git.proxmox.com Git - pve-access-control.git/blame - debian/changelog
pools: record parent/subpool information
Commit Line Data
401e3205
TL
1 libpve-access-control (8.0.6) bookworm; urgency=medium
2
3 * perms: fix wrong /pools entry in default set of ACL paths
4
5 * acl: add missing SDN ACL paths to allowed list
6
7 -- Proxmox Support Team <support@proxmox.com> Fri, 17 Nov 2023 08:27:11 +0100
8
b8a52eac
WB
9 libpve-access-control (8.0.5) bookworm; urgency=medium
10
11 * fix an issue where setting ldap passwords would refuse to work unless
12 at least one additional property was changed as well
13
14 * add 'check-connection' parameter to create and update endpoints for ldap
15 based realms
16
17 -- Proxmox Support Team <support@proxmox.com> Fri, 11 Aug 2023 13:35:23 +0200
18
33e4480a
WB
19 libpve-access-control (8.0.4) bookworm; urgency=medium
20
21 * Lookup of second factors is no longer tied to the 'keys' field in the
22 user.cfg. This fixes an issue where certain LDAP/AD sync job settings
23 could disable user-configured 2nd factors.
24
25 * Existing-but-disabled TFA factors can no longer circumvent realm-mandated
26 TFA.
27
28 -- Proxmox Support Team <support@proxmox.com> Thu, 20 Jul 2023 10:59:21 +0200
29
8a856968
TL
30 libpve-access-control (8.0.3) bookworm; urgency=medium
31
32 * pveum: list tfa: recovery keys have no descriptions
33
34 * pveum: list tfa: sort by user ID
35
36 * drop assert_new_tfa_config_available for Proxmox VE 8, as the new format
37 is understood since pve-manager 7.0-15, and users must upgrade to Proxmox
38 VE 7.4 before upgrading to Proxmox VE 8 in addition to that.
39
40 -- Proxmox Support Team <support@proxmox.com> Wed, 21 Jun 2023 19:45:29 +0200
41
1852a929
TL
42 libpve-access-control (8.0.2) bookworm; urgency=medium
43
44 * api: users: sort groups to avoid "flapping" text
45
46 * api: tfa: don't block tokens from viewing and listing TFA entries, both are
47 safe to do for anybody with enough permissions to view a user.
48
49 * api: tfa: add missing links for child-routes
50
51 -- Proxmox Support Team <support@proxmox.com> Wed, 21 Jun 2023 18:13:54 +0200
52
ebf82c77
TL
53 libpve-access-control (8.0.1) bookworm; urgency=medium
54
55 * tfa: cope with native versions in cluster version check
56
57 -- Proxmox Support Team <support@proxmox.com> Fri, 09 Jun 2023 16:12:01 +0200
58
6004f25e
TL
59 libpve-access-control (8.0.0) bookworm; urgency=medium
60
61 * api: roles: forbid creating new roles starting with "PVE" namespace
62
63 -- Proxmox Support Team <support@proxmox.com> Fri, 09 Jun 2023 10:14:28 +0200
64
8e8023b1
TL
65 libpve-access-control (8.0.0~3) bookworm; urgency=medium
66
67 * rpcenv: api permission heuristic: query Sys.Modify for root ACL-path
68
69 * access control: add /sdn/zones/<zone>/<vnet>/<vlan> ACL object path
70
71 * add helper for checking bridge access
72
73 * add new SDN.Use privilege in PVESDNUser role, allowing one to specify
74 which users are allowed to use a bridge (or vnet, if SDN is installed)
75
76 * add privileges and paths for cluster resource mapping
77
78 -- Proxmox Support Team <support@proxmox.com> Wed, 07 Jun 2023 19:06:54 +0200
79
3ef602fe
TL
80 libpve-access-control (8.0.0~2) bookworm; urgency=medium
81
82 * api: user index: only include existing tfa lock flags
83
84 * add realm-sync plugin for jobs and CRUD api for realm-sync-jobs
85
86 * roles: only include Permissions.Modify in Administrator built-in role.
87 As, depending on the ACL object path, this privilege might allow one to
88 change their own permissions, which was making the distinction between
89 Admin and PVEAdmin irrelevant.
90
91 * acls: restrict less-privileged ACL modifications. Through allocate
92 permissions in pools, storages and virtual guests one can do some ACL
93 modifications without having the Permissions.Modify privilege, lock those
94 better down to ensure that one can hand out only the subset of their
95 own privileges, never more. Note that this is mostly future proofing, as
96 the ACL object paths one could give out more permissions were already
97 limiting the scope.
