]>
Commit | Line | Data |
---|---|---|
2c74a9ab TL |
1 | libpve-access-control (8.1.4) bookworm; urgency=medium |
2 | ||
3 | * fix #5335: sort ACL entries in user.cfg to make it easier to track changes | |
4 | ||
5 | -- Proxmox Support Team <support@proxmox.com> Mon, 22 Apr 2024 13:45:22 +0200 | |
6 | ||
787e4c06 TL |
7 | libpve-access-control (8.1.3) bookworm; urgency=medium |
8 | ||
9 | * user: password change: require confirmation-password parameter so that | |
10 | anybody gaining local or physical access to a device where a user is | |
11 | logged in on a Proxmox VE web-interface cannot give them more permanent | |
12 | access or deny the actual user accessing their account by changing the | |
13 | password. Note that such an attack scenario means that the attacker | |
14 | already has high privileges and can already control the resource | |
15 | completely through another attack. | |
16 | Such initial attacks (like stealing an unlocked device) are almost always | |
17 | are outside of the control of our projects. Still, hardening the API a bit | |
18 | by requiring a confirmation of the original password is to cheap to | |
19 | implement to not do so. | |
20 | ||
21 | * jobs: realm sync: fix scheduled LDAP syncs not applying all attributes, | |
22 | like comments, correctly | |
23 | ||
24 | -- Proxmox Support Team <support@proxmox.com> Fri, 22 Mar 2024 14:14:36 +0100 | |
25 | ||
85f61297 TL |
26 | libpve-access-control (8.1.2) bookworm; urgency=medium |
27 | ||
28 | * add Sys.AccessNetwork privilege | |
29 | ||
30 | -- Proxmox Support Team <support@proxmox.com> Wed, 28 Feb 2024 15:42:12 +0100 | |
31 | ||
588927f1 TL |
32 | libpve-access-control (8.1.1) bookworm; urgency=medium |
33 | ||
34 | * LDAP sync: fix-up assembling valid attribute set | |
35 | ||
36 | -- Proxmox Support Team <support@proxmox.com> Thu, 08 Feb 2024 19:03:26 +0100 | |
37 | ||
6324cbb3 TL |
38 | libpve-access-control (8.1.0) bookworm; urgency=medium |
39 | ||
40 | * api: user: limit the legacy user-keys option to the depreacated values | |
41 | that could be set in the first limited TFA system, like e.g., 'x!yubico' | |
42 | or base32 encoded secrets. | |
43 | ||
44 | * oidc: enforce generic URI regex for the ACR value to align with OIDC | |
45 | specifications and with Proxmox Backup Server, which was recently changed | |
46 | to actually be less strict. | |
47 | ||
48 | * LDAP sync: improve validation of synced attributes, closely limit the | |
49 | mapped attributes names and their values to avoid glitches through odd | |
50 | LDIF entries. | |
51 | ||
52 | * api: user: limit maximum length for first & last name to 1024 characters, | |
53 | email to 254 characters (the maximum actually useable in practice) and | |
54 | comment properties to 2048 characters. This avoid that a few single users | |
55 | bloat the user.cfg to much by mistake, reducing the total amount of users | |
56 | and ACLs that can be set up. Note that only users with User.Modify and | |
57 | realm syncs (setup by admins) can change these in the first place, so this | |
58 | is mostly to avoid mishaps and just to be sure. | |
59 | ||
60 | -- Proxmox Support Team <support@proxmox.com> Thu, 08 Feb 2024 17:50:59 +0100 | |
61 | ||
ffc4e503 WB |
62 | libpve-access-control (8.0.7) bookworm; urgency=medium |
63 | ||
64 | * fix #1148: allow up to three levels of pool nesting | |
65 | ||
66 | * pools: record parent/subpool information | |
67 | ||
68 | -- Proxmox Support Team <support@proxmox.com> Mon, 20 Nov 2023 12:24:13 +0100 | |
69 | ||
401e3205 TL |
70 | libpve-access-control (8.0.6) bookworm; urgency=medium |
71 | ||
72 | * perms: fix wrong /pools entry in default set of ACL paths | |
73 | ||
74 | * acl: add missing SDN ACL paths to allowed list | |
75 | ||
76 | -- Proxmox Support Team <support@proxmox.com> Fri, 17 Nov 2023 08:27:11 +0100 | |
77 | ||
b8a52eac WB |
78 | libpve-access-control (8.0.5) bookworm; urgency=medium |
79 | ||
80 | * fix an issue where setting ldap passwords would refuse to work unless | |
81 | at least one additional property was changed as well | |
82 | ||
83 | * add 'check-connection' parameter to create and update endpoints for ldap | |
84 | based realms | |
85 | ||
86 | -- Proxmox Support Team <support@proxmox.com> Fri, 11 Aug 2023 13:35:23 +0200 | |
87 | ||
33e4480a WB |
88 | libpve-access-control (8.0.4) bookworm; urgency=medium |
89 | ||
90 | * Lookup of second factors is no longer tied to the 'keys' field in the | |
91 | user.cfg. This fixes an issue where certain LDAP/AD sync job settings | |
92 | could disable user-configured 2nd factors. | |
93 | ||
94 | * Existing-but-disabled TFA factors can no longer circumvent realm-mandated | |
95 | TFA. | |
96 | ||
97 | -- Proxmox Support Team <support@proxmox.com> Thu, 20 Jul 2023 10:59:21 +0200 | |
98 | ||
8a856968 TL |
99 | libpve-access-control (8.0.3) bookworm; urgency=medium |
100 | ||
101 | * pveum: list tfa: recovery keys have no descriptions | |
102 | ||
103 | * pveum: list tfa: sort by user ID | |
104 | ||
105 | * drop assert_new_tfa_config_available for Proxmox VE 8, as the new format | |
106 | is understood since pve-manager 7.0-15, and users must upgrade to Proxmox | |
107 | VE 7.4 before upgrading to Proxmox VE 8 in addition to that. | |
108 | ||
109 | -- Proxmox Support Team <support@proxmox.com> Wed, 21 Jun 2023 19:45:29 +0200 | |
110 | ||
1852a929 TL |
111 | libpve-access-control (8.0.2) bookworm; urgency=medium |
112 | ||
113 | * api: users: sort groups to avoid "flapping" text | |
114 | ||
115 | * api: tfa: don't block tokens from viewing and list TFA entries, both are | |
116 | safe to do for anybody with enough permissions to view a user. | |
117 | ||
118 | * api: tfa: add missing links for child-routes | |
119 | ||
120 | -- Proxmox Support Team <support@proxmox.com> Wed, 21 Jun 2023 18:13:54 +0200 | |
121 | ||
ebf82c77 TL |
122 | libpve-access-control (8.0.1) bookworm; urgency=medium |
123 | ||
124 | * tfa: cope with native versions in cluster version check | |
125 | ||
