07 Jun 2023 11:34:30 +0200
82
f63364a7
WB
83libpve-access-control (8.0.0~1) bookworm; urgency=medium
84
85 * bump pve-rs dependency to 0.8.3
86
87 * drop old verify_tfa api call (POST /access/tfa)
88
89 * drop support for old login API:
90 - 'new-format' is now considered to be 1 and ignored by the API
91
92 * pam auth: set PAM_RHOST to allow pam configs to log/restrict/... by remote
93 address
94
95 * cli: add 'pveum tfa list'
96
97 * cli: add 'pveum tfa unlock'
98
99 * enable lockout of TFA:
100 - too many TOTP attempts will lock out of TOTP
101 - using a recovery key will unlock TOTP
102 - too many TFA attempts will lock a user's TFA auth for an hour
103
104 * api: add /access/users/<userid>/unlock-tfa to unlock a user's TFA
105 authentication if it was locked by too many wrong 2nd factor login attempts
106
107 * api: /access/tfa and /access/users now include the tfa lockout status
108
109 -- Proxmox Support Team <support@proxmox.com> Mon, 05 Jun 2023 14:52:29 +0200
110
a3dc6ff4
TL
111libpve-access-control (7.99.0) bookworm; urgency=medium
112
113 * initial re-build for Proxmox VE 8.x series
114
115 * switch to native versioning
116
117 -- Proxmox Support Team <support@proxmox.com> Sun, 21 May 2023 10:34:19 +0200
118
f2762a03
WB
119libpve-access-control (7.4-3) bullseye; urgency=medium
120
121 * use new 2nd factor verification from pve-rs
122
123 -- Proxmox Support Team <support@proxmox.com> Tue, 16 May 2023 13:31:28 +0200
124
f0595d15
TL
125libpve-access-control (7.4-2) bullseye; urgency=medium
126
127 * fix #4609: fix regression where a valid DN in the ldap/ad realm config
128 wasn't accepted anymore
129
130 -- Proxmox Support Team <support@proxmox.com> Thu, 23 Mar 2023 15:44:21 +0100
131
a23eaa1a
TL
132libpve-access-control (7.4-1) bullseye; urgency=medium
133
134 * realm sync: refactor scope/remove-vanished into a standard option
135
136 * ldap: Allow quoted values for DN attribute values
137
138 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Mar 2023 17:16:11 +0100
139
df33b3b9
TL
140libpve-access-control (7.3-2) bullseye; urgency=medium
141
142 * fix #4518: dramatically improve ACL computation performance
143
144 * userid format: clarify that this is the full name@realm in description
145
146 -- Proxmox Support Team <support@proxmox.com> Mon, 06 Mar 2023 11:40:11 +0100
147
2da8c203
TL
148libpve-access-control (7.3-1) bullseye; urgency=medium
149
150 * realm: sync: allow explicit 'none' for 'remove-vanished' option
151
152 -- Proxmox Support Team <support@proxmox.com> Fri, 16 Dec 2022 13:11:04 +0100
153
b84bf623
TL
154libpve-access-control (7.2-5) bullseye; urgency=medium
155
156 * api: realm sync: avoid separate log line for "remove-vanished" opt
157
158 * auth ldap/ad: compare group member dn case-insensitively
159
160 * two factor auth: only lock tfa config for recovery keys
161
162 * privs: add Sys.Incoming for guarding cross-cluster data streams like guest
163 migrations and storage migrations
164
165 -- Proxmox Support Team <support@proxmox.com> Thu, 17 Nov 2022 13:09:17 +0100
166
f4e68e49
TL
167libpve-access-control (7.2-4) bullseye; urgency=medium
168
169 * fix #4074: increase API OpenID code size limit to 2048
170
171 * auth key: protect against rare chance of a double rotation in clusters,
172 leaving the potential that some set of nodes have the earlier key cached,
173 that then got rotated out due to the race, resulting in a possible other
174 set of nodes having the newer key cached. This is a split view of the auth
175 key and may result in spurious failures if API requests are made to a
176 different node than the ticket was generated on.
177 In addition to that, the "keep validity of old tickets if signed in the
178 last two hours before rotation" logic was disabled too in such a case,
179 making such tickets invalid too early.
180 Note that both are cases where Proxmox VE was too strict, so while this
181 had no security implications it can be a nuisance, especially for
182 environments that use the API through an automated or scripted way
183
184 -- Proxmox Support Team <support@proxmox.com> Thu, 14 Jul 2022 08:36:51 +0200
185
26dde491
TL
186libpve-access-control (7.2-3) bullseye; urgency=medium
187
188 * api: token: use userid-group as API perm check to avoid being overly
189 strict through a misguided use of user id for non-root users.
190
191 * perm check: forbid undefined/empty ACL path for future proofing against
192 above issue
193
194 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Jun 2022 15:51:14 +0200
195
1cf4389b
TL
196libpve-access-control (7.2-2) bullseye; urgency=medium
197
198 * permissions: merge propagation flag for multiple roles on a path that
199 share privilege in a deterministic way, to avoid that it gets lost
200 depending on perl's random sort, which would result in returning less
201 privileges than an auth-id actually had.
