git.proxmox.com Git - pve-access-control.git/blame - debian/changelog
tfa: cope with native versions in cluster version check
Commit Line Data
6004f25e
TL
1 libpve-access-control (8.0.0) bookworm; urgency=medium
2
3 * api: roles: forbid creating new roles starting with "PVE" namespace
4
5 -- Proxmox Support Team <support@proxmox.com> Fri, 09 Jun 2023 10:14:28 +0200
6
8e8023b1
TL
7 libpve-access-control (8.0.0~3) bookworm; urgency=medium
8
9 * rpcenv: api permission heuristic: query Sys.Modify for root ACL-path
10
11 * access control: add /sdn/zones/<zone>/<vnet>/<vlan> ACL object path
12
13 * add helper for checking bridge access
14
15 * add new SDN.Use privilege in PVESDNUser role, allowing one to specify
16 which users are allowed to use a bridge (or vnet, if SDN is installed)
17
18 * add privileges and paths for cluster resource mapping
19
20 -- Proxmox Support Team <support@proxmox.com> Wed, 07 Jun 2023 19:06:54 +0200
21
3ef602fe
TL
22 libpve-access-control (8.0.0~2) bookworm; urgency=medium
23
24 * api: user index: only include existing tfa lock flags
25
26 * add realm-sync plugin for jobs and CRUD api for realm-sync-jobs
27
28 * roles: only include Permissions.Modify in Administrator built-in role.
29 As, depending on the ACL object path, this privilege might allow one to
30 change their own permissions, which was making the distinction between
31 Admin and PVEAdmin irrelevant.
32
33 * acls: restrict less-privileged ACL modifications. Through allocate
34 permissions in pools, storages and virtual guests one can do some ACL
35 modifications without having the Permissions.Modify privilege, lock those
36 better down to ensure that one can hand out only the subset of their
37 own privileges, never more. Note that this is mostly future proofing, as
38 the ACL object paths one could give out more permissions were already
39 limiting the scope.
40
41 -- Proxmox Support Team <support@proxmox.com> Wed, 07 Jun 2023 11:34:30 +0200
42
f63364a7
WB
43 libpve-access-control (8.0.0~1) bookworm; urgency=medium
44
45 * bump pve-rs dependency to 0.8.3
46
47 * drop old verify_tfa api call (POST /access/tfa)
48
49 * drop support for old login API:
50 - 'new-format' is now considered to be 1 and ignored by the API
51
52 * pam auth: set PAM_RHOST to allow pam configs to log/restrict/... by remote
53 address
54
55 * cli: add 'pveum tfa list'
56
57 * cli: add 'pveum tfa unlock'
58
59 * enable lockout of TFA:
60 - too many TOTP attempts will lock out of TOTP
61 - using a recovery key will unlock TOTP
62 - too many TFA attempts will lock a user's TFA auth for an hour
63
64 * api: add /access/users/<userid>/unlock-tfa to unlock a user's TFA
65 authentication if it was locked by too many wrong 2nd factor login attempts
66
67 * api: /access/tfa and /access/users now include the tfa lockout status
68
69 -- Proxmox Support Team <support@proxmox.com> Mon, 05 Jun 2023 14:52:29 +0200
70
a3dc6ff4
TL
71 libpve-access-control (7.99.0) bookworm; urgency=medium
72
73 * initial re-build for Proxmox VE 8.x series
74
75 * switch to native versioning
76
77 -- Proxmox Support Team <support@proxmox.com> Sun, 21 May 2023 10:34:19 +0200
78
f2762a03
WB
79 libpve-access-control (7.4-3) bullseye; urgency=medium
80
81 * use new 2nd factor verification from pve-rs
82
83 -- Proxmox Support Team <support@proxmox.com> Tue, 16 May 2023 13:31:28 +0200
84
f0595d15
TL
85 libpve-access-control (7.4-2) bullseye; urgency=medium
86
87 * fix #4609: fix regression where a valid DN in the ldap/ad realm config
88 wasn't accepted anymore
89
90 -- Proxmox Support Team <support@proxmox.com> Thu, 23 Mar 2023 15:44:21 +0100
91
a23eaa1a
TL
92 libpve-access-control (7.4-1) bullseye; urgency=medium
93
94 * realm sync: refactor scope/remove-vanished into a standard option
95
96 * ldap: Allow quoted values for DN attribute values
97
98 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Mar 2023 17:16:11 +0100
99
df33b3b9
TL
100 libpve-access-control (7.3-2) bullseye; urgency=medium
101
102 * fix #4518: dramatically improve ACL computation performance
103
104 * userid format: clarify that this is the full name@realm in description
105
106 -- Proxmox Support Team <support@proxmox.com> Mon, 06 Mar 2023 11:40:11 +0100
107
2da8c203
TL
108 libpve-access-control (7.3-1) bullseye; urgency=medium
109
110 * realm: sync: allow explicit 'none' for 'remove-vanished' option
111
112 -- Proxmox Support Team <support@proxmox.com> Fri, 16 Dec 2022 13:11:04 +0100
113
b84bf623
TL
114 libpve-access-control (7.2-5) bullseye; urgency=medium
115
116 * api: realm sync: avoid separate log line for "remove-vanished" opt
117
118 * auth ldap/ad: compare group member dn case-insensitively
119
120 * two factor auth: only lock tfa config for recovery keys
121
122 * privs: add Sys.Incoming for guarding cross-cluster data streams like guest
123 migrations and storage migrations
124
125 -- Proxmox Support Team <support@proxmox.com> Thu, 17 Nov 2022 13:09:17 +0100
126
f4e68e49
TL
127 libpve-access-control (7.2-4) bullseye; urgency=medium
128
129 * fix #4074: increase API OpenID code size limit to 2048
130
131 * auth key: protect against rare chance of a double rotation in clusters,
132 leaving the potential that some set of nodes have the earlier key cached,
133 that then got rotated out due to the race, resulting in a possible other
134 set of nodes having the newer key cached. This is a split view of the auth
135 key and may result in spurious failures if API requests are made to a
136 different node than the ticket was generated on.
