git.proxmox.com Git - pve-access-control.git/blame - debian/changelog
api: tfa: add missing links for child-routes
Commit Line Data
ebf82c77
TL
1libpve-access-control (8.0.1) bookworm; urgency=medium
2
3 * tfa: cope with native versions in cluster version check
4
5 -- Proxmox Support Team <support@proxmox.com> Fri, 09 Jun 2023 16:12:01 +0200
6
6004f25e
TL
7libpve-access-control (8.0.0) bookworm; urgency=medium
8
9 * api: roles: forbid creating new roles starting with "PVE" namespace
10
11 -- Proxmox Support Team <support@proxmox.com> Fri, 09 Jun 2023 10:14:28 +0200
12
8e8023b1
TL
13libpve-access-control (8.0.0~3) bookworm; urgency=medium
14
15 * rpcenv: api permission heuristic: query Sys.Modify for root ACL-path
16
17 * access control: add /sdn/zones/<zone>/<vnet>/<vlan> ACL object path
18
19 * add helper for checking bridge access
20
21 * add new SDN.Use privilege in PVESDNUser role, allowing one to specify
22 which users are allowed to use a bridge (or vnet, if SDN is installed)
23
24 * add privileges and paths for cluster resource mapping
25
26 -- Proxmox Support Team <support@proxmox.com> Wed, 07 Jun 2023 19:06:54 +0200
27
3ef602fe
TL
28libpve-access-control (8.0.0~2) bookworm; urgency=medium
29
30 * api: user index: only include existing tfa lock flags
31
32 * add realm-sync plugin for jobs and CRUD api for realm-sync-jobs
33
34 * roles: only include Permissions.Modify in Administrator built-in role.
35 As, depending on the ACL object path, this privilege might allow one to
36 change their own permissions, which was making the distinction between
37 Admin and PVEAdmin irrelevant.
38
39 * acls: restrict less-privileged ACL modifications. Through allocate
40 permissions in pools, storages and virtual guests one can do some ACL
41 modifications without having the Permissions.Modify privilege, lock those
42 better down to ensure that one can only hand out the subset of their
43 own privileges, never more. Note that this is mostly future proofing, as
44 the ACL object paths one could give out more permissions were already
45 limiting the scope.
46
47 -- Proxmox Support Team <support@proxmox.com> Wed, 07 Jun 2023 11:34:30 +0200
48
f63364a7
WB
49libpve-access-control (8.0.0~1) bookworm; urgency=medium
50
51 * bump pve-rs dependency to 0.8.3
52
53 * drop old verify_tfa api call (POST /access/tfa)
54
55 * drop support for old login API:
56 - 'new-format' is now considered to be 1 and ignored by the API
57
58 * pam auth: set PAM_RHOST to allow pam configs to log/restrict/... by remote
59 address
60
61 * cli: add 'pveum tfa list'
62
63 * cli: add 'pveum tfa unlock'
64
65 * enable lockout of TFA:
66 - too many TOTP attempts will lock out of TOTP
67 - using a recovery key will unlock TOTP
68 - too many TFA attempts will lock a user's TFA auth for an hour
69
70 * api: add /access/users/<userid>/unlock-tfa to unlock a user's TFA
71 authentication if it was locked by too many wrong 2nd factor login attempts
72
73 * api: /access/tfa and /access/users now include the tfa lockout status
74
75 -- Proxmox Support Team <support@proxmox.com> Mon, 05 Jun 2023 14:52:29 +0200
76
a3dc6ff4
TL
77libpve-access-control (7.99.0) bookworm; urgency=medium
78
79 * initial re-build for Proxmox VE 8.x series
80
81 * switch to native versioning
82
83 -- Proxmox Support Team <support@proxmox.com> Sun, 21 May 2023 10:34:19 +0200
84
f2762a03
WB
85libpve-access-control (7.4-3) bullseye; urgency=medium
86
87 * use new 2nd factor verification from pve-rs
88
89 -- Proxmox Support Team <support@proxmox.com> Tue, 16 May 2023 13:31:28 +0200
90
f0595d15
TL
91libpve-access-control (7.4-2) bullseye; urgency=medium
92
93 * fix #4609: fix regression where a valid DN in the ldap/ad realm config
94 wasn't accepted anymore
95
96 -- Proxmox Support Team <support@proxmox.com> Thu, 23 Mar 2023 15:44:21 +0100
97
a23eaa1a
TL
98libpve-access-control (7.4-1) bullseye; urgency=medium
99
100 * realm sync: refactor scope/remove-vanished into a standard option
101
102 * ldap: Allow quoted values for DN attribute values
103
104 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Mar 2023 17:16:11 +0100
105
df33b3b9
TL
106libpve-access-control (7.3-2) bullseye; urgency=medium
107
108 * fix #4518: dramatically improve ACL computation performance
109
110 * userid format: clarify that this is the full name@realm in description
111
112 -- Proxmox Support Team <support@proxmox.com> Mon, 06 Mar 2023 11:40:11 +0100
113
2da8c203
TL
114libpve-access-control (7.3-1) bullseye; urgency=medium
115
116 * realm: sync: allow explicit 'none' for 'remove-vanished' option
117
118 -- Proxmox Support Team <support@proxmox.com> Fri, 16 Dec 2022 13:11:04 +0100
119
b84bf623
TL
120libpve-access-control (7.2-5) bullseye; urgency=medium
121
122 * api: realm sync: avoid separate log line for "remove-vanished" opt
123
124 * auth ldap/ad: compare group member dn case-insensitively
125
126 * two factor auth: only lock tfa config for recovery keys
127
128 * privs: add Sys.Incoming for guarding cross-cluster data streams like guest
129 migrations and storage migrations
130
131 -- Proxmox Support Team <support@proxmox.com> Thu, 17 Nov 2022 13:09:17 +0100
132
f4e68e49
TL
133libpve-access-control (7.2-4) bullseye; urgency=medium
134
135 * fix #4074: increase API OpenID code size limit to 2048
136
137 * auth key: protect against rare chance of a double rotation in clusters,
138 leaving the potential that some set of nodes have the earlier key cached,
139 that then got rotated out due to the race, resulting in a possible other
140 set of nodes having the newer key cached. This is a split view of the auth
141 key and may result in spurious failures if API requests are made to a
142 different node than the ticket was generated on.
