]> git.proxmox.com Git - pve-access-control.git/blame - debian/changelog
projects / pve-access-control.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
bump version to 8.0.3
[pve-access-control.git] / debian / changelog
CommitLineData
8a856968
TL		 1libpve-access-control (8.0.3) bookworm; urgency=medium
2
3 * pveum: list tfa: recovery keys have no descriptions
4
5 * pveum: list tfa: sort by user ID
6
7 * drop assert_new_tfa_config_available for Proxmox VE 8, as the new format
8 is understood since pve-manager 7.0-15, and users must upgrade to Proxmox
9 VE 7.4 before upgrading to Proxmox VE 8 in addition to that.
10
11 -- Proxmox Support Team <support@proxmox.com> Wed, 21 Jun 2023 19:45:29 +0200
12
1852a929
TL		 13libpve-access-control (8.0.2) bookworm; urgency=medium
14
15 * api: users: sort groups to avoid "flapping" text
16
17 * api: tfa: don't block tokens from viewing and list TFA entries, both are
18 safe to do for anybody with enough permissions to view a user.
19
20 * api: tfa: add missing links for child-routes
21
22 -- Proxmox Support Team <support@proxmox.com> Wed, 21 Jun 2023 18:13:54 +0200
23
ebf82c77
TL		 24libpve-access-control (8.0.1) bookworm; urgency=medium
25
26 * tfa: cope with native versions in cluster version check
27
28 -- Proxmox Support Team <support@proxmox.com> Fri, 09 Jun 2023 16:12:01 +0200
29
6004f25e
TL		 30libpve-access-control (8.0.0) bookworm; urgency=medium
31
32 * api: roles: forbid creating new roles starting with "PVE" namespace
33
34 -- Proxmox Support Team <support@proxmox.com> Fri, 09 Jun 2023 10:14:28 +0200
35
8e8023b1
TL		 36libpve-access-control (8.0.0~3) bookworm; urgency=medium
37
38 * rpcenv: api permission heuristic: query Sys.Modify for root ACL-path
39
40 * access control: add /sdn/zones/<zone>/<vnet>/<vlan> ACL object path
41
42 * add helper for checking bridge access
43
44 * add new SDN.Use privilege in PVESDNUser role, allowing one to specify
45 which user are allowed to use a bridge (or vnet, if SDN is installed)
46
47 * add privileges and paths for cluster resource mapping
48
49 -- Proxmox Support Team <support@proxmox.com> Wed, 07 Jun 2023 19:06:54 +0200
50
3ef602fe
TL		 51libpve-access-control (8.0.0~2) bookworm; urgency=medium
52
53 * api: user index: only include existing tfa lock flags
54
55 * add realm-sync plugin for jobs and CRUD api for realm-sync-jobs
56
57 * roles: only include Permissions.Modify in Administrator built-in role.
58 As, depending on the ACL object path, this privilege might allow one to
59 change their own permissions, which was making the distinction between
60 Admin and PVEAdmin irrelevant.
61
62 * acls: restrict less-privileged ACL modifications. Through allocate
63 permissions in pools, storages and virtual guests one can do some ACL
64 modifications without having the Permissions.Modify privilege, lock those
65 better down to ensure that one can only hand out only the subset of their
66 own privileges, never more. Note that this is mostly future proofing, as
67 the ACL object paths one could give out more permissions where already
68 limiting the scope.
69
70 -- Proxmox Support Team <support@proxmox.com> Wed, 07 Jun 2023 11:34:30 +0200
71
f63364a7
WB		 72libpve-access-control (8.0.0~1) bookworm; urgency=medium
73
74 * bump pve-rs dependency to 0.8.3
75
76 * drop old verify_tfa api call (POST /access/tfa)
77
78 * drop support for old login API:
79 - 'new-format' is now considured to be 1 and ignored by the API
80
81 * pam auth: set PAM_RHOST to allow pam configs to log/restrict/... by remote
82 address
83
84 * cli: add 'pveum tfa list'
85
86 * cli: add 'pveum tfa unlock'
87
88 * enable lockout of TFA:
89 - too many TOTP attempts will lock out of TOTP
90 - using a recovery key will unlock TOTP
91 - too many TFA attempts will lock a user's TFA auth for an hour
92
93 * api: add /access/users/<userid>/unlock-tfa to unlock a user's TFA
94 authentication if it was locked by too many wrong 2nd factor login attempts
95
96 * api: /access/tfa and /access/users now include the tfa lockout status
97
98 -- Proxmox Support Team <support@proxmox.com> Mon, 05 Jun 2023 14:52:29 +0200
99
a3dc6ff4
TL		 100libpve-access-control (7.99.0) bookworm; urgency=medium
101
102 * initial re-build for Proxmox VE 8.x series
103
104 * switch to native versioning
105
106 -- Proxmox Support Team <support@proxmox.com> Sun, 21 May 2023 10:34:19 +0200
107
f2762a03
WB		 108libpve-access-control (7.4-3) bullseye; urgency=medium
109
110 * use new 2nd factor verification from pve-rs
111
112 -- Proxmox Support Team <support@proxmox.com> Tue, 16 May 2023 13:31:28 +0200
113
f0595d15
TL		 114libpve-access-control (7.4-2) bullseye; urgency=medium
115
116 * fix #4609: fix regression where a valid DN in the ldap/ad realm config
117 wasn't accepted anymore
118
119 -- Proxmox Support Team <support@proxmox.com> Thu, 23 Mar 2023 15:44:21 +0100
120
a23eaa1a
TL		 121libpve-access-control (7.4-1) bullseye; urgency=medium
122
123 * realm sync: refactor scope/remove-vanished into a standard option
124
125 * ldap: Allow quoted values for DN attribute values
126
127 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Mar 2023 17:16:11 +0100
128
df33b3b9
TL		 129libpve-access-control (7.3-2) bullseye; urgency=medium
130
131 * fix #4518: dramatically improve ACL computation performance
132