137 In addition to that, the "keep validity of old tickets if signed in the
138 last two hours before rotation" logic was disabled too in such a case,
139 making such tickets invalid too early.
140 Note that both are cases where Proxmox VE was too strict, so while this
141 had no security implications it can be a nuisance, especially for
142 environments that use the API through an automated or scripted way
143
144 -- Proxmox Support Team <support@proxmox.com> Thu, 14 Jul 2022 08:36:51 +0200
145
26dde491
TL
146 libpve-access-control (7.2-3) bullseye; urgency=medium
147
148 * api: token: use userid-group as API perm check to avoid being overly
149 strict through a misguided use of user id for non-root users.
150
151 * perm check: forbid undefined/empty ACL path for future proofing against
152 above issue
153
154 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Jun 2022 15:51:14 +0200
155
1cf4389b
TL
156 libpve-access-control (7.2-2) bullseye; urgency=medium
157
158 * permissions: merge propagation flag for multiple roles on a path that
159 share privilege in a deterministic way, to avoid that it gets lost
160 depending on perl's random sort, which would result in returning less
161 privileges than an auth-id actually had.
162
163 * permissions: avoid that token and user privilege intersection is too strict
164 for user permissions that have propagation disabled.
165
166 -- Proxmox Support Team <support@proxmox.com> Fri, 03 Jun 2022 14:02:30 +0200
167
e3604d48
TL
168 libpve-access-control (7.2-1) bullseye; urgency=medium
169
170 * user check: fix expiration/enable order
171
172 -- Proxmox Support Team <support@proxmox.com> Tue, 31 May 2022 13:43:37 +0200
173
79ae250f
TL
174 libpve-access-control (7.1-8) bullseye; urgency=medium
175
176 * fix #3668: realm-sync: replace 'full' & 'purge' with 'remove-
177 vanished'
178
179 -- Proxmox Support Team <support@proxmox.com> Thu, 28 Apr 2022 17:02:46 +0200
180
eed46286
TL
181 libpve-access-control (7.1-7) bullseye; urgency=medium
182
183 * userid-group check: distinguish create and update
184
185 * api: get user: declare token schema
186
187 -- Proxmox Support Team <support@proxmox.com> Mon, 21 Mar 2022 16:15:23 +0100
188
cd78b295
FG
189 libpve-access-control (7.1-6) bullseye; urgency=medium
190
191 * fix #3768: warn on bad u2f or webauthn settings
192
193 * tfa: when modifying others, verify the current user's password
194
195 * tfa list: account for admin permissions
196
197 * fix realm sync permissions
198
199 * fix token permission display bug
200
201 * include SDN permissions in permission tree
202
203 -- Proxmox Support Team <support@proxmox.com> Fri, 21 Jan 2022 14:20:42 +0100
204
118088d8
TL
205 libpve-access-control (7.1-5) bullseye; urgency=medium
206
207 * openid: fix username-claim fallback
208
209 -- Proxmox Support Team <support@proxmox.com> Thu, 25 Nov 2021 07:57:38 +0100
210
ebb14277
WB
211 libpve-access-control (7.1-4) bullseye; urgency=medium
212
213 * set current origin in the webauthn config if no fixed origin was
214 configured, to support webauthn via subdomains
215
216 -- Proxmox Support Team <support@proxmox.com> Mon, 22 Nov 2021 14:04:06 +0100
217
44a55ff7
TL
218 libpve-access-control (7.1-3) bullseye; urgency=medium
219
220 * openid: allow arbitrary username-claims
221
222 * openid: support configuring the prompt, scopes and ACR values
223
224 -- Proxmox Support Team <support@proxmox.com> Fri, 19 Nov 2021 08:11:52 +0100
225
6f643e79
TL
226 libpve-access-control (7.1-2) bullseye; urgency=medium
227
228 * catch incompatible tfa entries with a nice error
229
230 -- Proxmox Support Team <support@proxmox.com> Wed, 17 Nov 2021 13:44:45 +0100
231
92bca71e
TL
232 libpve-access-control (7.1-1) bullseye; urgency=medium
233
234 * tfa: map HTTP 404 error in get_tfa_entry correctly
235
236 -- Proxmox Support Team <support@proxmox.com> Mon, 15 Nov 2021 15:33:22 +0100
237
1c9b6501
TL
238 libpve-access-control (7.0-7) bullseye; urgency=medium
239
240 * fix #3513: pass configured proxy to OpenID
241
242 * use rust based parser for TFA config
243
244 * use PBS-like auth api call flow,
245
246 * merge old user.cfg keys to tfa config when adding entries
247
248 * implement version checks for new tfa config writer to ensure all
249 cluster nodes are ready to avoid login issues
250
251 * tickets: add tunnel ticket
252
253 -- Proxmox Support Team <support@proxmox.com> Thu, 11 Nov 2021 18:17:49 +0100
254
cd46b379
TL
255 libpve-access-control (7.0-6) bullseye; urgency=medium
256
257 * fix regression in user deletion when realm does not enforce TFA
258
259 -- Proxmox Support Team <support@proxmox.com> Thu, 21 Oct 2021 12:28:52 +0200
260
52da88a8
TL
261 libpve-access-control (7.0-5) bullseye; urgency=medium
262
263 * acl: check path: add /sdn/vnets/* path
264
