git.proxmox.com Git - pve-access-control.git/blame - debian/changelog
bump version to 8.0.0~3
libpve-access-control (8.0.0~3) bookworm; urgency=medium

  * rpcenv: api permission heuristic: query Sys.Modify for root ACL-path

  * access control: add /sdn/zones/<zone>/<vnet>/<vlan> ACL object path

  * add helper for checking bridge access

  * add new SDN.Use privilege in PVESDNUser role, allowing one to specify
    which users are allowed to use a bridge (or vnet, if SDN is installed)

  * add privileges and paths for cluster resource mapping

 -- Proxmox Support Team <support@proxmox.com>  Wed, 07 Jun 2023 19:06:54 +0200

libpve-access-control (8.0.0~2) bookworm; urgency=medium

  * api: user index: only include existing tfa lock flags

  * add realm-sync plugin for jobs and CRUD api for realm-sync-jobs

  * roles: only include Permissions.Modify in Administrator built-in role.
    As, depending on the ACL object path, this privilege might allow one to
    change their own permissions, which was making the distinction between
    Admin and PVEAdmin irrelevant.

  * acls: restrict less-privileged ACL modifications. Through allocate
    permissions in pools, storages and virtual guests one can do some ACL
    modifications without having the Permissions.Modify privilege, lock those
    better down to ensure that one can only hand out the subset of their
    own privileges, never more. Note that this is mostly future proofing, as
    the ACL object paths one could give out more permissions were already
    limiting the scope.

 -- Proxmox Support Team <support@proxmox.com>  Wed, 07 Jun 2023 11:34:30 +0200

libpve-access-control (8.0.0~1) bookworm; urgency=medium

  * bump pve-rs dependency to 0.8.3

  * drop old verify_tfa api call (POST /access/tfa)

  * drop support for old login API:
    - 'new-format' is now considered to be 1 and ignored by the API

  * pam auth: set PAM_RHOST to allow pam configs to log/restrict/... by remote
    address

  * cli: add 'pveum tfa list'

  * cli: add 'pveum tfa unlock'

  * enable lockout of TFA:
    - too many TOTP attempts will lock out of TOTP
    - using a recovery key will unlock TOTP
    - too many TFA attempts will lock a user's TFA auth for an hour

  * api: add /access/users/<userid>/unlock-tfa to unlock a user's TFA
    authentication if it was locked by too many wrong 2nd factor login attempts

  * api: /access/tfa and /access/users now include the tfa lockout status

 -- Proxmox Support Team <support@proxmox.com>  Mon, 05 Jun 2023 14:52:29 +0200

libpve-access-control (7.99.0) bookworm; urgency=medium

  * initial re-build for Proxmox VE 8.x series

  * switch to native versioning

 -- Proxmox Support Team <support@proxmox.com>  Sun, 21 May 2023 10:34:19 +0200

libpve-access-control (7.4-3) bullseye; urgency=medium

  * use new 2nd factor verification from pve-rs

 -- Proxmox Support Team <support@proxmox.com>  Tue, 16 May 2023 13:31:28 +0200

libpve-access-control (7.4-2) bullseye; urgency=medium

  * fix #4609: fix regression where a valid DN in the ldap/ad realm config
    wasn't accepted anymore