202
203 * permissions: avoid that token and user privilege intersection is too strict
204 for user permissions that have propagation disabled.
205
206 -- Proxmox Support Team <support@proxmox.com> Fri, 03 Jun 2022 14:02:30 +0200
207
e3604d48
TL
208libpve-access-control (7.2-1) bullseye; urgency=medium
209
210 * user check: fix expiration/enable order
211
212 -- Proxmox Support Team <support@proxmox.com> Tue, 31 May 2022 13:43:37 +0200
213
79ae250f
TL
214libpve-access-control (7.1-8) bullseye; urgency=medium
215
216 * fix #3668: realm-sync: replace 'full' & 'purge' with 'remove-
217 vanished'
218
219 -- Proxmox Support Team <support@proxmox.com> Thu, 28 Apr 2022 17:02:46 +0200
220
eed46286
TL
221libpve-access-control (7.1-7) bullseye; urgency=medium
222
223 * userid-group check: distinguish create and update
224
225 * api: get user: declare token schema
226
227 -- Proxmox Support Team <support@proxmox.com> Mon, 21 Mar 2022 16:15:23 +0100
228
cd78b295
FG
229libpve-access-control (7.1-6) bullseye; urgency=medium
230
231 * fix #3768: warn on bad u2f or webauthn settings
232
233 * tfa: when modifying others, verify the current user's password
234
235 * tfa list: account for admin permissions
236
237 * fix realm sync permissions
238
239 * fix token permission display bug
240
241 * include SDN permissions in permission tree
242
243 -- Proxmox Support Team <support@proxmox.com> Fri, 21 Jan 2022 14:20:42 +0100
244
118088d8
TL
245libpve-access-control (7.1-5) bullseye; urgency=medium
246
247 * openid: fix username-claim fallback
248
249 -- Proxmox Support Team <support@proxmox.com> Thu, 25 Nov 2021 07:57:38 +0100
250
ebb14277
WB
251libpve-access-control (7.1-4) bullseye; urgency=medium
252
253 * set current origin in the webauthn config if no fixed origin was
254 configured, to support webauthn via subdomains
255
256 -- Proxmox Support Team <support@proxmox.com> Mon, 22 Nov 2021 14:04:06 +0100
257
44a55ff7
TL
258libpve-access-control (7.1-3) bullseye; urgency=medium
259
260 * openid: allow arbitrary username-claims
261
262 * openid: support configuring the prompt, scopes and ACR values
263
264 -- Proxmox Support Team <support@proxmox.com> Fri, 19 Nov 2021 08:11:52 +0100
265
6f643e79
TL
266libpve-access-control (7.1-2) bullseye; urgency=medium
267
268 * catch incompatible tfa entries with a nice error
269
270 -- Proxmox Support Team <support@proxmox.com> Wed, 17 Nov 2021 13:44:45 +0100
271
92bca71e
TL
272libpve-access-control (7.1-1) bullseye; urgency=medium
273
274 * tfa: map HTTP 404 error in get_tfa_entry correctly
275
276 -- Proxmox Support Team <support@proxmox.com> Mon, 15 Nov 2021 15:33:22 +0100
277
1c9b6501
TL
278libpve-access-control (7.0-7) bullseye; urgency=medium
279
280 * fix #3513: pass configured proxy to OpenID
281
282 * use rust based parser for TFA config
283
284 * use PBS-like auth api call flow,
285
286 * merge old user.cfg keys to tfa config when adding entries
287
288 * implement version checks for new tfa config writer to ensure all
289 cluster nodes are ready to avoid login issues
290
291 * tickets: add tunnel ticket
292
293 -- Proxmox Support Team <support@proxmox.com> Thu, 11 Nov 2021 18:17:49 +0100
294
cd46b379
TL
295libpve-access-control (7.0-6) bullseye; urgency=medium
296
297 * fix regression in user deletion when realm does not enforce TFA
298
299 -- Proxmox Support Team <support@proxmox.com> Thu, 21 Oct 2021 12:28:52 +0200
300
52da88a8
TL
301libpve-access-control (7.0-5) bullseye; urgency=medium
302
303 * acl: check path: add /sdn/vnets/* path
304
305 * fix #2302: allow deletion of users when realm enforces TFA
306
307 * api: delete user: disable user first to avoid surprise on error during the
308 various cleanup action required for user deletion (e.g., TFA, ACL, group)
309
310 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Sep 2021 15:50:47 +0200
311
543d646c
TL
312libpve-access-control (7.0-4) bullseye; urgency=medium
313
314 * realm: add OpenID configuration
315
316 * api: implement OpenID related endpoints
317
318 * implement opt-in OpenID autocreate user feature
319
320 * api: user: add 'realm-type' to user list response
321
322 -- Proxmox Support Team <support@proxmox.com> Fri, 02 Jul 2021 13:45:46 +0200
323
7a4c4fd8
TL
324libpve-access-control (7.0-3) bullseye; urgency=medium
325
326 * api: acl: add missing `/access/realm/<realm>`, `/access/group/<group>` and
327 `/sdn/zones/<zone>` to allowed ACL paths
328
329 -- Proxmox Support Team <support@proxmox.com> Mon, 21 Jun 2021 10:31:19 +0200