98
99 -- Proxmox Support Team <support@proxmox.com> Wed, 07 Jun 2023 11:34:30 +0200
100
f63364a7
WB
101 libpve-access-control (8.0.0~1) bookworm; urgency=medium
102
103 * bump pve-rs dependency to 0.8.3
104
105 * drop old verify_tfa api call (POST /access/tfa)
106
107 * drop support for old login API:
108 - 'new-format' is now considered to be 1 and ignored by the API
109
110 * pam auth: set PAM_RHOST to allow pam configs to log/restrict/... by remote
111 address
112
113 * cli: add 'pveum tfa list'
114
115 * cli: add 'pveum tfa unlock'
116
117 * enable lockout of TFA:
118 - too many TOTP attempts will lock out of TOTP
119 - using a recovery key will unlock TOTP
120 - too many TFA attempts will lock a user's TFA auth for an hour
121
122 * api: add /access/users/<userid>/unlock-tfa to unlock a user's TFA
123 authentication if it was locked by too many wrong 2nd factor login attempts
124
125 * api: /access/tfa and /access/users now include the tfa lockout status
126
127 -- Proxmox Support Team <support@proxmox.com> Mon, 05 Jun 2023 14:52:29 +0200
128
a3dc6ff4
TL
129 libpve-access-control (7.99.0) bookworm; urgency=medium
130
131 * initial re-build for Proxmox VE 8.x series
132
133 * switch to native versioning
134
135 -- Proxmox Support Team <support@proxmox.com> Sun, 21 May 2023 10:34:19 +0200
136
f2762a03
WB
137 libpve-access-control (7.4-3) bullseye; urgency=medium
138
139 * use new 2nd factor verification from pve-rs
140
141 -- Proxmox Support Team <support@proxmox.com> Tue, 16 May 2023 13:31:28 +0200
142
f0595d15
TL
143 libpve-access-control (7.4-2) bullseye; urgency=medium
144
145 * fix #4609: fix regression where a valid DN in the ldap/ad realm config
146 wasn't accepted anymore
147
148 -- Proxmox Support Team <support@proxmox.com> Thu, 23 Mar 2023 15:44:21 +0100
149
a23eaa1a
TL
150 libpve-access-control (7.4-1) bullseye; urgency=medium
151
152 * realm sync: refactor scope/remove-vanished into a standard option
153
154 * ldap: Allow quoted values for DN attribute values
155
156 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Mar 2023 17:16:11 +0100
157
df33b3b9
TL
158 libpve-access-control (7.3-2) bullseye; urgency=medium
159
160 * fix #4518: dramatically improve ACL computation performance
161
162 * userid format: clarify that this is the full name@realm in description
163
164 -- Proxmox Support Team <support@proxmox.com> Mon, 06 Mar 2023 11:40:11 +0100
165
2da8c203
TL
166 libpve-access-control (7.3-1) bullseye; urgency=medium
167
168 * realm: sync: allow explicit 'none' for 'remove-vanished' option
169
170 -- Proxmox Support Team <support@proxmox.com> Fri, 16 Dec 2022 13:11:04 +0100
171
b84bf623
TL
172 libpve-access-control (7.2-5) bullseye; urgency=medium
173
174 * api: realm sync: avoid separate log line for "remove-vanished" opt
175
176 * auth ldap/ad: compare group member dn case-insensitively
177
178 * two factor auth: only lock tfa config for recovery keys
179
180 * privs: add Sys.Incoming for guarding cross-cluster data streams like guest
181 migrations and storage migrations
182
183 -- Proxmox Support Team <support@proxmox.com> Thu, 17 Nov 2022 13:09:17 +0100
184
f4e68e49
TL
185 libpve-access-control (7.2-4) bullseye; urgency=medium
186
187 * fix #4074: increase API OpenID code size limit to 2048
188
189 * auth key: protect against rare chance of a double rotation in clusters,
190 leaving the potential that some set of nodes have the earlier key cached,
191 that then got rotated out due to the race, resulting in a possible other
192 set of nodes having the newer key cached. This is a split view of the auth
193 key and may result in spurious failures if API requests are made to a
194 different node than the ticket was generated on.
195 In addition to that, the "keep validity of old tickets if signed in the
196 last two hours before rotation" logic was disabled too in such a case,
197 making such tickets invalid too early.
198 Note that both are cases where Proxmox VE was too strict, so while this
199 had no security implications it can be a nuisance, especially for
200 environments that use the API through an automated or scripted way
201
202 -- Proxmox Support Team <support@proxmox.com> Thu, 14 Jul 2022 08:36:51 +0200
203
26dde491
TL
204 libpve-access-control (7.2-3) bullseye; urgency=medium
205
206 * api: token: use userid-group as API perm check to avoid being overly
207 strict through a misguided use of user id for non-root users.
208
209 * perm check: forbid undefined/empty ACL path for future proofing against
210 above issue
211
212 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Jun 2022 15:51:14 +0200
213
1cf4389b
TL
214 libpve-access-control (7.2-2) bullseye; urgency=medium
215
216 * permissions: merge propagation flag for multiple roles on a path that
217 share privilege in a deterministic way, to avoid that it gets lost
218 depending on perl's random sort, which would result in returning less
219 privileges than an auth-id actually had.
220
221 * permissions: avoid that token and user privilege intersection is too strict
222 for user permissions that have propagation disabled.
