git.proxmox.com Git - pve-access-control.git/blame - debian/changelog
bump version to 8.1.4
Commit Line Data
2c74a9ab
TL
1libpve-access-control (8.1.4) bookworm; urgency=medium
2
3 * fix #5335: sort ACL entries in user.cfg to make it easier to track changes
4
5 -- Proxmox Support Team <support@proxmox.com> Mon, 22 Apr 2024 13:45:22 +0200
6
787e4c06
TL
7libpve-access-control (8.1.3) bookworm; urgency=medium
8
9 * user: password change: require confirmation-password parameter so that
10 anybody gaining local or physical access to a device where a user is
11 logged in on a Proxmox VE web-interface cannot give them more permanent
12 access or deny the actual user accessing their account by changing the
13 password. Note that such an attack scenario means that the attacker
14 already has high privileges and can already control the resource
15 completely through another attack.
16 Such initial attacks (like stealing an unlocked device) are almost always
17 outside of the control of our projects. Still, hardening the API a bit
18 by requiring a confirmation of the original password is too cheap to
19 implement to not do so.
20
21 * jobs: realm sync: fix scheduled LDAP syncs not applying all attributes,
22 like comments, correctly
23
24 -- Proxmox Support Team <support@proxmox.com> Fri, 22 Mar 2024 14:14:36 +0100
25
85f61297
TL
26libpve-access-control (8.1.2) bookworm; urgency=medium
27
28 * add Sys.AccessNetwork privilege
29
30 -- Proxmox Support Team <support@proxmox.com> Wed, 28 Feb 2024 15:42:12 +0100
31
588927f1
TL
32libpve-access-control (8.1.1) bookworm; urgency=medium
33
34 * LDAP sync: fix-up assembling valid attribute set
35
36 -- Proxmox Support Team <support@proxmox.com> Thu, 08 Feb 2024 19:03:26 +0100
37
6324cbb3
TL
38libpve-access-control (8.1.0) bookworm; urgency=medium
39
40 * api: user: limit the legacy user-keys option to the deprecated values
41 that could be set in the first limited TFA system, like e.g., 'x!yubico'
42 or base32 encoded secrets.
43
44 * oidc: enforce generic URI regex for the ACR value to align with OIDC
45 specifications and with Proxmox Backup Server, which was recently changed
46 to actually be less strict.
47
48 * LDAP sync: improve validation of synced attributes, closely limit the
49 mapped attributes names and their values to avoid glitches through odd
50 LDIF entries.
51
52 * api: user: limit maximum length for first & last name to 1024 characters,
53 email to 254 characters (the maximum actually useable in practice) and
54 comment properties to 2048 characters. This avoids that a few single users
55 bloat the user.cfg too much by mistake, reducing the total amount of users
56 and ACLs that can be set up. Note that only users with User.Modify and
57 realm syncs (set up by admins) can change these in the first place, so this
58 is mostly to avoid mishaps and just to be sure.
59
60 -- Proxmox Support Team <support@proxmox.com> Thu, 08 Feb 2024 17:50:59 +0100
61
ffc4e503
WB
62libpve-access-control (8.0.7) bookworm; urgency=medium
63
64 * fix #1148: allow up to three levels of pool nesting
65
66 * pools: record parent/subpool information
67
68 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Nov 2023 12:24:13 +0100
69
401e3205
TL
70libpve-access-control (8.0.6) bookworm; urgency=medium
71
72 * perms: fix wrong /pools entry in default set of ACL paths
73
74 * acl: add missing SDN ACL paths to allowed list
75
76 -- Proxmox Support Team <support@proxmox.com> Fri, 17 Nov 2023 08:27:11 +0100
77
b8a52eac
WB
78libpve-access-control (8.0.5) bookworm; urgency=medium
79
80 * fix an issue where setting ldap passwords would refuse to work unless
81 at least one additional property was changed as well
82
83 * add 'check-connection' parameter to create and update endpoints for ldap
84 based realms
85
86 -- Proxmox Support Team <support@proxmox.com> Fri, 11 Aug 2023 13:35:23 +0200
87
33e4480a
WB
88libpve-access-control (8.0.4) bookworm; urgency=medium
89
90 * Lookup of second factors is no longer tied to the 'keys' field in the
91 user.cfg. This fixes an issue where certain LDAP/AD sync job settings
92 could disable user-configured 2nd factors.
93
94 * Existing-but-disabled TFA factors can no longer circumvent realm-mandated
95 TFA.
96
97 -- Proxmox Support Team <support@proxmox.com> Thu, 20 Jul 2023 10:59:21 +0200
98
8a856968
TL
99libpve-access-control (8.0.3) bookworm; urgency=medium
100
101 * pveum: list tfa: recovery keys have no descriptions
102
103 * pveum: list tfa: sort by user ID
104
105 * drop assert_new_tfa_config_available for Proxmox VE 8, as the new format
106 is understood since pve-manager 7.0-15, and users must upgrade to Proxmox
107 VE 7.4 before upgrading to Proxmox VE 8 in addition to that.
108
109 -- Proxmox Support Team <support@proxmox.com> Wed, 21 Jun 2023 19:45:29 +0200
110
1852a929
TL
111libpve-access-control (8.0.2) bookworm; urgency=medium
112
113 * api: users: sort groups to avoid "flapping" text
114
115 * api: tfa: don't block tokens from viewing and listing TFA entries, both are
116 safe to do for anybody with enough permissions to view a user.