143 In addition to that, the "keep validity of old tickets if signed in the
144 last two hours before rotation" logic was disabled too in such a case,
145 making such tickets invalid too early.
146 Note that both are cases where Proxmox VE was too strict, so while this
147 had no security implications it can be a nuisance, especially for
148 environments that use the API through an automated or scripted way
149
150 -- Proxmox Support Team <support@proxmox.com> Thu, 14 Jul 2022 08:36:51 +0200
151
26dde491
TL
152libpve-access-control (7.2-3) bullseye; urgency=medium
153
154 * api: token: use userid-group as API perm check to avoid being overly
155 strict through a misguided use of user id for non-root users.
156
157 * perm check: forbid undefined/empty ACL path for future proofing against
158 above issue
159
160 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Jun 2022 15:51:14 +0200
161
1cf4389b
TL
162libpve-access-control (7.2-2) bullseye; urgency=medium
163
164 * permissions: merge propagation flag for multiple roles on a path that
165 share privilege in a deterministic way, to avoid that it gets lost
166 depending on perl's random sort, which would result in returning less
167 privileges than an auth-id actually had.
168
169 * permissions: avoid that token and user privilege intersection is too strict
170 for user permissions that have propagation disabled.
171
172 -- Proxmox Support Team <support@proxmox.com> Fri, 03 Jun 2022 14:02:30 +0200
173
e3604d48
TL
174libpve-access-control (7.2-1) bullseye; urgency=medium
175
176 * user check: fix expiration/enable order
177
178 -- Proxmox Support Team <support@proxmox.com> Tue, 31 May 2022 13:43:37 +0200
179
79ae250f
TL
180libpve-access-control (7.1-8) bullseye; urgency=medium
181
182 * fix #3668: realm-sync: replace 'full' & 'purge' with 'remove-
183 vanished'
184
185 -- Proxmox Support Team <support@proxmox.com> Thu, 28 Apr 2022 17:02:46 +0200
186
eed46286
TL
187libpve-access-control (7.1-7) bullseye; urgency=medium
188
189 * userid-group check: distinguish create and update
190
191 * api: get user: declare token schema
192
193 -- Proxmox Support Team <support@proxmox.com> Mon, 21 Mar 2022 16:15:23 +0100
194
cd78b295
FG
195libpve-access-control (7.1-6) bullseye; urgency=medium
196
197 * fix #3768: warn on bad u2f or webauthn settings
198
199 * tfa: when modifying others, verify the current user's password
200
201 * tfa list: account for admin permissions
202
203 * fix realm sync permissions
204
205 * fix token permission display bug
206
207 * include SDN permissions in permission tree
208
209 -- Proxmox Support Team <support@proxmox.com> Fri, 21 Jan 2022 14:20:42 +0100
210
118088d8
TL
211libpve-access-control (7.1-5) bullseye; urgency=medium
212
213 * openid: fix username-claim fallback
214
215 -- Proxmox Support Team <support@proxmox.com> Thu, 25 Nov 2021 07:57:38 +0100
216
ebb14277
WB
217libpve-access-control (7.1-4) bullseye; urgency=medium
218
219 * set current origin in the webauthn config if no fixed origin was
220 configured, to support webauthn via subdomains
221
222 -- Proxmox Support Team <support@proxmox.com> Mon, 22 Nov 2021 14:04:06 +0100
223
44a55ff7
TL
224libpve-access-control (7.1-3) bullseye; urgency=medium
225
226 * openid: allow arbitrary username-claims
227
228 * openid: support configuring the prompt, scopes and ACR values
229
230 -- Proxmox Support Team <support@proxmox.com> Fri, 19 Nov 2021 08:11:52 +0100
231
6f643e79
TL
232libpve-access-control (7.1-2) bullseye; urgency=medium
233
234 * catch incompatible tfa entries with a nice error
235
236 -- Proxmox Support Team <support@proxmox.com> Wed, 17 Nov 2021 13:44:45 +0100
237
92bca71e
TL
238libpve-access-control (7.1-1) bullseye; urgency=medium
239
240 * tfa: map HTTP 404 error in get_tfa_entry correctly
241
242 -- Proxmox Support Team <support@proxmox.com> Mon, 15 Nov 2021 15:33:22 +0100
243
1c9b6501
TL
244libpve-access-control (7.0-7) bullseye; urgency=medium
245
246 * fix #3513: pass configured proxy to OpenID
247
248 * use rust based parser for TFA config
249
250 * use PBS-like auth api call flow,
251
252 * merge old user.cfg keys to tfa config when adding entries
253
254 * implement version checks for new tfa config writer to ensure all
255 cluster nodes are ready to avoid login issues
256
257 * tickets: add tunnel ticket
258
259 -- Proxmox Support Team <support@proxmox.com> Thu, 11 Nov 2021 18:17:49 +0100
260
cd46b379
TL
261libpve-access-control (7.0-6) bullseye; urgency=medium
262
263 * fix regression in user deletion when realm does not enforce TFA
264
265 -- Proxmox Support Team <support@proxmox.com> Thu, 21 Oct 2021 12:28:52 +0200
266
52da88a8
TL
267libpve-access-control (7.0-5) bullseye; urgency=medium
268
269 * acl: check path: add /sdn/vnets/* path
270