 -- Proxmox Support Team <support@proxmox.com>  Thu, 23 Mar 2023 15:44:21 +0100

libpve-access-control (7.4-1) bullseye; urgency=medium

  * realm sync: refactor scope/remove-vanished into a standard option

  * ldap: Allow quoted values for DN attribute values

 -- Proxmox Support Team <support@proxmox.com>  Mon, 20 Mar 2023 17:16:11 +0100

libpve-access-control (7.3-2) bullseye; urgency=medium

  * fix #4518: dramatically improve ACL computation performance

  * userid format: clarify that this is the full name@realm in description

 -- Proxmox Support Team <support@proxmox.com>  Mon, 06 Mar 2023 11:40:11 +0100

libpve-access-control (7.3-1) bullseye; urgency=medium

  * realm: sync: allow explicit 'none' for 'remove-vanished' option

 -- Proxmox Support Team <support@proxmox.com>  Fri, 16 Dec 2022 13:11:04 +0100

libpve-access-control (7.2-5) bullseye; urgency=medium

  * api: realm sync: avoid separate log line for "remove-vanished" opt

  * auth ldap/ad: compare group member dn case-insensitively

  * two factor auth: only lock tfa config for recovery keys

  * privs: add Sys.Incoming for guarding cross-cluster data streams like guest
    migrations and storage migrations

 -- Proxmox Support Team <support@proxmox.com>  Thu, 17 Nov 2022 13:09:17 +0100

libpve-access-control (7.2-4) bullseye; urgency=medium

  * fix #4074: increase API OpenID code size limit to 2048

  * auth key: protect against rare chance of a double rotation in clusters,
    leaving the potential that some set of nodes have the earlier key cached,
    that then got rotated out due to the race, resulting in a possible other
    set of nodes having the newer key cached. This is a split view of the auth
    key and may result in spurious failures if API requests are made to a
    different node than the ticket was generated on.
    In addition to that, the "keep validity of old tickets if signed in the
    last two hours before rotation" logic was disabled too in such a case,
    making such tickets invalid too early.
    Note that both are cases where Proxmox VE was too strict, so while this
    had no security implications it can be a nuisance, especially for
    environments that use the API through an automated or scripted way

 -- Proxmox Support Team <support@proxmox.com>  Thu, 14 Jul 2022 08:36:51 +0200

libpve-access-control (7.2-3) bullseye; urgency=medium

  * api: token: use userid-group as API perm check to avoid being overly
    strict through a misguided use of user id for non-root users.

  * perm check: forbid undefined/empty ACL path for future proofing against
    above issue

 -- Proxmox Support Team <support@proxmox.com>  Mon, 20 Jun 2022 15:51:14 +0200

libpve-access-control (7.2-2) bullseye; urgency=medium

  * permissions: merge propagation flag for multiple roles on a path that
    share privilege in a deterministic way, to avoid that it gets lost
    depending on perl's random sort, which would result in returning less
    privileges than an auth-id actually had.

  * permissions: avoid that token and user privilege intersection is too strict
    for user permissions that have propagation disabled.

 -- Proxmox Support Team <support@proxmox.com>  Fri, 03 Jun 2022 14:02:30 +0200

libpve-access-control (7.2-1) bullseye; urgency=medium

  * user check: fix expiration/enable order

 -- Proxmox Support Team <support@proxmox.com>  Tue, 31 May 2022 13:43:37 +0200

libpve-access-control (7.1-8) bullseye; urgency=medium

  * fix #3668: realm-sync: replace 'full' & 'purge' with 'remove-vanished'

 -- Proxmox Support Team <support@proxmox.com>  Thu, 28 Apr 2022 17:02:46 +0200

libpve-access-control (7.1-7) bullseye; urgency=medium

  * userid-group check: distinguish create and update

  * api: get user: declare token schema

 -- Proxmox Support Team <support@proxmox.com>  Mon, 21 Mar 2022 16:15:23 +0100

libpve-access-control (7.1-6) bullseye; urgency=medium

  * fix #3768: warn on bad u2f or webauthn settings

  * tfa: when modifying others, verify the current user's password

  * tfa list: account for admin permissions

  * fix realm sync permissions

  * fix token permission display bug

  * include SDN permissions in permission tree

 -- Proxmox Support Team <support@proxmox.com>  Fri, 21 Jan 2022 14:20:42 +0100

libpve-access-control (7.1-5) bullseye; urgency=medium

  * openid: fix username-claim fallback

 -- Proxmox Support Team <support@proxmox.com>  Thu, 25 Nov 2021 07:57:38 +0100

libpve-access-control (7.1-4) bullseye; urgency=medium

  * set current origin in the webauthn config if no fixed origin was
    configured, to support webauthn via subdomains