223
224 -- Proxmox Support Team <support@proxmox.com> Fri, 03 Jun 2022 14:02:30 +0200
225
e3604d48
TL
226 libpve-access-control (7.2-1) bullseye; urgency=medium
227
228 * user check: fix expiration/enable order
229
230 -- Proxmox Support Team <support@proxmox.com> Tue, 31 May 2022 13:43:37 +0200
231
79ae250f
TL
232 libpve-access-control (7.1-8) bullseye; urgency=medium
233
234 * fix #3668: realm-sync: replace 'full' & 'purge' with 'remove-
235 vanished'
236
237 -- Proxmox Support Team <support@proxmox.com> Thu, 28 Apr 2022 17:02:46 +0200
238
eed46286
TL
239 libpve-access-control (7.1-7) bullseye; urgency=medium
240
241 * userid-group check: distinguish create and update
242
243 * api: get user: declare token schema
244
245 -- Proxmox Support Team <support@proxmox.com> Mon, 21 Mar 2022 16:15:23 +0100
246
cd78b295
FG
247 libpve-access-control (7.1-6) bullseye; urgency=medium
248
249 * fix #3768: warn on bad u2f or webauthn settings
250
251 * tfa: when modifying others, verify the current user's password
252
253 * tfa list: account for admin permissions
254
255 * fix realm sync permissions
256
257 * fix token permission display bug
258
259 * include SDN permissions in permission tree
260
261 -- Proxmox Support Team <support@proxmox.com> Fri, 21 Jan 2022 14:20:42 +0100
262
118088d8
TL
263 libpve-access-control (7.1-5) bullseye; urgency=medium
264
265 * openid: fix username-claim fallback
266
267 -- Proxmox Support Team <support@proxmox.com> Thu, 25 Nov 2021 07:57:38 +0100
268
ebb14277
WB
269 libpve-access-control (7.1-4) bullseye; urgency=medium
270
271 * set current origin in the webauthn config if no fixed origin was
272 configured, to support webauthn via subdomains
273
274 -- Proxmox Support Team <support@proxmox.com> Mon, 22 Nov 2021 14:04:06 +0100
275
44a55ff7
TL
276 libpve-access-control (7.1-3) bullseye; urgency=medium
277
278 * openid: allow arbitrary username-claims
279
280 * openid: support configuring the prompt, scopes and ACR values
281
282 -- Proxmox Support Team <support@proxmox.com> Fri, 19 Nov 2021 08:11:52 +0100
283
6f643e79
TL
284 libpve-access-control (7.1-2) bullseye; urgency=medium
285
286 * catch incompatible tfa entries with a nice error
287
288 -- Proxmox Support Team <support@proxmox.com> Wed, 17 Nov 2021 13:44:45 +0100
289
92bca71e
TL
290 libpve-access-control (7.1-1) bullseye; urgency=medium
291
292 * tfa: map HTTP 404 error in get_tfa_entry correctly
293
294 -- Proxmox Support Team <support@proxmox.com> Mon, 15 Nov 2021 15:33:22 +0100
295
1c9b6501
TL
296 libpve-access-control (7.0-7) bullseye; urgency=medium
297
298 * fix #3513: pass configured proxy to OpenID
299
300 * use rust based parser for TFA config
301
302 * use PBS-like auth api call flow,
303
304 * merge old user.cfg keys to tfa config when adding entries
305
306 * implement version checks for new tfa config writer to ensure all
307 cluster nodes are ready to avoid login issues
308
309 * tickets: add tunnel ticket
310
311 -- Proxmox Support Team <support@proxmox.com> Thu, 11 Nov 2021 18:17:49 +0100
312
cd46b379
TL
313 libpve-access-control (7.0-6) bullseye; urgency=medium
314
315 * fix regression in user deletion when realm does not enforce TFA
316
317 -- Proxmox Support Team <support@proxmox.com> Thu, 21 Oct 2021 12:28:52 +0200
318
52da88a8
TL
319 libpve-access-control (7.0-5) bullseye; urgency=medium
320
321 * acl: check path: add /sdn/vnets/* path
322
323 * fix #2302: allow deletion of users when realm enforces TFA
324
325 * api: delete user: disable user first to avoid surprise on error during the
326 various cleanup action required for user deletion (e.g., TFA, ACL, group)
327
328 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Sep 2021 15:50:47 +0200
329
543d646c
TL
330 libpve-access-control (7.0-4) bullseye; urgency=medium
331
332 * realm: add OpenID configuration
333
334 * api: implement OpenID related endpoints
335
336 * implement opt-in OpenID autocreate user feature
337
338 * api: user: add 'realm-type' to user list response
339
340 -- Proxmox Support Team <support@proxmox.com> Fri, 02 Jul 2021 13:45:46 +0200
341
7a4c4fd8
TL
342 libpve-access-control (7.0-3) bullseye; urgency=medium
343
344 * api: acl: add missing `/access/realm/<realm>`, `/access/group/<group>` and
345 `/sdn/zones/<zone>` to allowed ACL paths
346
347 -- Proxmox Support Team <support@proxmox.com> Mon, 21 Jun 2021 10:31:19 +0200
348
0902a936
FG
349 libpve-access-control (7.0-2) bullseye; urgency=medium
350
351 * fix #3402: add Pool.Audit privilege - custom roles containing
352 Pool.Allocate must be updated to include the new privilege.
353
354 -- Proxmox Support Team <support@proxmox.com> Tue, 1 Jun 2021 11:28:38 +0200
355
67febb69
TL
356 libpve-access-control (7.0-1) bullseye; urgency=medium
357
358 * re-build for Debian 11 Bullseye based releases
359
360 -- Proxmox Support Team <support@proxmox.com> Sun, 09 May 2021 18:18:23 +0200
361
2942ba41
TL
362 libpve-access-control (6.4-1) pve; urgency=medium
363