271 * fix #2302: allow deletion of users when realm enforces TFA
272
273 * api: delete user: disable user first to avoid surprise on error during the
274 various cleanup action required for user deletion (e.g., TFA, ACL, group)
275
276 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Sep 2021 15:50:47 +0200
277
543d646c
TL
278libpve-access-control (7.0-4) bullseye; urgency=medium
279
280 * realm: add OpenID configuration
281
282 * api: implement OpenID related endpoints
283
284 * implement opt-in OpenID autocreate user feature
285
286 * api: user: add 'realm-type' to user list response
287
288 -- Proxmox Support Team <support@proxmox.com> Fri, 02 Jul 2021 13:45:46 +0200
289
7a4c4fd8
TL
290libpve-access-control (7.0-3) bullseye; urgency=medium
291
292 * api: acl: add missing `/access/realm/<realm>`, `/access/group/<group>` and
293 `/sdn/zones/<zone>` to allowed ACL paths
294
295 -- Proxmox Support Team <support@proxmox.com> Mon, 21 Jun 2021 10:31:19 +0200
296
0902a936
FG
297libpve-access-control (7.0-2) bullseye; urgency=medium
298
299 * fix #3402: add Pool.Audit privilege - custom roles containing
300 Pool.Allocate must be updated to include the new privilege.
301
302 -- Proxmox Support Team <support@proxmox.com> Tue, 1 Jun 2021 11:28:38 +0200
303
67febb69
TL
304libpve-access-control (7.0-1) bullseye; urgency=medium
305
306 * re-build for Debian 11 Bullseye based releases
307
308 -- Proxmox Support Team <support@proxmox.com> Sun, 09 May 2021 18:18:23 +0200
309
2942ba41
TL
310libpve-access-control (6.4-1) pve; urgency=medium
311
312 * fix #1670: change PAM service name to project specific name
313
314 * fix #1500: permission path syntax check for access control
315
316 * pveum: add resource pool CLI commands
317
318 -- Proxmox Support Team <support@proxmox.com> Sat, 24 Apr 2021 19:48:21 +0200
319
54d312f3
TL
320libpve-access-control (6.1-3) pve; urgency=medium
321
322 * partially fix #2825: authkey: rotate if it was generated in the
323 future
324
325 * fix #2947: add an option to LDAP or AD realm to switch user lookup to case
326 insensitive
327
328 -- Proxmox Support Team <support@proxmox.com> Tue, 29 Sep 2020 08:54:13 +0200
329
6a9be12f
TL
330libpve-access-control (6.1-2) pve; urgency=medium
331
332 * also check SDN permission path when computing coarse permissions heuristic
333 for UIs
334
335 * add SDN Permissions.Modify
336
337 * add VM.Config.Cloudinit
338
339 -- Proxmox Support Team <support@proxmox.com> Tue, 30 Jun 2020 13:06:56 +0200
340
e6624f50
TL
341libpve-access-control (6.1-1) pve; urgency=medium
342
343 * pveum: add tfa delete subcommand for deleting user-TFA
344
345 * LDAP: don't complain about missing credentials on realm removal
346
347 * LDAP: skip anonymous bind when client certificate and key is configured
348
349 -- Proxmox Support Team <support@proxmox.com> Fri, 08 May 2020 17:47:41 +0200
350
8f4a522f
TL
351libpve-access-control (6.0-7) pve; urgency=medium
352
353 * fix #2575: die when trying to edit built-in roles
354
355 * add realm sub commands to pveum CLI tool
356
7d23b7ca 357 * api: domains: add user group sync API endpoint
8f4a522f
TL
358
359 * allow one to sync and import users and groups from LDAP/AD based realms
360
361 * realm: add default-sync-options to config for more convenient sync configuration
362
363 * api: token create: return also full token id for convenience
364
365 -- Proxmox Support Team <support@proxmox.com> Sat, 25 Apr 2020 19:35:17 +0200
366
23059f35
TL
367libpve-access-control (6.0-6) pve; urgency=medium
368
369 * API: add group members to group index
370
371 * implement API token support and management
372
373 * pveum: add 'pveum user token add/update/remove/list'
374
375 * pveum: add permissions sub-commands
376
377 * API: add 'permissions' API endpoint
378
379 * user.cfg: skip inexisting roles when parsing ACLs
380
381 -- Proxmox Support Team <support@proxmox.com> Wed, 29 Jan 2020 10:17:27 +0100
382
3dd692e9
TL
383libpve-access-control (6.0-5) pve; urgency=medium
384
385 * pveum: add list command for users, groups, ACLs and roles
386
387 * add initial permissions for experimental SDN integration
388
389 -- Proxmox Support Team <support@proxmox.com> Tue, 26 Nov 2019 17:56:37 +0100
390
4ef92d0d
FG
391libpve-access-control (6.0-4) pve; urgency=medium
392
393 * ticket: use clinfo to get cluster name
394
395 * ldaps: add sslversion configuration property to support TLS 1.1 to 1.3 as
396 SSL version
397
398 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Nov 2019 11:55:11 +0100
399
6e5bbca4
TL
400libpve-access-control (6.0-3) pve; urgency=medium
401
402 * fix #2433: increase possible TFA secret length
403
404 * parse user configuration: correctly parse group names in ACLs, for users
405 which begin their name with an @
406
407 * sort user.cfg entries alphabetically
408