117
118 * api: tfa: add missing links for child-routes
119
120 -- Proxmox Support Team <support@proxmox.com> Wed, 21 Jun 2023 18:13:54 +0200
121
ebf82c77
TL
122libpve-access-control (8.0.1) bookworm; urgency=medium
123
124 * tfa: cope with native versions in cluster version check
125
126 -- Proxmox Support Team <support@proxmox.com> Fri, 09 Jun 2023 16:12:01 +0200
127
6004f25e
TL
128libpve-access-control (8.0.0) bookworm; urgency=medium
129
130 * api: roles: forbid creating new roles starting with "PVE" namespace
131
132 -- Proxmox Support Team <support@proxmox.com> Fri, 09 Jun 2023 10:14:28 +0200
133
8e8023b1
TL
134libpve-access-control (8.0.0~3) bookworm; urgency=medium
135
136 * rpcenv: api permission heuristic: query Sys.Modify for root ACL-path
137
138 * access control: add /sdn/zones/<zone>/<vnet>/<vlan> ACL object path
139
140 * add helper for checking bridge access
141
142 * add new SDN.Use privilege in PVESDNUser role, allowing one to specify
143 which users are allowed to use a bridge (or vnet, if SDN is installed)
144
145 * add privileges and paths for cluster resource mapping
146
147 -- Proxmox Support Team <support@proxmox.com> Wed, 07 Jun 2023 19:06:54 +0200
148
3ef602fe
TL
149libpve-access-control (8.0.0~2) bookworm; urgency=medium
150
151 * api: user index: only include existing tfa lock flags
152
153 * add realm-sync plugin for jobs and CRUD api for realm-sync-jobs
154
155 * roles: only include Permissions.Modify in Administrator built-in role.
156 As, depending on the ACL object path, this privilege might allow one to
157 change their own permissions, which was making the distinction between
158 Admin and PVEAdmin irrelevant.
159
160 * acls: restrict less-privileged ACL modifications. Through allocate
161 permissions in pools, storages and virtual guests one can do some ACL
162 modifications without having the Permissions.Modify privilege, lock those
163 better down to ensure that one can only hand out the subset of their
164 own privileges, never more. Note that this is mostly future proofing, as
165 the ACL object paths one could give out more permissions were already
166 limiting the scope.
167
168 -- Proxmox Support Team <support@proxmox.com> Wed, 07 Jun 2023 11:34:30 +0200
169
f63364a7
WB
170libpve-access-control (8.0.0~1) bookworm; urgency=medium
171
172 * bump pve-rs dependency to 0.8.3
173
174 * drop old verify_tfa api call (POST /access/tfa)
175
176 * drop support for old login API:
177 - 'new-format' is now considered to be 1 and ignored by the API
178
179 * pam auth: set PAM_RHOST to allow pam configs to log/restrict/... by remote
180 address
181
182 * cli: add 'pveum tfa list'
183
184 * cli: add 'pveum tfa unlock'
185
186 * enable lockout of TFA:
187 - too many TOTP attempts will lock out of TOTP
188 - using a recovery key will unlock TOTP
189 - too many TFA attempts will lock a user's TFA auth for an hour
190
191 * api: add /access/users/<userid>/unlock-tfa to unlock a user's TFA
192 authentication if it was locked by too many wrong 2nd factor login attempts
193
194 * api: /access/tfa and /access/users now include the tfa lockout status
195
196 -- Proxmox Support Team <support@proxmox.com> Mon, 05 Jun 2023 14:52:29 +0200
197
a3dc6ff4
TL
198libpve-access-control (7.99.0) bookworm; urgency=medium
199
200 * initial re-build for Proxmox VE 8.x series
201
202 * switch to native versioning
203
204 -- Proxmox Support Team <support@proxmox.com> Sun, 21 May 2023 10:34:19 +0200
205
f2762a03
WB
206libpve-access-control (7.4-3) bullseye; urgency=medium
207
208 * use new 2nd factor verification from pve-rs
209
210 -- Proxmox Support Team <support@proxmox.com> Tue, 16 May 2023 13:31:28 +0200
211
f0595d15
TL
212libpve-access-control (7.4-2) bullseye; urgency=medium
213
214 * fix #4609: fix regression where a valid DN in the ldap/ad realm config
215 wasn't accepted anymore
216
217 -- Proxmox Support Team <support@proxmox.com> Thu, 23 Mar 2023 15:44:21 +0100
218
a23eaa1a
TL
219libpve-access-control (7.4-1) bullseye; urgency=medium
220
221 * realm sync: refactor scope/remove-vanished into a standard option
222
223 * ldap: Allow quoted values for DN attribute values
224
225 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Mar 2023 17:16:11 +0100
226
df33b3b9
TL
227libpve-access-control (7.3-2) bullseye; urgency=medium
228
229 * fix #4518: dramatically improve ACL computation performance
230
231 * userid format: clarify that this is the full name@realm in description
232
233 -- Proxmox Support Team <support@proxmox.com> Mon, 06 Mar 2023 11:40:11 +0100
234
2da8c203
TL
235libpve-access-control (7.3-1) bullseye; urgency=medium
236
237 * realm: sync: allow explicit 'none' for 'remove-vanished' option
238
239 -- Proxmox Support Team <support@proxmox.com> Fri, 16 Dec 2022 13:11:04 +0100
240
b84bf623
TL
241libpve-access-control (7.2-5) bullseye; urgency=medium
242
243 * api: realm sync: avoid separate log line for "remove-vanished" opt
244
245 * auth ldap/ad: compare group member dn case-insensitively
246
247 * two factor auth: only lock tfa config for recovery keys
248
249 * privs: add Sys.Incoming for guarding cross-cluster data streams like guest
250 migrations and storage migrations
251
252 -- Proxmox Support Team <support@proxmox.com> Thu, 17 Nov 2022 13:09:17 +0100
253
f4e68e49
TL
254libpve-access-control (7.2-4) bullseye; urgency=medium
255
256 * fix #4074: increase API OpenID code size limit to 2048
257
258 * auth key: protect against rare chance of a double rotation in clusters,
259 leaving the potential that some set of nodes have the earlier key cached,
260 that then got rotated out due to the race, resulting in a possible other
261 set of nodes having the newer key cached. This is a split view of the auth
262 key and may result in spurious failures if API requests are made to a
263 different node than the ticket was generated on.
264 In addition to that, the "keep validity of old tickets if signed in the
265 last two hours before rotation" logic was disabled too in such a case,
266 making such tickets invalid too early.