364 * fix #1670: change PAM service name to project specific name
365
366 * fix #1500: permission path syntax check for access control
367
368 * pveum: add resource pool CLI commands
369
370 -- Proxmox Support Team <support@proxmox.com> Sat, 24 Apr 2021 19:48:21 +0200
371
54d312f3
TL
372 libpve-access-control (6.1-3) pve; urgency=medium
373
374 * partially fix #2825: authkey: rotate if it was generated in the
375 future
376
377 * fix #2947: add an option to LDAP or AD realm to switch user lookup to case
378 insensitive
379
380 -- Proxmox Support Team <support@proxmox.com> Tue, 29 Sep 2020 08:54:13 +0200
381
6a9be12f
TL
382 libpve-access-control (6.1-2) pve; urgency=medium
383
384 * also check SDN permission path when computing coarse permissions heuristic
385 for UIs
386
387 * add SDN Permissions.Modify
388
389 * add VM.Config.Cloudinit
390
391 -- Proxmox Support Team <support@proxmox.com> Tue, 30 Jun 2020 13:06:56 +0200
392
e6624f50
TL
393 libpve-access-control (6.1-1) pve; urgency=medium
394
395 * pveum: add tfa delete subcommand for deleting user-TFA
396
397 * LDAP: don't complain about missing credentials on realm removal
398
399 * LDAP: skip anonymous bind when client certificate and key is configured
400
401 -- Proxmox Support Team <support@proxmox.com> Fri, 08 May 2020 17:47:41 +0200
402
8f4a522f
TL
403 libpve-access-control (6.0-7) pve; urgency=medium
404
405 * fix #2575: die when trying to edit built-in roles
406
407 * add realm sub commands to pveum CLI tool
408
7d23b7ca 409 * api: domains: add user group sync API endpoint
8f4a522f
TL
410
411 * allow one to sync and import users and groups from LDAP/AD based realms
412
413 * realm: add default-sync-options to config for more convenient sync configuration
414
415 * api: token create: return also full token id for convenience
416
417 -- Proxmox Support Team <support@proxmox.com> Sat, 25 Apr 2020 19:35:17 +0200
418
23059f35
TL
419 libpve-access-control (6.0-6) pve; urgency=medium
420
421 * API: add group members to group index
422
423 * implement API token support and management
424
425 * pveum: add 'pveum user token add/update/remove/list'
426
427 * pveum: add permissions sub-commands
428
429 * API: add 'permissions' API endpoint
430
431 * user.cfg: skip inexisting roles when parsing ACLs
432
433 -- Proxmox Support Team <support@proxmox.com> Wed, 29 Jan 2020 10:17:27 +0100
434
3dd692e9
TL
435 libpve-access-control (6.0-5) pve; urgency=medium
436
437 * pveum: add list command for users, groups, ACLs and roles
438
439 * add initial permissions for experimental SDN integration
440
441 -- Proxmox Support Team <support@proxmox.com> Tue, 26 Nov 2019 17:56:37 +0100
442
4ef92d0d
FG
443 libpve-access-control (6.0-4) pve; urgency=medium
444
445 * ticket: use clinfo to get cluster name
446
447 * ldaps: add sslversion configuration property to support TLS 1.1 to 1.3 as
448 SSL version
449
450 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Nov 2019 11:55:11 +0100
451
6e5bbca4
TL
452 libpve-access-control (6.0-3) pve; urgency=medium
453
454 * fix #2433: increase possible TFA secret length
455
456 * parse user configuration: correctly parse group names in ACLs, for users
457 which begin their name with an @
458
459 * sort user.cfg entries alphabetically
460
461 -- Proxmox Support Team <support@proxmox.com> Tue, 29 Oct 2019 08:52:23 +0100
462
e073493c
TL
463 libpve-access-control (6.0-2) pve; urgency=medium
464
465 * improve CSRF verification compatibility with newer PVE
466
467 -- Proxmox Support Team <support@proxmox.com> Wed, 26 Jun 2019 20:24:35 +0200
468
a237dc2e
TL
469 libpve-access-control (6.0-1) pve; urgency=medium
470
471 * ticket: properly verify exactly 5 minute old tickets
472
473 * use hmac_sha256 instead of sha1 for CSRF token generation
474
475 -- Proxmox Support Team <support@proxmox.com> Mon, 24 Jun 2019 18:14:45 +0200
476
f1531f22
TL
477 libpve-access-control (6.0-0+1) pve; urgency=medium
478
479 * bump for Debian buster
480
481 * fix #2079: add periodic auth key rotation
482
483 -- Proxmox Support Team <support@proxmox.com> Tue, 21 May 2019 21:31:15 +0200
484
ef761f51
TL
485 libpve-access-control (5.1-10) unstable; urgency=medium
486
487 * add /access/user/{id}/tfa api call to get tfa types
488
489 -- Proxmox Support Team <support@proxmox.com> Wed, 15 May 2019 16:21:10 +0200
490
860ddcba
TL
491 libpve-access-control (5.1-9) unstable; urgency=medium
492
493 * store the tfa type in user.cfg allowing to get it without proxying the call
7d23b7ca 494 to a higher privileged daemon.
860ddcba
TL
495
496 * tfa: realm required TFA should lock out users without TFA configured, as it
497 was done before Proxmox VE 5.4
498
499 -- Proxmox Support Team <support@proxmox.com> Tue, 30 Apr 2019 14:01:00 +0000
500
9fbad012
TL
501 libpve-access-control (5.1-8) unstable; urgency=medium
502
503 * U2F: ensure we save correct public key on registration
504
505 -- Proxmox Support Team <support@proxmox.com> Tue, 09 Apr 2019 12:47:12 +0200
506