126 | -- Proxmox Support Team <support@proxmox.com> Fri, 09 Jun 2023 16:12:01 +0200 | |
127 | ||
6004f25e TL |
128 | libpve-access-control (8.0.0) bookworm; urgency=medium |
129 | ||
130 | * api: roles: forbid creating new roles starting with "PVE" namespace | |
131 | ||
132 | -- Proxmox Support Team <support@proxmox.com> Fri, 09 Jun 2023 10:14:28 +0200 | |
133 | ||
8e8023b1 TL |
134 | libpve-access-control (8.0.0~3) bookworm; urgency=medium |
135 | ||
136 | * rpcenv: api permission heuristic: query Sys.Modify for root ACL-path | |
137 | ||
138 | * access control: add /sdn/zones/<zone>/<vnet>/<vlan> ACL object path | |
139 | ||
140 | * add helper for checking bridge access | |
141 | ||
142 | * add new SDN.Use privilege in PVESDNUser role, allowing one to specify | |
143 | which user are allowed to use a bridge (or vnet, if SDN is installed) | |
144 | ||
145 | * add privileges and paths for cluster resource mapping | |
146 | ||
147 | -- Proxmox Support Team <support@proxmox.com> Wed, 07 Jun 2023 19:06:54 +0200 | |
148 | ||
3ef602fe TL |
149 | libpve-access-control (8.0.0~2) bookworm; urgency=medium |
150 | ||
151 | * api: user index: only include existing tfa lock flags | |
152 | ||
153 | * add realm-sync plugin for jobs and CRUD api for realm-sync-jobs | |
154 | ||
155 | * roles: only include Permissions.Modify in Administrator built-in role. | |
156 | As, depending on the ACL object path, this privilege might allow one to | |
157 | change their own permissions, which was making the distinction between | |
158 | Admin and PVEAdmin irrelevant. | |
159 | ||
160 | * acls: restrict less-privileged ACL modifications. Through allocate | |
161 | permissions in pools, storages and virtual guests one can do some ACL | |
162 | modifications without having the Permissions.Modify privilege, lock those | |
163 | better down to ensure that one can only hand out only the subset of their | |
164 | own privileges, never more. Note that this is mostly future proofing, as | |
165 | the ACL object paths one could give out more permissions where already | |
166 | limiting the scope. | |
167 | ||
168 | -- Proxmox Support Team <support@proxmox.com> Wed, 07 Jun 2023 11:34:30 +0200 | |
169 | ||
f63364a7 WB |
170 | libpve-access-control (8.0.0~1) bookworm; urgency=medium |
171 | ||
172 | * bump pve-rs dependency to 0.8.3 | |
173 | ||
174 | * drop old verify_tfa api call (POST /access/tfa) | |
175 | ||
176 | * drop support for old login API: | |
177 | - 'new-format' is now considured to be 1 and ignored by the API | |
178 | ||
179 | * pam auth: set PAM_RHOST to allow pam configs to log/restrict/... by remote | |
180 | address | |
181 | ||
182 | * cli: add 'pveum tfa list' | |
183 | ||
184 | * cli: add 'pveum tfa unlock' | |
185 | ||
186 | * enable lockout of TFA: | |
187 | - too many TOTP attempts will lock out of TOTP | |
188 | - using a recovery key will unlock TOTP | |
189 | - too many TFA attempts will lock a user's TFA auth for an hour | |
190 | ||
191 | * api: add /access/users/<userid>/unlock-tfa to unlock a user's TFA | |
192 | authentication if it was locked by too many wrong 2nd factor login attempts | |
193 | ||
194 | * api: /access/tfa and /access/users now include the tfa lockout status | |
195 | ||
196 | -- Proxmox Support Team <support@proxmox.com> Mon, 05 Jun 2023 14:52:29 +0200 | |
197 | ||
a3dc6ff4 TL |
198 | libpve-access-control (7.99.0) bookworm; urgency=medium |
199 | ||
200 | * initial re-build for Proxmox VE 8.x series | |
201 | ||
202 | * switch to native versioning | |
203 | ||
204 | -- Proxmox Support Team <support@proxmox.com> Sun, 21 May 2023 10:34:19 +0200 | |
205 | ||
f2762a03 WB |
206 | libpve-access-control (7.4-3) bullseye; urgency=medium |
207 | ||
208 | * use new 2nd factor verification from pve-rs | |
209 | ||
210 | -- Proxmox Support Team <support@proxmox.com> Tue, 16 May 2023 13:31:28 +0200 | |
211 | ||
f0595d15 TL |
212 | libpve-access-control (7.4-2) bullseye; urgency=medium |
213 | ||
214 | * fix #4609: fix regression where a valid DN in the ldap/ad realm config | |
215 | wasn't accepted anymore | |
216 | ||
217 | -- Proxmox Support Team <support@proxmox.com> Thu, 23 Mar 2023 15:44:21 +0100 | |
218 | ||
a23eaa1a TL |
219 | libpve-access-control (7.4-1) bullseye; urgency=medium |
220 | ||
221 | * realm sync: refactor scope/remove-vanished into a standard option | |
222 | ||
223 | * ldap: Allow quoted values for DN attribute values | |
224 | ||
225 | -- Proxmox Support Team <support@proxmox.com> Mon, 20 Mar 2023 17:16:11 +0100 | |
226 | ||
df33b3b9 TL |
227 | libpve-access-control (7.3-2) bullseye; urgency=medium |
228 | ||
229 | * fix #4518: dramatically improve ACL computation performance | |
230 | ||
231 | * userid format: clarify that this is the full name@realm in description | |
232 | ||
233 | -- Proxmox Support Team <support@proxmox.com> Mon, 06 Mar 2023 11:40:11 +0100 | |
234 | ||
2da8c203 TL |
235 | libpve-access-control (7.3-1) bullseye; urgency=medium |
236 | ||
237 | * realm: sync: allow explicit 'none' for 'remove-vanished' option | |
238 | ||
239 | -- Proxmox Support Team <support@proxmox.com> Fri, 16 Dec 2022 13:11:04 +0100 | |
240 | ||
b84bf623 TL |
241 | libpve-access-control (7.2-5) bullseye; urgency=medium |
242 | ||
243 | * api: realm sync: avoid separate log line for "remove-vanished" opt | |
244 | ||
245 | * auth ldap/ad: compare group member dn case-insensitively | |
246 | ||
247 | * two factor auth: only lock tfa config for recovery keys | |
248 | ||
249 | * privs: add Sys.Incoming for guarding cross-cluster data streams like guest | |
250 | migrations and storage migrations | |
251 | ||
252 | -- Proxmox Support Team <support@proxmox.com> Thu, 17 Nov 2022 13:09:17 +0100 | |
253 | ||
f4e68e49 TL |
254 | libpve-access-control (7.2-4) bullseye; urgency=medium |
255 | ||
256 | * fix #4074: increase API OpenID code size limit to 2048 | |
257 | ||
258 | * auth key: protect against rare chance of a double rotation in clusters, | |
259 | leaving the potential that some set of nodes have the earlier key cached, | |