133 * userid format: clarify that this is the full name@realm in description
134
135 -- Proxmox Support Team <support@proxmox.com> Mon, 06 Mar 2023 11:40:11 +0100
136
2da8c203
TL		 137libpve-access-control (7.3-1) bullseye; urgency=medium
138
139 * realm: sync: allow explicit 'none' for 'remove-vanished' option
140
141 -- Proxmox Support Team <support@proxmox.com> Fri, 16 Dec 2022 13:11:04 +0100
142
b84bf623
TL		 143libpve-access-control (7.2-5) bullseye; urgency=medium
144
145 * api: realm sync: avoid separate log line for "remove-vanished" opt
146
147 * auth ldap/ad: compare group member dn case-insensitively
148
149 * two factor auth: only lock tfa config for recovery keys
150
151 * privs: add Sys.Incoming for guarding cross-cluster data streams like guest
152 migrations and storage migrations
153
154 -- Proxmox Support Team <support@proxmox.com> Thu, 17 Nov 2022 13:09:17 +0100
155
f4e68e49
TL		 156libpve-access-control (7.2-4) bullseye; urgency=medium
157
158 * fix #4074: increase API OpenID code size limit to 2048
159
160 * auth key: protect against rare chance of a double rotation in clusters,
161 leaving the potential that some set of nodes have the earlier key cached,
162 that then got rotated out due to the race, resulting in a possible other
163 set of nodes having the newer key cached. This is a split view of the auth
164 key and may resulting in spurious failures if API requests are made to a
165 different node than the ticket was generated on.
166 In addition to that, the "keep validity of old tickets if signed in the
167 last two hours before rotation" logic was disabled too in such a case,
168 making such tickets invalid too early.
169 Note that both are cases where Proxmox VE was too strict, so while this
170 had no security implications it can be a nuisance, especially for
171 environments that use the API through an automated or scripted way
172
173 -- Proxmox Support Team <support@proxmox.com> Thu, 14 Jul 2022 08:36:51 +0200
174
26dde491
TL		 175libpve-access-control (7.2-3) bullseye; urgency=medium
176
177 * api: token: use userid-group as API perm check to avoid being overly
178 strict through a misguided use of user id for non-root users.
179
180 * perm check: forbid undefined/empty ACL path for future proofing of against
181 above issue
182
183 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Jun 2022 15:51:14 +0200
184
1cf4389b
TL		 185libpve-access-control (7.2-2) bullseye; urgency=medium
186
187 * permissions: merge propagation flag for multiple roles on a path that
188 share privilege in a deterministic way, to avoid that it gets lost
189 depending on perl's random sort, which would result in returing less
190 privileges than an auth-id actually had.
191
192 * permissions: avoid that token and user privilege intersection is to strict
193 for user permissions that have propagation disabled.
194
195 -- Proxmox Support Team <support@proxmox.com> Fri, 03 Jun 2022 14:02:30 +0200
196
e3604d48
TL		 197libpve-access-control (7.2-1) bullseye; urgency=medium
198
199 * user check: fix expiration/enable order
200
201 -- Proxmox Support Team <support@proxmox.com> Tue, 31 May 2022 13:43:37 +0200
202
79ae250f
TL		 203libpve-access-control (7.1-8) bullseye; urgency=medium
204
205 * fix #3668: realm-sync: replace 'full' & 'purge' with 'remove-
206 vanished'
207
208 -- Proxmox Support Team <support@proxmox.com> Thu, 28 Apr 2022 17:02:46 +0200
209
eed46286
TL		 210libpve-access-control (7.1-7) bullseye; urgency=medium
211
212 * userid-group check: distinguish create and update
213
214 * api: get user: declare token schema
215
216 -- Proxmox Support Team <support@proxmox.com> Mon, 21 Mar 2022 16:15:23 +0100
217
cd78b295
FG		 218libpve-access-control (7.1-6) bullseye; urgency=medium
219
220 * fix #3768: warn on bad u2f or webauthn settings
221
222 * tfa: when modifying others, verify the current user's password
223
224 * tfa list: account for admin permissions
225
226 * fix realm sync permissions
227
228 * fix token permission display bug
229
230 * include SDN permissions in permission tree
231
232 -- Proxmox Support Team <support@proxmox.com> Fri, 21 Jan 2022 14:20:42 +0100
233
118088d8
TL		 234libpve-access-control (7.1-5) bullseye; urgency=medium
235
236 * openid: fix username-claim fallback
237
238 -- Proxmox Support Team <support@proxmox.com> Thu, 25 Nov 2021 07:57:38 +0100
239
ebb14277
WB		 240libpve-access-control (7.1-4) bullseye; urgency=medium
241
242 * set current origin in the webauthn config if no fixed origin was
243 configured, to support webauthn via subdomains
244
245 -- Proxmox Support Team <support@proxmox.com> Mon, 22 Nov 2021 14:04:06 +0100
246
44a55ff7
TL		 247libpve-access-control (7.1-3) bullseye; urgency=medium
248
249 * openid: allow arbitrary username-claims
250
251 * openid: support configuring the prompt, scopes and ACR values
252
253 -- Proxmox Support Team <support@proxmox.com> Fri, 19 Nov 2021 08:11:52 +0100
254
6f643e79
TL		 255libpve-access-control (7.1-2) bullseye; urgency=medium
256
257 * catch incompatible tfa entries with a nice error
258
259 -- Proxmox Support Team <support@proxmox.com> Wed, 17 Nov 2021 13:44:45 +0100
260
92bca71e
TL		 261libpve-access-control (7.1-1) bullseye; urgency=medium
262
263 * tfa: map HTTP 404 error in get_tfa_entry correctly
264