267 Note that both are cases where Proxmox VE was too strict, so while this
268 had no security implications it can be a nuisance, especially for
269 environments that use the API through an automated or scripted way
270
271 -- Proxmox Support Team <support@proxmox.com> Thu, 14 Jul 2022 08:36:51 +0200
272
26dde491
TL
273libpve-access-control (7.2-3) bullseye; urgency=medium
274
275 * api: token: use userid-group as API perm check to avoid being overly
276 strict through a misguided use of user id for non-root users.
277
278 * perm check: forbid undefined/empty ACL path for future proofing against
279 above issue
280
281 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Jun 2022 15:51:14 +0200
282
1cf4389b
TL
283libpve-access-control (7.2-2) bullseye; urgency=medium
284
285 * permissions: merge propagation flag for multiple roles on a path that
286 share privilege in a deterministic way, to avoid that it gets lost
287 depending on perl's random sort, which would result in returning less
288 privileges than an auth-id actually had.
289
290 * permissions: avoid that token and user privilege intersection is too strict
291 for user permissions that have propagation disabled.
292
293 -- Proxmox Support Team <support@proxmox.com> Fri, 03 Jun 2022 14:02:30 +0200
294
e3604d48
TL
295libpve-access-control (7.2-1) bullseye; urgency=medium
296
297 * user check: fix expiration/enable order
298
299 -- Proxmox Support Team <support@proxmox.com> Tue, 31 May 2022 13:43:37 +0200
300
79ae250f
TL
301libpve-access-control (7.1-8) bullseye; urgency=medium
302
303 * fix #3668: realm-sync: replace 'full' & 'purge' with 'remove-
304 vanished'
305
306 -- Proxmox Support Team <support@proxmox.com> Thu, 28 Apr 2022 17:02:46 +0200
307
eed46286
TL
308libpve-access-control (7.1-7) bullseye; urgency=medium
309
310 * userid-group check: distinguish create and update
311
312 * api: get user: declare token schema
313
314 -- Proxmox Support Team <support@proxmox.com> Mon, 21 Mar 2022 16:15:23 +0100
315
cd78b295
FG
316libpve-access-control (7.1-6) bullseye; urgency=medium
317
318 * fix #3768: warn on bad u2f or webauthn settings
319
320 * tfa: when modifying others, verify the current user's password
321
322 * tfa list: account for admin permissions
323
324 * fix realm sync permissions
325
326 * fix token permission display bug
327
328 * include SDN permissions in permission tree
329
330 -- Proxmox Support Team <support@proxmox.com> Fri, 21 Jan 2022 14:20:42 +0100
331
118088d8
TL
332libpve-access-control (7.1-5) bullseye; urgency=medium
333
334 * openid: fix username-claim fallback
335
336 -- Proxmox Support Team <support@proxmox.com> Thu, 25 Nov 2021 07:57:38 +0100
337
ebb14277
WB
338libpve-access-control (7.1-4) bullseye; urgency=medium
339
340 * set current origin in the webauthn config if no fixed origin was
341 configured, to support webauthn via subdomains
342
343 -- Proxmox Support Team <support@proxmox.com> Mon, 22 Nov 2021 14:04:06 +0100
344
44a55ff7
TL
345libpve-access-control (7.1-3) bullseye; urgency=medium
346
347 * openid: allow arbitrary username-claims
348
349 * openid: support configuring the prompt, scopes and ACR values
350
351 -- Proxmox Support Team <support@proxmox.com> Fri, 19 Nov 2021 08:11:52 +0100
352
6f643e79
TL
353libpve-access-control (7.1-2) bullseye; urgency=medium
354
355 * catch incompatible tfa entries with a nice error
356
357 -- Proxmox Support Team <support@proxmox.com> Wed, 17 Nov 2021 13:44:45 +0100
358
92bca71e
TL
359libpve-access-control (7.1-1) bullseye; urgency=medium
360
361 * tfa: map HTTP 404 error in get_tfa_entry correctly
362
363 -- Proxmox Support Team <support@proxmox.com> Mon, 15 Nov 2021 15:33:22 +0100
364
1c9b6501
TL
365libpve-access-control (7.0-7) bullseye; urgency=medium
366
367 * fix #3513: pass configured proxy to OpenID
368
369 * use rust based parser for TFA config
370
371 * use PBS-like auth api call flow
372
373 * merge old user.cfg keys to tfa config when adding entries
374
375 * implement version checks for new tfa config writer to ensure all
376 cluster nodes are ready to avoid login issues
377
378 * tickets: add tunnel ticket
379
380 -- Proxmox Support Team <support@proxmox.com> Thu, 11 Nov 2021 18:17:49 +0100
381
cd46b379
TL
382libpve-access-control (7.0-6) bullseye; urgency=medium
383
384 * fix regression in user deletion when realm does not enforce TFA
385
386 -- Proxmox Support Team <support@proxmox.com> Thu, 21 Oct 2021 12:28:52 +0200
387
52da88a8
TL
388libpve-access-control (7.0-5) bullseye; urgency=medium
389
390 * acl: check path: add /sdn/vnets/* path
391
392 * fix #2302: allow deletion of users when realm enforces TFA
393
394 * api: delete user: disable user first to avoid surprise on error during the
395 various cleanup action required for user deletion (e.g., TFA, ACL, group)
396
397 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Sep 2021 15:50:47 +0200
398
543d646c
TL
399libpve-access-control (7.0-4) bullseye; urgency=medium
400
401 * realm: add OpenID configuration
402
403 * api: implement OpenID related endpoints
404
405 * implement opt-in OpenID autocreate user feature
406
407 * api: user: add 'realm-type' to user list response
408
409 -- Proxmox Support Team <support@proxmox.com> Fri, 02 Jul 2021 13:45:46 +0200
410
7a4c4fd8
TL
411libpve-access-control (7.0-3) bullseye; urgency=medium
412
413 * api: acl: add missing `/access/realm/<realm>`, `/access/group/<group>` and
414 `/sdn/zones/<zone>` to allowed ACL paths
415
416 -- Proxmox Support Team <support@proxmox.com> Mon, 21 Jun 2021 10:31:19 +0200