 -- Proxmox Support Team <support@proxmox.com>  Mon, 22 Nov 2021 14:04:06 +0100

libpve-access-control (7.1-3) bullseye; urgency=medium

  * openid: allow arbitrary username-claims

  * openid: support configuring the prompt, scopes and ACR values

 -- Proxmox Support Team <support@proxmox.com>  Fri, 19 Nov 2021 08:11:52 +0100

libpve-access-control (7.1-2) bullseye; urgency=medium

  * catch incompatible tfa entries with a nice error

 -- Proxmox Support Team <support@proxmox.com>  Wed, 17 Nov 2021 13:44:45 +0100

libpve-access-control (7.1-1) bullseye; urgency=medium

  * tfa: map HTTP 404 error in get_tfa_entry correctly

 -- Proxmox Support Team <support@proxmox.com>  Mon, 15 Nov 2021 15:33:22 +0100

libpve-access-control (7.0-7) bullseye; urgency=medium

  * fix #3513: pass configured proxy to OpenID

  * use rust based parser for TFA config

  * use PBS-like auth api call flow,

  * merge old user.cfg keys to tfa config when adding entries

  * implement version checks for new tfa config writer to ensure all
    cluster nodes are ready to avoid login issues

  * tickets: add tunnel ticket

 -- Proxmox Support Team <support@proxmox.com>  Thu, 11 Nov 2021 18:17:49 +0100

libpve-access-control (7.0-6) bullseye; urgency=medium

  * fix regression in user deletion when realm does not enforce TFA

 -- Proxmox Support Team <support@proxmox.com>  Thu, 21 Oct 2021 12:28:52 +0200

libpve-access-control (7.0-5) bullseye; urgency=medium

  * acl: check path: add /sdn/vnets/* path

  * fix #2302: allow deletion of users when realm enforces TFA

  * api: delete user: disable user first to avoid surprise on error during the
    various cleanup action required for user deletion (e.g., TFA, ACL, group)

 -- Proxmox Support Team <support@proxmox.com>  Mon, 27 Sep 2021 15:50:47 +0200

libpve-access-control (7.0-4) bullseye; urgency=medium

  * realm: add OpenID configuration

  * api: implement OpenID related endpoints

  * implement opt-in OpenID autocreate user feature

  * api: user: add 'realm-type' to user list response

 -- Proxmox Support Team <support@proxmox.com>  Fri, 02 Jul 2021 13:45:46 +0200

libpve-access-control (7.0-3) bullseye; urgency=medium

  * api: acl: add missing `/access/realm/<realm>`, `/access/group/<group>` and
    `/sdn/zones/<zone>` to allowed ACL paths

 -- Proxmox Support Team <support@proxmox.com>  Mon, 21 Jun 2021 10:31:19 +0200

libpve-access-control (7.0-2) bullseye; urgency=medium

  * fix #3402: add Pool.Audit privilege - custom roles containing
    Pool.Allocate must be updated to include the new privilege.

 -- Proxmox Support Team <support@proxmox.com>  Tue, 1 Jun 2021 11:28:38 +0200

libpve-access-control (7.0-1) bullseye; urgency=medium

  * re-build for Debian 11 Bullseye based releases

 -- Proxmox Support Team <support@proxmox.com>  Sun, 09 May 2021 18:18:23 +0200

libpve-access-control (6.4-1) pve; urgency=medium

  * fix #1670: change PAM service name to project specific name

  * fix #1500: permission path syntax check for access control

  * pveum: add resource pool CLI commands

 -- Proxmox Support Team <support@proxmox.com>  Sat, 24 Apr 2021 19:48:21 +0200

libpve-access-control (6.1-3) pve; urgency=medium

  * partially fix #2825: authkey: rotate if it was generated in the
    future

  * fix #2947: add an option to LDAP or AD realm to switch user lookup to case
    insensitive