265 -- Proxmox Support Team <support@proxmox.com> Mon, 15 Nov 2021 15:33:22 +0100
266
1c9b6501
TL		 267libpve-access-control (7.0-7) bullseye; urgency=medium
268
269 * fix #3513: pass configured proxy to OpenID
270
271 * use rust based parser for TFA config
272
273 * use PBS-like auth api call flow,
274
275 * merge old user.cfg keys to tfa config when adding entries
276
277 * implement version checks for new tfa config writer to ensure all
278 cluster nodes are ready to avoid login issues
279
280 * tickets: add tunnel ticket
281
282 -- Proxmox Support Team <support@proxmox.com> Thu, 11 Nov 2021 18:17:49 +0100
283
cd46b379
TL		 284libpve-access-control (7.0-6) bullseye; urgency=medium
285
286 * fix regression in user deletion when realm does not enforce TFA
287
288 -- Proxmox Support Team <support@proxmox.com> Thu, 21 Oct 2021 12:28:52 +0200
289
52da88a8
TL		 290libpve-access-control (7.0-5) bullseye; urgency=medium
291
292 * acl: check path: add /sdn/vnets/* path
293
294 * fix #2302: allow deletion of users when realm enforces TFA
295
296 * api: delete user: disable user first to avoid surprise on error during the
297 various cleanup action required for user deletion (e.g., TFA, ACL, group)
298
299 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Sep 2021 15:50:47 +0200
300
543d646c
TL		 301libpve-access-control (7.0-4) bullseye; urgency=medium
302
303 * realm: add OpenID configuration
304
305 * api: implement OpenID related endpoints
306
307 * implement opt-in OpenID autocreate user feature
308
309 * api: user: add 'realm-type' to user list response
310
311 -- Proxmox Support Team <support@proxmox.com> Fri, 02 Jul 2021 13:45:46 +0200
312
7a4c4fd8
TL		 313libpve-access-control (7.0-3) bullseye; urgency=medium
314
315 * api: acl: add missing `/access/realm/<realm>`, `/access/group/<group>` and
316 `/sdn/zones/<zone>` to allowed ACL paths
317
318 -- Proxmox Support Team <support@proxmox.com> Mon, 21 Jun 2021 10:31:19 +0200
319
0902a936
FG		 320libpve-access-control (7.0-2) bullseye; urgency=medium
321
322 * fix #3402: add Pool.Audit privilege - custom roles containing
323 Pool.Allocate must be updated to include the new privilege.
324
325 -- Proxmox Support Team <support@proxmox.com> Tue, 1 Jun 2021 11:28:38 +0200
326
67febb69
TL		 327libpve-access-control (7.0-1) bullseye; urgency=medium
328
329 * re-build for Debian 11 Bullseye based releases
330
331 -- Proxmox Support Team <support@proxmox.com> Sun, 09 May 2021 18:18:23 +0200
332
2942ba41
TL		 333libpve-access-control (6.4-1) pve; urgency=medium
334
335 * fix #1670: change PAM service name to project specific name
336
337 * fix #1500: permission path syntax check for access control
338
339 * pveum: add resource pool CLI commands
340
341 -- Proxmox Support Team <support@proxmox.com> Sat, 24 Apr 2021 19:48:21 +0200
342
54d312f3
TL		 343libpve-access-control (6.1-3) pve; urgency=medium
344
345 * partially fix #2825: authkey: rotate if it was generated in the
346 future
347
348 * fix #2947: add an option to LDAP or AD realm to switch user lookup to case
349 insensitive
350
351 -- Proxmox Support Team <support@proxmox.com> Tue, 29 Sep 2020 08:54:13 +0200
352
6a9be12f
TL		 353libpve-access-control (6.1-2) pve; urgency=medium
354
355 * also check SDN permission path when computing coarse permissions heuristic
356 for UIs
357
358 * add SDN Permissions.Modify
359
360 * add VM.Config.Cloudinit
361
362 -- Proxmox Support Team <support@proxmox.com> Tue, 30 Jun 2020 13:06:56 +0200
363
e6624f50
TL		 364libpve-access-control (6.1-1) pve; urgency=medium
365
366 * pveum: add tfa delete subcommand for deleting user-TFA
367
368 * LDAP: don't complain about missing credentials on realm removal
369
370 * LDAP: skip anonymous bind when client certificate and key is configured
371
372 -- Proxmox Support Team <support@proxmox.com> Fri, 08 May 2020 17:47:41 +0200
373
8f4a522f
TL		 374libpve-access-control (6.0-7) pve; urgency=medium
375
376 * fix #2575: die when trying to edit built-in roles
377
378 * add realm sub commands to pveum CLI tool
379
7d23b7ca 380 * api: domains: add user group sync API endpoint
8f4a522f
TL		 381
382 * allow one to sync and import users and groups from LDAP/AD based realms
383
384 * realm: add default-sync-options to config for more convenient sync configuration
385
386 * api: token create: return also full token id for convenience
387
388 -- Proxmox Support Team <support@proxmox.com> Sat, 25 Apr 2020 19:35:17 +0200
389
23059f35
TL		 390libpve-access-control (6.0-6) pve; urgency=medium
391
392 * API: add group members to group index
393
394 * implement API token support and management
395
396 * pveum: add 'pveum user token add/update/remove/list'
397
398 * pveum: add permissions sub-commands
399
400 * API: add 'permissions' API endpoint
401
402 * user.cfg: skip inexisting roles when parsing ACLs
403
404 -- Proxmox Support Team <support@proxmox.com> Wed, 29 Jan 2020 10:17:27 +0100
405
3dd692e9
TL		 406libpve-access-control (6.0-5) pve; urgency=medium
407
408 * pveum: add list command for users, groups, ACLs and roles
409
410 * add initial permissions for experimental SDN integration
411
412 -- Proxmox Support Team <support@proxmox.com> Tue, 26 Nov 2019 17:56:37 +0100
413
4ef92d0d
FG		 414libpve-access-control (6.0-4) pve; urgency=medium
415
416 * ticket: use clinfo to get cluster name
417