409 -- Proxmox Support Team <support@proxmox.com> Tue, 29 Oct 2019 08:52:23 +0100
410
e073493c
TL
411libpve-access-control (6.0-2) pve; urgency=medium
412
413 * improve CSRF verification compatibility with newer PVE
414
415 -- Proxmox Support Team <support@proxmox.com> Wed, 26 Jun 2019 20:24:35 +0200
416
a237dc2e
TL
417libpve-access-control (6.0-1) pve; urgency=medium
418
419 * ticket: properly verify exactly 5 minute old tickets
420
421 * use hmac_sha256 instead of sha1 for CSRF token generation
422
423 -- Proxmox Support Team <support@proxmox.com> Mon, 24 Jun 2019 18:14:45 +0200
424
f1531f22
TL
425libpve-access-control (6.0-0+1) pve; urgency=medium
426
427 * bump for Debian buster
428
429 * fix #2079: add periodic auth key rotation
430
431 -- Proxmox Support Team <support@proxmox.com> Tue, 21 May 2019 21:31:15 +0200
432
ef761f51
TL
433libpve-access-control (5.1-10) unstable; urgency=medium
434
435 * add /access/user/{id}/tfa api call to get tfa types
436
437 -- Proxmox Support Team <support@proxmox.com> Wed, 15 May 2019 16:21:10 +0200
438
860ddcba
TL
439libpve-access-control (5.1-9) unstable; urgency=medium
440
441 * store the tfa type in user.cfg allowing to get it without proxying the call
7d23b7ca 442 to a higher privileged daemon.
860ddcba
TL
443
444 * tfa: realm required TFA should lock out users without TFA configured, as it
445 was done before Proxmox VE 5.4
446
447 -- Proxmox Support Team <support@proxmox.com> Tue, 30 Apr 2019 14:01:00 +0000
448
9fbad012
TL
449libpve-access-control (5.1-8) unstable; urgency=medium
450
451 * U2F: ensure we save correct public key on registration
452
453 -- Proxmox Support Team <support@proxmox.com> Tue, 09 Apr 2019 12:47:12 +0200
454
4473c96c
TL
455libpve-access-control (5.1-7) unstable; urgency=medium
456
457 * verify_ticket: allow general non-challenge tfa to be run as two step
458 call
459
460 -- Proxmox Support Team <support@proxmox.com> Mon, 08 Apr 2019 16:56:14 +0200
461
a270d4e1
TL
462libpve-access-control (5.1-6) unstable; urgency=medium
463
464 * more general 2FA configuration via priv/tfa.cfg
465
466 * add u2f api endpoints
467
468 * delete TFA entries when deleting a user
469
470 * allow users to change their TOTP settings
471
472 -- Proxmox Support Team <support@proxmox.com> Wed, 03 Apr 2019 13:40:26 +0200
473
374647e8
TL
474libpve-access-control (5.1-5) unstable; urgency=medium
475
476 * fix vnc ticket verification without authkey lifetime
477
478 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Mar 2019 10:43:17 +0100
479
7fb70c94
TL
480libpve-access-control (5.1-4) unstable; urgency=medium
481
482 * fix #1891: Add zsh command completion for pveum
483
484 * ground work to fix #2079: add periodic auth key rotation. Not yet enabled
485 to avoid issues on upgrade, will be enabled with 6.0
486
487 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Mar 2019 09:12:05 +0100
488
6e010cde
TL
489libpve-access-control (5.1-3) unstable; urgency=medium
490
491 * api/ticket: move getting cluster name into an eval
492
493 -- Proxmox Support Team <support@proxmox.com> Thu, 29 Nov 2018 12:59:36 +0100
494
f5a9380a
TL
495libpve-access-control (5.1-2) unstable; urgency=medium
496
497 * fix #1998: correct return properties for read_role
498
499 -- Proxmox Support Team <support@proxmox.com> Fri, 23 Nov 2018 14:22:40 +0100
500
b54b7474
TL
501libpve-access-control (5.1-1) unstable; urgency=medium
502
503 * pveum: introduce sub-commands
504
505 * register userid with completion
506
507 * fix #233: return cluster name on successful login
508
509 -- Proxmox Support Team <support@proxmox.com> Thu, 15 Nov 2018 09:34:47 +0100
510
52192dd4
WB
511libpve-access-control (5.0-8) unstable; urgency=medium
512
513 * fix #1612: ldap: make 2nd server work with bind domains again
514
515 * fix an error message where passing a bad pool id to an API function would
516 make it complain about a wrong group name instead
517
518 * fix the API-returned permission list so that the GUI knows to show the
519 'Permissions' tab for a storage to an administrator apart from root@pam
520
521 -- Proxmox Support Team <support@proxmox.com> Thu, 18 Jan 2018 13:34:50 +0100
522
3dadf8cf
FG
523libpve-access-control (5.0-7) unstable; urgency=medium
524
525 * VM.Snapshot.Rollback privilege added
526
527 * api: check for special roles before locking the usercfg
528
529 * fix #1501: pveum: die when deleting special role
530
531 * API/ticket: rework coarse grained permission computation
532
533 -- Proxmox Support Team <support@proxmox.com> Thu, 5 Oct 2017 11:27:48 +0200
534
ec4141f4
WB
535libpve-access-control (5.0-6) unstable; urgency=medium
536
537 * Close #1470: Add server certificate verification for AD and LDAP via the
538 'verify' option. For compatibility reasons this defaults to off for now,
539 but that might change with future updates.