 -- Proxmox Support Team <support@proxmox.com>  Tue, 29 Sep 2020 08:54:13 +0200

libpve-access-control (6.1-2) pve; urgency=medium

  * also check SDN permission path when computing coarse permissions heuristic
    for UIs

  * add SDN Permissions.Modify

  * add VM.Config.Cloudinit

 -- Proxmox Support Team <support@proxmox.com>  Tue, 30 Jun 2020 13:06:56 +0200

libpve-access-control (6.1-1) pve; urgency=medium

  * pveum: add tfa delete subcommand for deleting user-TFA

  * LDAP: don't complain about missing credentials on realm removal

  * LDAP: skip anonymous bind when client certificate and key is configured

 -- Proxmox Support Team <support@proxmox.com>  Fri, 08 May 2020 17:47:41 +0200

libpve-access-control (6.0-7) pve; urgency=medium

  * fix #2575: die when trying to edit built-in roles

  * add realm sub commands to pveum CLI tool

  * api: domains: add user group sync API endpoint

  * allow one to sync and import users and groups from LDAP/AD based realms

  * realm: add default-sync-options to config for more convenient sync configuration

  * api: token create: return also full token id for convenience

 -- Proxmox Support Team <support@proxmox.com>  Sat, 25 Apr 2020 19:35:17 +0200

libpve-access-control (6.0-6) pve; urgency=medium

  * API: add group members to group index

  * implement API token support and management

  * pveum: add 'pveum user token add/update/remove/list'

  * pveum: add permissions sub-commands

  * API: add 'permissions' API endpoint

  * user.cfg: skip inexisting roles when parsing ACLs

 -- Proxmox Support Team <support@proxmox.com>  Wed, 29 Jan 2020 10:17:27 +0100

libpve-access-control (6.0-5) pve; urgency=medium

  * pveum: add list command for users, groups, ACLs and roles

  * add initial permissions for experimental SDN integration

 -- Proxmox Support Team <support@proxmox.com>  Tue, 26 Nov 2019 17:56:37 +0100

libpve-access-control (6.0-4) pve; urgency=medium

  * ticket: use clinfo to get cluster name

  * ldaps: add sslversion configuration property to support TLS 1.1 to 1.3 as
    SSL version

 -- Proxmox Support Team <support@proxmox.com>  Mon, 18 Nov 2019 11:55:11 +0100

libpve-access-control (6.0-3) pve; urgency=medium

  * fix #2433: increase possible TFA secret length

  * parse user configuration: correctly parse group names in ACLs, for users
    which begin their name with an @

  * sort user.cfg entries alphabetically

 -- Proxmox Support Team <support@proxmox.com>  Tue, 29 Oct 2019 08:52:23 +0100

libpve-access-control (6.0-2) pve; urgency=medium

  * improve CSRF verification compatibility with newer PVE

 -- Proxmox Support Team <support@proxmox.com>  Wed, 26 Jun 2019 20:24:35 +0200

libpve-access-control (6.0-1) pve; urgency=medium

  * ticket: properly verify exactly 5 minute old tickets

  * use hmac_sha256 instead of sha1 for CSRF token generation

 -- Proxmox Support Team <support@proxmox.com>  Mon, 24 Jun 2019 18:14:45 +0200

libpve-access-control (6.0-0+1) pve; urgency=medium

  * bump for Debian buster

  * fix #2079: add periodic auth key rotation

 -- Proxmox Support Team <support@proxmox.com>  Tue, 21 May 2019 21:31:15 +0200

libpve-access-control (5.1-10) unstable; urgency=medium

  * add /access/user/{id}/tfa api call to get tfa types

 -- Proxmox Support Team <support@proxmox.com>  Wed, 15 May 2019 16:21:10 +0200

libpve-access-control (5.1-9) unstable; urgency=medium

  * store the tfa type in user.cfg allowing to get it without proxying the call
    to a higher privileged daemon.