265 * fix #2302: allow deletion of users when realm enforces TFA
266
267 * api: delete user: disable user first to avoid surprise on error during the
268 various cleanup actions required for user deletion (e.g., TFA, ACL, group)
269
270 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Sep 2021 15:50:47 +0200
271
543d646c
TL
272 libpve-access-control (7.0-4) bullseye; urgency=medium
273
274 * realm: add OpenID configuration
275
276 * api: implement OpenID related endpoints
277
278 * implement opt-in OpenID autocreate user feature
279
280 * api: user: add 'realm-type' to user list response
281
282 -- Proxmox Support Team <support@proxmox.com> Fri, 02 Jul 2021 13:45:46 +0200
283
7a4c4fd8
TL
284 libpve-access-control (7.0-3) bullseye; urgency=medium
285
286 * api: acl: add missing `/access/realm/<realm>`, `/access/group/<group>` and
287 `/sdn/zones/<zone>` to allowed ACL paths
288
289 -- Proxmox Support Team <support@proxmox.com> Mon, 21 Jun 2021 10:31:19 +0200
290
0902a936
FG
291 libpve-access-control (7.0-2) bullseye; urgency=medium
292
293 * fix #3402: add Pool.Audit privilege - custom roles containing
294 Pool.Allocate must be updated to include the new privilege.
295
296 -- Proxmox Support Team <support@proxmox.com> Tue, 1 Jun 2021 11:28:38 +0200
297
67febb69
TL
298 libpve-access-control (7.0-1) bullseye; urgency=medium
299
300 * re-build for Debian 11 Bullseye based releases
301
302 -- Proxmox Support Team <support@proxmox.com> Sun, 09 May 2021 18:18:23 +0200
303
2942ba41
TL
304 libpve-access-control (6.4-1) pve; urgency=medium
305
306 * fix #1670: change PAM service name to project specific name
307
308 * fix #1500: permission path syntax check for access control
309
310 * pveum: add resource pool CLI commands
311
312 -- Proxmox Support Team <support@proxmox.com> Sat, 24 Apr 2021 19:48:21 +0200
313
54d312f3
TL
314 libpve-access-control (6.1-3) pve; urgency=medium
315
316 * partially fix #2825: authkey: rotate if it was generated in the
317 future
318
319 * fix #2947: add an option to LDAP or AD realm to switch user lookup to case
320 insensitive
321
322 -- Proxmox Support Team <support@proxmox.com> Tue, 29 Sep 2020 08:54:13 +0200
323
6a9be12f
TL
324 libpve-access-control (6.1-2) pve; urgency=medium
325
326 * also check SDN permission path when computing coarse permissions heuristic
327 for UIs
328
329 * add SDN Permissions.Modify
330
331 * add VM.Config.Cloudinit
332
333 -- Proxmox Support Team <support@proxmox.com> Tue, 30 Jun 2020 13:06:56 +0200
334
e6624f50
TL
335 libpve-access-control (6.1-1) pve; urgency=medium
336
337 * pveum: add tfa delete subcommand for deleting user-TFA
338
339 * LDAP: don't complain about missing credentials on realm removal
340
341 * LDAP: skip anonymous bind when client certificate and key is configured
342
343 -- Proxmox Support Team <support@proxmox.com> Fri, 08 May 2020 17:47:41 +0200
344
8f4a522f
TL
345 libpve-access-control (6.0-7) pve; urgency=medium
346
347 * fix #2575: die when trying to edit built-in roles
348
349 * add realm sub commands to pveum CLI tool
350
7d23b7ca
351 * api: domains: add user group sync API endpoint
8f4a522f
TL
352
353 * allow one to sync and import users and groups from LDAP/AD based realms
354
355 * realm: add default-sync-options to config for more convenient sync configuration
356
357 * api: token create: return also full token id for convenience
358
359 -- Proxmox Support Team <support@proxmox.com> Sat, 25 Apr 2020 19:35:17 +0200
360
23059f35
TL
361 libpve-access-control (6.0-6) pve; urgency=medium
362
363 * API: add group members to group index
364
365 * implement API token support and management
366
367 * pveum: add 'pveum user token add/update/remove/list'
368
369 * pveum: add permissions sub-commands
370
371 * API: add 'permissions' API endpoint
372
373 * user.cfg: skip inexisting roles when parsing ACLs
374
375 -- Proxmox Support Team <support@proxmox.com> Wed, 29 Jan 2020 10:17:27 +0100
376
3dd692e9
TL
377 libpve-access-control (6.0-5) pve; urgency=medium
378
379 * pveum: add list command for users, groups, ACLs and roles
380
381 * add initial permissions for experimental SDN integration
382
383 -- Proxmox Support Team <support@proxmox.com> Tue, 26 Nov 2019 17:56:37 +0100
384
4ef92d0d
FG
385 libpve-access-control (6.0-4) pve; urgency=medium
386
387 * ticket: use clinfo to get cluster name
388
389 * ldaps: add sslversion configuration property to support TLS 1.1 to 1.3 as
390 SSL version
391
392 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Nov 2019 11:55:11 +0100
393
6e5bbca4
TL
394 libpve-access-control (6.0-3) pve; urgency=medium
395
396 * fix #2433: increase possible TFA secret length
397
398 * parse user configuration: correctly parse group names in ACLs, for users
399 which begin their name with an @
400
401 * sort user.cfg entries alphabetically
402