330
0902a936
FG
331libpve-access-control (7.0-2) bullseye; urgency=medium
332
333 * fix #3402: add Pool.Audit privilege - custom roles containing
334 Pool.Allocate must be updated to include the new privilege.
335
336 -- Proxmox Support Team <support@proxmox.com> Tue, 1 Jun 2021 11:28:38 +0200
337
67febb69
TL
338libpve-access-control (7.0-1) bullseye; urgency=medium
339
340 * re-build for Debian 11 Bullseye based releases
341
342 -- Proxmox Support Team <support@proxmox.com> Sun, 09 May 2021 18:18:23 +0200
343
2942ba41
TL
344libpve-access-control (6.4-1) pve; urgency=medium
345
346 * fix #1670: change PAM service name to project specific name
347
348 * fix #1500: permission path syntax check for access control
349
350 * pveum: add resource pool CLI commands
351
352 -- Proxmox Support Team <support@proxmox.com> Sat, 24 Apr 2021 19:48:21 +0200
353
54d312f3
TL
354libpve-access-control (6.1-3) pve; urgency=medium
355
356 * partially fix #2825: authkey: rotate if it was generated in the
357 future
358
359 * fix #2947: add an option to LDAP or AD realm to switch user lookup to case
360 insensitive
361
362 -- Proxmox Support Team <support@proxmox.com> Tue, 29 Sep 2020 08:54:13 +0200
363
6a9be12f
TL
364libpve-access-control (6.1-2) pve; urgency=medium
365
366 * also check SDN permission path when computing coarse permissions heuristic
367 for UIs
368
369 * add SDN Permissions.Modify
370
371 * add VM.Config.Cloudinit
372
373 -- Proxmox Support Team <support@proxmox.com> Tue, 30 Jun 2020 13:06:56 +0200
374
e6624f50
TL
375libpve-access-control (6.1-1) pve; urgency=medium
376
377 * pveum: add tfa delete subcommand for deleting user-TFA
378
379 * LDAP: don't complain about missing credentials on realm removal
380
381 * LDAP: skip anonymous bind when client certificate and key is configured
382
383 -- Proxmox Support Team <support@proxmox.com> Fri, 08 May 2020 17:47:41 +0200
384
8f4a522f
TL
385libpve-access-control (6.0-7) pve; urgency=medium
386
387 * fix #2575: die when trying to edit built-in roles
388
389 * add realm sub commands to pveum CLI tool
390
7d23b7ca 391 * api: domains: add user group sync API endpoint
8f4a522f
TL
392
393 * allow one to sync and import users and groups from LDAP/AD based realms
394
395 * realm: add default-sync-options to config for more convenient sync configuration
396
397 * api: token create: return also full token id for convenience
398
399 -- Proxmox Support Team <support@proxmox.com> Sat, 25 Apr 2020 19:35:17 +0200
400
23059f35
TL
401libpve-access-control (6.0-6) pve; urgency=medium
402
403 * API: add group members to group index
404
405 * implement API token support and management
406
407 * pveum: add 'pveum user token add/update/remove/list'
408
409 * pveum: add permissions sub-commands
410
411 * API: add 'permissions' API endpoint
412
413 * user.cfg: skip inexisting roles when parsing ACLs
414
415 -- Proxmox Support Team <support@proxmox.com> Wed, 29 Jan 2020 10:17:27 +0100
416
3dd692e9
TL
417libpve-access-control (6.0-5) pve; urgency=medium
418
419 * pveum: add list command for users, groups, ACLs and roles
420
421 * add initial permissions for experimental SDN integration
422
423 -- Proxmox Support Team <support@proxmox.com> Tue, 26 Nov 2019 17:56:37 +0100
424
4ef92d0d
FG
425libpve-access-control (6.0-4) pve; urgency=medium
426
427 * ticket: use clinfo to get cluster name
428
429 * ldaps: add sslversion configuration property to support TLS 1.1 to 1.3 as
430 SSL version
431
432 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Nov 2019 11:55:11 +0100
433
6e5bbca4
TL
434libpve-access-control (6.0-3) pve; urgency=medium
435
436 * fix #2433: increase possible TFA secret length
437
438 * parse user configuration: correctly parse group names in ACLs, for users
439 which begin their name with an @
440
441 * sort user.cfg entries alphabetically
442
443 -- Proxmox Support Team <support@proxmox.com> Tue, 29 Oct 2019 08:52:23 +0100
444
e073493c
TL
445libpve-access-control (6.0-2) pve; urgency=medium
446
447 * improve CSRF verification compatibility with newer PVE
448
449 -- Proxmox Support Team <support@proxmox.com> Wed, 26 Jun 2019 20:24:35 +0200
450
a237dc2e
TL
451libpve-access-control (6.0-1) pve; urgency=medium
452
453 * ticket: properly verify exactly 5 minute old tickets
454
455 * use hmac_sha256 instead of sha1 for CSRF token generation
456
457 -- Proxmox Support Team <support@proxmox.com> Mon, 24 Jun 2019 18:14:45 +0200
458
f1531f22
TL
459libpve-access-control (6.0-0+1) pve; urgency=medium
460
461 * bump for Debian buster
462
463 * fix #2079: add periodic auth key rotation
464
465 -- Proxmox Support Team <support@proxmox.com> Tue, 21 May 2019 21:31:15 +0200
466
ef761f51
TL
467libpve-access-control (5.1-10) unstable; urgency=medium
468
469 * add /access/user/{id}/tfa api call to get tfa types
470
471 -- Proxmox Support Team <support@proxmox.com> Wed, 15 May 2019 16:21:10 +0200
472
860ddcba
TL
473libpve-access-control (5.1-9) unstable; urgency=medium
474
475 * store the tfa type in user.cfg allowing to get it without proxying the call
7d23b7ca 476 to a higher privileged daemon.