4473c96c
TL
507 libpve-access-control (5.1-7) unstable; urgency=medium
508
509 * verify_ticket: allow general non-challenge tfa to be run as two step
510 call
511
512 -- Proxmox Support Team <support@proxmox.com> Mon, 08 Apr 2019 16:56:14 +0200
513
a270d4e1
TL
514 libpve-access-control (5.1-6) unstable; urgency=medium
515
516 * more general 2FA configuration via priv/tfa.cfg
517
518 * add u2f api endpoints
519
520 * delete TFA entries when deleting a user
521
522 * allow users to change their TOTP settings
523
524 -- Proxmox Support Team <support@proxmox.com> Wed, 03 Apr 2019 13:40:26 +0200
525
374647e8
TL
526 libpve-access-control (5.1-5) unstable; urgency=medium
527
528 * fix vnc ticket verification without authkey lifetime
529
530 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Mar 2019 10:43:17 +0100
531
7fb70c94
TL
532 libpve-access-control (5.1-4) unstable; urgency=medium
533
534 * fix #1891: Add zsh command completion for pveum
535
536 * ground work to fix #2079: add periodic auth key rotation. Not yet enabled
537 to avoid issues on upgrade, will be enabled with 6.0
538
539 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Mar 2019 09:12:05 +0100
540
6e010cde
TL
541 libpve-access-control (5.1-3) unstable; urgency=medium
542
543 * api/ticket: move getting cluster name into an eval
544
545 -- Proxmox Support Team <support@proxmox.com> Thu, 29 Nov 2018 12:59:36 +0100
546
f5a9380a
TL
547 libpve-access-control (5.1-2) unstable; urgency=medium
548
549 * fix #1998: correct return properties for read_role
550
551 -- Proxmox Support Team <support@proxmox.com> Fri, 23 Nov 2018 14:22:40 +0100
552
b54b7474
TL
553 libpve-access-control (5.1-1) unstable; urgency=medium
554
555 * pveum: introduce sub-commands
556
557 * register userid with completion
558
559 * fix #233: return cluster name on successful login
560
561 -- Proxmox Support Team <support@proxmox.com> Thu, 15 Nov 2018 09:34:47 +0100
562
52192dd4
WB
563 libpve-access-control (5.0-8) unstable; urgency=medium
564
565 * fix #1612: ldap: make 2nd server work with bind domains again
566
567 * fix an error message where passing a bad pool id to an API function would
568 make it complain about a wrong group name instead
569
570 * fix the API-returned permission list so that the GUI knows to show the
571 'Permissions' tab for a storage to an administrator apart from root@pam
572
573 -- Proxmox Support Team <support@proxmox.com> Thu, 18 Jan 2018 13:34:50 +0100
574
3dadf8cf
FG
575 libpve-access-control (5.0-7) unstable; urgency=medium
576
577 * VM.Snapshot.Rollback privilege added
578
579 * api: check for special roles before locking the usercfg
580
581 * fix #1501: pveum: die when deleting special role
582
583 * API/ticket: rework coarse grained permission computation
584
585 -- Proxmox Support Team <support@proxmox.com> Thu, 5 Oct 2017 11:27:48 +0200
586
ec4141f4
WB
587 libpve-access-control (5.0-6) unstable; urgency=medium
588
589 * Close #1470: Add server certificate verification for AD and LDAP via the
590 'verify' option. For compatibility reasons this defaults to off for now,
591 but that might change with future updates.
592
593 * AD, LDAP: Add ability to specify a CA path or file, and a client
594 certificate via the 'capath', 'cert' and 'certkey' options.
595
596 -- Proxmox Support Team <support@proxmox.com> Tue, 08 Aug 2017 11:56:38 +0200
597
63134bd4
DM
598 libpve-access-control (5.0-5) unstable; urgency=medium
599
600 * change from dpkg-deb to dpkg-buildpackage
601
602 -- Proxmox Support Team <support@proxmox.com> Thu, 22 Jun 2017 09:12:37 +0200
603
868fb1ea
DM
604 libpve-access-control (5.0-4) unstable; urgency=medium
605
606 * PVE/CLI/pveum.pm: call setup_default_cli_env()
607
608 * PVE/Auth/PVE.pm: encode utf8 password before calling crypt
609
610 * check_api2_permissions: avoid warning about uninitialized value
611
612 -- Proxmox Support Team <support@proxmox.com> Tue, 02 May 2017 11:58:15 +0200
613
63358f40
DM
614 libpve-access-control (5.0-3) unstable; urgency=medium
615
616 * use new PVE::OTP class from pve-common
617
618 * use new PVE::Tools::encrypt_pw from pve-common
619
620 -- Proxmox Support Team <support@proxmox.com> Thu, 30 Mar 2017 17:45:55 +0200
621
05fd50af
DM
622 libpve-access-control (5.0-2) unstable; urgency=medium
623
624 * encrypt_pw: avoid '+' for crypt salt
625
626 -- Proxmox Support Team <support@proxmox.com> Thu, 30 Mar 2017 08:54:10 +0200
627
0835385b
FG
628 libpve-access-control (5.0-1) unstable; urgency=medium
629
630 * rebuild for PVE 5.0
631
632 -- Proxmox Support Team <support@proxmox.com> Mon, 6 Mar 2017 13:42:01 +0100
633
730f8863
DM
634 libpve-access-control (4.0-23) unstable; urgency=medium
635
636 * use new PVE::Ticket class
637
638 -- Proxmox Support Team <support@proxmox.com> Thu, 19 Jan 2017 13:42:06 +0100
639
1f1c4593
DM
640 libpve-access-control (4.0-22) unstable; urgency=medium
641
642 * RPCEnvironment: removed check_volume_access() to avoid cyclic dependency
643 (moved to PVE::Storage)