403 -- Proxmox Support Team <support@proxmox.com> Tue, 29 Oct 2019 08:52:23 +0100
404
e073493c
TL
405 libpve-access-control (6.0-2) pve; urgency=medium
406
407 * improve CSRF verification compatibility with newer PVE
408
409 -- Proxmox Support Team <support@proxmox.com> Wed, 26 Jun 2019 20:24:35 +0200
410
a237dc2e
TL
411 libpve-access-control (6.0-1) pve; urgency=medium
412
413 * ticket: properly verify exactly 5 minute old tickets
414
415 * use hmac_sha256 instead of sha1 for CSRF token generation
416
417 -- Proxmox Support Team <support@proxmox.com> Mon, 24 Jun 2019 18:14:45 +0200
418
f1531f22
TL
419 libpve-access-control (6.0-0+1) pve; urgency=medium
420
421 * bump for Debian buster
422
423 * fix #2079: add periodic auth key rotation
424
425 -- Proxmox Support Team <support@proxmox.com> Tue, 21 May 2019 21:31:15 +0200
426
ef761f51
TL
427 libpve-access-control (5.1-10) unstable; urgency=medium
428
429 * add /access/user/{id}/tfa api call to get tfa types
430
431 -- Proxmox Support Team <support@proxmox.com> Wed, 15 May 2019 16:21:10 +0200
432
860ddcba
TL
433 libpve-access-control (5.1-9) unstable; urgency=medium
434
435 * store the tfa type in user.cfg allowing to get it without proxying the call
7d23b7ca
436 to a higher privileged daemon.
860ddcba
TL
437
438 * tfa: realm required TFA should lock out users without TFA configured, as it
439 was done before Proxmox VE 5.4
440
441 -- Proxmox Support Team <support@proxmox.com> Tue, 30 Apr 2019 14:01:00 +0000
442
9fbad012
TL
443 libpve-access-control (5.1-8) unstable; urgency=medium
444
445 * U2F: ensure we save correct public key on registration
446
447 -- Proxmox Support Team <support@proxmox.com> Tue, 09 Apr 2019 12:47:12 +0200
448
4473c96c
TL
449 libpve-access-control (5.1-7) unstable; urgency=medium
450
451 * verify_ticket: allow general non-challenge tfa to be run as two step
452 call
453
454 -- Proxmox Support Team <support@proxmox.com> Mon, 08 Apr 2019 16:56:14 +0200
455
a270d4e1
TL
456 libpve-access-control (5.1-6) unstable; urgency=medium
457
458 * more general 2FA configuration via priv/tfa.cfg
459
460 * add u2f api endpoints
461
462 * delete TFA entries when deleting a user
463
464 * allow users to change their TOTP settings
465
466 -- Proxmox Support Team <support@proxmox.com> Wed, 03 Apr 2019 13:40:26 +0200
467
374647e8
TL
468 libpve-access-control (5.1-5) unstable; urgency=medium
469
470 * fix vnc ticket verification without authkey lifetime
471
472 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Mar 2019 10:43:17 +0100
473
7fb70c94
TL
474 libpve-access-control (5.1-4) unstable; urgency=medium
475
476 * fix #1891: Add zsh command completion for pveum
477
478 * ground work to fix #2079: add periodic auth key rotation. Not yet enabled
479 to avoid issues on upgrade, will be enabled with 6.0
480
481 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Mar 2019 09:12:05 +0100
482
6e010cde
TL
483 libpve-access-control (5.1-3) unstable; urgency=medium
484
485 * api/ticket: move getting cluster name into an eval
486
487 -- Proxmox Support Team <support@proxmox.com> Thu, 29 Nov 2018 12:59:36 +0100
488
f5a9380a
TL
489 libpve-access-control (5.1-2) unstable; urgency=medium
490
491 * fix #1998: correct return properties for read_role
492
493 -- Proxmox Support Team <support@proxmox.com> Fri, 23 Nov 2018 14:22:40 +0100
494
b54b7474
TL
495 libpve-access-control (5.1-1) unstable; urgency=medium
496
497 * pveum: introduce sub-commands
498
499 * register userid with completion
500
501 * fix #233: return cluster name on successful login
502
503 -- Proxmox Support Team <support@proxmox.com> Thu, 15 Nov 2018 09:34:47 +0100
504
52192dd4
WB
505 libpve-access-control (5.0-8) unstable; urgency=medium
506
507 * fix #1612: ldap: make 2nd server work with bind domains again
508
509 * fix an error message where passing a bad pool id to an API function would
510 make it complain about a wrong group name instead
511
512 * fix the API-returned permission list so that the GUI knows to show the
513 'Permissions' tab for a storage to an administrator apart from root@pam
514
515 -- Proxmox Support Team <support@proxmox.com> Thu, 18 Jan 2018 13:34:50 +0100
516
3dadf8cf
FG
517 libpve-access-control (5.0-7) unstable; urgency=medium
518
519 * VM.Snapshot.Rollback privilege added
520
521 * api: check for special roles before locking the usercfg
522
523 * fix #1501: pveum: die when deleting special role
524
525 * API/ticket: rework coarse grained permission computation
526
527 -- Proxmox Support Team <support@proxmox.com> Thu, 5 Oct 2017 11:27:48 +0200
528
ec4141f4
WB
529 libpve-access-control (5.0-6) unstable; urgency=medium
530
531 * Close #1470: Add server certificate verification for AD and LDAP via the
532 'verify' option. For compatibility reasons this defaults to off for now,
533 but that might change with future updates.