260 | that then got rotated out due to the race, resulting in a possible other | |
261 | set of nodes having the newer key cached. This is a split view of the auth | |
262 | key and may resulting in spurious failures if API requests are made to a | |
263 | different node than the ticket was generated on. | |
264 | In addition to that, the "keep validity of old tickets if signed in the | |
265 | last two hours before rotation" logic was disabled too in such a case, | |
266 | making such tickets invalid too early. | |
267 | Note that both are cases where Proxmox VE was too strict, so while this | |
268 | had no security implications it can be a nuisance, especially for | |
269 | environments that use the API through an automated or scripted way | |
270 | ||
271 | -- Proxmox Support Team <support@proxmox.com> Thu, 14 Jul 2022 08:36:51 +0200 | |
272 | ||
26dde491 TL |
273 | libpve-access-control (7.2-3) bullseye; urgency=medium |
274 | ||
275 | * api: token: use userid-group as API perm check to avoid being overly | |
276 | strict through a misguided use of user id for non-root users. | |
277 | ||
278 | * perm check: forbid undefined/empty ACL path for future proofing of against | |
279 | above issue | |
280 | ||
281 | -- Proxmox Support Team <support@proxmox.com> Mon, 20 Jun 2022 15:51:14 +0200 | |
282 | ||
1cf4389b TL |
283 | libpve-access-control (7.2-2) bullseye; urgency=medium |
284 | ||
285 | * permissions: merge propagation flag for multiple roles on a path that | |
286 | share privilege in a deterministic way, to avoid that it gets lost | |
287 | depending on perl's random sort, which would result in returing less | |
288 | privileges than an auth-id actually had. | |
289 | ||
290 | * permissions: avoid that token and user privilege intersection is to strict | |
291 | for user permissions that have propagation disabled. | |
292 | ||
293 | -- Proxmox Support Team <support@proxmox.com> Fri, 03 Jun 2022 14:02:30 +0200 | |
294 | ||
e3604d48 TL |
295 | libpve-access-control (7.2-1) bullseye; urgency=medium |
296 | ||
297 | * user check: fix expiration/enable order | |
298 | ||
299 | -- Proxmox Support Team <support@proxmox.com> Tue, 31 May 2022 13:43:37 +0200 | |
300 | ||
79ae250f TL |
301 | libpve-access-control (7.1-8) bullseye; urgency=medium |
302 | ||
303 | * fix #3668: realm-sync: replace 'full' & 'purge' with 'remove- | |
304 | vanished' | |
305 | ||
306 | -- Proxmox Support Team <support@proxmox.com> Thu, 28 Apr 2022 17:02:46 +0200 | |
307 | ||
eed46286 TL |
308 | libpve-access-control (7.1-7) bullseye; urgency=medium |
309 | ||
310 | * userid-group check: distinguish create and update | |
311 | ||
312 | * api: get user: declare token schema | |
313 | ||
314 | -- Proxmox Support Team <support@proxmox.com> Mon, 21 Mar 2022 16:15:23 +0100 | |
315 | ||
cd78b295 FG |
316 | libpve-access-control (7.1-6) bullseye; urgency=medium |
317 | ||
318 | * fix #3768: warn on bad u2f or webauthn settings | |
319 | ||
320 | * tfa: when modifying others, verify the current user's password | |
321 | ||
322 | * tfa list: account for admin permissions | |
323 | ||
324 | * fix realm sync permissions | |
325 | ||
326 | * fix token permission display bug | |
327 | ||
328 | * include SDN permissions in permission tree | |
329 | ||
330 | -- Proxmox Support Team <support@proxmox.com> Fri, 21 Jan 2022 14:20:42 +0100 | |
331 | ||
118088d8 TL |
332 | libpve-access-control (7.1-5) bullseye; urgency=medium |
333 | ||
334 | * openid: fix username-claim fallback | |
335 | ||
336 | -- Proxmox Support Team <support@proxmox.com> Thu, 25 Nov 2021 07:57:38 +0100 | |
337 | ||
ebb14277 WB |
338 | libpve-access-control (7.1-4) bullseye; urgency=medium |
339 | ||
340 | * set current origin in the webauthn config if no fixed origin was | |
341 | configured, to support webauthn via subdomains | |
342 | ||
343 | -- Proxmox Support Team <support@proxmox.com> Mon, 22 Nov 2021 14:04:06 +0100 | |
344 | ||
44a55ff7 TL |
345 | libpve-access-control (7.1-3) bullseye; urgency=medium |
346 | ||
347 | * openid: allow arbitrary username-claims | |
348 | ||
349 | * openid: support configuring the prompt, scopes and ACR values | |
350 | ||
351 | -- Proxmox Support Team <support@proxmox.com> Fri, 19 Nov 2021 08:11:52 +0100 | |
352 | ||
6f643e79 TL |
353 | libpve-access-control (7.1-2) bullseye; urgency=medium |
354 | ||
355 | * catch incompatible tfa entries with a nice error | |
356 | ||
357 | -- Proxmox Support Team <support@proxmox.com> Wed, 17 Nov 2021 13:44:45 +0100 | |
358 | ||
92bca71e TL |
359 | libpve-access-control (7.1-1) bullseye; urgency=medium |
360 | ||
361 | * tfa: map HTTP 404 error in get_tfa_entry correctly | |
362 | ||
363 | -- Proxmox Support Team <support@proxmox.com> Mon, 15 Nov 2021 15:33:22 +0100 | |
364 | ||
1c9b6501 TL |
365 | libpve-access-control (7.0-7) bullseye; urgency=medium |
366 | ||
367 | * fix #3513: pass configured proxy to OpenID | |
368 | ||
369 | * use rust based parser for TFA config | |
370 | ||
371 | * use PBS-like auth api call flow, | |
372 | ||
373 | * merge old user.cfg keys to tfa config when adding entries | |
374 | ||
375 | * implement version checks for new tfa config writer to ensure all | |
376 | cluster nodes are ready to avoid login issues | |
377 | ||
378 | * tickets: add tunnel ticket | |
379 | ||
380 | -- Proxmox Support Team <support@proxmox.com> Thu, 11 Nov 2021 18:17:49 +0100 | |
381 | ||
cd46b379 TL |
382 | libpve-access-control (7.0-6) bullseye; urgency=medium |
383 | ||
384 | * fix regression in user deletion when realm does not enforce TFA | |
385 | ||
386 | -- Proxmox Support Team <support@proxmox.com> Thu, 21 Oct 2021 12:28:52 +0200 | |
387 | ||
52da88a8 TL |
388 | libpve-access-control (7.0-5) bullseye; urgency=medium |
389 | ||
390 | * acl: check path: add /sdn/vnets/* path | |
391 | ||
392 | * fix #2302: allow deletion of users when realm enforces TFA | |
393 | ||
394 | * api: delete user: disable user first to avoid surprise on error during the | |
395 | various cleanup action required for user deletion (e.g., TFA, ACL, group) | |
396 | ||