417
0902a936
FG
418libpve-access-control (7.0-2) bullseye; urgency=medium
419
420 * fix #3402: add Pool.Audit privilege - custom roles containing
421 Pool.Allocate must be updated to include the new privilege.
422
423 -- Proxmox Support Team <support@proxmox.com> Tue, 1 Jun 2021 11:28:38 +0200
424
67febb69
TL
425libpve-access-control (7.0-1) bullseye; urgency=medium
426
427 * re-build for Debian 11 Bullseye based releases
428
429 -- Proxmox Support Team <support@proxmox.com> Sun, 09 May 2021 18:18:23 +0200
430
2942ba41
TL
431libpve-access-control (6.4-1) pve; urgency=medium
432
433 * fix #1670: change PAM service name to project specific name
434
435 * fix #1500: permission path syntax check for access control
436
437 * pveum: add resource pool CLI commands
438
439 -- Proxmox Support Team <support@proxmox.com> Sat, 24 Apr 2021 19:48:21 +0200
440
54d312f3
TL
441libpve-access-control (6.1-3) pve; urgency=medium
442
443 * partially fix #2825: authkey: rotate if it was generated in the
444 future
445
446 * fix #2947: add an option to LDAP or AD realm to switch user lookup to case
447 insensitive
448
449 -- Proxmox Support Team <support@proxmox.com> Tue, 29 Sep 2020 08:54:13 +0200
450
6a9be12f
TL
451libpve-access-control (6.1-2) pve; urgency=medium
452
453 * also check SDN permission path when computing coarse permissions heuristic
454 for UIs
455
456 * add SDN Permissions.Modify
457
458 * add VM.Config.Cloudinit
459
460 -- Proxmox Support Team <support@proxmox.com> Tue, 30 Jun 2020 13:06:56 +0200
461
e6624f50
TL
462libpve-access-control (6.1-1) pve; urgency=medium
463
464 * pveum: add tfa delete subcommand for deleting user-TFA
465
466 * LDAP: don't complain about missing credentials on realm removal
467
468 * LDAP: skip anonymous bind when client certificate and key is configured
469
470 -- Proxmox Support Team <support@proxmox.com> Fri, 08 May 2020 17:47:41 +0200
471
8f4a522f
TL
472libpve-access-control (6.0-7) pve; urgency=medium
473
474 * fix #2575: die when trying to edit built-in roles
475
476 * add realm sub commands to pveum CLI tool
477
7d23b7ca 478 * api: domains: add user group sync API endpoint
8f4a522f
TL
479
480 * allow one to sync and import users and groups from LDAP/AD based realms
481
482 * realm: add default-sync-options to config for more convenient sync configuration
483
484 * api: token create: return also full token id for convenience
485
486 -- Proxmox Support Team <support@proxmox.com> Sat, 25 Apr 2020 19:35:17 +0200
487
23059f35
TL
488libpve-access-control (6.0-6) pve; urgency=medium
489
490 * API: add group members to group index
491
492 * implement API token support and management
493
494 * pveum: add 'pveum user token add/update/remove/list'
495
496 * pveum: add permissions sub-commands
497
498 * API: add 'permissions' API endpoint
499
500 * user.cfg: skip inexisting roles when parsing ACLs
501
502 -- Proxmox Support Team <support@proxmox.com> Wed, 29 Jan 2020 10:17:27 +0100
503
3dd692e9
TL
504libpve-access-control (6.0-5) pve; urgency=medium
505
506 * pveum: add list command for users, groups, ACLs and roles
507
508 * add initial permissions for experimental SDN integration
509
510 -- Proxmox Support Team <support@proxmox.com> Tue, 26 Nov 2019 17:56:37 +0100
511
4ef92d0d
FG
512libpve-access-control (6.0-4) pve; urgency=medium
513
514 * ticket: use clinfo to get cluster name
515
516 * ldaps: add sslversion configuration property to support TLS 1.1 to 1.3 as
517 SSL version
518
519 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Nov 2019 11:55:11 +0100
520
6e5bbca4
TL
521libpve-access-control (6.0-3) pve; urgency=medium
522
523 * fix #2433: increase possible TFA secret length
524
525 * parse user configuration: correctly parse group names in ACLs, for users
526 which begin their name with an @
527
528 * sort user.cfg entries alphabetically
529
530 -- Proxmox Support Team <support@proxmox.com> Tue, 29 Oct 2019 08:52:23 +0100
531
e073493c
TL
532libpve-access-control (6.0-2) pve; urgency=medium
533
534 * improve CSRF verification compatibility with newer PVE
535
536 -- Proxmox Support Team <support@proxmox.com> Wed, 26 Jun 2019 20:24:35 +0200
537
a237dc2e
TL
538libpve-access-control (6.0-1) pve; urgency=medium
539
540 * ticket: properly verify exactly 5 minute old tickets
541
542 * use hmac_sha256 instead of sha1 for CSRF token generation
543
544 -- Proxmox Support Team <support@proxmox.com> Mon, 24 Jun 2019 18:14:45 +0200
545
f1531f22
TL
546libpve-access-control (6.0-0+1) pve; urgency=medium
547
548 * bump for Debian buster
549
550 * fix #2079: add periodic auth key rotation
551
552 -- Proxmox Support Team <support@proxmox.com> Tue, 21 May 2019 21:31:15 +0200
553
ef761f51
TL
554libpve-access-control (5.1-10) unstable; urgency=medium
555
556 * add /access/user/{id}/tfa api call to get tfa types
557
558 -- Proxmox Support Team <support@proxmox.com> Wed, 15 May 2019 16:21:10 +0200
559
860ddcba
TL
560libpve-access-control (5.1-9) unstable; urgency=medium
561
562 * store the tfa type in user.cfg allowing to get it without proxying the call
7d23b7ca 563 to a higher privileged daemon.