  * tfa: realm required TFA should lock out users without TFA configured, as it
    was done before Proxmox VE 5.4

 -- Proxmox Support Team <support@proxmox.com>  Tue, 30 Apr 2019 14:01:00 +0000

libpve-access-control (5.1-8) unstable; urgency=medium

  * U2F: ensure we save correct public key on registration

 -- Proxmox Support Team <support@proxmox.com>  Tue, 09 Apr 2019 12:47:12 +0200

libpve-access-control (5.1-7) unstable; urgency=medium

  * verify_ticket: allow general non-challenge tfa to be run as two step
    call

 -- Proxmox Support Team <support@proxmox.com>  Mon, 08 Apr 2019 16:56:14 +0200

libpve-access-control (5.1-6) unstable; urgency=medium

  * more general 2FA configuration via priv/tfa.cfg

  * add u2f api endpoints

  * delete TFA entries when deleting a user

  * allow users to change their TOTP settings

 -- Proxmox Support Team <support@proxmox.com>  Wed, 03 Apr 2019 13:40:26 +0200

libpve-access-control (5.1-5) unstable; urgency=medium

  * fix vnc ticket verification without authkey lifetime

 -- Proxmox Support Team <support@proxmox.com>  Mon, 18 Mar 2019 10:43:17 +0100

libpve-access-control (5.1-4) unstable; urgency=medium

  * fix #1891: Add zsh command completion for pveum

  * ground work to fix #2079: add periodic auth key rotation. Not yet enabled
    to avoid issues on upgrade, will be enabled with 6.0

 -- Proxmox Support Team <support@proxmox.com>  Mon, 18 Mar 2019 09:12:05 +0100

libpve-access-control (5.1-3) unstable; urgency=medium

  * api/ticket: move getting cluster name into an eval

 -- Proxmox Support Team <support@proxmox.com>  Thu, 29 Nov 2018 12:59:36 +0100

libpve-access-control (5.1-2) unstable; urgency=medium

  * fix #1998: correct return properties for read_role

 -- Proxmox Support Team <support@proxmox.com>  Fri, 23 Nov 2018 14:22:40 +0100

libpve-access-control (5.1-1) unstable; urgency=medium

  * pveum: introduce sub-commands

  * register userid with completion

  * fix #233: return cluster name on successful login

 -- Proxmox Support Team <support@proxmox.com>  Thu, 15 Nov 2018 09:34:47 +0100

libpve-access-control (5.0-8) unstable; urgency=medium

  * fix #1612: ldap: make 2nd server work with bind domains again

  * fix an error message where passing a bad pool id to an API function would
    make it complain about a wrong group name instead

  * fix the API-returned permission list so that the GUI knows to show the
    'Permissions' tab for a storage to an administrator apart from root@pam

 -- Proxmox Support Team <support@proxmox.com>  Thu, 18 Jan 2018 13:34:50 +0100

libpve-access-control (5.0-7) unstable; urgency=medium

  * VM.Snapshot.Rollback privilege added

  * api: check for special roles before locking the usercfg

  * fix #1501: pveum: die when deleting special role

  * API/ticket: rework coarse grained permission computation

 -- Proxmox Support Team <support@proxmox.com>  Thu, 5 Oct 2017 11:27:48 +0200

libpve-access-control (5.0-6) unstable; urgency=medium

  * Close #1470: Add server certificate verification for AD and LDAP via the
    'verify' option. For compatibility reasons this defaults to off for now,
    but that might change with future updates.

  * AD, LDAP: Add ability to specify a CA path or file, and a client
    certificate via the 'capath', 'cert' and 'certkey' options.