540
541 * AD, LDAP: Add ability to specify a CA path or file, and a client
542 certificate via the 'capath', 'cert' and 'certkey' options.
543
544 -- Proxmox Support Team <support@proxmox.com> Tue, 08 Aug 2017 11:56:38 +0200
545
63134bd4
DM
546libpve-access-control (5.0-5) unstable; urgency=medium
547
548 * change from dpkg-deb to dpkg-buildpackage
549
550 -- Proxmox Support Team <support@proxmox.com> Thu, 22 Jun 2017 09:12:37 +0200
551
868fb1ea
DM
552libpve-access-control (5.0-4) unstable; urgency=medium
553
554 * PVE/CLI/pveum.pm: call setup_default_cli_env()
555
556 * PVE/Auth/PVE.pm: encode utf8 password before calling crypt
557
558 * check_api2_permissions: avoid warning about uninitialized value
559
560 -- Proxmox Support Team <support@proxmox.com> Tue, 02 May 2017 11:58:15 +0200
561
63358f40
DM
562libpve-access-control (5.0-3) unstable; urgency=medium
563
564 * use new PVE::OTP class from pve-common
565
566 * use new PVE::Tools::encrypt_pw from pve-common
567
568 -- Proxmox Support Team <support@proxmox.com> Thu, 30 Mar 2017 17:45:55 +0200
569
05fd50af
DM
570libpve-access-control (5.0-2) unstable; urgency=medium
571
572 * encrypt_pw: avoid '+' for crypt salt
573
574 -- Proxmox Support Team <support@proxmox.com> Thu, 30 Mar 2017 08:54:10 +0200
575
0835385b
FG
576libpve-access-control (5.0-1) unstable; urgency=medium
577
578 * rebuild for PVE 5.0
579
580 -- Proxmox Support Team <support@proxmox.com> Mon, 6 Mar 2017 13:42:01 +0100
581
730f8863
DM
582libpve-access-control (4.0-23) unstable; urgency=medium
583
584 * use new PVE::Ticket class
585
586 -- Proxmox Support Team <support@proxmox.com> Thu, 19 Jan 2017 13:42:06 +0100
587
1f1c4593
DM
588libpve-access-control (4.0-22) unstable; urgency=medium
589
590 * RPCEnvironment: removed check_volume_access() to avoid cyclic dependency
591 (moved to PVE::Storage)
592
593 * PVE::PCEnvironment: use new PVE::RESTEnvironment as base class
594
595 -- Proxmox Support Team <support@proxmox.com> Thu, 19 Jan 2017 09:12:04 +0100
596
f9105063
DM
597libpve-access-control (4.0-21) unstable; urgency=medium
598
599 * setup_default_cli_env: expect $class as first parameter
600
601 -- Proxmox Support Team <support@proxmox.com> Thu, 12 Jan 2017 13:54:27 +0100
602
9595066e
DM
603libpve-access-control (4.0-20) unstable; urgency=medium
604
605 * PVE/RPCEnvironment.pm: new function setup_default_cli_env
606
607 * PVE/API2/Domains.pm: fix property description
608
609 * use new repoman for upload target
610
611 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Jan 2017 12:13:26 +0100
612
2af5a793
DM
613libpve-access-control (4.0-19) unstable; urgency=medium
614
615 * Close #833: ldap: non-anonymous bind support
616
617 * don't import 'RFC' from MIME::Base32
618
619 -- Proxmox Support Team <support@proxmox.com> Fri, 05 Aug 2016 13:09:08 +0200
620
5d87bb77
WB
621libpve-access-control (4.0-18) unstable; urgency=medium
622
623 * fix #1062: recognize base32 otp keys again
624
625 -- Proxmox Support Team <support@proxmox.com> Thu, 21 Jul 2016 08:43:18 +0200
626
28ddf48b
WB
627libpve-access-control (4.0-17) unstable; urgency=medium
628
629 * drop oathtool and libdigest-hmac-perl dependencies
630
631 -- Proxmox Support Team <support@proxmox.com> Mon, 11 Jul 2016 12:03:22 +0200
632
15cebb28
DM
633libpve-access-control (4.0-16) unstable; urgency=medium
634
635 * use pve-doc-generator to generate man pages
636