418 * ldaps: add sslversion configuration property to support TLS 1.1 to 1.3 as
419 SSL version
420
421 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Nov 2019 11:55:11 +0100
422
6e5bbca4
TL		 423libpve-access-control (6.0-3) pve; urgency=medium
424
425 * fix #2433: increase possible TFA secret length
426
427 * parse user configuration: correctly parse group names in ACLs, for users
428 which begin their name with an @
429
430 * sort user.cfg entries alphabetically
431
432 -- Proxmox Support Team <support@proxmox.com> Tue, 29 Oct 2019 08:52:23 +0100
433
e073493c
TL		 434libpve-access-control (6.0-2) pve; urgency=medium
435
436 * improve CSRF verification compatibility with newer PVE
437
438 -- Proxmox Support Team <support@proxmox.com> Wed, 26 Jun 2019 20:24:35 +0200
439
a237dc2e
TL		 440libpve-access-control (6.0-1) pve; urgency=medium
441
442 * ticket: properly verify exactly 5 minute old tickets
443
444 * use hmac_sha256 instead of sha1 for CSRF token generation
445
446 -- Proxmox Support Team <support@proxmox.com> Mon, 24 Jun 2019 18:14:45 +0200
447
f1531f22
TL		 448libpve-access-control (6.0-0+1) pve; urgency=medium
449
450 * bump for Debian buster
451
452 * fix #2079: add periodic auth key rotation
453
454 -- Proxmox Support Team <support@proxmox.com> Tue, 21 May 2019 21:31:15 +0200
455
ef761f51
TL		 456libpve-access-control (5.1-10) unstable; urgency=medium
457
458 * add /access/user/{id}/tfa api call to get tfa types
459
460 -- Proxmox Support Team <support@proxmox.com> Wed, 15 May 2019 16:21:10 +0200
461
860ddcba
TL		 462libpve-access-control (5.1-9) unstable; urgency=medium
463
464 * store the tfa type in user.cfg allowing to get it without proxying the call
7d23b7ca 465 to a higher privileged daemon.
860ddcba
TL		 466
467 * tfa: realm required TFA should lock out users without TFA configured, as it
468 was done before Proxmox VE 5.4
469
470 -- Proxmox Support Team <support@proxmox.com> Tue, 30 Apr 2019 14:01:00 +0000
471
9fbad012
TL		 472libpve-access-control (5.1-8) unstable; urgency=medium
473
474 * U2F: ensure we save correct public key on registration
475
476 -- Proxmox Support Team <support@proxmox.com> Tue, 09 Apr 2019 12:47:12 +0200
477
4473c96c
TL		 478libpve-access-control (5.1-7) unstable; urgency=medium
479
480 * verify_ticket: allow general non-challenge tfa to be run as two step
481 call
482
483 -- Proxmox Support Team <support@proxmox.com> Mon, 08 Apr 2019 16:56:14 +0200
484
a270d4e1
TL		 485libpve-access-control (5.1-6) unstable; urgency=medium
486
487 * more general 2FA configuration via priv/tfa.cfg
488
489 * add u2f api endpoints
490
491 * delete TFA entries when deleting a user
492
493 * allow users to change their TOTP settings
494
495 -- Proxmox Support Team <support@proxmox.com> Wed, 03 Apr 2019 13:40:26 +0200
496
374647e8
TL		 497libpve-access-control (5.1-5) unstable; urgency=medium
498
499 * fix vnc ticket verification without authkey lifetime
500
501 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Mar 2019 10:43:17 +0100
502
7fb70c94
TL		 503libpve-access-control (5.1-4) unstable; urgency=medium
504
505 * fix #1891: Add zsh command completion for pveum
506
507 * ground work to fix #2079: add periodic auth key rotation. Not yet enabled
508 to avoid issues on upgrade, will be enabled with 6.0
509
510 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Mar 2019 09:12:05 +0100
511
6e010cde
TL		 512libpve-access-control (5.1-3) unstable; urgency=medium
513
514 * api/ticket: move getting cluster name into an eval
515
516 -- Proxmox Support Team <support@proxmox.com> Thu, 29 Nov 2018 12:59:36 +0100
517
f5a9380a
TL		 518libpve-access-control (5.1-2) unstable; urgency=medium
519
520 * fix #1998: correct return properties for read_role
521
522 -- Proxmox Support Team <support@proxmox.com> Fri, 23 Nov 2018 14:22:40 +0100
523
b54b7474
TL		 524libpve-access-control (5.1-1) unstable; urgency=medium
525
526 * pveum: introduce sub-commands
527
528 * register userid with completion
529
530 * fix #233: return cluster name on successful login
531
532 -- Proxmox Support Team <support@proxmox.com> Thu, 15 Nov 2018 09:34:47 +0100
533
52192dd4
WB		 534libpve-access-control (5.0-8) unstable; urgency=medium
535
536 * fix #1612: ldap: make 2nd server work with bind domains again
537
538 * fix an error message where passing a bad pool id to an API function would
539 make it complain about a wrong group name instead
540
541 * fix the API-returned permission list so that the GUI knows to show the
542 'Permissions' tab for a storage to an administrator apart from root@pam
543
544 -- Proxmox Support Team <support@proxmox.com> Thu, 18 Jan 2018 13:34:50 +0100
545
3dadf8cf
FG		 546libpve-access-control (5.0-7) unstable; urgency=medium
547
548 * VM.Snapshot.Rollback privilege added
549
550 * api: check for special roles before locking the usercfg
551
552 * fix #1501: pveum: die when deleting special role
553
554 * API/ticket: rework coarse grained permission computation
555
556 -- Proxmox Support Team <support@proxmox.com> Thu, 5 Oct 2017 11:27:48 +0200
557
ec4141f4
WB		 558libpve-access-control (5.0-6) unstable; urgency=medium
559
560 * Close #1470: Add server ceritifcate verification for AD and LDAP via the
561 'verify' option. For compatibility reasons this defaults to off for now,
562 but that might change with future updates.