 -- Proxmox Support Team <support@proxmox.com>  Tue, 08 Aug 2017 11:56:38 +0200

libpve-access-control (5.0-5) unstable; urgency=medium

  * change from dpkg-deb to dpkg-buildpackage

 -- Proxmox Support Team <support@proxmox.com>  Thu, 22 Jun 2017 09:12:37 +0200

libpve-access-control (5.0-4) unstable; urgency=medium

  * PVE/CLI/pveum.pm: call setup_default_cli_env()

  * PVE/Auth/PVE.pm: encode utf8 password before calling crypt

  * check_api2_permissions: avoid warning about uninitialized value

 -- Proxmox Support Team <support@proxmox.com>  Tue, 02 May 2017 11:58:15 +0200

libpve-access-control (5.0-3) unstable; urgency=medium

  * use new PVE::OTP class from pve-common

  * use new PVE::Tools::encrypt_pw from pve-common

 -- Proxmox Support Team <support@proxmox.com>  Thu, 30 Mar 2017 17:45:55 +0200

libpve-access-control (5.0-2) unstable; urgency=medium

  * encrypt_pw: avoid '+' for crypt salt

 -- Proxmox Support Team <support@proxmox.com>  Thu, 30 Mar 2017 08:54:10 +0200

libpve-access-control (5.0-1) unstable; urgency=medium

  * rebuild for PVE 5.0

 -- Proxmox Support Team <support@proxmox.com>  Mon, 6 Mar 2017 13:42:01 +0100

libpve-access-control (4.0-23) unstable; urgency=medium

  * use new PVE::Ticket class

 -- Proxmox Support Team <support@proxmox.com>  Thu, 19 Jan 2017 13:42:06 +0100

libpve-access-control (4.0-22) unstable; urgency=medium

  * RPCEnvironment: removed check_volume_access() to avoid cyclic dependency
    (moved to PVE::Storage)