644
645 * PVE::PCEnvironment: use new PVE::RESTEnvironment as base class
646
647 -- Proxmox Support Team <support@proxmox.com> Thu, 19 Jan 2017 09:12:04 +0100
648
f9105063
DM
649 libpve-access-control (4.0-21) unstable; urgency=medium
650
651 * setup_default_cli_env: expect $class as first parameter
652
653 -- Proxmox Support Team <support@proxmox.com> Thu, 12 Jan 2017 13:54:27 +0100
654
9595066e
DM
655 libpve-access-control (4.0-20) unstable; urgency=medium
656
657 * PVE/RPCEnvironment.pm: new function setup_default_cli_env
658
659 * PVE/API2/Domains.pm: fix property description
660
661 * use new repoman for upload target
662
663 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Jan 2017 12:13:26 +0100
664
2af5a793
DM
665 libpve-access-control (4.0-19) unstable; urgency=medium
666
667 * Close #833: ldap: non-anonymous bind support
668
669 * don't import 'RFC' from MIME::Base32
670
671 -- Proxmox Support Team <support@proxmox.com> Fri, 05 Aug 2016 13:09:08 +0200
672
5d87bb77
WB
673 libpve-access-control (4.0-18) unstable; urgency=medium
674
675 * fix #1062: recognize base32 otp keys again
676
677 -- Proxmox Support Team <support@proxmox.com> Thu, 21 Jul 2016 08:43:18 +0200
678
28ddf48b
WB
679 libpve-access-control (4.0-17) unstable; urgency=medium
680
681 * drop oathtool and libdigest-hmac-perl dependencies
682
683 -- Proxmox Support Team <support@proxmox.com> Mon, 11 Jul 2016 12:03:22 +0200
684
15cebb28
DM
685 libpve-access-control (4.0-16) unstable; urgency=medium
686
687 * use pve-doc-generator to generate man pages
688
689 -- Proxmox Support Team <support@proxmox.com> Fri, 08 Apr 2016 07:06:05 +0200
690
678df887
DM
691 libpve-access-control (4.0-15) unstable; urgency=medium
692
693 * Fix uninitialized warning when shadow.cfg does not exist
694
695 -- Proxmox Support Team <support@proxmox.com> Fri, 01 Apr 2016 07:10:57 +0200
696
cca9761a
DM
697 libpve-access-control (4.0-14) unstable; urgency=medium
698
699 * Add is_worker to RPCEnvironment
700
701 -- Proxmox Support Team <support@proxmox.com> Tue, 15 Mar 2016 16:47:34 +0100
702
8643c99d
DM
703 libpve-access-control (4.0-13) unstable; urgency=medium
704
705 * fix #916: allow HTTPS to access custom yubico url
706
707 -- Proxmox Support Team <support@proxmox.com> Mon, 14 Mar 2016 11:39:23 +0100
708
ae2a6bf9
DM
709 libpve-access-control (4.0-12) unstable; urgency=medium
710
711 * Catch certificate errors instead of segfaulting
712
713 -- Proxmox Support Team <support@proxmox.com> Wed, 09 Mar 2016 14:41:01 +0100
714
4836db5f
DM
715 libpve-access-control (4.0-11) unstable; urgency=medium
716
717 * Fix #861: use safer sprintf formatting
718
719 -- Proxmox Support Team <support@proxmox.com> Fri, 08 Jan 2016 12:52:39 +0100
720
ccbe23dc
DM
721 libpve-access-control (4.0-10) unstable; urgency=medium
722
723 * Auth::LDAP, Auth::AD: ipv6 support
724
725 -- Proxmox Support Team <support@proxmox.com> Thu, 03 Dec 2015 12:09:32 +0100
726
90399ca4
DM
727 libpve-access-control (4.0-9) unstable; urgency=medium
728
729 * pveum: implement bash completion
730
731 -- Proxmox Support Team <support@proxmox.com> Thu, 01 Oct 2015 17:22:52 +0200
732
364ffc13
DM
733 libpve-access-control (4.0-8) unstable; urgency=medium
734
735 * remove_storage_access: cleanup of access permissions for removed storage
736
737 -- Proxmox Support Team <support@proxmox.com> Wed, 19 Aug 2015 15:39:15 +0200
738
7c26cb4a
DM
739 libpve-access-control (4.0-7) unstable; urgency=medium
740
741 * new helper to remove access permissions for removed VMs
742
743 -- Proxmox Support Team <support@proxmox.com> Fri, 14 Aug 2015 07:57:02 +0200
744
296afbd1
DM
745 libpve-access-control (4.0-6) unstable; urgency=medium
746
747 * improve parse_user_config, parse_shadow_config
748
749 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Jul 2015 13:14:33 +0200
750
7d2df2ef
DM
751 libpve-access-control (4.0-5) unstable; urgency=medium
752
753 * pveum: check for $cmd being defined
754
755 -- Proxmox Support Team <support@proxmox.com> Wed, 10 Jun 2015 10:40:15 +0200
756
98a34e3f
DM
757 libpve-access-control (4.0-4) unstable; urgency=medium
758
759 * use activate-noawait triggers
760
761 -- Proxmox Support Team <support@proxmox.com> Mon, 01 Jun 2015 12:25:31 +0200
762
15462727
DM
763 libpve-access-control (4.0-3) unstable; urgency=medium
764
765 * IPv6 fixes
766
767 * non-root buildfix
768
769 -- Proxmox Support Team <support@proxmox.com> Wed, 27 May 2015 11:15:44 +0200
770
bbf4cc9a
DM
771 libpve-access-control (4.0-2) unstable; urgency=medium
772
773 * trigger pve-api-updates event
774
775 -- Proxmox Support Team <support@proxmox.com> Tue, 05 May 2015 15:06:38 +0200
776
dfbcf6d3
DM
777 libpve-access-control (4.0-1) unstable; urgency=medium
778
779 * bump version for Debian Jessie
780
781 -- Proxmox Support Team <support@proxmox.com> Thu, 26 Feb 2015 11:22:01 +0100
782
94971b3a
DM
783 libpve-access-control (3.0-16) unstable; urgency=low
784
785 * root@pam can now be disabled in GUI.