637 -- Proxmox Support Team <support@proxmox.com> Fri, 08 Apr 2016 07:06:05 +0200
638
678df887
DM
639libpve-access-control (4.0-15) unstable; urgency=medium
640
641 * Fix uninitialized warning when shadow.cfg does not exist
642
643 -- Proxmox Support Team <support@proxmox.com> Fri, 01 Apr 2016 07:10:57 +0200
644
cca9761a
DM
645libpve-access-control (4.0-14) unstable; urgency=medium
646
647 * Add is_worker to RPCEnvironment
648
649 -- Proxmox Support Team <support@proxmox.com> Tue, 15 Mar 2016 16:47:34 +0100
650
8643c99d
DM
651libpve-access-control (4.0-13) unstable; urgency=medium
652
653 * fix #916: allow HTTPS to access custom yubico url
654
655 -- Proxmox Support Team <support@proxmox.com> Mon, 14 Mar 2016 11:39:23 +0100
656
ae2a6bf9
DM
657libpve-access-control (4.0-12) unstable; urgency=medium
658
659 * Catch certificate errors instead of segfaulting
660
661 -- Proxmox Support Team <support@proxmox.com> Wed, 09 Mar 2016 14:41:01 +0100
662
4836db5f
DM
663libpve-access-control (4.0-11) unstable; urgency=medium
664
665 * Fix #861: use safer sprintf formatting
666
667 -- Proxmox Support Team <support@proxmox.com> Fri, 08 Jan 2016 12:52:39 +0100
668
ccbe23dc
DM
669libpve-access-control (4.0-10) unstable; urgency=medium
670
671 * Auth::LDAP, Auth::AD: ipv6 support
672
673 -- Proxmox Support Team <support@proxmox.com> Thu, 03 Dec 2015 12:09:32 +0100
674
90399ca4
DM
675libpve-access-control (4.0-9) unstable; urgency=medium
676
677 * pveum: implement bash completion
678
679 -- Proxmox Support Team <support@proxmox.com> Thu, 01 Oct 2015 17:22:52 +0200
680
364ffc13
DM
681libpve-access-control (4.0-8) unstable; urgency=medium
682
683 * remove_storage_access: cleanup of access permissions for removed storage
684
685 -- Proxmox Support Team <support@proxmox.com> Wed, 19 Aug 2015 15:39:15 +0200
686
7c26cb4a
DM
687libpve-access-control (4.0-7) unstable; urgency=medium
688
689 * new helper to remove access permissions for removed VMs
690
691 -- Proxmox Support Team <support@proxmox.com> Fri, 14 Aug 2015 07:57:02 +0200
692
296afbd1
DM
693libpve-access-control (4.0-6) unstable; urgency=medium
694
695 * improve parse_user_config, parse_shadow_config
696
697 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Jul 2015 13:14:33 +0200
698
7d2df2ef
DM
699libpve-access-control (4.0-5) unstable; urgency=medium
700
701 * pveum: check for $cmd being defined
702
703 -- Proxmox Support Team <support@proxmox.com> Wed, 10 Jun 2015 10:40:15 +0200
704
98a34e3f
DM
705libpve-access-control (4.0-4) unstable; urgency=medium
706
707 * use activate-noawait triggers
708
709 -- Proxmox Support Team <support@proxmox.com> Mon, 01 Jun 2015 12:25:31 +0200
710
15462727
DM
711libpve-access-control (4.0-3) unstable; urgency=medium
712
713 * IPv6 fixes
714
715 * non-root buildfix
716
717 -- Proxmox Support Team <support@proxmox.com> Wed, 27 May 2015 11:15:44 +0200
718
bbf4cc9a
DM
719libpve-access-control (4.0-2) unstable; urgency=medium
720
721 * trigger pve-api-updates event
722
723 -- Proxmox Support Team <support@proxmox.com> Tue, 05 May 2015 15:06:38 +0200
724
dfbcf6d3
DM
725libpve-access-control (4.0-1) unstable; urgency=medium
726
727 * bump version for Debian Jessie
728
729 -- Proxmox Support Team <support@proxmox.com> Thu, 26 Feb 2015 11:22:01 +0100
730
94971b3a
DM
731libpve-access-control (3.0-16) unstable; urgency=low
732
733 * root@pam can now be disabled in GUI.