534
535 * AD, LDAP: Add ability to specify a CA path or file, and a client
536 certificate via the 'capath', 'cert' and 'certkey' options.
537
538 -- Proxmox Support Team <support@proxmox.com> Tue, 08 Aug 2017 11:56:38 +0200
539
63134bd4
DM
540 libpve-access-control (5.0-5) unstable; urgency=medium
541
542 * change from dpkg-deb to dpkg-buildpackage
543
544 -- Proxmox Support Team <support@proxmox.com> Thu, 22 Jun 2017 09:12:37 +0200
545
868fb1ea
DM
546 libpve-access-control (5.0-4) unstable; urgency=medium
547
548 * PVE/CLI/pveum.pm: call setup_default_cli_env()
549
550 * PVE/Auth/PVE.pm: encode utf8 password before calling crypt
551
552 * check_api2_permissions: avoid warning about uninitialized value
553
554 -- Proxmox Support Team <support@proxmox.com> Tue, 02 May 2017 11:58:15 +0200
555
63358f40
DM
556 libpve-access-control (5.0-3) unstable; urgency=medium
557
558 * use new PVE::OTP class from pve-common
559
560 * use new PVE::Tools::encrypt_pw from pve-common
561
562 -- Proxmox Support Team <support@proxmox.com> Thu, 30 Mar 2017 17:45:55 +0200
563
05fd50af
DM
564 libpve-access-control (5.0-2) unstable; urgency=medium
565
566 * encrypt_pw: avoid '+' for crypt salt
567
568 -- Proxmox Support Team <support@proxmox.com> Thu, 30 Mar 2017 08:54:10 +0200
569
0835385b
FG
570 libpve-access-control (5.0-1) unstable; urgency=medium
571
572 * rebuild for PVE 5.0
573
574 -- Proxmox Support Team <support@proxmox.com> Mon, 6 Mar 2017 13:42:01 +0100
575
730f8863
DM
576 libpve-access-control (4.0-23) unstable; urgency=medium
577
578 * use new PVE::Ticket class
579
580 -- Proxmox Support Team <support@proxmox.com> Thu, 19 Jan 2017 13:42:06 +0100
581
1f1c4593
DM
582 libpve-access-control (4.0-22) unstable; urgency=medium
583
584 * RPCEnvironment: removed check_volume_access() to avoid cyclic dependency
585 (moved to PVE::Storage)
586
587 * PVE::RPCEnvironment: use new PVE::RESTEnvironment as base class
588
589 -- Proxmox Support Team <support@proxmox.com> Thu, 19 Jan 2017 09:12:04 +0100
590
f9105063
DM
591 libpve-access-control (4.0-21) unstable; urgency=medium
592
593 * setup_default_cli_env: expect $class as first parameter
594
595 -- Proxmox Support Team <support@proxmox.com> Thu, 12 Jan 2017 13:54:27 +0100
596
9595066e
DM
597 libpve-access-control (4.0-20) unstable; urgency=medium
598
599 * PVE/RPCEnvironment.pm: new function setup_default_cli_env
600
601 * PVE/API2/Domains.pm: fix property description
602
603 * use new repoman for upload target
604
605 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Jan 2017 12:13:26 +0100
606
2af5a793
DM
607 libpve-access-control (4.0-19) unstable; urgency=medium
608
609 * Close #833: ldap: non-anonymous bind support
610
611 * don't import 'RFC' from MIME::Base32
612
613 -- Proxmox Support Team <support@proxmox.com> Fri, 05 Aug 2016 13:09:08 +0200
614
5d87bb77
WB
615 libpve-access-control (4.0-18) unstable; urgency=medium
616
617 * fix #1062: recognize base32 otp keys again
618
619 -- Proxmox Support Team <support@proxmox.com> Thu, 21 Jul 2016 08:43:18 +0200
620
28ddf48b
WB
621 libpve-access-control (4.0-17) unstable; urgency=medium
622
623 * drop oathtool and libdigest-hmac-perl dependencies
624
625 -- Proxmox Support Team <support@proxmox.com> Mon, 11 Jul 2016 12:03:22 +0200
626
15cebb28
DM
627 libpve-access-control (4.0-16) unstable; urgency=medium
628
629 * use pve-doc-generator to generate man pages
630