  * PVE::PCEnvironment: use new PVE::RESTEnvironment as base class

 -- Proxmox Support Team <support@proxmox.com>  Thu, 19 Jan 2017 09:12:04 +0100

libpve-access-control (4.0-21) unstable; urgency=medium

  * setup_default_cli_env: expect $class as first parameter

 -- Proxmox Support Team <support@proxmox.com>  Thu, 12 Jan 2017 13:54:27 +0100

libpve-access-control (4.0-20) unstable; urgency=medium

  * PVE/RPCEnvironment.pm: new function setup_default_cli_env

  * PVE/API2/Domains.pm: fix property description

  * use new repoman for upload target

 -- Proxmox Support Team <support@proxmox.com>  Wed, 11 Jan 2017 12:13:26 +0100

libpve-access-control (4.0-19) unstable; urgency=medium

  * Close #833: ldap: non-anonymous bind support

  * don't import 'RFC' from MIME::Base32

 -- Proxmox Support Team <support@proxmox.com>  Fri, 05 Aug 2016 13:09:08 +0200

libpve-access-control (4.0-18) unstable; urgency=medium

  * fix #1062: recognize base32 otp keys again

 -- Proxmox Support Team <support@proxmox.com>  Thu, 21 Jul 2016 08:43:18 +0200

libpve-access-control (4.0-17) unstable; urgency=medium

  * drop oathtool and libdigest-hmac-perl dependencies

 -- Proxmox Support Team <support@proxmox.com>  Mon, 11 Jul 2016 12:03:22 +0200

libpve-access-control (4.0-16) unstable; urgency=medium

  * use pve-doc-generator to generate man pages

 -- Proxmox Support Team <support@proxmox.com>  Fri, 08 Apr 2016 07:06:05 +0200

libpve-access-control (4.0-15) unstable; urgency=medium

  * Fix uninitialized warning when shadow.cfg does not exist

 -- Proxmox Support Team <support@proxmox.com>  Fri, 01 Apr 2016 07:10:57 +0200

libpve-access-control (4.0-14) unstable; urgency=medium

  * Add is_worker to RPCEnvironment

 -- Proxmox Support Team <support@proxmox.com>  Tue, 15 Mar 2016 16:47:34 +0100

libpve-access-control (4.0-13) unstable; urgency=medium

  * fix #916: allow HTTPS to access custom yubico url

 -- Proxmox Support Team <support@proxmox.com>  Mon, 14 Mar 2016 11:39:23 +0100

libpve-access-control (4.0-12) unstable; urgency=medium

  * Catch certificate errors instead of segfaulting

 -- Proxmox Support Team <support@proxmox.com>  Wed, 09 Mar 2016 14:41:01 +0100

libpve-access-control (4.0-11) unstable; urgency=medium

  * Fix #861: use safer sprintf formatting

 -- Proxmox Support Team <support@proxmox.com>  Fri, 08 Jan 2016 12:52:39 +0100

libpve-access-control (4.0-10) unstable; urgency=medium

  * Auth::LDAP, Auth::AD: ipv6 support

 -- Proxmox Support Team <support@proxmox.com>  Thu, 03 Dec 2015 12:09:32 +0100

libpve-access-control (4.0-9) unstable; urgency=medium

  * pveum: implement bash completion

 -- Proxmox Support Team <support@proxmox.com>  Thu, 01 Oct 2015 17:22:52 +0200

libpve-access-control (4.0-8) unstable; urgency=medium

  * remove_storage_access: cleanup of access permissions for removed storage

 -- Proxmox Support Team <support@proxmox.com>  Wed, 19 Aug 2015 15:39:15 +0200

libpve-access-control (4.0-7) unstable; urgency=medium

  * new helper to remove access permissions for removed VMs

 -- Proxmox Support Team <support@proxmox.com>  Fri, 14 Aug 2015 07:57:02 +0200

libpve-access-control (4.0-6) unstable; urgency=medium

  * improve parse_user_config, parse_shadow_config

 -- Proxmox Support Team <support@proxmox.com>  Mon, 27 Jul 2015 13:14:33 +0200

libpve-access-control (4.0-5) unstable; urgency=medium

  * pveum: check for $cmd being defined

 -- Proxmox Support Team <support@proxmox.com>  Wed, 10 Jun 2015 10:40:15 +0200

libpve-access-control (4.0-4) unstable; urgency=medium

  * use activate-noawait triggers

 -- Proxmox Support Team <support@proxmox.com>  Mon, 01 Jun 2015 12:25:31 +0200

libpve-access-control (4.0-3) unstable; urgency=medium

  * IPv6 fixes

  * non-root buildfix

 -- Proxmox Support Team <support@proxmox.com>  Wed, 27 May 2015 11:15:44 +0200

libpve-access-control (4.0-2) unstable; urgency=medium

  * trigger pve-api-updates event

 -- Proxmox Support Team <support@proxmox.com>  Tue, 05 May 2015 15:06:38 +0200

libpve-access-control (4.0-1) unstable; urgency=medium

  * bump version for Debian Jessie

 -- Proxmox Support Team <support@proxmox.com>  Thu, 26 Feb 2015 11:22:01 +0100

libpve-access-control (3.0-16) unstable; urgency=low

  * root@pam can now be disabled in GUI.

 -- Proxmox Support Team <support@proxmox.com>  Fri, 30 Jan 2015 06:20:22 +0100

libpve-access-control (3.0-15) unstable; urgency=low

  * oath: add 'step' and 'digits' option

 -- Proxmox Support Team <support@proxmox.com>  Wed, 23 Jul 2014 06:59:52 +0200

libpve-access-control (3.0-14) unstable; urgency=low

  * add oath two factor auth

  * add oathkeygen binary to generate keys for oath

  * add yubico two factor auth

  * depend on oathtool

  * depend on libmime-base32-perl

  * allow to write builtin auth domains config (comment/tfa/default)

 -- Proxmox Support Team <support@proxmox.com>  Thu, 17 Jul 2014 13:09:56 +0200

libpve-access-control (3.0-13) unstable; urgency=low

  * use correct connection string for AD auth

 -- Proxmox Support Team <support@proxmox.com>  Thu, 22 May 2014 07:16:09 +0200

libpve-access-control (3.0-12) unstable; urgency=low

  * add dummy API for GET /access/ticket (useful to generate login pages)