734
735 -- Proxmox Support Team <support@proxmox.com> Fri, 30 Jan 2015 06:20:22 +0100
736
7b17c7cb
DM
737libpve-access-control (3.0-15) unstable; urgency=low
738
739 * oath: add 'step' and 'digits' option
740
741 -- Proxmox Support Team <support@proxmox.com> Wed, 23 Jul 2014 06:59:52 +0200
742
1abc2c0a
DM
743libpve-access-control (3.0-14) unstable; urgency=low
744
745 * add oath two factor auth
746
747 * add oathkeygen binary to generate keys for oath
748
749 * add yubico two factor auth
750
751 * depend on oathtool
752
753 * depend on libmime-base32-perl
30be0de9
DM
754
755 * allow to write builtin auth domains config (comment/tfa/default)
1abc2c0a
DM
756
757 -- Proxmox Support Team <support@proxmox.com> Thu, 17 Jul 2014 13:09:56 +0200
758
298450ab
DM
759libpve-access-control (3.0-13) unstable; urgency=low
760
761 * use correct connection string for AD auth
762
763 -- Proxmox Support Team <support@proxmox.com> Thu, 22 May 2014 07:16:09 +0200
764
396034e4
DM
765libpve-access-control (3.0-12) unstable; urgency=low
766
767 * add dummy API for GET /access/ticket (useful to generate login pages)
768
769 -- Proxmox Support Team <support@proxmox.com> Wed, 30 Apr 2014 14:47:56 +0200
770
26361123
DM
771libpve-access-control (3.0-11) unstable; urgency=low
772
773 * Sets common hot keys for spice client
774
775 -- Proxmox Support Team <support@proxmox.com> Fri, 31 Jan 2014 10:24:28 +0100
776
3643383d
DM
777libpve-access-control (3.0-10) unstable; urgency=low
778
779 * implement helper to generate SPICE remote-viewer configuration
780
781 * depend on libnet-ssleay-perl
782
783 -- Proxmox Support Team <support@proxmox.com> Tue, 10 Dec 2013 10:45:08 +0100
784
0baedcf7
DM
785libpve-access-control (3.0-9) unstable; urgency=low
786
787 * prevent user enumeration attacks
e4f8fc2e
DM
788
789 * allow dots in access paths
0baedcf7
DM
790
791 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Nov 2013 09:06:38 +0100
792
d4b63eae
DM
793libpve-access-control (3.0-8) unstable; urgency=low
794
795 * spice: use lowercase hostname in ticket signature
796
797 -- Proxmox Support Team <support@proxmox.com> Mon, 28 Oct 2013 08:11:57 +0100
798
49594944
DM
799libpve-access-control (3.0-7) unstable; urgency=low
800
801 * check_volume_access : use parse_volname instead of path, and remove
802 path related code.
7c410d63
DM
803
804 * use warnings instead of global -w flag.
49594944
DM
805
806 -- Proxmox Support Team <support@proxmox.com> Tue, 01 Oct 2013 12:35:53 +0200
807
fe7de5d0
DM
808libpve-access-control (3.0-6) unstable; urgency=low
809
810 * use shorter spiceproxy tickets
811
812 -- Proxmox Support Team <support@proxmox.com> Fri, 19 Jul 2013 12:39:09 +0200
813
4cdd9507
DM
814libpve-access-control (3.0-5) unstable; urgency=low
815
816 * add code to generate tickets for SPICE
817
818 -- Proxmox Support Team <support@proxmox.com> Wed, 26 Jun 2013 13:08:32 +0200
819
677f9ab0
DM
820libpve-access-control (3.0-4) unstable; urgency=low
821
822 * moved add_vm_to_pool/remove_vm_from_pool from qemu-server
823
824 -- Proxmox Support Team <support@proxmox.com> Tue, 14 May 2013 11:56:54 +0200
825
139a8ecf
DM
826libpve-access-control (3.0-3) unstable; urgency=low
827
7d23b7ca 828 * Add new role PVETemplateUser (and VM.Clone privilege)
139a8ecf
DM
829
830 -- Proxmox Support Team <support@proxmox.com> Mon, 29 Apr 2013 11:42:15 +0200
831
b78ce7c2
DM
832libpve-access-control (3.0-2) unstable; urgency=low
833
834 * remove CGI.pm related code (pveproxy does not need that)
835
836 -- Proxmox Support Team <support@proxmox.com> Mon, 15 Apr 2013 12:34:23 +0200
837
786820f9
DM
838libpve-access-control (3.0-1) unstable; urgency=low
839
840 * bump version for wheezy release
841
842 -- Proxmox Support Team <support@proxmox.com> Fri, 15 Mar 2013 08:07:06 +0100
843
e5ae5487
DM
844libpve-access-control (1.0-26) unstable; urgency=low
845
846 * check_volume_access: fix access permissions for backup files
847
848 -- Proxmox Support Team <support@proxmox.com> Thu, 28 Feb 2013 10:00:14 +0100
849
e3e6510c
DM
850libpve-access-control (1.0-25) unstable; urgency=low
851
852 * add VM.Snapshot permission
853
854 -- Proxmox Support Team <support@proxmox.com> Mon, 10 Sep 2012 09:23:32 +0200
855
1e15ebe7
DM
856libpve-access-control (1.0-24) unstable; urgency=low
857
858 * untaint path (allow root to restore arbitrary paths)
859
860 -- Proxmox Support Team <support@proxmox.com> Wed, 06 Jun 2012 13:06:34 +0200
861
437be042
DM
862libpve-access-control (1.0-23) unstable; urgency=low
863
864 * correctly compute GUI capabilities (consider pools)
865
866 -- Proxmox Support Team <support@proxmox.com> Wed, 30 May 2012 08:47:23 +0200
867
5bb4e06a
DM
868libpve-access-control (1.0-22) unstable; urgency=low
869
870 * new plugin architecture for Auth modules, minor API change for Auth
871 domains (new 'delete' parameter)
872
873 -- Proxmox Support Team <support@proxmox.com> Wed, 16 May 2012 07:21:44 +0200