397 | -- Proxmox Support Team <support@proxmox.com> Mon, 27 Sep 2021 15:50:47 +0200 | |
398 | ||
543d646c TL |
399 | libpve-access-control (7.0-4) bullseye; urgency=medium |
400 | ||
401 | * realm: add OpenID configuration | |
402 | ||
403 | * api: implement OpenID related endpoints | |
404 | ||
405 | * implement opt-in OpenID autocreate user feature | |
406 | ||
407 | * api: user: add 'realm-type' to user list response | |
408 | ||
409 | -- Proxmox Support Team <support@proxmox.com> Fri, 02 Jul 2021 13:45:46 +0200 | |
410 | ||
7a4c4fd8 TL |
411 | libpve-access-control (7.0-3) bullseye; urgency=medium |
412 | ||
413 | * api: acl: add missing `/access/realm/<realm>`, `/access/group/<group>` and | |
414 | `/sdn/zones/<zone>` to allowed ACL paths | |
415 | ||
416 | -- Proxmox Support Team <support@proxmox.com> Mon, 21 Jun 2021 10:31:19 +0200 | |
417 | ||
0902a936 FG |
418 | libpve-access-control (7.0-2) bullseye; urgency=medium |
419 | ||
420 | * fix #3402: add Pool.Audit privilege - custom roles containing | |
421 | Pool.Allocate must be updated to include the new privilege. | |
422 | ||
423 | -- Proxmox Support Team <support@proxmox.com> Tue, 1 Jun 2021 11:28:38 +0200 | |
424 | ||
67febb69 TL |
425 | libpve-access-control (7.0-1) bullseye; urgency=medium |
426 | ||
427 | * re-build for Debian 11 Bullseye based releases | |
428 | ||
429 | -- Proxmox Support Team <support@proxmox.com> Sun, 09 May 2021 18:18:23 +0200 | |
430 | ||
2942ba41 TL |
431 | libpve-access-control (6.4-1) pve; urgency=medium |
432 | ||
433 | * fix #1670: change PAM service name to project specific name | |
434 | ||
435 | * fix #1500: permission path syntax check for access control | |
436 | ||
437 | * pveum: add resource pool CLI commands | |
438 | ||
439 | -- Proxmox Support Team <support@proxmox.com> Sat, 24 Apr 2021 19:48:21 +0200 | |
440 | ||
54d312f3 TL |
441 | libpve-access-control (6.1-3) pve; urgency=medium |
442 | ||
443 | * partially fix #2825: authkey: rotate if it was generated in the | |
444 | future | |
445 | ||
446 | * fix #2947: add an option to LDAP or AD realm to switch user lookup to case | |
447 | insensitive | |
448 | ||
449 | -- Proxmox Support Team <support@proxmox.com> Tue, 29 Sep 2020 08:54:13 +0200 | |
450 | ||
6a9be12f TL |
451 | libpve-access-control (6.1-2) pve; urgency=medium |
452 | ||
453 | * also check SDN permission path when computing coarse permissions heuristic | |
454 | for UIs | |
455 | ||
456 | * add SDN Permissions.Modify | |
457 | ||
458 | * add VM.Config.Cloudinit | |
459 | ||
460 | -- Proxmox Support Team <support@proxmox.com> Tue, 30 Jun 2020 13:06:56 +0200 | |
461 | ||
e6624f50 TL |
462 | libpve-access-control (6.1-1) pve; urgency=medium |
463 | ||
464 | * pveum: add tfa delete subcommand for deleting user-TFA | |
465 | ||
466 | * LDAP: don't complain about missing credentials on realm removal | |
467 | ||
468 | * LDAP: skip anonymous bind when client certificate and key is configured | |
469 | ||
470 | -- Proxmox Support Team <support@proxmox.com> Fri, 08 May 2020 17:47:41 +0200 | |
471 | ||
8f4a522f TL |
472 | libpve-access-control (6.0-7) pve; urgency=medium |
473 | ||
474 | * fix #2575: die when trying to edit built-in roles | |
475 | ||
476 | * add realm sub commands to pveum CLI tool | |
477 | ||
7d23b7ca | 478 | * api: domains: add user group sync API endpoint |
8f4a522f TL |
479 | |
480 | * allow one to sync and import users and groups from LDAP/AD based realms | |
481 | ||
482 | * realm: add default-sync-options to config for more convenient sync configuration | |
483 | ||
484 | * api: token create: return also full token id for convenience | |
485 | ||
486 | -- Proxmox Support Team <support@proxmox.com> Sat, 25 Apr 2020 19:35:17 +0200 | |
487 | ||
23059f35 TL |
488 | libpve-access-control (6.0-6) pve; urgency=medium |
489 | ||
490 | * API: add group members to group index | |
491 | ||
492 | * implement API token support and management | |
493 | ||
494 | * pveum: add 'pveum user token add/update/remove/list' | |
495 | ||
496 | * pveum: add permissions sub-commands | |
497 | ||
498 | * API: add 'permissions' API endpoint | |
499 | ||
500 | * user.cfg: skip inexisting roles when parsing ACLs | |
501 | ||
502 | -- Proxmox Support Team <support@proxmox.com> Wed, 29 Jan 2020 10:17:27 +0100 | |
503 | ||
3dd692e9 TL |
504 | libpve-access-control (6.0-5) pve; urgency=medium |
505 | ||
506 | * pveum: add list command for users, groups, ACLs and roles | |
507 | ||
508 | * add initial permissions for experimental SDN integration | |
509 | ||
510 | -- Proxmox Support Team <support@proxmox.com> Tue, 26 Nov 2019 17:56:37 +0100 | |
511 | ||
4ef92d0d FG |
512 | libpve-access-control (6.0-4) pve; urgency=medium |
513 | ||
514 | * ticket: use clinfo to get cluster name | |
515 | ||
516 | * ldaps: add sslversion configuration property to support TLS 1.1 to 1.3 as | |
517 | SSL version | |
518 | ||
519 | -- Proxmox Support Team <support@proxmox.com> Mon, 18 Nov 2019 11:55:11 +0100 | |
520 | ||
6e5bbca4 TL |
521 | libpve-access-control (6.0-3) pve; urgency=medium |
522 | ||
523 | * fix #2433: increase possible TFA secret length | |
524 | ||
525 | * parse user configuration: correctly parse group names in ACLs, for users | |
526 | which begin their name with an @ | |
527 | ||
528 | * sort user.cfg entries alphabetically | |
529 | ||
530 | -- Proxmox Support Team <support@proxmox.com> Tue, 29 Oct 2019 08:52:23 +0100 | |
531 | ||
e073493c TL |
532 | libpve-access-control (6.0-2) pve; urgency=medium |
533 | ||
534 | * improve CSRF verification compatibility with newer PVE | |
535 | ||
536 | -- Proxmox Support Team <support@proxmox.com> Wed, 26 Jun 2019 20:24:35 +0200 | |
537 | ||
a237dc2e TL |
538 | libpve-access-control (6.0-1) pve; urgency=medium |
539 | ||
540 | * ticket: properly verify exactly 5 minute old tickets | |
541 | ||
542 | * use hmac_sha256 instead of sha1 for CSRF token generation | |
543 | ||
544 | -- Proxmox Support Team <support@proxmox.com> Mon, 24 Jun 2019 18:14:45 +0200 | |
545 | ||
f1531f22 TL |
546 | libpve-access-control (6.0-0+1) pve; urgency=medium |