860ddcba
TL
477
478 * tfa: realm required TFA should lock out users without TFA configured, as it
479 was done before Proxmox VE 5.4
480
481 -- Proxmox Support Team <support@proxmox.com> Tue, 30 Apr 2019 14:01:00 +0000
482
9fbad012
TL
483libpve-access-control (5.1-8) unstable; urgency=medium
484
485 * U2F: ensure we save correct public key on registration
486
487 -- Proxmox Support Team <support@proxmox.com> Tue, 09 Apr 2019 12:47:12 +0200
488
4473c96c
TL
489libpve-access-control (5.1-7) unstable; urgency=medium
490
491 * verify_ticket: allow general non-challenge tfa to be run as two step
492 call
493
494 -- Proxmox Support Team <support@proxmox.com> Mon, 08 Apr 2019 16:56:14 +0200
495
a270d4e1
TL
496libpve-access-control (5.1-6) unstable; urgency=medium
497
498 * more general 2FA configuration via priv/tfa.cfg
499
500 * add u2f api endpoints
501
502 * delete TFA entries when deleting a user
503
504 * allow users to change their TOTP settings
505
506 -- Proxmox Support Team <support@proxmox.com> Wed, 03 Apr 2019 13:40:26 +0200
507
374647e8
TL
508libpve-access-control (5.1-5) unstable; urgency=medium
509
510 * fix vnc ticket verification without authkey lifetime
511
512 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Mar 2019 10:43:17 +0100
513
7fb70c94
TL
514libpve-access-control (5.1-4) unstable; urgency=medium
515
516 * fix #1891: Add zsh command completion for pveum
517
518 * ground work to fix #2079: add periodic auth key rotation. Not yet enabled
519 to avoid issues on upgrade, will be enabled with 6.0
520
521 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Mar 2019 09:12:05 +0100
522
6e010cde
TL
523libpve-access-control (5.1-3) unstable; urgency=medium
524
525 * api/ticket: move getting cluster name into an eval
526
527 -- Proxmox Support Team <support@proxmox.com> Thu, 29 Nov 2018 12:59:36 +0100
528
f5a9380a
TL
529libpve-access-control (5.1-2) unstable; urgency=medium
530
531 * fix #1998: correct return properties for read_role
532
533 -- Proxmox Support Team <support@proxmox.com> Fri, 23 Nov 2018 14:22:40 +0100
534
b54b7474
TL
535libpve-access-control (5.1-1) unstable; urgency=medium
536
537 * pveum: introduce sub-commands
538
539 * register userid with completion
540
541 * fix #233: return cluster name on successful login
542
543 -- Proxmox Support Team <support@proxmox.com> Thu, 15 Nov 2018 09:34:47 +0100
544
52192dd4
WB
545libpve-access-control (5.0-8) unstable; urgency=medium
546
547 * fix #1612: ldap: make 2nd server work with bind domains again
548
549 * fix an error message where passing a bad pool id to an API function would
550 make it complain about a wrong group name instead
551
552 * fix the API-returned permission list so that the GUI knows to show the
553 'Permissions' tab for a storage to an administrator apart from root@pam
554
555 -- Proxmox Support Team <support@proxmox.com> Thu, 18 Jan 2018 13:34:50 +0100
556
3dadf8cf
FG
557libpve-access-control (5.0-7) unstable; urgency=medium
558
559 * VM.Snapshot.Rollback privilege added
560
561 * api: check for special roles before locking the usercfg
562
563 * fix #1501: pveum: die when deleting special role
564
565 * API/ticket: rework coarse grained permission computation
566
567 -- Proxmox Support Team <support@proxmox.com> Thu, 5 Oct 2017 11:27:48 +0200
568
ec4141f4
WB
569libpve-access-control (5.0-6) unstable; urgency=medium
570
571 * Close #1470: Add server certificate verification for AD and LDAP via the
572 'verify' option. For compatibility reasons this defaults to off for now,
573 but that might change with future updates.