631 -- Proxmox Support Team <support@proxmox.com> Fri, 08 Apr 2016 07:06:05 +0200
632
678df887
DM
633 libpve-access-control (4.0-15) unstable; urgency=medium
634
635 * Fix uninitialized warning when shadow.cfg does not exist
636
637 -- Proxmox Support Team <support@proxmox.com> Fri, 01 Apr 2016 07:10:57 +0200
638
cca9761a
DM
639 libpve-access-control (4.0-14) unstable; urgency=medium
640
641 * Add is_worker to RPCEnvironment
642
643 -- Proxmox Support Team <support@proxmox.com> Tue, 15 Mar 2016 16:47:34 +0100
644
8643c99d
DM
645 libpve-access-control (4.0-13) unstable; urgency=medium
646
647 * fix #916: allow HTTPS to access custom yubico url
648
649 -- Proxmox Support Team <support@proxmox.com> Mon, 14 Mar 2016 11:39:23 +0100
650
ae2a6bf9
DM
651 libpve-access-control (4.0-12) unstable; urgency=medium
652
653 * Catch certificate errors instead of segfaulting
654
655 -- Proxmox Support Team <support@proxmox.com> Wed, 09 Mar 2016 14:41:01 +0100
656
4836db5f
DM
657 libpve-access-control (4.0-11) unstable; urgency=medium
658
659 * Fix #861: use safer sprintf formatting
660
661 -- Proxmox Support Team <support@proxmox.com> Fri, 08 Jan 2016 12:52:39 +0100
662
ccbe23dc
DM
663 libpve-access-control (4.0-10) unstable; urgency=medium
664
665 * Auth::LDAP, Auth::AD: ipv6 support
666
667 -- Proxmox Support Team <support@proxmox.com> Thu, 03 Dec 2015 12:09:32 +0100
668
90399ca4
DM
669 libpve-access-control (4.0-9) unstable; urgency=medium
670
671 * pveum: implement bash completion
672
673 -- Proxmox Support Team <support@proxmox.com> Thu, 01 Oct 2015 17:22:52 +0200
674
364ffc13
DM
675 libpve-access-control (4.0-8) unstable; urgency=medium
676
677 * remove_storage_access: cleanup of access permissions for removed storage
678
679 -- Proxmox Support Team <support@proxmox.com> Wed, 19 Aug 2015 15:39:15 +0200
680
7c26cb4a
DM
681 libpve-access-control (4.0-7) unstable; urgency=medium
682
683 * new helper to remove access permissions for removed VMs
684
685 -- Proxmox Support Team <support@proxmox.com> Fri, 14 Aug 2015 07:57:02 +0200
686
296afbd1
DM
687 libpve-access-control (4.0-6) unstable; urgency=medium
688
689 * improve parse_user_config, parse_shadow_config
690
691 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Jul 2015 13:14:33 +0200
692
7d2df2ef
DM
693 libpve-access-control (4.0-5) unstable; urgency=medium
694
695 * pveum: check for $cmd being defined
696
697 -- Proxmox Support Team <support@proxmox.com> Wed, 10 Jun 2015 10:40:15 +0200
698
98a34e3f
DM
699 libpve-access-control (4.0-4) unstable; urgency=medium
700
701 * use activate-noawait triggers
702
703 -- Proxmox Support Team <support@proxmox.com> Mon, 01 Jun 2015 12:25:31 +0200
704
15462727
DM
705 libpve-access-control (4.0-3) unstable; urgency=medium
706
707 * IPv6 fixes
708
709 * non-root buildfix
710
711 -- Proxmox Support Team <support@proxmox.com> Wed, 27 May 2015 11:15:44 +0200
712
bbf4cc9a
DM
713 libpve-access-control (4.0-2) unstable; urgency=medium
714
715 * trigger pve-api-updates event
716
717 -- Proxmox Support Team <support@proxmox.com> Tue, 05 May 2015 15:06:38 +0200
718
dfbcf6d3
DM
719 libpve-access-control (4.0-1) unstable; urgency=medium
720
721 * bump version for Debian Jessie
722
723 -- Proxmox Support Team <support@proxmox.com> Thu, 26 Feb 2015 11:22:01 +0100
724
94971b3a
DM
725 libpve-access-control (3.0-16) unstable; urgency=low
726
727 * root@pam can now be disabled in GUI.