547 | ||
548 | * bump for Debian buster | |
549 | ||
550 | * fix #2079: add periodic auth key rotation | |
551 | ||
552 | -- Proxmox Support Team <support@proxmox.com> Tue, 21 May 2019 21:31:15 +0200 | |
553 | ||
ef761f51 TL |
554 | libpve-access-control (5.1-10) unstable; urgency=medium |
555 | ||
556 | * add /access/user/{id}/tfa api call to get tfa types | |
557 | ||
558 | -- Proxmox Support Team <support@proxmox.com> Wed, 15 May 2019 16:21:10 +0200 | |
559 | ||
860ddcba TL |
560 | libpve-access-control (5.1-9) unstable; urgency=medium |
561 | ||
562 | * store the tfa type in user.cfg allowing to get it without proxying the call | |
7d23b7ca | 563 | to a higher privileged daemon. |
860ddcba TL |
564 | |
565 | * tfa: realm required TFA should lock out users without TFA configured, as it | |
566 | was done before Proxmox VE 5.4 | |
567 | ||
568 | -- Proxmox Support Team <support@proxmox.com> Tue, 30 Apr 2019 14:01:00 +0000 | |
569 | ||
9fbad012 TL |
570 | libpve-access-control (5.1-8) unstable; urgency=medium |
571 | ||
572 | * U2F: ensure we save correct public key on registration | |
573 | ||
574 | -- Proxmox Support Team <support@proxmox.com> Tue, 09 Apr 2019 12:47:12 +0200 | |
575 | ||
4473c96c TL |
576 | libpve-access-control (5.1-7) unstable; urgency=medium |
577 | ||
578 | * verify_ticket: allow general non-challenge tfa to be run as two step | |
579 | call | |
580 | ||
581 | -- Proxmox Support Team <support@proxmox.com> Mon, 08 Apr 2019 16:56:14 +0200 | |
582 | ||
a270d4e1 TL |
583 | libpve-access-control (5.1-6) unstable; urgency=medium |
584 | ||
585 | * more general 2FA configuration via priv/tfa.cfg | |
586 | ||
587 | * add u2f api endpoints | |
588 | ||
589 | * delete TFA entries when deleting a user | |
590 | ||
591 | * allow users to change their TOTP settings | |
592 | ||
593 | -- Proxmox Support Team <support@proxmox.com> Wed, 03 Apr 2019 13:40:26 +0200 | |
594 | ||
374647e8 TL |
595 | libpve-access-control (5.1-5) unstable; urgency=medium |
596 | ||
597 | * fix vnc ticket verification without authkey lifetime | |
598 | ||
599 | -- Proxmox Support Team <support@proxmox.com> Mon, 18 Mar 2019 10:43:17 +0100 | |
600 | ||
7fb70c94 TL |
601 | libpve-access-control (5.1-4) unstable; urgency=medium |
602 | ||
603 | * fix #1891: Add zsh command completion for pveum | |
604 | ||
605 | * ground work to fix #2079: add periodic auth key rotation. Not yet enabled | |
606 | to avoid issues on upgrade, will be enabled with 6.0 | |
607 | ||
608 | -- Proxmox Support Team <support@proxmox.com> Mon, 18 Mar 2019 09:12:05 +0100 | |
609 | ||
6e010cde TL |
610 | libpve-access-control (5.1-3) unstable; urgency=medium |
611 | ||
612 | * api/ticket: move getting cluster name into an eval | |
613 | ||
614 | -- Proxmox Support Team <support@proxmox.com> Thu, 29 Nov 2018 12:59:36 +0100 | |
615 | ||
f5a9380a TL |
616 | libpve-access-control (5.1-2) unstable; urgency=medium |
617 | ||
618 | * fix #1998: correct return properties for read_role | |
619 | ||
620 | -- Proxmox Support Team <support@proxmox.com> Fri, 23 Nov 2018 14:22:40 +0100 | |
621 | ||
b54b7474 TL |
622 | libpve-access-control (5.1-1) unstable; urgency=medium |
623 | ||
624 | * pveum: introduce sub-commands | |
625 | ||
626 | * register userid with completion | |
627 | ||
628 | * fix #233: return cluster name on successful login | |
629 | ||
630 | -- Proxmox Support Team <support@proxmox.com> Thu, 15 Nov 2018 09:34:47 +0100 | |
631 | ||
52192dd4 WB |
632 | libpve-access-control (5.0-8) unstable; urgency=medium |
633 | ||
634 | * fix #1612: ldap: make 2nd server work with bind domains again | |
635 | ||
636 | * fix an error message where passing a bad pool id to an API function would | |
637 | make it complain about a wrong group name instead | |
638 | ||
639 | * fix the API-returned permission list so that the GUI knows to show the | |
640 | 'Permissions' tab for a storage to an administrator apart from root@pam | |
641 | ||
642 | -- Proxmox Support Team <support@proxmox.com> Thu, 18 Jan 2018 13:34:50 +0100 | |
643 | ||
3dadf8cf FG |
644 | libpve-access-control (5.0-7) unstable; urgency=medium |
645 | ||
646 | * VM.Snapshot.Rollback privilege added | |
647 | ||
648 | * api: check for special roles before locking the usercfg | |
649 | ||
650 | * fix #1501: pveum: die when deleting special role | |
651 | ||
652 | * API/ticket: rework coarse grained permission computation | |
653 | ||
654 | -- Proxmox Support Team <support@proxmox.com> Thu, 5 Oct 2017 11:27:48 +0200 | |
655 | ||
ec4141f4 WB |
656 | libpve-access-control (5.0-6) unstable; urgency=medium |
657 | ||
658 | * Close #1470: Add server ceritifcate verification for AD and LDAP via the | |
659 | 'verify' option. For compatibility reasons this defaults to off for now, | |
660 | but that might change with future updates. | |
661 | ||
662 | * AD, LDAP: Add ability to specify a CA path or file, and a client | |
663 | certificate via the 'capath', 'cert' and 'certkey' options. | |
664 | ||
665 | -- Proxmox Support Team <support@proxmox.com> Tue, 08 Aug 2017 11:56:38 +0200 | |
666 | ||
63134bd4 DM |
667 | libpve-access-control (5.0-5) unstable; urgency=medium |
668 | ||
669 | * change from dpkg-deb to dpkg-buildpackage | |
670 | ||
671 | -- Proxmox Support Team <support@proxmox.com> Thu, 22 Jun 2017 09:12:37 +0200 | |
672 | ||
868fb1ea DM |
673 | libpve-access-control (5.0-4) unstable; urgency=medium |
674 | ||
675 | * PVE/CLI/pveum.pm: call setup_default_cli_env() | |
676 | ||
677 | * PVE/Auth/PVE.pm: encode uft8 password before calling crypt | |
678 | ||
679 | * check_api2_permissions: avoid warning about uninitialized value | |
680 | ||
681 | -- Proxmox Support Team <support@proxmox.com> Tue, 02 May 2017 11:58:15 +0200 | |
682 | ||
63358f40 DM |
683 | libpve-access-control (5.0-3) unstable; urgency=medium |
684 | ||
685 | * use new PVE::OTP class from pve-common | |
686 | ||
687 | * use new PVE::Tools::encrypt_pw from pve-common | |
688 | ||
689 | -- Proxmox Support Team <support@proxmox.com> Thu, 30 Mar 2017 17:45:55 +0200 | |