563
564 * AD, LDAP: Add ability to specify a CA path or file, and a client
565 certificate via the 'capath', 'cert' and 'certkey' options.
566
567 -- Proxmox Support Team <support@proxmox.com> Tue, 08 Aug 2017 11:56:38 +0200
568
63134bd4
DM		 569libpve-access-control (5.0-5) unstable; urgency=medium
570
571 * change from dpkg-deb to dpkg-buildpackage
572
573 -- Proxmox Support Team <support@proxmox.com> Thu, 22 Jun 2017 09:12:37 +0200
574
868fb1ea
DM		 575libpve-access-control (5.0-4) unstable; urgency=medium
576
577 * PVE/CLI/pveum.pm: call setup_default_cli_env()
578
579 * PVE/Auth/PVE.pm: encode uft8 password before calling crypt
580
581 * check_api2_permissions: avoid warning about uninitialized value
582
583 -- Proxmox Support Team <support@proxmox.com> Tue, 02 May 2017 11:58:15 +0200
584
63358f40
DM		 585libpve-access-control (5.0-3) unstable; urgency=medium
586
587 * use new PVE::OTP class from pve-common
588
589 * use new PVE::Tools::encrypt_pw from pve-common
590
591 -- Proxmox Support Team <support@proxmox.com> Thu, 30 Mar 2017 17:45:55 +0200
592
05fd50af
DM		 593libpve-access-control (5.0-2) unstable; urgency=medium
594
595 * encrypt_pw: avoid '+' for crypt salt
596
597 -- Proxmox Support Team <support@proxmox.com> Thu, 30 Mar 2017 08:54:10 +0200
598
0835385b
FG		 599libpve-access-control (5.0-1) unstable; urgency=medium
600
601 * rebuild for PVE 5.0
602
603 -- Proxmox Support Team <support@proxmox.com> Mon, 6 Mar 2017 13:42:01 +0100
604
730f8863
DM		 605libpve-access-control (4.0-23) unstable; urgency=medium
606
607 * use new PVE::Ticket class
608
609 -- Proxmox Support Team <support@proxmox.com> Thu, 19 Jan 2017 13:42:06 +0100
610
1f1c4593
DM		 611libpve-access-control (4.0-22) unstable; urgency=medium
612
613 * RPCEnvironment: removed check_volume_access() to avoid cyclic dependency
614 (moved to PVE::Storage)
615
616 * PVE::PCEnvironment: use new PVE::RESTEnvironment as base class
617
618 -- Proxmox Support Team <support@proxmox.com> Thu, 19 Jan 2017 09:12:04 +0100
619
f9105063
DM		 620libpve-access-control (4.0-21) unstable; urgency=medium
621
622 * setup_default_cli_env: expect $class as first parameter
623
624 -- Proxmox Support Team <support@proxmox.com> Thu, 12 Jan 2017 13:54:27 +0100
625
9595066e
DM		 626libpve-access-control (4.0-20) unstable; urgency=medium
627
628 * PVE/RPCEnvironment.pm: new function setup_default_cli_env
629
630 * PVE/API2/Domains.pm: fix property description
631
632 * use new repoman for upload target
633
634 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Jan 2017 12:13:26 +0100
635
2af5a793
DM		 636libpve-access-control (4.0-19) unstable; urgency=medium
637
638 * Close #833: ldap: non-anonymous bind support
639
640 * don't import 'RFC' from MIME::Base32
641
642 -- Proxmox Support Team <support@proxmox.com> Fri, 05 Aug 2016 13:09:08 +0200
643
5d87bb77
WB		 644libpve-access-control (4.0-18) unstable; urgency=medium
645
646 * fix #1062: recognize base32 otp keys again
647
648 -- Proxmox Support Team <support@proxmox.com> Thu, 21 Jul 2016 08:43:18 +0200
649
28ddf48b
WB		 650libpve-access-control (4.0-17) unstable; urgency=medium
651
652 * drop oathtool and libdigest-hmac-perl dependencies
653
654 -- Proxmox Support Team <support@proxmox.com> Mon, 11 Jul 2016 12:03:22 +0200
655
15cebb28
DM		 656libpve-access-control (4.0-16) unstable; urgency=medium
657
658 * use pve-doc-generator to generate man pages
659