786
787 -- Proxmox Support Team <support@proxmox.com> Fri, 30 Jan 2015 06:20:22 +0100
788
7b17c7cb
DM
789 libpve-access-control (3.0-15) unstable; urgency=low
790
791 * oath: add 'step' and 'digits' option
792
793 -- Proxmox Support Team <support@proxmox.com> Wed, 23 Jul 2014 06:59:52 +0200
794
1abc2c0a
DM
795 libpve-access-control (3.0-14) unstable; urgency=low
796
797 * add oath two factor auth
798
799 * add oathkeygen binary to generate keys for oath
800
801 * add yubico two factor auth
802
803 * depend on oathtool
804
805 * depend on libmime-base32-perl
30be0de9
DM
806
807 * allow to write builtin auth domains config (comment/tfa/default)
1abc2c0a
DM
808
809 -- Proxmox Support Team <support@proxmox.com> Thu, 17 Jul 2014 13:09:56 +0200
810
298450ab
DM
811 libpve-access-control (3.0-13) unstable; urgency=low
812
813 * use correct connection string for AD auth
814
815 -- Proxmox Support Team <support@proxmox.com> Thu, 22 May 2014 07:16:09 +0200
816
396034e4
DM
817 libpve-access-control (3.0-12) unstable; urgency=low
818
819 * add dummy API for GET /access/ticket (useful to generate login pages)
820
821 -- Proxmox Support Team <support@proxmox.com> Wed, 30 Apr 2014 14:47:56 +0200
822
26361123
DM
823 libpve-access-control (3.0-11) unstable; urgency=low
824
825 * Sets common hot keys for spice client
826
827 -- Proxmox Support Team <support@proxmox.com> Fri, 31 Jan 2014 10:24:28 +0100
828
3643383d
DM
829 libpve-access-control (3.0-10) unstable; urgency=low
830
831 * implement helper to generate SPICE remote-viewer configuration
832
833 * depend on libnet-ssleay-perl
834
835 -- Proxmox Support Team <support@proxmox.com> Tue, 10 Dec 2013 10:45:08 +0100
836
0baedcf7
DM
837 libpve-access-control (3.0-9) unstable; urgency=low
838
839 * prevent user enumeration attacks
e4f8fc2e
DM
840
841 * allow dots in access paths
0baedcf7
DM
842
843 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Nov 2013 09:06:38 +0100
844
d4b63eae
DM
845 libpve-access-control (3.0-8) unstable; urgency=low
846
847 * spice: use lowercase hostname in ticket signature
848
849 -- Proxmox Support Team <support@proxmox.com> Mon, 28 Oct 2013 08:11:57 +0100
850
49594944
DM
851 libpve-access-control (3.0-7) unstable; urgency=low
852
853 * check_volume_access : use parse_volname instead of path, and remove
854 path related code.
7c410d63
DM
855
856 * use warnings instead of global -w flag.
49594944
DM
857
858 -- Proxmox Support Team <support@proxmox.com> Tue, 01 Oct 2013 12:35:53 +0200
859
fe7de5d0
DM
860 libpve-access-control (3.0-6) unstable; urgency=low
861
862 * use shorter spiceproxy tickets
863
864 -- Proxmox Support Team <support@proxmox.com> Fri, 19 Jul 2013 12:39:09 +0200
865
4cdd9507
DM
866 libpve-access-control (3.0-5) unstable; urgency=low
867
868 * add code to generate tickets for SPICE
869
870 -- Proxmox Support Team <support@proxmox.com> Wed, 26 Jun 2013 13:08:32 +0200
871
677f9ab0
DM
872 libpve-access-control (3.0-4) unstable; urgency=low
873
874 * moved add_vm_to_pool/remove_vm_from_pool from qemu-server
875
876 -- Proxmox Support Team <support@proxmox.com> Tue, 14 May 2013 11:56:54 +0200
877
139a8ecf
DM
878libpve-access-control (3.0-3) unstable; urgency=low
879
7d23b7ca 880 * Add new role PVETemplateUser (and VM.Clone privilege)
139a8ecf
DM
881
882 -- Proxmox Support Team <support@proxmox.com> Mon, 29 Apr 2013 11:42:15 +0200
883
b78ce7c2
DM
884libpve-access-control (3.0-2) unstable; urgency=low
885
886 * remove CGI.pm related code (pveproxy does not need that)
887
888 -- Proxmox Support Team <support@proxmox.com> Mon, 15 Apr 2013 12:34:23 +0200
889
786820f9
DM
890libpve-access-control (3.0-1) unstable; urgency=low
891
892 * bump version for wheezy release
893
894 -- Proxmox Support Team <support@proxmox.com> Fri, 15 Mar 2013 08:07:06 +0100
895
e5ae5487
DM
896libpve-access-control (1.0-26) unstable; urgency=low
897
898 * check_volume_access: fix access permissions for backup files
899
900 -- Proxmox Support Team <support@proxmox.com> Thu, 28 Feb 2013 10:00:14 +0100
901
e3e6510c
DM
902libpve-access-control (1.0-25) unstable; urgency=low
903
904 * add VM.Snapshot permission
905
906 -- Proxmox Support Team <support@proxmox.com> Mon, 10 Sep 2012 09:23:32 +0200
907
1e15ebe7
DM
908libpve-access-control (1.0-24) unstable; urgency=low
909
910 * untaint path (allow root to restore arbitrary paths)
911
912 -- Proxmox Support Team <support@proxmox.com> Wed, 06 Jun 2012 13:06:34 +0200
913
437be042
DM
914libpve-access-control (1.0-23) unstable; urgency=low
915
916 * correctly compute GUI capabilities (consider pools)
917
918 -- Proxmox Support Team <support@proxmox.com> Wed, 30 May 2012 08:47:23 +0200
919
5bb4e06a
DM
920libpve-access-control (1.0-22) unstable; urgency=low
921
922 * new plugin architecture for Auth modules, minor API change for Auth
923 domains (new 'delete' parameter)
924
925 -- Proxmox Support Team <support@proxmox.com> Wed, 16 May 2012 07:21:44 +0200