860ddcba
TL
564
565 * tfa: realm required TFA should lock out users without TFA configured, as it
566 was done before Proxmox VE 5.4
567
568 -- Proxmox Support Team <support@proxmox.com> Tue, 30 Apr 2019 14:01:00 +0000
569
9fbad012
TL
570libpve-access-control (5.1-8) unstable; urgency=medium
571
572 * U2F: ensure we save correct public key on registration
573
574 -- Proxmox Support Team <support@proxmox.com> Tue, 09 Apr 2019 12:47:12 +0200
575
4473c96c
TL
576libpve-access-control (5.1-7) unstable; urgency=medium
577
578 * verify_ticket: allow general non-challenge tfa to be run as two step
579 call
580
581 -- Proxmox Support Team <support@proxmox.com> Mon, 08 Apr 2019 16:56:14 +0200
582
a270d4e1
TL
583libpve-access-control (5.1-6) unstable; urgency=medium
584
585 * more general 2FA configuration via priv/tfa.cfg
586
587 * add u2f api endpoints
588
589 * delete TFA entries when deleting a user
590
591 * allow users to change their TOTP settings
592
593 -- Proxmox Support Team <support@proxmox.com> Wed, 03 Apr 2019 13:40:26 +0200
594
374647e8
TL
595libpve-access-control (5.1-5) unstable; urgency=medium
596
597 * fix vnc ticket verification without authkey lifetime
598
599 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Mar 2019 10:43:17 +0100
600
7fb70c94
TL
601libpve-access-control (5.1-4) unstable; urgency=medium
602
603 * fix #1891: Add zsh command completion for pveum
604
605 * ground work to fix #2079: add periodic auth key rotation. Not yet enabled
606 to avoid issues on upgrade, will be enabled with 6.0
607
608 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Mar 2019 09:12:05 +0100
609
6e010cde
TL
610libpve-access-control (5.1-3) unstable; urgency=medium
611
612 * api/ticket: move getting cluster name into an eval
613
614 -- Proxmox Support Team <support@proxmox.com> Thu, 29 Nov 2018 12:59:36 +0100
615
f5a9380a
TL
616libpve-access-control (5.1-2) unstable; urgency=medium
617
618 * fix #1998: correct return properties for read_role
619
620 -- Proxmox Support Team <support@proxmox.com> Fri, 23 Nov 2018 14:22:40 +0100
621
b54b7474
TL
622libpve-access-control (5.1-1) unstable; urgency=medium
623
624 * pveum: introduce sub-commands
625
626 * register userid with completion
627
628 * fix #233: return cluster name on successful login
629
630 -- Proxmox Support Team <support@proxmox.com> Thu, 15 Nov 2018 09:34:47 +0100
631
52192dd4
WB
632libpve-access-control (5.0-8) unstable; urgency=medium
633
634 * fix #1612: ldap: make 2nd server work with bind domains again
635
636 * fix an error message where passing a bad pool id to an API function would
637 make it complain about a wrong group name instead
638
639 * fix the API-returned permission list so that the GUI knows to show the
640 'Permissions' tab for a storage to an administrator apart from root@pam
641
642 -- Proxmox Support Team <support@proxmox.com> Thu, 18 Jan 2018 13:34:50 +0100
643
3dadf8cf
FG
644libpve-access-control (5.0-7) unstable; urgency=medium
645
646 * VM.Snapshot.Rollback privilege added
647
648 * api: check for special roles before locking the usercfg
649
650 * fix #1501: pveum: die when deleting special role
651
652 * API/ticket: rework coarse grained permission computation
653
654 -- Proxmox Support Team <support@proxmox.com> Thu, 5 Oct 2017 11:27:48 +0200
655
ec4141f4
WB
656libpve-access-control (5.0-6) unstable; urgency=medium
657
658 * Close #1470: Add server certificate verification for AD and LDAP via the
659 'verify' option. For compatibility reasons this defaults to off for now,
660 but that might change with future updates.
661
662 * AD, LDAP: Add ability to specify a CA path or file, and a client
663 certificate via the 'capath', 'cert' and 'certkey' options.
664
665 -- Proxmox Support Team <support@proxmox.com> Tue, 08 Aug 2017 11:56:38 +0200
666
63134bd4
DM
667libpve-access-control (5.0-5) unstable; urgency=medium
668
669 * change from dpkg-deb to dpkg-buildpackage
670
671 -- Proxmox Support Team <support@proxmox.com> Thu, 22 Jun 2017 09:12:37 +0200
672
868fb1ea
DM
673libpve-access-control (5.0-4) unstable; urgency=medium
674
675 * PVE/CLI/pveum.pm: call setup_default_cli_env()
676
677 * PVE/Auth/PVE.pm: encode utf8 password before calling crypt
678
679 * check_api2_permissions: avoid warning about uninitialized value
680
681 -- Proxmox Support Team <support@proxmox.com> Tue, 02 May 2017 11:58:15 +0200
682
63358f40
DM
683libpve-access-control (5.0-3) unstable; urgency=medium
684
685 * use new PVE::OTP class from pve-common
686
687 * use new PVE::Tools::encrypt_pw from pve-common
688
689 -- Proxmox Support Team <support@proxmox.com> Thu, 30 Mar 2017 17:45:55 +0200
690
05fd50af
DM
691libpve-access-control (5.0-2) unstable; urgency=medium
692
693 * encrypt_pw: avoid '+' for crypt salt
694
695 -- Proxmox Support Team <support@proxmox.com> Thu, 30 Mar 2017 08:54:10 +0200
696
0835385b
FG
697libpve-access-control (5.0-1) unstable; urgency=medium
698
699 * rebuild for PVE 5.0
700
701 -- Proxmox Support Team <support@proxmox.com> Mon, 6 Mar 2017 13:42:01 +0100
702
730f8863
DM
703libpve-access-control (4.0-23) unstable; urgency=medium
704
705 * use new PVE::Ticket class
706