660 -- Proxmox Support Team <support@proxmox.com> Fri, 08 Apr 2016 07:06:05 +0200
661
678df887
DM		 662libpve-access-control (4.0-15) unstable; urgency=medium
663
664 * Fix uninitialized warning when shadow.cfg does not exist
665
666 -- Proxmox Support Team <support@proxmox.com> Fri, 01 Apr 2016 07:10:57 +0200
667
cca9761a
DM		 668libpve-access-control (4.0-14) unstable; urgency=medium
669
670 * Add is_worker to RPCEnvironment
671
672 -- Proxmox Support Team <support@proxmox.com> Tue, 15 Mar 2016 16:47:34 +0100
673
8643c99d
DM		 674libpve-access-control (4.0-13) unstable; urgency=medium
675
676 * fix #916: allow HTTPS to access custom yubico url
677
678 -- Proxmox Support Team <support@proxmox.com> Mon, 14 Mar 2016 11:39:23 +0100
679
ae2a6bf9
DM		 680libpve-access-control (4.0-12) unstable; urgency=medium
681
682 * Catch certificate errors instead of segfaulting
683
684 -- Proxmox Support Team <support@proxmox.com> Wed, 09 Mar 2016 14:41:01 +0100
685
4836db5f
DM		 686libpve-access-control (4.0-11) unstable; urgency=medium
687
688 * Fix #861: use safer sprintf formatting
689
690 -- Proxmox Support Team <support@proxmox.com> Fri, 08 Jan 2016 12:52:39 +0100
691
ccbe23dc
DM		 692libpve-access-control (4.0-10) unstable; urgency=medium
693
694 * Auth::LDAP, Auth::AD: ipv6 support
695
696 -- Proxmox Support Team <support@proxmox.com> Thu, 03 Dec 2015 12:09:32 +0100
697
90399ca4
DM		 698libpve-access-control (4.0-9) unstable; urgency=medium
699
700 * pveum: implement bash completion
701
702 -- Proxmox Support Team <support@proxmox.com> Thu, 01 Oct 2015 17:22:52 +0200
703
364ffc13
DM		 704libpve-access-control (4.0-8) unstable; urgency=medium
705
706 * remove_storage_access: cleanup of access permissions for removed storage
707
708 -- Proxmox Support Team <support@proxmox.com> Wed, 19 Aug 2015 15:39:15 +0200
709
7c26cb4a
DM		 710libpve-access-control (4.0-7) unstable; urgency=medium
711
712 * new helper to remove access permissions for removed VMs
713
714 -- Proxmox Support Team <support@proxmox.com> Fri, 14 Aug 2015 07:57:02 +0200
715
296afbd1
DM		 716libpve-access-control (4.0-6) unstable; urgency=medium
717
718 * improve parse_user_config, parse_shadow_config
719
720 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Jul 2015 13:14:33 +0200
721
7d2df2ef
DM		 722libpve-access-control (4.0-5) unstable; urgency=medium
723
724 * pveum: check for $cmd being defined
725
726 -- Proxmox Support Team <support@proxmox.com> Wed, 10 Jun 2015 10:40:15 +0200
727
98a34e3f
DM		 728libpve-access-control (4.0-4) unstable; urgency=medium
729
730 * use activate-noawait triggers
731
732 -- Proxmox Support Team <support@proxmox.com> Mon, 01 Jun 2015 12:25:31 +0200
733
15462727
DM		 734libpve-access-control (4.0-3) unstable; urgency=medium
735
736 * IPv6 fixes
737
738 * non-root buildfix
739
740 -- Proxmox Support Team <support@proxmox.com> Wed, 27 May 2015 11:15:44 +0200
741
bbf4cc9a
DM		 742libpve-access-control (4.0-2) unstable; urgency=medium
743
744 * trigger pve-api-updates event
745
746 -- Proxmox Support Team <support@proxmox.com> Tue, 05 May 2015 15:06:38 +0200
747
dfbcf6d3
DM		 748libpve-access-control (4.0-1) unstable; urgency=medium
749
750 * bump version for Debian Jessie
751
752 -- Proxmox Support Team <support@proxmox.com> Thu, 26 Feb 2015 11:22:01 +0100
753
94971b3a
DM		 754libpve-access-control (3.0-16) unstable; urgency=low
755
756 * root@pam can now be disabled in GUI.