926
3030a176
DM
927libpve-access-control (1.0-21) unstable; urgency=low
928
929 * do not allow user names including slash
930
931 -- Proxmox Support Team <support@proxmox.com> Tue, 24 Apr 2012 10:07:47 +0200
932
933libpve-access-control (1.0-20) unstable; urgency=low
934
935 * add ability to fork cli workers in background
936
937 -- Proxmox Support Team <support@proxmox.com> Wed, 18 Apr 2012 08:28:20 +0200
938
dd2cfee0
DM
939libpve-access-control (1.0-19) unstable; urgency=low
940
941 * return set of privileges on login - can be used to adopt GUI
942
943 -- Proxmox Support Team <support@proxmox.com> Tue, 17 Apr 2012 10:25:10 +0200
944
1cf154b7
DM
945libpve-access-control (1.0-18) unstable; urgency=low
946
7d23b7ca 947 * fix bug #151: correctly parse username inside ticket
533219a1
DM
948
949 * fix bug #152: allow user to change his own password
1cf154b7
DM
950
951 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Apr 2012 09:40:15 +0200
952
2de14407
DM
953libpve-access-control (1.0-17) unstable; urgency=low
954
955 * set propagate flag by default
956
957 -- Proxmox Support Team <support@proxmox.com> Thu, 01 Mar 2012 12:40:19 +0100
958
bdc61d7a
DM
959libpve-access-control (1.0-16) unstable; urgency=low
960
961 * add 'pveum passwd' method
962
963 -- Proxmox Support Team <support@proxmox.com> Thu, 23 Feb 2012 12:05:25 +0100
964
cc7bdf33
DM
965libpve-access-control (1.0-15) unstable; urgency=low
966
967 * Add VM.Config.CDROM privilege to PVEVMUser rule
968
969 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 11:44:23 +0100
970
a69bbe2e
DM
971libpve-access-control (1.0-14) unstable; urgency=low
972
973 * fix bug in userid-param permission check
974
975 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 10:52:35 +0100
976
d9483d94
DM
977libpve-access-control (1.0-13) unstable; urgency=low
978
979 * allow more characters in ldap base_dn attribute
980
981 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 06:17:02 +0100
982
84619607
DM
983libpve-access-control (1.0-12) unstable; urgency=low
984
985 * allow more characters with realm IDs
986
987 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Feb 2012 08:50:33 +0100
988
09d27058
DM
989libpve-access-control (1.0-11) unstable; urgency=low
990
991 * fix bug in exec_api2_perm_check
992
993 -- Proxmox Support Team <support@proxmox.com> Wed, 15 Feb 2012 07:06:30 +0100
994
7a4c849e
DM
995libpve-access-control (1.0-10) unstable; urgency=low
996
997 * fix ACL group name parser
998
999 * changed 'pveum aclmod' command line arguments
1000
1001 -- Proxmox Support Team <support@proxmox.com> Tue, 14 Feb 2012 12:08:02 +0100
1002
3eac4e35
DM
1003libpve-access-control (1.0-9) unstable; urgency=low
1004
1005 * fix bug in check_volume_access (fixes vzrestore)
1006
1007 -- Proxmox Support Team <support@proxmox.com> Mon, 13 Feb 2012 09:56:37 +0100
1008
4384e19e
DM
1009libpve-access-control (1.0-8) unstable; urgency=low
1010
1011 * fix return value for empty ACL list.
1012
1013 -- Proxmox Support Team <support@proxmox.com> Fri, 10 Feb 2012 11:25:04 +0100
1014
d8a56966
DM
1015libpve-access-control (1.0-7) unstable; urgency=low
1016
1017 * fix bug #85: allow root@pam to generate tickets for other users
1018
1019 -- Proxmox Support Team <support@proxmox.com> Tue, 17 Jan 2012 06:40:18 +0100
1020
cb6f2f93
DM
1021libpve-access-control (1.0-6) unstable; urgency=low
1022
1023 * API change: allow to filter enabled/disabled users.
1024
1025 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Jan 2012 12:30:37 +0100
1026
272fe9ff
DM
1027libpve-access-control (1.0-5) unstable; urgency=low
1028
1029 * add a way to return file changes (diffs): set_result_changes()
1030
1031 -- Proxmox Support Team <support@proxmox.com> Tue, 20 Dec 2011 11:18:48 +0100
1032
e42eedbc
DM
1033libpve-access-control (1.0-4) unstable; urgency=low
1034
1035 * new environment type for ha agents
1036
1037 -- Proxmox Support Team <support@proxmox.com> Tue, 13 Dec 2011 10:08:53 +0100
1038
1fba27e0
DM
1039libpve-access-control (1.0-3) unstable; urgency=low
1040
1041 * add support for delayed parameter parsing - We need that to disable
7d23b7ca 1042 file upload for normal API request (avoid DOS attacks)
1fba27e0
DM
1043
1044 -- Proxmox Support Team <support@proxmox.com> Fri, 02 Dec 2011 09:56:10 +0100
1045
5bf71a96
DM
1046libpve-access-control (1.0-2) unstable; urgency=low
1047
1048 * fix bug in fork_worker
1049
1050 -- Proxmox Support Team <support@proxmox.com> Tue, 11 Oct 2011 08:37:05 +0200
1051
2c3a6c0a
DM
1052libpve-access-control (1.0-1) unstable; urgency=low
1053
1054 * allow '-' in permission paths
1055
1056 * bump version to 1.0
1057
1058 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Jun 2011 13:51:48 +0200
1059
1060libpve-access-control (0.1) unstable; urgency=low
1061
1062 * first dummy package - no functionality
1063
1064 -- Proxmox Support Team <support@proxmox.com> Thu, 09 Jul 2009 16:03:00 +0200
1065