574
575 * AD, LDAP: Add ability to specify a CA path or file, and a client
576 certificate via the 'capath', 'cert' and 'certkey' options.
577
578 -- Proxmox Support Team <support@proxmox.com> Tue, 08 Aug 2017 11:56:38 +0200
579
63134bd4
DM
580libpve-access-control (5.0-5) unstable; urgency=medium
581
582 * change from dpkg-deb to dpkg-buildpackage
583
584 -- Proxmox Support Team <support@proxmox.com> Thu, 22 Jun 2017 09:12:37 +0200
585
868fb1ea
DM
586libpve-access-control (5.0-4) unstable; urgency=medium
587
588 * PVE/CLI/pveum.pm: call setup_default_cli_env()
589
590 * PVE/Auth/PVE.pm: encode utf8 password before calling crypt
591
592 * check_api2_permissions: avoid warning about uninitialized value
593
594 -- Proxmox Support Team <support@proxmox.com> Tue, 02 May 2017 11:58:15 +0200
595
63358f40
DM
596libpve-access-control (5.0-3) unstable; urgency=medium
597
598 * use new PVE::OTP class from pve-common
599
600 * use new PVE::Tools::encrypt_pw from pve-common
601
602 -- Proxmox Support Team <support@proxmox.com> Thu, 30 Mar 2017 17:45:55 +0200
603
05fd50af
DM
604libpve-access-control (5.0-2) unstable; urgency=medium
605
606 * encrypt_pw: avoid '+' for crypt salt
607
608 -- Proxmox Support Team <support@proxmox.com> Thu, 30 Mar 2017 08:54:10 +0200
609
0835385b
FG
610libpve-access-control (5.0-1) unstable; urgency=medium
611
612 * rebuild for PVE 5.0
613
614 -- Proxmox Support Team <support@proxmox.com> Mon, 6 Mar 2017 13:42:01 +0100
615
730f8863
DM
616libpve-access-control (4.0-23) unstable; urgency=medium
617
618 * use new PVE::Ticket class
619
620 -- Proxmox Support Team <support@proxmox.com> Thu, 19 Jan 2017 13:42:06 +0100
621
1f1c4593
DM
622libpve-access-control (4.0-22) unstable; urgency=medium
623
624 * RPCEnvironment: removed check_volume_access() to avoid cyclic dependency
625 (moved to PVE::Storage)
626
627 * PVE::RPCEnvironment: use new PVE::RESTEnvironment as base class
628
629 -- Proxmox Support Team <support@proxmox.com> Thu, 19 Jan 2017 09:12:04 +0100
630
f9105063
DM
631libpve-access-control (4.0-21) unstable; urgency=medium
632
633 * setup_default_cli_env: expect $class as first parameter
634
635 -- Proxmox Support Team <support@proxmox.com> Thu, 12 Jan 2017 13:54:27 +0100
636
9595066e
DM
637libpve-access-control (4.0-20) unstable; urgency=medium
638
639 * PVE/RPCEnvironment.pm: new function setup_default_cli_env
640
641 * PVE/API2/Domains.pm: fix property description
642
643 * use new repoman for upload target
644
645 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Jan 2017 12:13:26 +0100
646
2af5a793
DM
647libpve-access-control (4.0-19) unstable; urgency=medium
648
649 * Close #833: ldap: non-anonymous bind support
650
651 * don't import 'RFC' from MIME::Base32
652
653 -- Proxmox Support Team <support@proxmox.com> Fri, 05 Aug 2016 13:09:08 +0200
654
5d87bb77
WB
655libpve-access-control (4.0-18) unstable; urgency=medium
656
657 * fix #1062: recognize base32 otp keys again
658
659 -- Proxmox Support Team <support@proxmox.com> Thu, 21 Jul 2016 08:43:18 +0200
660
28ddf48b
WB
661libpve-access-control (4.0-17) unstable; urgency=medium
662
663 * drop oathtool and libdigest-hmac-perl dependencies
664
665 -- Proxmox Support Team <support@proxmox.com> Mon, 11 Jul 2016 12:03:22 +0200
666
15cebb28
DM
667libpve-access-control (4.0-16) unstable; urgency=medium
668
669 * use pve-doc-generator to generate man pages
670
671 -- Proxmox Support Team <support@proxmox.com> Fri, 08 Apr 2016 07:06:05 +0200
672
678df887
DM
673libpve-access-control (4.0-15) unstable; urgency=medium
674
675 * Fix uninitialized warning when shadow.cfg does not exist
676
677 -- Proxmox Support Team <support@proxmox.com> Fri, 01 Apr 2016 07:10:57 +0200
678
cca9761a
DM
679libpve-access-control (4.0-14) unstable; urgency=medium
680
681 * Add is_worker to RPCEnvironment
682
683 -- Proxmox Support Team <support@proxmox.com> Tue, 15 Mar 2016 16:47:34 +0100
684
8643c99d
DM
685libpve-access-control (4.0-13) unstable; urgency=medium
686
687 * fix #916: allow HTTPS to access custom yubico url
688
689 -- Proxmox Support Team <support@proxmox.com> Mon, 14 Mar 2016 11:39:23 +0100
690
ae2a6bf9
DM
691libpve-access-control (4.0-12) unstable; urgency=medium
692
693 * Catch certificate errors instead of segfaulting
694
695 -- Proxmox Support Team <support@proxmox.com> Wed, 09 Mar 2016 14:41:01 +0100
696
4836db5f
DM
697libpve-access-control (4.0-11) unstable; urgency=medium
698
699 * Fix #861: use safer sprintf formatting
700
701 -- Proxmox Support Team <support@proxmox.com> Fri, 08 Jan 2016 12:52:39 +0100