728
729 -- Proxmox Support Team <support@proxmox.com> Fri, 30 Jan 2015 06:20:22 +0100
730
7b17c7cb
DM
731 libpve-access-control (3.0-15) unstable; urgency=low
732
733 * oath: add 'step' and 'digits' option
734
735 -- Proxmox Support Team <support@proxmox.com> Wed, 23 Jul 2014 06:59:52 +0200
736
1abc2c0a
DM
737 libpve-access-control (3.0-14) unstable; urgency=low
738
739 * add oath two factor auth
740
741 * add oathkeygen binary to generate keys for oath
742
743 * add yubico two factor auth
744
745 * depend on oathtool
746
747 * depend on libmime-base32-perl
30be0de9
DM
748
749 * allow to write builtin auth domains config (comment/tfa/default)
1abc2c0a
DM
750
751 -- Proxmox Support Team <support@proxmox.com> Thu, 17 Jul 2014 13:09:56 +0200
752
298450ab
DM
753 libpve-access-control (3.0-13) unstable; urgency=low
754
755 * use correct connection string for AD auth
756
757 -- Proxmox Support Team <support@proxmox.com> Thu, 22 May 2014 07:16:09 +0200
758
396034e4
DM
759 libpve-access-control (3.0-12) unstable; urgency=low
760
761 * add dummy API for GET /access/ticket (useful to generate login pages)
762
763 -- Proxmox Support Team <support@proxmox.com> Wed, 30 Apr 2014 14:47:56 +0200
764
26361123
DM
765 libpve-access-control (3.0-11) unstable; urgency=low
766
767 * Sets common hot keys for spice client
768
769 -- Proxmox Support Team <support@proxmox.com> Fri, 31 Jan 2014 10:24:28 +0100
770
3643383d
DM
771 libpve-access-control (3.0-10) unstable; urgency=low
772
773 * implement helper to generate SPICE remote-viewer configuration
774
775 * depend on libnet-ssleay-perl
776
777 -- Proxmox Support Team <support@proxmox.com> Tue, 10 Dec 2013 10:45:08 +0100
778
0baedcf7
DM
779 libpve-access-control (3.0-9) unstable; urgency=low
780
781 * prevent user enumeration attacks
e4f8fc2e
DM
782
783 * allow dots in access paths
0baedcf7
DM
784
785 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Nov 2013 09:06:38 +0100
786
d4b63eae
DM
787 libpve-access-control (3.0-8) unstable; urgency=low
788
789 * spice: use lowercase hostname in ticket signature
790
791 -- Proxmox Support Team <support@proxmox.com> Mon, 28 Oct 2013 08:11:57 +0100
792
49594944
DM
793 libpve-access-control (3.0-7) unstable; urgency=low
794
795 * check_volume_access : use parse_volname instead of path, and remove
796 path related code.
7c410d63
DM
797
798 * use warnings instead of global -w flag.
49594944
DM
799
800 -- Proxmox Support Team <support@proxmox.com> Tue, 01 Oct 2013 12:35:53 +0200
801
fe7de5d0
DM
802 libpve-access-control (3.0-6) unstable; urgency=low
803
804 * use shorter spiceproxy tickets
805
806 -- Proxmox Support Team <support@proxmox.com> Fri, 19 Jul 2013 12:39:09 +0200
807
4cdd9507
DM
808 libpve-access-control (3.0-5) unstable; urgency=low
809
810 * add code to generate tickets for SPICE
811
812 -- Proxmox Support Team <support@proxmox.com> Wed, 26 Jun 2013 13:08:32 +0200
813
677f9ab0
DM
814 libpve-access-control (3.0-4) unstable; urgency=low
815
816 * moved add_vm_to_pool/remove_vm_from_pool from qemu-server
817
818 -- Proxmox Support Team <support@proxmox.com> Tue, 14 May 2013 11:56:54 +0200
819
139a8ecf
DM
820 libpve-access-control (3.0-3) unstable; urgency=low
821
7d23b7ca
822 * Add new role PVETemplateUser (and VM.Clone privilege)
139a8ecf
DM
823
824 -- Proxmox Support Team <support@proxmox.com> Mon, 29 Apr 2013 11:42:15 +0200
825
b78ce7c2
DM
826 libpve-access-control (3.0-2) unstable; urgency=low
827
828 * remove CGI.pm related code (pveproxy does not need that)
829
830 -- Proxmox Support Team <support@proxmox.com> Mon, 15 Apr 2013 12:34:23 +0200
831
786820f9
DM
832 libpve-access-control (3.0-1) unstable; urgency=low
833
834 * bump version for wheezy release
835
836 -- Proxmox Support Team <support@proxmox.com> Fri, 15 Mar 2013 08:07:06 +0100
837
e5ae5487
DM
838 libpve-access-control (1.0-26) unstable; urgency=low
839
840 * check_volume_access: fix access permissions for backup files
841
842 -- Proxmox Support Team <support@proxmox.com> Thu, 28 Feb 2013 10:00:14 +0100
843
e3e6510c
DM
844 libpve-access-control (1.0-25) unstable; urgency=low
845
846 * add VM.Snapshot permission
847
848 -- Proxmox Support Team <support@proxmox.com> Mon, 10 Sep 2012 09:23:32 +0200
849
1e15ebe7
DM
850 libpve-access-control (1.0-24) unstable; urgency=low
851
852 * untaint path (allow root to restore arbitrary paths)
853
854 -- Proxmox Support Team <support@proxmox.com> Wed, 06 Jun 2012 13:06:34 +0200
855
437be042
DM
856 libpve-access-control (1.0-23) unstable; urgency=low
857
858 * correctly compute GUI capabilities (consider pools)
859
860 -- Proxmox Support Team <support@proxmox.com> Wed, 30 May 2012 08:47:23 +0200
861
5bb4e06a
DM
862 libpve-access-control (1.0-22) unstable; urgency=low
863
864 * new plugin architecture for Auth modules, minor API change for Auth
865 domains (new 'delete' parameter)
866
867 -- Proxmox Support Team <support@proxmox.com> Wed, 16 May 2012 07:21:44 +0200