690 | ||
05fd50af DM |
691 | libpve-access-control (5.0-2) unstable; urgency=medium |
692 | ||
693 | * encrypt_pw: avoid '+' for crypt salt | |
694 | ||
695 | -- Proxmox Support Team <support@proxmox.com> Thu, 30 Mar 2017 08:54:10 +0200 | |
696 | ||
0835385b FG |
697 | libpve-access-control (5.0-1) unstable; urgency=medium |
698 | ||
699 | * rebuild for PVE 5.0 | |
700 | ||
701 | -- Proxmox Support Team <support@proxmox.com> Mon, 6 Mar 2017 13:42:01 +0100 | |
702 | ||
730f8863 DM |
703 | libpve-access-control (4.0-23) unstable; urgency=medium |
704 | ||
705 | * use new PVE::Ticket class | |
706 | ||
707 | -- Proxmox Support Team <support@proxmox.com> Thu, 19 Jan 2017 13:42:06 +0100 | |
708 | ||
1f1c4593 DM |
709 | libpve-access-control (4.0-22) unstable; urgency=medium |
710 | ||
711 | * RPCEnvironment: removed check_volume_access() to avoid cyclic dependency | |
712 | (moved to PVE::Storage) | |
713 | ||
714 | * PVE::PCEnvironment: use new PVE::RESTEnvironment as base class | |
715 | ||
716 | -- Proxmox Support Team <support@proxmox.com> Thu, 19 Jan 2017 09:12:04 +0100 | |
717 | ||
f9105063 DM |
718 | libpve-access-control (4.0-21) unstable; urgency=medium |
719 | ||
720 | * setup_default_cli_env: expect $class as first parameter | |
721 | ||
722 | -- Proxmox Support Team <support@proxmox.com> Thu, 12 Jan 2017 13:54:27 +0100 | |
723 | ||
9595066e DM |
724 | libpve-access-control (4.0-20) unstable; urgency=medium |
725 | ||
726 | * PVE/RPCEnvironment.pm: new function setup_default_cli_env | |
727 | ||
728 | * PVE/API2/Domains.pm: fix property description | |
729 | ||
730 | * use new repoman for upload target | |
731 | ||
732 | -- Proxmox Support Team <support@proxmox.com> Wed, 11 Jan 2017 12:13:26 +0100 | |
733 | ||
2af5a793 DM |
734 | libpve-access-control (4.0-19) unstable; urgency=medium |
735 | ||
736 | * Close #833: ldap: non-anonymous bind support | |
737 | ||
738 | * don't import 'RFC' from MIME::Base32 | |
739 | ||
740 | -- Proxmox Support Team <support@proxmox.com> Fri, 05 Aug 2016 13:09:08 +0200 | |
741 | ||
5d87bb77 WB |
742 | libpve-access-control (4.0-18) unstable; urgency=medium |
743 | ||
744 | * fix #1062: recognize base32 otp keys again | |
745 | ||
746 | -- Proxmox Support Team <support@proxmox.com> Thu, 21 Jul 2016 08:43:18 +0200 | |
747 | ||
28ddf48b WB |
748 | libpve-access-control (4.0-17) unstable; urgency=medium |
749 | ||
750 | * drop oathtool and libdigest-hmac-perl dependencies | |
751 | ||
752 | -- Proxmox Support Team <support@proxmox.com> Mon, 11 Jul 2016 12:03:22 +0200 | |
753 | ||
15cebb28 DM |
754 | libpve-access-control (4.0-16) unstable; urgency=medium |
755 | ||
756 | * use pve-doc-generator to generate man pages | |
757 | ||
758 | -- Proxmox Support Team <support@proxmox.com> Fri, 08 Apr 2016 07:06:05 +0200 | |
759 | ||
678df887 DM |
760 | libpve-access-control (4.0-15) unstable; urgency=medium |
761 | ||
762 | * Fix uninitialized warning when shadow.cfg does not exist | |
763 | ||
764 | -- Proxmox Support Team <support@proxmox.com> Fri, 01 Apr 2016 07:10:57 +0200 | |
765 | ||
cca9761a DM |
766 | libpve-access-control (4.0-14) unstable; urgency=medium |
767 | ||
768 | * Add is_worker to RPCEnvironment | |
769 | ||
770 | -- Proxmox Support Team <support@proxmox.com> Tue, 15 Mar 2016 16:47:34 +0100 | |
771 | ||
8643c99d DM |
772 | libpve-access-control (4.0-13) unstable; urgency=medium |
773 | ||
774 | * fix #916: allow HTTPS to access custom yubico url | |
775 | ||
776 | -- Proxmox Support Team <support@proxmox.com> Mon, 14 Mar 2016 11:39:23 +0100 | |
777 | ||
ae2a6bf9 DM |
778 | libpve-access-control (4.0-12) unstable; urgency=medium |
779 | ||
780 | * Catch certificate errors instead of segfaulting | |
781 | ||
782 | -- Proxmox Support Team <support@proxmox.com> Wed, 09 Mar 2016 14:41:01 +0100 | |
783 | ||
4836db5f DM |
784 | libpve-access-control (4.0-11) unstable; urgency=medium |
785 | ||
786 | * Fix #861: use safer sprintf formatting | |
787 | ||
788 | -- Proxmox Support Team <support@proxmox.com> Fri, 08 Jan 2016 12:52:39 +0100 | |
789 | ||
ccbe23dc DM |
790 | libpve-access-control (4.0-10) unstable; urgency=medium |
791 | ||
792 | * Auth::LDAP, Auth::AD: ipv6 support | |
793 | ||
794 | -- Proxmox Support Team <support@proxmox.com> Thu, 03 Dec 2015 12:09:32 +0100 | |
795 | ||
90399ca4 DM |
796 | libpve-access-control (4.0-9) unstable; urgency=medium |
797 | ||
798 | * pveum: implement bash completion | |
799 | ||
800 | -- Proxmox Support Team <support@proxmox.com> Thu, 01 Oct 2015 17:22:52 +0200 | |
801 | ||
364ffc13 DM |
802 | libpve-access-control (4.0-8) unstable; urgency=medium |
803 | ||
804 | * remove_storage_access: cleanup of access permissions for removed storage | |
805 | ||
806 | -- Proxmox Support Team <support@proxmox.com> Wed, 19 Aug 2015 15:39:15 +0200 | |
807 | ||
7c26cb4a DM |
808 | libpve-access-control (4.0-7) unstable; urgency=medium |
809 | ||
810 | * new helper to remove access permissions for removed VMs | |
811 | ||
812 | -- Proxmox Support Team <support@proxmox.com> Fri, 14 Aug 2015 07:57:02 +0200 | |
813 | ||
296afbd1 DM |
814 | libpve-access-control (4.0-6) unstable; urgency=medium |
815 | ||
816 | * improve parse_user_config, parse_shadow_config | |
817 | ||
818 | -- Proxmox Support Team <support@proxmox.com> Mon, 27 Jul 2015 13:14:33 +0200 | |
819 | ||
7d2df2ef DM |
820 | libpve-access-control (4.0-5) unstable; urgency=medium |
821 | ||
822 | * pveum: check for $cmd being defined | |
823 | ||
824 | -- Proxmox Support Team <support@proxmox.com> Wed, 10 Jun 2015 10:40:15 +0200 | |
825 | ||
98a34e3f DM |
826 | libpve-access-control (4.0-4) unstable; urgency=medium |
827 | ||
828 | * use activate-noawait triggers | |
829 | ||
830 | -- Proxmox Support Team <support@proxmox.com> Mon, 01 Jun 2015 12:25:31 +0200 | |
831 | ||
15462727 DM |
832 | libpve-access-control (4.0-3) unstable; urgency=medium |
833 | ||
834 | * IPv6 fixes | |
835 | ||
836 | * non-root buildfix | |
837 | ||
838 | -- Proxmox Support Team <support@proxmox.com> Wed, 27 May 2015 11:15:44 +0200 | |