707 -- Proxmox Support Team <support@proxmox.com> Thu, 19 Jan 2017 13:42:06 +0100
708
1f1c4593
DM
709libpve-access-control (4.0-22) unstable; urgency=medium
710
711 * RPCEnvironment: removed check_volume_access() to avoid cyclic dependency
712 (moved to PVE::Storage)
713
714 * PVE::PCEnvironment: use new PVE::RESTEnvironment as base class
715
716 -- Proxmox Support Team <support@proxmox.com> Thu, 19 Jan 2017 09:12:04 +0100
717
f9105063
DM
718libpve-access-control (4.0-21) unstable; urgency=medium
719
720 * setup_default_cli_env: expect $class as first parameter
721
722 -- Proxmox Support Team <support@proxmox.com> Thu, 12 Jan 2017 13:54:27 +0100
723
9595066e
DM
724libpve-access-control (4.0-20) unstable; urgency=medium
725
726 * PVE/RPCEnvironment.pm: new function setup_default_cli_env
727
728 * PVE/API2/Domains.pm: fix property description
729
730 * use new repoman for upload target
731
732 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Jan 2017 12:13:26 +0100
733
2af5a793
DM
734libpve-access-control (4.0-19) unstable; urgency=medium
735
736 * Close #833: ldap: non-anonymous bind support
737
738 * don't import 'RFC' from MIME::Base32
739
740 -- Proxmox Support Team <support@proxmox.com> Fri, 05 Aug 2016 13:09:08 +0200
741
5d87bb77
WB
742libpve-access-control (4.0-18) unstable; urgency=medium
743
744 * fix #1062: recognize base32 otp keys again
745
746 -- Proxmox Support Team <support@proxmox.com> Thu, 21 Jul 2016 08:43:18 +0200
747
28ddf48b
WB
748libpve-access-control (4.0-17) unstable; urgency=medium
749
750 * drop oathtool and libdigest-hmac-perl dependencies
751
752 -- Proxmox Support Team <support@proxmox.com> Mon, 11 Jul 2016 12:03:22 +0200
753
15cebb28
DM
754libpve-access-control (4.0-16) unstable; urgency=medium
755
756 * use pve-doc-generator to generate man pages
757
758 -- Proxmox Support Team <support@proxmox.com> Fri, 08 Apr 2016 07:06:05 +0200
759
678df887
DM
760libpve-access-control (4.0-15) unstable; urgency=medium
761
762 * Fix uninitialized warning when shadow.cfg does not exist
763
764 -- Proxmox Support Team <support@proxmox.com> Fri, 01 Apr 2016 07:10:57 +0200
765
cca9761a
DM
766libpve-access-control (4.0-14) unstable; urgency=medium
767
768 * Add is_worker to RPCEnvironment
769
770 -- Proxmox Support Team <support@proxmox.com> Tue, 15 Mar 2016 16:47:34 +0100
771
8643c99d
DM
772libpve-access-control (4.0-13) unstable; urgency=medium
773
774 * fix #916: allow HTTPS to access custom yubico url
775
776 -- Proxmox Support Team <support@proxmox.com> Mon, 14 Mar 2016 11:39:23 +0100
777
ae2a6bf9
DM
778libpve-access-control (4.0-12) unstable; urgency=medium
779
780 * Catch certificate errors instead of segfaulting
781
782 -- Proxmox Support Team <support@proxmox.com> Wed, 09 Mar 2016 14:41:01 +0100
783
4836db5f
DM
784libpve-access-control (4.0-11) unstable; urgency=medium
785
786 * Fix #861: use safer sprintf formatting
787
788 -- Proxmox Support Team <support@proxmox.com> Fri, 08 Jan 2016 12:52:39 +0100
789
ccbe23dc
DM
790libpve-access-control (4.0-10) unstable; urgency=medium
791
792 * Auth::LDAP, Auth::AD: ipv6 support
793
794 -- Proxmox Support Team <support@proxmox.com> Thu, 03 Dec 2015 12:09:32 +0100
795
90399ca4
DM
796libpve-access-control (4.0-9) unstable; urgency=medium
797
798 * pveum: implement bash completion
799
800 -- Proxmox Support Team <support@proxmox.com> Thu, 01 Oct 2015 17:22:52 +0200
801
364ffc13
DM
802libpve-access-control (4.0-8) unstable; urgency=medium
803
804 * remove_storage_access: cleanup of access permissions for removed storage
805
806 -- Proxmox Support Team <support@proxmox.com> Wed, 19 Aug 2015 15:39:15 +0200
807
7c26cb4a
DM
808libpve-access-control (4.0-7) unstable; urgency=medium
809
810 * new helper to remove access permissions for removed VMs
811
812 -- Proxmox Support Team <support@proxmox.com> Fri, 14 Aug 2015 07:57:02 +0200
813
296afbd1
DM
814libpve-access-control (4.0-6) unstable; urgency=medium
815
816 * improve parse_user_config, parse_shadow_config
817
818 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Jul 2015 13:14:33 +0200
819
7d2df2ef
DM
820libpve-access-control (4.0-5) unstable; urgency=medium
821
822 * pveum: check for $cmd being defined
823
824 -- Proxmox Support Team <support@proxmox.com> Wed, 10 Jun 2015 10:40:15 +0200
825
98a34e3f
DM
826libpve-access-control (4.0-4) unstable; urgency=medium
827
828 * use activate-noawait triggers
829
830 -- Proxmox Support Team <support@proxmox.com> Mon, 01 Jun 2015 12:25:31 +0200
831
15462727
DM
832libpve-access-control (4.0-3) unstable; urgency=medium
833
834 * IPv6 fixes
835
836 * non-root buildfix
837
838 -- Proxmox Support Team <support@proxmox.com> Wed, 27 May 2015 11:15:44 +0200
839
bbf4cc9a
DM
840libpve-access-control (4.0-2) unstable; urgency=medium
841
842 * trigger pve-api-updates event
843
844 -- Proxmox Support Team <support@proxmox.com> Tue, 05 May 2015 15:06:38 +0200
845
dfbcf6d3
DM
846libpve-access-control (4.0-1) unstable; urgency=medium
847
848 * bump version for Debian Jessie
849
850 -- Proxmox Support Team <support@proxmox.com> Thu, 26 Feb 2015 11:22:01 +0100
851
94971b3a
DM
852libpve-access-control (3.0-16) unstable; urgency=low
853
854 * root@pam can now be disabled in GUI.