868
3030a176
DM
869 libpve-access-control (1.0-21) unstable; urgency=low
870
871 * do not allow user names including slash
872
873 -- Proxmox Support Team <support@proxmox.com> Tue, 24 Apr 2012 10:07:47 +0200
874
875 libpve-access-control (1.0-20) unstable; urgency=low
876
877 * add ability to fork cli workers in background
878
879 -- Proxmox Support Team <support@proxmox.com> Wed, 18 Apr 2012 08:28:20 +0200
880
dd2cfee0
DM
881libpve-access-control (1.0-19) unstable; urgency=low
882
883 * return set of privileges on login - can be used to adapt GUI
884
885 -- Proxmox Support Team <support@proxmox.com> Tue, 17 Apr 2012 10:25:10 +0200
886
1cf154b7
DM
887libpve-access-control (1.0-18) unstable; urgency=low
888
7d23b7ca 889 * fix bug #151: correctly parse username inside ticket
533219a1
DM
890
891 * fix bug #152: allow user to change his own password
1cf154b7
DM
892
893 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Apr 2012 09:40:15 +0200
894
2de14407
DM
895libpve-access-control (1.0-17) unstable; urgency=low
896
897 * set propagate flag by default
898
899 -- Proxmox Support Team <support@proxmox.com> Thu, 01 Mar 2012 12:40:19 +0100
900
bdc61d7a
DM
901libpve-access-control (1.0-16) unstable; urgency=low
902
903 * add 'pveum passwd' method
904
905 -- Proxmox Support Team <support@proxmox.com> Thu, 23 Feb 2012 12:05:25 +0100
906
cc7bdf33
DM
907libpve-access-control (1.0-15) unstable; urgency=low
908
909 * Add VM.Config.CDROM privilege to PVEVMUser rule
910
911 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 11:44:23 +0100
912
a69bbe2e
DM
913libpve-access-control (1.0-14) unstable; urgency=low
914
915 * fix bug in userid-param permission check
916
917 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 10:52:35 +0100
918
d9483d94
DM
919libpve-access-control (1.0-13) unstable; urgency=low
920
921 * allow more characters in ldap base_dn attribute
922
923 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 06:17:02 +0100
924
84619607
DM
925libpve-access-control (1.0-12) unstable; urgency=low
926
927 * allow more characters with realm IDs
928
929 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Feb 2012 08:50:33 +0100
930
09d27058
DM
931libpve-access-control (1.0-11) unstable; urgency=low
932
933 * fix bug in exec_api2_perm_check
934
935 -- Proxmox Support Team <support@proxmox.com> Wed, 15 Feb 2012 07:06:30 +0100
936
7a4c849e
DM
937libpve-access-control (1.0-10) unstable; urgency=low
938
939 * fix ACL group name parser
940
941 * changed 'pveum aclmod' command line arguments
942
943 -- Proxmox Support Team <support@proxmox.com> Tue, 14 Feb 2012 12:08:02 +0100
944
3eac4e35
DM
945libpve-access-control (1.0-9) unstable; urgency=low
946
947 * fix bug in check_volume_access (fixes vzrestore)
948
949 -- Proxmox Support Team <support@proxmox.com> Mon, 13 Feb 2012 09:56:37 +0100
950
4384e19e
DM
951libpve-access-control (1.0-8) unstable; urgency=low
952
953 * fix return value for empty ACL list.
954
955 -- Proxmox Support Team <support@proxmox.com> Fri, 10 Feb 2012 11:25:04 +0100
956
d8a56966
DM
957libpve-access-control (1.0-7) unstable; urgency=low
958
959 * fix bug #85: allow root@pam to generate tickets for other users
960
961 -- Proxmox Support Team <support@proxmox.com> Tue, 17 Jan 2012 06:40:18 +0100
962
cb6f2f93
DM
963libpve-access-control (1.0-6) unstable; urgency=low
964
965 * API change: allow to filter enabled/disabled users.
966
967 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Jan 2012 12:30:37 +0100
968
272fe9ff
DM
969libpve-access-control (1.0-5) unstable; urgency=low
970
971 * add a way to return file changes (diffs): set_result_changes()
972
973 -- Proxmox Support Team <support@proxmox.com> Tue, 20 Dec 2011 11:18:48 +0100
974
e42eedbc
DM
975libpve-access-control (1.0-4) unstable; urgency=low
976
977 * new environment type for ha agents
978
979 -- Proxmox Support Team <support@proxmox.com> Tue, 13 Dec 2011 10:08:53 +0100
980
1fba27e0
DM
981libpve-access-control (1.0-3) unstable; urgency=low
982
983 * add support for delayed parameter parsing - We need that to disable
7d23b7ca 984 file upload for normal API request (avoid DOS attacks)
1fba27e0
DM
985
986 -- Proxmox Support Team <support@proxmox.com> Fri, 02 Dec 2011 09:56:10 +0100
987
5bf71a96
DM
988libpve-access-control (1.0-2) unstable; urgency=low
989
990 * fix bug in fork_worker
991
992 -- Proxmox Support Team <support@proxmox.com> Tue, 11 Oct 2011 08:37:05 +0200
993
2c3a6c0a
DM
994libpve-access-control (1.0-1) unstable; urgency=low
995
996 * allow '-' in permission paths
997
998 * bump version to 1.0
999
1000 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Jun 2011 13:51:48 +0200
1001
1002libpve-access-control (0.1) unstable; urgency=low
1003
1004 * first dummy package - no functionality
1005
1006 -- Proxmox Support Team <support@proxmox.com> Thu, 09 Jul 2009 16:03:00 +0200
1007