839 | ||
bbf4cc9a DM |
840 | libpve-access-control (4.0-2) unstable; urgency=medium |
841 | ||
842 | * trigger pve-api-updates event | |
843 | ||
844 | -- Proxmox Support Team <support@proxmox.com> Tue, 05 May 2015 15:06:38 +0200 | |
845 | ||
dfbcf6d3 DM |
846 | libpve-access-control (4.0-1) unstable; urgency=medium |
847 | ||
848 | * bump version for Debian Jessie | |
849 | ||
850 | -- Proxmox Support Team <support@proxmox.com> Thu, 26 Feb 2015 11:22:01 +0100 | |
851 | ||
94971b3a DM |
852 | libpve-access-control (3.0-16) unstable; urgency=low |
853 | ||
854 | * root@pam can now be disabled in GUI. | |
855 | ||
856 | -- Proxmox Support Team <support@proxmox.com> Fri, 30 Jan 2015 06:20:22 +0100 | |
857 | ||
7b17c7cb DM |
858 | libpve-access-control (3.0-15) unstable; urgency=low |
859 | ||
860 | * oath: add 'step' and 'digits' option | |
861 | ||
862 | -- Proxmox Support Team <support@proxmox.com> Wed, 23 Jul 2014 06:59:52 +0200 | |
863 | ||
1abc2c0a DM |
864 | libpve-access-control (3.0-14) unstable; urgency=low |
865 | ||
866 | * add oath two factor auth | |
867 | ||
868 | * add oathkeygen binary to generate keys for oath | |
869 | ||
870 | * add yubico two factor auth | |
871 | ||
872 | * dedend on oathtool | |
873 | ||
874 | * depend on libmime-base32-perl | |
30be0de9 DM |
875 | |
876 | * allow to write builtin auth domains config (comment/tfa/default) | |
1abc2c0a DM |
877 | |
878 | -- Proxmox Support Team <support@proxmox.com> Thu, 17 Jul 2014 13:09:56 +0200 | |
879 | ||
298450ab DM |
880 | libpve-access-control (3.0-13) unstable; urgency=low |
881 | ||
882 | * use correct connection string for AD auth | |
883 | ||
884 | -- Proxmox Support Team <support@proxmox.com> Thu, 22 May 2014 07:16:09 +0200 | |
885 | ||
396034e4 DM |
886 | libpve-access-control (3.0-12) unstable; urgency=low |
887 | ||
888 | * add dummy API for GET /access/ticket (useful to generate login pages) | |
889 | ||
890 | -- Proxmox Support Team <support@proxmox.com> Wed, 30 Apr 2014 14:47:56 +0200 | |
891 | ||
26361123 DM |
892 | libpve-access-control (3.0-11) unstable; urgency=low |
893 | ||
894 | * Sets common hot keys for spice client | |
895 | ||
896 | -- Proxmox Support Team <support@proxmox.com> Fri, 31 Jan 2014 10:24:28 +0100 | |
897 | ||
3643383d DM |
898 | libpve-access-control (3.0-10) unstable; urgency=low |
899 | ||
900 | * implement helper to generate SPICE remote-viewer configuration | |
901 | ||
902 | * depend on libnet-ssleay-perl | |
903 | ||
904 | -- Proxmox Support Team <support@proxmox.com> Tue, 10 Dec 2013 10:45:08 +0100 | |
905 | ||
0baedcf7 DM |
906 | libpve-access-control (3.0-9) unstable; urgency=low |
907 | ||
908 | * prevent user enumeration attacks | |
e4f8fc2e DM |
909 | |
910 | * allow dots in access paths | |
0baedcf7 DM |
911 | |
912 | -- Proxmox Support Team <support@proxmox.com> Mon, 18 Nov 2013 09:06:38 +0100 | |
913 | ||
d4b63eae DM |
914 | libpve-access-control (3.0-8) unstable; urgency=low |
915 | ||
916 | * spice: use lowercase hostname in ticktet signature | |
917 | ||
918 | -- Proxmox Support Team <support@proxmox.com> Mon, 28 Oct 2013 08:11:57 +0100 | |
919 | ||
49594944 DM |
920 | libpve-access-control (3.0-7) unstable; urgency=low |
921 | ||
922 | * check_volume_access : use parse_volname instead of path, and remove | |
923 | path related code. | |
7c410d63 DM |
924 | |
925 | * use warnings instead of global -w flag. | |
49594944 DM |
926 | |
927 | -- Proxmox Support Team <support@proxmox.com> Tue, 01 Oct 2013 12:35:53 +0200 | |
928 | ||
fe7de5d0 DM |
929 | libpve-access-control (3.0-6) unstable; urgency=low |
930 | ||
931 | * use shorter spiceproxy tickets | |
932 | ||
933 | -- Proxmox Support Team <support@proxmox.com> Fri, 19 Jul 2013 12:39:09 +0200 | |
934 | ||
4cdd9507 DM |
935 | libpve-access-control (3.0-5) unstable; urgency=low |
936 | ||
937 | * add code to generate tickets for SPICE | |
938 | ||
939 | -- Proxmox Support Team <support@proxmox.com> Wed, 26 Jun 2013 13:08:32 +0200 | |
940 | ||
677f9ab0 DM |
941 | libpve-access-control (3.0-4) unstable; urgency=low |
942 | ||
943 | * moved add_vm_to_pool/remove_vm_from_pool from qemu-server | |
944 | ||
945 | -- Proxmox Support Team <support@proxmox.com> Tue, 14 May 2013 11:56:54 +0200 | |
946 | ||
139a8ecf DM |
947 | libpve-access-control (3.0-3) unstable; urgency=low |
948 | ||
7d23b7ca | 949 | * Add new role PVETemplateUser (and VM.Clone privilege) |
139a8ecf DM |
950 | |
951 | -- Proxmox Support Team <support@proxmox.com> Mon, 29 Apr 2013 11:42:15 +0200 | |
952 | ||
b78ce7c2 DM |
953 | libpve-access-control (3.0-2) unstable; urgency=low |
954 | ||
955 | * remove CGI.pm related code (pveproxy does not need that) | |
956 | ||
957 | -- Proxmox Support Team <support@proxmox.com> Mon, 15 Apr 2013 12:34:23 +0200 | |
958 | ||
786820f9 DM |
959 | libpve-access-control (3.0-1) unstable; urgency=low |
960 | ||
961 | * bump version for wheezy release | |
962 | ||
963 | -- Proxmox Support Team <support@proxmox.com> Fri, 15 Mar 2013 08:07:06 +0100 | |
964 | ||
e5ae5487 DM |
965 | libpve-access-control (1.0-26) unstable; urgency=low |
966 | ||
967 | * check_volume_access: fix access permissions for backup files | |
968 | ||
969 | -- Proxmox Support Team <support@proxmox.com> Thu, 28 Feb 2013 10:00:14 +0100 | |
970 | ||
e3e6510c DM |
971 | libpve-access-control (1.0-25) unstable; urgency=low |
972 | ||
973 | * add VM.Snapshot permission | |
974 | ||
975 | -- Proxmox Support Team <support@proxmox.com> Mon, 10 Sep 2012 09:23:32 +0200 | |
976 | ||
1e15ebe7 DM |
977 | libpve-access-control (1.0-24) unstable; urgency=low |
978 | ||
979 | * untaint path (allow root to restore arbitrary paths) | |
980 | ||
981 | -- Proxmox Support Team <support@proxmox.com> Wed, 06 Jun 2012 13:06:34 +0200 | |
982 | ||
437be042 DM |
983 | libpve-access-control (1.0-23) unstable; urgency=low |
984 | ||
985 | * correctly compute GUI capabilities (consider pools) | |
986 | ||
987 | -- Proxmox Support Team <support@proxmox.com> Wed, 30 May 2012 08:47:23 +0200 | |
988 | ||
5bb4e06a DM |