702
ccbe23dc
DM
703libpve-access-control (4.0-10) unstable; urgency=medium
704
705 * Auth::LDAP, Auth::AD: ipv6 support
706
707 -- Proxmox Support Team <support@proxmox.com> Thu, 03 Dec 2015 12:09:32 +0100
708
90399ca4
DM
709libpve-access-control (4.0-9) unstable; urgency=medium
710
711 * pveum: implement bash completion
712
713 -- Proxmox Support Team <support@proxmox.com> Thu, 01 Oct 2015 17:22:52 +0200
714
364ffc13
DM
715libpve-access-control (4.0-8) unstable; urgency=medium
716
717 * remove_storage_access: cleanup of access permissions for removed storage
718
719 -- Proxmox Support Team <support@proxmox.com> Wed, 19 Aug 2015 15:39:15 +0200
720
7c26cb4a
DM
721libpve-access-control (4.0-7) unstable; urgency=medium
722
723 * new helper to remove access permissions for removed VMs
724
725 -- Proxmox Support Team <support@proxmox.com> Fri, 14 Aug 2015 07:57:02 +0200
726
296afbd1
DM
727libpve-access-control (4.0-6) unstable; urgency=medium
728
729 * improve parse_user_config, parse_shadow_config
730
731 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Jul 2015 13:14:33 +0200
732
7d2df2ef
DM
733libpve-access-control (4.0-5) unstable; urgency=medium
734
735 * pveum: check for $cmd being defined
736
737 -- Proxmox Support Team <support@proxmox.com> Wed, 10 Jun 2015 10:40:15 +0200
738
98a34e3f
DM
739libpve-access-control (4.0-4) unstable; urgency=medium
740
741 * use activate-noawait triggers
742
743 -- Proxmox Support Team <support@proxmox.com> Mon, 01 Jun 2015 12:25:31 +0200
744
15462727
DM
745libpve-access-control (4.0-3) unstable; urgency=medium
746
747 * IPv6 fixes
748
749 * non-root buildfix
750
751 -- Proxmox Support Team <support@proxmox.com> Wed, 27 May 2015 11:15:44 +0200
752
bbf4cc9a
DM
753libpve-access-control (4.0-2) unstable; urgency=medium
754
755 * trigger pve-api-updates event
756
757 -- Proxmox Support Team <support@proxmox.com> Tue, 05 May 2015 15:06:38 +0200
758
dfbcf6d3
DM
759libpve-access-control (4.0-1) unstable; urgency=medium
760
761 * bump version for Debian Jessie
762
763 -- Proxmox Support Team <support@proxmox.com> Thu, 26 Feb 2015 11:22:01 +0100
764
94971b3a
DM
765libpve-access-control (3.0-16) unstable; urgency=low
766
767 * root@pam can now be disabled in GUI.
768
769 -- Proxmox Support Team <support@proxmox.com> Fri, 30 Jan 2015 06:20:22 +0100
770
7b17c7cb
DM
771libpve-access-control (3.0-15) unstable; urgency=low
772
773 * oath: add 'step' and 'digits' option
774
775 -- Proxmox Support Team <support@proxmox.com> Wed, 23 Jul 2014 06:59:52 +0200
776
1abc2c0a
DM
777libpve-access-control (3.0-14) unstable; urgency=low
778
779 * add oath two factor auth
780
781 * add oathkeygen binary to generate keys for oath
782
783 * add yubico two factor auth
784
785 * depend on oathtool
786
787 * depend on libmime-base32-perl
30be0de9
DM
788
789 * allow to write builtin auth domains config (comment/tfa/default)
1abc2c0a
DM
790
791 -- Proxmox Support Team <support@proxmox.com> Thu, 17 Jul 2014 13:09:56 +0200
792
298450ab
DM
793libpve-access-control (3.0-13) unstable; urgency=low
794
795 * use correct connection string for AD auth
796
797 -- Proxmox Support Team <support@proxmox.com> Thu, 22 May 2014 07:16:09 +0200
798
396034e4
DM
799libpve-access-control (3.0-12) unstable; urgency=low
800
801 * add dummy API for GET /access/ticket (useful to generate login pages)
802
803 -- Proxmox Support Team <support@proxmox.com> Wed, 30 Apr 2014 14:47:56 +0200
804
26361123
DM
805libpve-access-control (3.0-11) unstable; urgency=low
806
807 * Sets common hot keys for spice client
808
809 -- Proxmox Support Team <support@proxmox.com> Fri, 31 Jan 2014 10:24:28 +0100
810
3643383d
DM
811libpve-access-control (3.0-10) unstable; urgency=low
812
813 * implement helper to generate SPICE remote-viewer configuration
814
815 * depend on libnet-ssleay-perl
816
817 -- Proxmox Support Team <support@proxmox.com> Tue, 10 Dec 2013 10:45:08 +0100
818
0baedcf7
DM
819libpve-access-control (3.0-9) unstable; urgency=low
820
821 * prevent user enumeration attacks
e4f8fc2e
DM
822
823 * allow dots in access paths
0baedcf7
DM
824
825 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Nov 2013 09:06:38 +0100
826
d4b63eae
DM
827libpve-access-control (3.0-8) unstable; urgency=low
828
829 * spice: use lowercase hostname in ticket signature
830
831 -- Proxmox Support Team <support@proxmox.com> Mon, 28 Oct 2013 08:11:57 +0100
832
49594944
DM
833libpve-access-control (3.0-7) unstable; urgency=low
834
835 * check_volume_access : use parse_volname instead of path, and remove
836 path related code.