757
758 -- Proxmox Support Team <support@proxmox.com> Fri, 30 Jan 2015 06:20:22 +0100
759
7b17c7cb
DM		 760libpve-access-control (3.0-15) unstable; urgency=low
761
762 * oath: add 'step' and 'digits' option
763
764 -- Proxmox Support Team <support@proxmox.com> Wed, 23 Jul 2014 06:59:52 +0200
765
1abc2c0a
DM		 766libpve-access-control (3.0-14) unstable; urgency=low
767
768 * add oath two factor auth
769
770 * add oathkeygen binary to generate keys for oath
771
772 * add yubico two factor auth
773
774 * dedend on oathtool
775
776 * depend on libmime-base32-perl
30be0de9
DM		 777
778 * allow to write builtin auth domains config (comment/tfa/default)
1abc2c0a
DM		 779
780 -- Proxmox Support Team <support@proxmox.com> Thu, 17 Jul 2014 13:09:56 +0200
781
298450ab
DM		 782libpve-access-control (3.0-13) unstable; urgency=low
783
784 * use correct connection string for AD auth
785
786 -- Proxmox Support Team <support@proxmox.com> Thu, 22 May 2014 07:16:09 +0200
787
396034e4
DM		 788libpve-access-control (3.0-12) unstable; urgency=low
789
790 * add dummy API for GET /access/ticket (useful to generate login pages)
791
792 -- Proxmox Support Team <support@proxmox.com> Wed, 30 Apr 2014 14:47:56 +0200
793
26361123
DM		 794libpve-access-control (3.0-11) unstable; urgency=low
795
796 * Sets common hot keys for spice client
797
798 -- Proxmox Support Team <support@proxmox.com> Fri, 31 Jan 2014 10:24:28 +0100
799
3643383d
DM		 800libpve-access-control (3.0-10) unstable; urgency=low
801
802 * implement helper to generate SPICE remote-viewer configuration
803
804 * depend on libnet-ssleay-perl
805
806 -- Proxmox Support Team <support@proxmox.com> Tue, 10 Dec 2013 10:45:08 +0100
807
0baedcf7
DM		 808libpve-access-control (3.0-9) unstable; urgency=low
809
810 * prevent user enumeration attacks
e4f8fc2e
DM		 811
812 * allow dots in access paths
0baedcf7
DM		 813
814 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Nov 2013 09:06:38 +0100
815
d4b63eae
DM		 816libpve-access-control (3.0-8) unstable; urgency=low
817
818 * spice: use lowercase hostname in ticktet signature
819
820 -- Proxmox Support Team <support@proxmox.com> Mon, 28 Oct 2013 08:11:57 +0100
821
49594944
DM		 822libpve-access-control (3.0-7) unstable; urgency=low
823
824 * check_volume_access : use parse_volname instead of path, and remove
825 path related code.
7c410d63
DM		 826
827 * use warnings instead of global -w flag.
49594944
DM		 828
829 -- Proxmox Support Team <support@proxmox.com> Tue, 01 Oct 2013 12:35:53 +0200
830
fe7de5d0
DM		 831libpve-access-control (3.0-6) unstable; urgency=low
832
833 * use shorter spiceproxy tickets
834
835 -- Proxmox Support Team <support@proxmox.com> Fri, 19 Jul 2013 12:39:09 +0200
836
4cdd9507
DM		 837libpve-access-control (3.0-5) unstable; urgency=low
838
839 * add code to generate tickets for SPICE
840
841 -- Proxmox Support Team <support@proxmox.com> Wed, 26 Jun 2013 13:08:32 +0200
842
677f9ab0
DM		 843libpve-access-control (3.0-4) unstable; urgency=low
844
845 * moved add_vm_to_pool/remove_vm_from_pool from qemu-server
846
847 -- Proxmox Support Team <support@proxmox.com> Tue, 14 May 2013 11:56:54 +0200
848
139a8ecf
DM		 849libpve-access-control (3.0-3) unstable; urgency=low
850
7d23b7ca 851 * Add new role PVETemplateUser (and VM.Clone privilege)
139a8ecf
DM		 852
853 -- Proxmox Support Team <support@proxmox.com> Mon, 29 Apr 2013 11:42:15 +0200
854
b78ce7c2
DM		 855libpve-access-control (3.0-2) unstable; urgency=low
856
857 * remove CGI.pm related code (pveproxy does not need that)
858
859 -- Proxmox Support Team <support@proxmox.com> Mon, 15 Apr 2013 12:34:23 +0200
860
786820f9
DM		 861libpve-access-control (3.0-1) unstable; urgency=low
862
863 * bump version for wheezy release
864
865 -- Proxmox Support Team <support@proxmox.com> Fri, 15 Mar 2013 08:07:06 +0100
866
e5ae5487
DM		 867libpve-access-control (1.0-26) unstable; urgency=low
868
869 * check_volume_access: fix access permissions for backup files
870
871 -- Proxmox Support Team <support@proxmox.com> Thu, 28 Feb 2013 10:00:14 +0100
872
e3e6510c
DM		 873libpve-access-control (1.0-25) unstable; urgency=low
874
875 * add VM.Snapshot permission
876
877 -- Proxmox Support Team <support@proxmox.com> Mon, 10 Sep 2012 09:23:32 +0200
878
1e15ebe7
DM		 879libpve-access-control (1.0-24) unstable; urgency=low
880
881 * untaint path (allow root to restore arbitrary paths)
882
883 -- Proxmox Support Team <support@proxmox.com> Wed, 06 Jun 2012 13:06:34 +0200
884
437be042
DM		 885libpve-access-control (1.0-23) unstable; urgency=low
886
887 * correctly compute GUI capabilities (consider pools)
888
889 -- Proxmox Support Team <support@proxmox.com> Wed, 30 May 2012 08:47:23 +0200
890
5bb4e06a
DM		 891libpve-access-control (1.0-22) unstable; urgency=low
892
893 * new plugin architecture for Auth modules, minor API change for Auth
894 domains (new 'delete' parameter)
895
896 -- Proxmox Support Team <support@proxmox.com> Wed, 16 May 2012 07:21:44 +0200