989 | libpve-access-control (1.0-22) unstable; urgency=low |
990 | ||
991 | * new plugin architecture for Auth modules, minor API change for Auth | |
992 | domains (new 'delete' parameter) | |
993 | ||
994 | -- Proxmox Support Team <support@proxmox.com> Wed, 16 May 2012 07:21:44 +0200 | |
995 | ||
3030a176 DM |
996 | libpve-access-control (1.0-21) unstable; urgency=low |
997 | ||
998 | * do not allow user names including slash | |
999 | ||
1000 | -- Proxmox Support Team <support@proxmox.com> Tue, 24 Apr 2012 10:07:47 +0200 | |
1001 | ||
1002 | libpve-access-control (1.0-20) unstable; urgency=low | |
1003 | ||
1004 | * add ability to fork cli workers in background | |
1005 | ||
1006 | -- Proxmox Support Team <support@proxmox.com> Wed, 18 Apr 2012 08:28:20 +0200 | |
1007 | ||
dd2cfee0 DM |
1008 | libpve-access-control (1.0-19) unstable; urgency=low |
1009 | ||
1010 | * return set of privileges on login - can be used to adopt GUI | |
1011 | ||
1012 | -- Proxmox Support Team <support@proxmox.com> Tue, 17 Apr 2012 10:25:10 +0200 | |
1013 | ||
1cf154b7 DM |
1014 | libpve-access-control (1.0-18) unstable; urgency=low |
1015 | ||
7d23b7ca | 1016 | * fix bug #151: correctly parse username inside ticket |
533219a1 DM |
1017 | |
1018 | * fix bug #152: allow user to change his own password | |
1cf154b7 DM |
1019 | |
1020 | -- Proxmox Support Team <support@proxmox.com> Wed, 11 Apr 2012 09:40:15 +0200 | |
1021 | ||
2de14407 DM |
1022 | libpve-access-control (1.0-17) unstable; urgency=low |
1023 | ||
1024 | * set propagate flag by default | |
1025 | ||
1026 | -- Proxmox Support Team <support@proxmox.com> Thu, 01 Mar 2012 12:40:19 +0100 | |
1027 | ||
bdc61d7a DM |
1028 | libpve-access-control (1.0-16) unstable; urgency=low |
1029 | ||
1030 | * add 'pveum passwd' method | |
1031 | ||
1032 | -- Proxmox Support Team <support@proxmox.com> Thu, 23 Feb 2012 12:05:25 +0100 | |
1033 | ||
cc7bdf33 DM |
1034 | libpve-access-control (1.0-15) unstable; urgency=low |
1035 | ||
1036 | * Add VM.Config.CDROM privilege to PVEVMUser rule | |
1037 | ||
1038 | -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 11:44:23 +0100 | |
1039 | ||
a69bbe2e DM |
1040 | libpve-access-control (1.0-14) unstable; urgency=low |
1041 | ||
1042 | * fix buf in userid-param permission check | |
1043 | ||
1044 | -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 10:52:35 +0100 | |
1045 | ||
d9483d94 DM |
1046 | libpve-access-control (1.0-13) unstable; urgency=low |
1047 | ||
1048 | * allow more characters in ldap base_dn attribute | |
1049 | ||
1050 | -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 06:17:02 +0100 | |
1051 | ||
84619607 DM |
1052 | libpve-access-control (1.0-12) unstable; urgency=low |
1053 | ||
1054 | * allow more characters with realm IDs | |
1055 | ||
1056 | -- Proxmox Support Team <support@proxmox.com> Mon, 20 Feb 2012 08:50:33 +0100 | |
1057 | ||
09d27058 DM |
1058 | libpve-access-control (1.0-11) unstable; urgency=low |
1059 | ||
1060 | * fix bug in exec_api2_perm_check | |
1061 | ||
1062 | -- Proxmox Support Team <support@proxmox.com> Wed, 15 Feb 2012 07:06:30 +0100 | |
1063 | ||
7a4c849e DM |
1064 | libpve-access-control (1.0-10) unstable; urgency=low |
1065 | ||
1066 | * fix ACL group name parser | |
1067 | ||
1068 | * changed 'pveum aclmod' command line arguments | |
1069 | ||
1070 | -- Proxmox Support Team <support@proxmox.com> Tue, 14 Feb 2012 12:08:02 +0100 | |
1071 | ||
3eac4e35 DM |
1072 | libpve-access-control (1.0-9) unstable; urgency=low |
1073 | ||
1074 | * fix bug in check_volume_access (fixes vzrestore) | |
1075 | ||
1076 | -- Proxmox Support Team <support@proxmox.com> Mon, 13 Feb 2012 09:56:37 +0100 | |
1077 | ||
4384e19e DM |
1078 | libpve-access-control (1.0-8) unstable; urgency=low |
1079 | ||
1080 | * fix return value for empty ACL list. | |
1081 | ||
1082 | -- Proxmox Support Team <support@proxmox.com> Fri, 10 Feb 2012 11:25:04 +0100 | |
1083 | ||
d8a56966 DM |
1084 | libpve-access-control (1.0-7) unstable; urgency=low |
1085 | ||
1086 | * fix bug #85: allow root@pam to generate tickets for other users | |
1087 | ||
1088 | -- Proxmox Support Team <support@proxmox.com> Tue, 17 Jan 2012 06:40:18 +0100 | |
1089 | ||
cb6f2f93 DM |
1090 | libpve-access-control (1.0-6) unstable; urgency=low |
1091 | ||
1092 | * API change: allow to filter enabled/disabled users. | |
1093 | ||
1094 | -- Proxmox Support Team <support@proxmox.com> Wed, 11 Jan 2012 12:30:37 +0100 | |
1095 | ||
272fe9ff DM |
1096 | libpve-access-control (1.0-5) unstable; urgency=low |
1097 | ||
1098 | * add a way to return file changes (diffs): set_result_changes() | |
1099 | ||
1100 | -- Proxmox Support Team <support@proxmox.com> Tue, 20 Dec 2011 11:18:48 +0100 | |
1101 | ||
e42eedbc DM |
1102 | libpve-access-control (1.0-4) unstable; urgency=low |
1103 | ||
1104 | * new environment type for ha agents | |
1105 | ||
1106 | -- Proxmox Support Team <support@proxmox.com> Tue, 13 Dec 2011 10:08:53 +0100 | |
1107 | ||
1fba27e0 DM |
1108 | libpve-access-control (1.0-3) unstable; urgency=low |
1109 | ||
1110 | * add support for delayed parameter parsing - We need that to disable | |
7d23b7ca | 1111 | file upload for normal API request (avoid DOS attacks) |
1fba27e0 DM |
1112 | |
1113 | -- Proxmox Support Team <support@proxmox.com> Fri, 02 Dec 2011 09:56:10 +0100 | |
1114 | ||
5bf71a96 DM |
1115 | libpve-access-control (1.0-2) unstable; urgency=low |
1116 | ||
1117 | * fix bug in fork_worker | |
1118 | ||
1119 | -- Proxmox Support Team <support@proxmox.com> Tue, 11 Oct 2011 08:37:05 +0200 | |
1120 | ||
2c3a6c0a DM |
1121 | libpve-access-control (1.0-1) unstable; urgency=low |
1122 | ||
1123 | * allow '-' in permission paths | |
1124 | ||
1125 | * bump version to 1.0 | |
1126 | ||
1127 | -- Proxmox Support Team <support@proxmox.com> Mon, 27 Jun 2011 13:51:48 +0200 | |
1128 | ||
1129 | libpve-access-control (0.1) unstable; urgency=low | |
1130 | ||
1131 | * first dummy package - no functionality | |
1132 | ||
1133 | -- Proxmox Support Team <support@proxmox.com> Thu, 09 Jul 2009 16:03:00 +0200 | |
1134 |