874
3030a176
DM
875libpve-access-control (1.0-21) unstable; urgency=low
876
877 * do not allow user names including slash
878
879 -- Proxmox Support Team <support@proxmox.com> Tue, 24 Apr 2012 10:07:47 +0200
880
881libpve-access-control (1.0-20) unstable; urgency=low
882
883 * add ability to fork cli workers in background
884
885 -- Proxmox Support Team <support@proxmox.com> Wed, 18 Apr 2012 08:28:20 +0200
886
dd2cfee0
DM
887libpve-access-control (1.0-19) unstable; urgency=low
888
889 * return set of privileges on login - can be used to adapt GUI
890
891 -- Proxmox Support Team <support@proxmox.com> Tue, 17 Apr 2012 10:25:10 +0200
892
1cf154b7
DM
893libpve-access-control (1.0-18) unstable; urgency=low
894
7d23b7ca 895 * fix bug #151: correctly parse username inside ticket
533219a1
DM
896
897 * fix bug #152: allow user to change his own password
1cf154b7
DM
898
899 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Apr 2012 09:40:15 +0200
900
2de14407
DM
901libpve-access-control (1.0-17) unstable; urgency=low
902
903 * set propagate flag by default
904
905 -- Proxmox Support Team <support@proxmox.com> Thu, 01 Mar 2012 12:40:19 +0100
906
bdc61d7a
DM
907libpve-access-control (1.0-16) unstable; urgency=low
908
909 * add 'pveum passwd' method
910
911 -- Proxmox Support Team <support@proxmox.com> Thu, 23 Feb 2012 12:05:25 +0100
912
cc7bdf33
DM
913libpve-access-control (1.0-15) unstable; urgency=low
914
915 * Add VM.Config.CDROM privilege to PVEVMUser rule
916
917 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 11:44:23 +0100
918
a69bbe2e
DM
919libpve-access-control (1.0-14) unstable; urgency=low
920
921 * fix bug in userid-param permission check
922
923 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 10:52:35 +0100
924
d9483d94
DM
925libpve-access-control (1.0-13) unstable; urgency=low
926
927 * allow more characters in ldap base_dn attribute
928
929 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 06:17:02 +0100
930
84619607
DM
931libpve-access-control (1.0-12) unstable; urgency=low
932
933 * allow more characters with realm IDs
934
935 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Feb 2012 08:50:33 +0100
936
09d27058
DM
937libpve-access-control (1.0-11) unstable; urgency=low
938
939 * fix bug in exec_api2_perm_check
940
941 -- Proxmox Support Team <support@proxmox.com> Wed, 15 Feb 2012 07:06:30 +0100
942
7a4c849e
DM
943libpve-access-control (1.0-10) unstable; urgency=low
944
945 * fix ACL group name parser
946
947 * changed 'pveum aclmod' command line arguments
948
949 -- Proxmox Support Team <support@proxmox.com> Tue, 14 Feb 2012 12:08:02 +0100
950
3eac4e35
DM
951libpve-access-control (1.0-9) unstable; urgency=low
952
953 * fix bug in check_volume_access (fixes vzrestore)
954
955 -- Proxmox Support Team <support@proxmox.com> Mon, 13 Feb 2012 09:56:37 +0100
956
4384e19e
DM
957libpve-access-control (1.0-8) unstable; urgency=low
958
959 * fix return value for empty ACL list.
960
961 -- Proxmox Support Team <support@proxmox.com> Fri, 10 Feb 2012 11:25:04 +0100
962
d8a56966
DM
963libpve-access-control (1.0-7) unstable; urgency=low
964
965 * fix bug #85: allow root@pam to generate tickets for other users
966
967 -- Proxmox Support Team <support@proxmox.com> Tue, 17 Jan 2012 06:40:18 +0100
968
cb6f2f93
DM
969libpve-access-control (1.0-6) unstable; urgency=low
970
971 * API change: allow to filter enabled/disabled users.
972
973 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Jan 2012 12:30:37 +0100
974
272fe9ff
DM
975libpve-access-control (1.0-5) unstable; urgency=low
976
977 * add a way to return file changes (diffs): set_result_changes()
978
979 -- Proxmox Support Team <support@proxmox.com> Tue, 20 Dec 2011 11:18:48 +0100
980
e42eedbc
DM
981libpve-access-control (1.0-4) unstable; urgency=low
982
983 * new environment type for ha agents
984
985 -- Proxmox Support Team <support@proxmox.com> Tue, 13 Dec 2011 10:08:53 +0100
986
1fba27e0
DM
987libpve-access-control (1.0-3) unstable; urgency=low
988
989 * add support for delayed parameter parsing - We need that to disable
7d23b7ca 990 file upload for normal API request (avoid DOS attacks)
1fba27e0
DM
991
992 -- Proxmox Support Team <support@proxmox.com> Fri, 02 Dec 2011 09:56:10 +0100
993
5bf71a96
DM
994libpve-access-control (1.0-2) unstable; urgency=low
995
996 * fix bug in fork_worker
997
998 -- Proxmox Support Team <support@proxmox.com> Tue, 11 Oct 2011 08:37:05 +0200
999
2c3a6c0a
DM
1000libpve-access-control (1.0-1) unstable; urgency=low
1001
1002 * allow '-' in permission paths
1003
1004 * bump version to 1.0
1005
1006 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Jun 2011 13:51:48 +0200
1007
1008libpve-access-control (0.1) unstable; urgency=low
1009
1010 * first dummy package - no functionality
1011
1012 -- Proxmox Support Team <support@proxmox.com> Thu, 09 Jul 2009 16:03:00 +0200
1013