855
856 -- Proxmox Support Team <support@proxmox.com> Fri, 30 Jan 2015 06:20:22 +0100
857
7b17c7cb
DM
858libpve-access-control (3.0-15) unstable; urgency=low
859
860 * oath: add 'step' and 'digits' option
861
862 -- Proxmox Support Team <support@proxmox.com> Wed, 23 Jul 2014 06:59:52 +0200
863
1abc2c0a
DM
864libpve-access-control (3.0-14) unstable; urgency=low
865
866 * add oath two factor auth
867
868 * add oathkeygen binary to generate keys for oath
869
870 * add yubico two factor auth
871
872 * depend on oathtool
873
874 * depend on libmime-base32-perl
30be0de9
DM
875
876 * allow to write builtin auth domains config (comment/tfa/default)
1abc2c0a
DM
877
878 -- Proxmox Support Team <support@proxmox.com> Thu, 17 Jul 2014 13:09:56 +0200
879
298450ab
DM
880libpve-access-control (3.0-13) unstable; urgency=low
881
882 * use correct connection string for AD auth
883
884 -- Proxmox Support Team <support@proxmox.com> Thu, 22 May 2014 07:16:09 +0200
885
396034e4
DM
886libpve-access-control (3.0-12) unstable; urgency=low
887
888 * add dummy API for GET /access/ticket (useful to generate login pages)
889
890 -- Proxmox Support Team <support@proxmox.com> Wed, 30 Apr 2014 14:47:56 +0200
891
26361123
DM
892libpve-access-control (3.0-11) unstable; urgency=low
893
894 * Sets common hot keys for spice client
895
896 -- Proxmox Support Team <support@proxmox.com> Fri, 31 Jan 2014 10:24:28 +0100
897
3643383d
DM
898libpve-access-control (3.0-10) unstable; urgency=low
899
900 * implement helper to generate SPICE remote-viewer configuration
901
902 * depend on libnet-ssleay-perl
903
904 -- Proxmox Support Team <support@proxmox.com> Tue, 10 Dec 2013 10:45:08 +0100
905
0baedcf7
DM
906libpve-access-control (3.0-9) unstable; urgency=low
907
908 * prevent user enumeration attacks
e4f8fc2e
DM
909
910 * allow dots in access paths
0baedcf7
DM
911
912 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Nov 2013 09:06:38 +0100
913
d4b63eae
DM
914libpve-access-control (3.0-8) unstable; urgency=low
915
916 * spice: use lowercase hostname in ticket signature
917
918 -- Proxmox Support Team <support@proxmox.com> Mon, 28 Oct 2013 08:11:57 +0100
919
49594944
DM
920libpve-access-control (3.0-7) unstable; urgency=low
921
922 * check_volume_access : use parse_volname instead of path, and remove
923 path related code.
7c410d63
DM
924
925 * use warnings instead of global -w flag.
49594944
DM
926
927 -- Proxmox Support Team <support@proxmox.com> Tue, 01 Oct 2013 12:35:53 +0200
928
fe7de5d0
DM
929libpve-access-control (3.0-6) unstable; urgency=low
930
931 * use shorter spiceproxy tickets
932
933 -- Proxmox Support Team <support@proxmox.com> Fri, 19 Jul 2013 12:39:09 +0200
934
4cdd9507
DM
935libpve-access-control (3.0-5) unstable; urgency=low
936
937 * add code to generate tickets for SPICE
938
939 -- Proxmox Support Team <support@proxmox.com> Wed, 26 Jun 2013 13:08:32 +0200
940
677f9ab0
DM
941libpve-access-control (3.0-4) unstable; urgency=low
942
943 * moved add_vm_to_pool/remove_vm_from_pool from qemu-server
944
945 -- Proxmox Support Team <support@proxmox.com> Tue, 14 May 2013 11:56:54 +0200
946
139a8ecf
DM
947libpve-access-control (3.0-3) unstable; urgency=low
948
7d23b7ca 949 * Add new role PVETemplateUser (and VM.Clone privilege)
139a8ecf
DM
950
951 -- Proxmox Support Team <support@proxmox.com> Mon, 29 Apr 2013 11:42:15 +0200
952
b78ce7c2
DM
953libpve-access-control (3.0-2) unstable; urgency=low
954
955 * remove CGI.pm related code (pveproxy does not need that)
956
957 -- Proxmox Support Team <support@proxmox.com> Mon, 15 Apr 2013 12:34:23 +0200
958
786820f9
DM
959libpve-access-control (3.0-1) unstable; urgency=low
960
961 * bump version for wheezy release
962
963 -- Proxmox Support Team <support@proxmox.com> Fri, 15 Mar 2013 08:07:06 +0100
964
e5ae5487
DM
965libpve-access-control (1.0-26) unstable; urgency=low
966
967 * check_volume_access: fix access permissions for backup files
968
969 -- Proxmox Support Team <support@proxmox.com> Thu, 28 Feb 2013 10:00:14 +0100
970
e3e6510c
DM
971libpve-access-control (1.0-25) unstable; urgency=low
972
973 * add VM.Snapshot permission
974
975 -- Proxmox Support Team <support@proxmox.com> Mon, 10 Sep 2012 09:23:32 +0200
976
1e15ebe7
DM
977libpve-access-control (1.0-24) unstable; urgency=low
978
979 * untaint path (allow root to restore arbitrary paths)
980
981 -- Proxmox Support Team <support@proxmox.com> Wed, 06 Jun 2012 13:06:34 +0200
982
437be042
DM
983libpve-access-control (1.0-23) unstable; urgency=low
984
985 * correctly compute GUI capabilities (consider pools)
986
987 -- Proxmox Support Team <support@proxmox.com> Wed, 30 May 2012 08:47:23 +0200
988
5bb4e06a
DM
989libpve-access-control (1.0-22) unstable; urgency=low
990
991 * new plugin architecture for Auth modules, minor API change for Auth
992 domains (new 'delete' parameter)
993
994 -- Proxmox Support Team <support@proxmox.com> Wed, 16 May 2012 07:21:44 +0200
995
3030a176
DM