7c410d63
DM
837
838 * use warnings instead of global -w flag.
49594944
DM
839
840 -- Proxmox Support Team <support@proxmox.com> Tue, 01 Oct 2013 12:35:53 +0200
841
fe7de5d0
DM
842libpve-access-control (3.0-6) unstable; urgency=low
843
844 * use shorter spiceproxy tickets
845
846 -- Proxmox Support Team <support@proxmox.com> Fri, 19 Jul 2013 12:39:09 +0200
847
4cdd9507
DM
848libpve-access-control (3.0-5) unstable; urgency=low
849
850 * add code to generate tickets for SPICE
851
852 -- Proxmox Support Team <support@proxmox.com> Wed, 26 Jun 2013 13:08:32 +0200
853
677f9ab0
DM
854libpve-access-control (3.0-4) unstable; urgency=low
855
856 * moved add_vm_to_pool/remove_vm_from_pool from qemu-server
857
858 -- Proxmox Support Team <support@proxmox.com> Tue, 14 May 2013 11:56:54 +0200
859
139a8ecf
DM
860libpve-access-control (3.0-3) unstable; urgency=low
861
7d23b7ca 862 * Add new role PVETemplateUser (and VM.Clone privilege)
139a8ecf
DM
863
864 -- Proxmox Support Team <support@proxmox.com> Mon, 29 Apr 2013 11:42:15 +0200
865
b78ce7c2
DM
866libpve-access-control (3.0-2) unstable; urgency=low
867
868 * remove CGI.pm related code (pveproxy does not need that)
869
870 -- Proxmox Support Team <support@proxmox.com> Mon, 15 Apr 2013 12:34:23 +0200
871
786820f9
DM
872libpve-access-control (3.0-1) unstable; urgency=low
873
874 * bump version for wheezy release
875
876 -- Proxmox Support Team <support@proxmox.com> Fri, 15 Mar 2013 08:07:06 +0100
877
e5ae5487
DM
878libpve-access-control (1.0-26) unstable; urgency=low
879
880 * check_volume_access: fix access permissions for backup files
881
882 -- Proxmox Support Team <support@proxmox.com> Thu, 28 Feb 2013 10:00:14 +0100
883
e3e6510c
DM
884libpve-access-control (1.0-25) unstable; urgency=low
885
886 * add VM.Snapshot permission
887
888 -- Proxmox Support Team <support@proxmox.com> Mon, 10 Sep 2012 09:23:32 +0200
889
1e15ebe7
DM
890libpve-access-control (1.0-24) unstable; urgency=low
891
892 * untaint path (allow root to restore arbitrary paths)
893
894 -- Proxmox Support Team <support@proxmox.com> Wed, 06 Jun 2012 13:06:34 +0200
895
437be042
DM
896libpve-access-control (1.0-23) unstable; urgency=low
897
898 * correctly compute GUI capabilities (consider pools)
899
900 -- Proxmox Support Team <support@proxmox.com> Wed, 30 May 2012 08:47:23 +0200
901
5bb4e06a
DM
902libpve-access-control (1.0-22) unstable; urgency=low
903
904 * new plugin architecture for Auth modules, minor API change for Auth
905 domains (new 'delete' parameter)
906
907 -- Proxmox Support Team <support@proxmox.com> Wed, 16 May 2012 07:21:44 +0200
908
3030a176
DM
909libpve-access-control (1.0-21) unstable; urgency=low
910
911 * do not allow user names including slash
912
913 -- Proxmox Support Team <support@proxmox.com> Tue, 24 Apr 2012 10:07:47 +0200
914
915libpve-access-control (1.0-20) unstable; urgency=low
916
917 * add ability to fork cli workers in background
918
919 -- Proxmox Support Team <support@proxmox.com> Wed, 18 Apr 2012 08:28:20 +0200
920
dd2cfee0
DM
921libpve-access-control (1.0-19) unstable; urgency=low
922
923 * return set of privileges on login - can be used to adapt GUI
924
925 -- Proxmox Support Team <support@proxmox.com> Tue, 17 Apr 2012 10:25:10 +0200
926
1cf154b7
DM
927libpve-access-control (1.0-18) unstable; urgency=low
928
7d23b7ca 929 * fix bug #151: correctly parse username inside ticket
533219a1
DM
930
931 * fix bug #152: allow user to change his own password
1cf154b7
DM
932
933 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Apr 2012 09:40:15 +0200
934
2de14407
DM
935libpve-access-control (1.0-17) unstable; urgency=low
936
937 * set propagate flag by default
938
939 -- Proxmox Support Team <support@proxmox.com> Thu, 01 Mar 2012 12:40:19 +0100