897
3030a176
DM		 898libpve-access-control (1.0-21) unstable; urgency=low
899
900 * do not allow user names including slash
901
902 -- Proxmox Support Team <support@proxmox.com> Tue, 24 Apr 2012 10:07:47 +0200
903
904libpve-access-control (1.0-20) unstable; urgency=low
905
906 * add ability to fork cli workers in background
907
908 -- Proxmox Support Team <support@proxmox.com> Wed, 18 Apr 2012 08:28:20 +0200
909
dd2cfee0
DM		 910libpve-access-control (1.0-19) unstable; urgency=low
911
912 * return set of privileges on login - can be used to adopt GUI
913
914 -- Proxmox Support Team <support@proxmox.com> Tue, 17 Apr 2012 10:25:10 +0200
915
1cf154b7
DM		 916libpve-access-control (1.0-18) unstable; urgency=low
917
7d23b7ca 918 * fix bug #151: correctly parse username inside ticket
533219a1
DM		 919
920 * fix bug #152: allow user to change his own password
1cf154b7
DM		 921
922 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Apr 2012 09:40:15 +0200
923
2de14407
DM		 924libpve-access-control (1.0-17) unstable; urgency=low
925
926 * set propagate flag by default
927
928 -- Proxmox Support Team <support@proxmox.com> Thu, 01 Mar 2012 12:40:19 +0100
929
bdc61d7a
DM		 930libpve-access-control (1.0-16) unstable; urgency=low
931
932 * add 'pveum passwd' method
933
934 -- Proxmox Support Team <support@proxmox.com> Thu, 23 Feb 2012 12:05:25 +0100
935
cc7bdf33
DM		 936libpve-access-control (1.0-15) unstable; urgency=low
937
938 * Add VM.Config.CDROM privilege to PVEVMUser rule
939
940 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 11:44:23 +0100
941
a69bbe2e
DM		 942libpve-access-control (1.0-14) unstable; urgency=low
943
944 * fix buf in userid-param permission check
945
946 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 10:52:35 +0100
947
d9483d94
DM		 948libpve-access-control (1.0-13) unstable; urgency=low
949
950 * allow more characters in ldap base_dn attribute
951
952 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 06:17:02 +0100
953
84619607
DM		 954libpve-access-control (1.0-12) unstable; urgency=low
955
956 * allow more characters with realm IDs
957
958 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Feb 2012 08:50:33 +0100
959
09d27058
DM		 960libpve-access-control (1.0-11) unstable; urgency=low
961
962 * fix bug in exec_api2_perm_check
963
964 -- Proxmox Support Team <support@proxmox.com> Wed, 15 Feb 2012 07:06:30 +0100
965
7a4c849e
DM		 966libpve-access-control (1.0-10) unstable; urgency=low
967
968 * fix ACL group name parser
969
970 * changed 'pveum aclmod' command line arguments
971
972 -- Proxmox Support Team <support@proxmox.com> Tue, 14 Feb 2012 12:08:02 +0100
973
3eac4e35
DM		 974libpve-access-control (1.0-9) unstable; urgency=low
975
976 * fix bug in check_volume_access (fixes vzrestore)
977
978 -- Proxmox Support Team <support@proxmox.com> Mon, 13 Feb 2012 09:56:37 +0100
979
4384e19e
DM		 980libpve-access-control (1.0-8) unstable; urgency=low
981
982 * fix return value for empty ACL list.
983
984 -- Proxmox Support Team <support@proxmox.com> Fri, 10 Feb 2012 11:25:04 +0100
985
d8a56966
DM		 986libpve-access-control (1.0-7) unstable; urgency=low
987
988 * fix bug #85: allow root@pam to generate tickets for other users
989
990 -- Proxmox Support Team <support@proxmox.com> Tue, 17 Jan 2012 06:40:18 +0100
991
cb6f2f93
DM		 992libpve-access-control (1.0-6) unstable; urgency=low
993
994 * API change: allow to filter enabled/disabled users.
995
996 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Jan 2012 12:30:37 +0100
997
272fe9ff
DM		 998libpve-access-control (1.0-5) unstable; urgency=low
999
1000 * add a way to return file changes (diffs): set_result_changes()
1001
1002 -- Proxmox Support Team <support@proxmox.com> Tue, 20 Dec 2011 11:18:48 +0100
1003
e42eedbc
DM		 1004libpve-access-control (1.0-4) unstable; urgency=low
1005
1006 * new environment type for ha agents
1007
1008 -- Proxmox Support Team <support@proxmox.com> Tue, 13 Dec 2011 10:08:53 +0100
1009
1fba27e0
DM		 1010libpve-access-control (1.0-3) unstable; urgency=low
1011
1012 * add support for delayed parameter parsing - We need that to disable
7d23b7ca 1013 file upload for normal API request (avoid DOS attacks)
1fba27e0
DM		 1014
1015 -- Proxmox Support Team <support@proxmox.com> Fri, 02 Dec 2011 09:56:10 +0100
1016
5bf71a96
DM		 1017libpve-access-control (1.0-2) unstable; urgency=low
1018
1019 * fix bug in fork_worker
1020
1021 -- Proxmox Support Team <support@proxmox.com> Tue, 11 Oct 2011 08:37:05 +0200
1022
2c3a6c0a
DM		 1023libpve-access-control (1.0-1) unstable; urgency=low
1024
1025 * allow '-' in permission paths
1026
1027 * bump version to 1.0
1028
1029 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Jun 2011 13:51:48 +0200
1030
1031libpve-access-control (0.1) unstable; urgency=low
1032
1033 * first dummy package - no functionality
1034
1035 -- Proxmox Support Team <support@proxmox.com> Thu, 09 Jul 2009 16:03:00 +0200
1036
Access control framework