996libpve-access-control (1.0-21) unstable; urgency=low
997
998 * do not allow user names including slash
999
1000 -- Proxmox Support Team <support@proxmox.com> Tue, 24 Apr 2012 10:07:47 +0200
1001
1002libpve-access-control (1.0-20) unstable; urgency=low
1003
1004 * add ability to fork cli workers in background
1005
1006 -- Proxmox Support Team <support@proxmox.com> Wed, 18 Apr 2012 08:28:20 +0200
1007
dd2cfee0
DM
1008libpve-access-control (1.0-19) unstable; urgency=low
1009
1010 * return set of privileges on login - can be used to adapt GUI
1011
1012 -- Proxmox Support Team <support@proxmox.com> Tue, 17 Apr 2012 10:25:10 +0200
1013
1cf154b7
DM
1014libpve-access-control (1.0-18) unstable; urgency=low
1015
7d23b7ca 1016 * fix bug #151: correctly parse username inside ticket
533219a1
DM
1017
1018 * fix bug #152: allow user to change his own password
1cf154b7
DM
1019
1020 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Apr 2012 09:40:15 +0200
1021
2de14407
DM
1022libpve-access-control (1.0-17) unstable; urgency=low
1023
1024 * set propagate flag by default
1025
1026 -- Proxmox Support Team <support@proxmox.com> Thu, 01 Mar 2012 12:40:19 +0100
1027
bdc61d7a
DM
1028libpve-access-control (1.0-16) unstable; urgency=low
1029
1030 * add 'pveum passwd' method
1031
1032 -- Proxmox Support Team <support@proxmox.com> Thu, 23 Feb 2012 12:05:25 +0100
1033
cc7bdf33
DM
1034libpve-access-control (1.0-15) unstable; urgency=low
1035
1036 * Add VM.Config.CDROM privilege to PVEVMUser rule
1037
1038 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 11:44:23 +0100
1039
a69bbe2e
DM
1040libpve-access-control (1.0-14) unstable; urgency=low
1041
1042 * fix bug in userid-param permission check
1043
1044 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 10:52:35 +0100
1045
d9483d94
DM
1046libpve-access-control (1.0-13) unstable; urgency=low
1047
1048 * allow more characters in ldap base_dn attribute
1049
1050 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 06:17:02 +0100
1051
84619607
DM
1052libpve-access-control (1.0-12) unstable; urgency=low
1053
1054 * allow more characters with realm IDs
1055
1056 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Feb 2012 08:50:33 +0100
1057
09d27058
DM
1058libpve-access-control (1.0-11) unstable; urgency=low
1059
1060 * fix bug in exec_api2_perm_check
1061
1062 -- Proxmox Support Team <support@proxmox.com> Wed, 15 Feb 2012 07:06:30 +0100
1063
7a4c849e
DM
1064libpve-access-control (1.0-10) unstable; urgency=low
1065
1066 * fix ACL group name parser
1067
1068 * changed 'pveum aclmod' command line arguments
1069
1070 -- Proxmox Support Team <support@proxmox.com> Tue, 14 Feb 2012 12:08:02 +0100
1071
3eac4e35
DM
1072libpve-access-control (1.0-9) unstable; urgency=low
1073
1074 * fix bug in check_volume_access (fixes vzrestore)
1075
1076 -- Proxmox Support Team <support@proxmox.com> Mon, 13 Feb 2012 09:56:37 +0100
1077
4384e19e
DM
1078libpve-access-control (1.0-8) unstable; urgency=low
1079
1080 * fix return value for empty ACL list.
1081
1082 -- Proxmox Support Team <support@proxmox.com> Fri, 10 Feb 2012 11:25:04 +0100
1083
d8a56966
DM
1084libpve-access-control (1.0-7) unstable; urgency=low
1085
1086 * fix bug #85: allow root@pam to generate tickets for other users
1087
1088 -- Proxmox Support Team <support@proxmox.com> Tue, 17 Jan 2012 06:40:18 +0100
1089
cb6f2f93
DM
1090libpve-access-control (1.0-6) unstable; urgency=low
1091
1092 * API change: allow to filter enabled/disabled users.
1093
1094 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Jan 2012 12:30:37 +0100
1095
272fe9ff
DM
1096libpve-access-control (1.0-5) unstable; urgency=low
1097
1098 * add a way to return file changes (diffs): set_result_changes()
1099
1100 -- Proxmox Support Team <support@proxmox.com> Tue, 20 Dec 2011 11:18:48 +0100
1101
e42eedbc
DM
1102libpve-access-control (1.0-4) unstable; urgency=low
1103
1104 * new environment type for ha agents
1105
1106 -- Proxmox Support Team <support@proxmox.com> Tue, 13 Dec 2011 10:08:53 +0100
1107
1fba27e0
DM
1108libpve-access-control (1.0-3) unstable; urgency=low
1109
1110 * add support for delayed parameter parsing - We need that to disable
7d23b7ca 1111 file upload for normal API request (avoid DOS attacks)
1fba27e0
DM
1112
1113 -- Proxmox Support Team <support@proxmox.com> Fri, 02 Dec 2011 09:56:10 +0100
1114
5bf71a96
DM
1115libpve-access-control (1.0-2) unstable; urgency=low
1116
1117 * fix bug in fork_worker
1118
1119 -- Proxmox Support Team <support@proxmox.com> Tue, 11 Oct 2011 08:37:05 +0200
1120
2c3a6c0a
DM
1121libpve-access-control (1.0-1) unstable; urgency=low
1122
1123 * allow '-' in permission paths
1124
1125 * bump version to 1.0
1126
1127 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Jun 2011 13:51:48 +0200
1128
1129libpve-access-control (0.1) unstable; urgency=low
1130
1131 * first dummy package - no functionality
1132
1133 -- Proxmox Support Team <support@proxmox.com> Thu, 09 Jul 2009 16:03:00 +0200
1134