940
bdc61d7a
DM
941libpve-access-control (1.0-16) unstable; urgency=low
942
943 * add 'pveum passwd' method
944
945 -- Proxmox Support Team <support@proxmox.com> Thu, 23 Feb 2012 12:05:25 +0100
946
cc7bdf33
DM
947libpve-access-control (1.0-15) unstable; urgency=low
948
949 * Add VM.Config.CDROM privilege to PVEVMUser rule
950
951 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 11:44:23 +0100
952
a69bbe2e
DM
953libpve-access-control (1.0-14) unstable; urgency=low
954
955 * fix bug in userid-param permission check
956
957 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 10:52:35 +0100
958
d9483d94
DM
959libpve-access-control (1.0-13) unstable; urgency=low
960
961 * allow more characters in ldap base_dn attribute
962
963 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 06:17:02 +0100
964
84619607
DM
965libpve-access-control (1.0-12) unstable; urgency=low
966
967 * allow more characters with realm IDs
968
969 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Feb 2012 08:50:33 +0100
970
09d27058
DM
971libpve-access-control (1.0-11) unstable; urgency=low
972
973 * fix bug in exec_api2_perm_check
974
975 -- Proxmox Support Team <support@proxmox.com> Wed, 15 Feb 2012 07:06:30 +0100
976
7a4c849e
DM
977libpve-access-control (1.0-10) unstable; urgency=low
978
979 * fix ACL group name parser
980
981 * changed 'pveum aclmod' command line arguments
982
983 -- Proxmox Support Team <support@proxmox.com> Tue, 14 Feb 2012 12:08:02 +0100
984
3eac4e35
DM
985libpve-access-control (1.0-9) unstable; urgency=low
986
987 * fix bug in check_volume_access (fixes vzrestore)
988
989 -- Proxmox Support Team <support@proxmox.com> Mon, 13 Feb 2012 09:56:37 +0100
990
4384e19e
DM
991libpve-access-control (1.0-8) unstable; urgency=low
992
993 * fix return value for empty ACL list.
994
995 -- Proxmox Support Team <support@proxmox.com> Fri, 10 Feb 2012 11:25:04 +0100
996
d8a56966
DM
997libpve-access-control (1.0-7) unstable; urgency=low
998
999 * fix bug #85: allow root@pam to generate tickets for other users
1000
1001 -- Proxmox Support Team <support@proxmox.com> Tue, 17 Jan 2012 06:40:18 +0100
1002
cb6f2f93
DM
1003libpve-access-control (1.0-6) unstable; urgency=low
1004
1005 * API change: allow to filter enabled/disabled users.
1006
1007 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Jan 2012 12:30:37 +0100
1008
272fe9ff
DM
1009libpve-access-control (1.0-5) unstable; urgency=low
1010
1011 * add a way to return file changes (diffs): set_result_changes()
1012
1013 -- Proxmox Support Team <support@proxmox.com> Tue, 20 Dec 2011 11:18:48 +0100
1014
e42eedbc
DM
1015libpve-access-control (1.0-4) unstable; urgency=low
1016
1017 * new environment type for ha agents
1018
1019 -- Proxmox Support Team <support@proxmox.com> Tue, 13 Dec 2011 10:08:53 +0100
1020
1fba27e0
DM
1021libpve-access-control (1.0-3) unstable; urgency=low
1022
1023 * add support for delayed parameter parsing - We need that to disable
7d23b7ca 1024 file upload for normal API request (avoid DOS attacks)
1fba27e0
DM
1025
1026 -- Proxmox Support Team <support@proxmox.com> Fri, 02 Dec 2011 09:56:10 +0100
1027
5bf71a96
DM
1028libpve-access-control (1.0-2) unstable; urgency=low
1029
1030 * fix bug in fork_worker
1031
1032 -- Proxmox Support Team <support@proxmox.com> Tue, 11 Oct 2011 08:37:05 +0200
1033
2c3a6c0a
DM
1034libpve-access-control (1.0-1) unstable; urgency=low
1035
1036 * allow '-' in permission paths
1037
1038 * bump version to 1.0
1039
1040 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Jun 2011 13:51:48 +0200
1041
1042libpve-access-control (0.1) unstable; urgency=low
1043
1044 * first dummy package - no functionality
1045
1046 -- Proxmox Support Team <support@proxmox.com> Thu, 09 Jul 2009 16:03:00 +0200
1047