 -- Proxmox Support Team <support@proxmox.com>  Wed, 30 Apr 2014 14:47:56 +0200

libpve-access-control (3.0-11) unstable; urgency=low

  * Sets common hot keys for spice client

 -- Proxmox Support Team <support@proxmox.com>  Fri, 31 Jan 2014 10:24:28 +0100

libpve-access-control (3.0-10) unstable; urgency=low

  * implement helper to generate SPICE remote-viewer configuration

  * depend on libnet-ssleay-perl

 -- Proxmox Support Team <support@proxmox.com>  Tue, 10 Dec 2013 10:45:08 +0100

libpve-access-control (3.0-9) unstable; urgency=low

  * prevent user enumeration attacks

  * allow dots in access paths

 -- Proxmox Support Team <support@proxmox.com>  Mon, 18 Nov 2013 09:06:38 +0100

libpve-access-control (3.0-8) unstable; urgency=low

  * spice: use lowercase hostname in ticket signature

 -- Proxmox Support Team <support@proxmox.com>  Mon, 28 Oct 2013 08:11:57 +0100

libpve-access-control (3.0-7) unstable; urgency=low

  * check_volume_access : use parse_volname instead of path, and remove
    path related code.

  * use warnings instead of global -w flag.

 -- Proxmox Support Team <support@proxmox.com>  Tue, 01 Oct 2013 12:35:53 +0200

libpve-access-control (3.0-6) unstable; urgency=low

  * use shorter spiceproxy tickets

 -- Proxmox Support Team <support@proxmox.com>  Fri, 19 Jul 2013 12:39:09 +0200

libpve-access-control (3.0-5) unstable; urgency=low

  * add code to generate tickets for SPICE

 -- Proxmox Support Team <support@proxmox.com>  Wed, 26 Jun 2013 13:08:32 +0200

libpve-access-control (3.0-4) unstable; urgency=low

  * moved add_vm_to_pool/remove_vm_from_pool from qemu-server

 -- Proxmox Support Team <support@proxmox.com>  Tue, 14 May 2013 11:56:54 +0200

libpve-access-control (3.0-3) unstable; urgency=low

  * Add new role PVETemplateUser (and VM.Clone privilege)

 -- Proxmox Support Team <support@proxmox.com>  Mon, 29 Apr 2013 11:42:15 +0200

libpve-access-control (3.0-2) unstable; urgency=low

  * remove CGI.pm related code (pveproxy does not need that)

 -- Proxmox Support Team <support@proxmox.com>  Mon, 15 Apr 2013 12:34:23 +0200

libpve-access-control (3.0-1) unstable; urgency=low

  * bump version for wheezy release

 -- Proxmox Support Team <support@proxmox.com>  Fri, 15 Mar 2013 08:07:06 +0100

libpve-access-control (1.0-26) unstable; urgency=low

  * check_volume_access: fix access permissions for backup files

 -- Proxmox Support Team <support@proxmox.com>  Thu, 28 Feb 2013 10:00:14 +0100

libpve-access-control (1.0-25) unstable; urgency=low

  * add VM.Snapshot permission

 -- Proxmox Support Team <support@proxmox.com>  Mon, 10 Sep 2012 09:23:32 +0200

libpve-access-control (1.0-24) unstable; urgency=low

  * untaint path (allow root to restore arbitrary paths)

 -- Proxmox Support Team <support@proxmox.com>  Wed, 06 Jun 2012 13:06:34 +0200

libpve-access-control (1.0-23) unstable; urgency=low

  * correctly compute GUI capabilities (consider pools)

 -- Proxmox Support Team <support@proxmox.com>  Wed, 30 May 2012 08:47:23 +0200

libpve-access-control (1.0-22) unstable; urgency=low

  * new plugin architecture for Auth modules, minor API change for Auth
    domains (new 'delete' parameter)

 -- Proxmox Support Team <support@proxmox.com>  Wed, 16 May 2012 07:21:44 +0200

libpve-access-control (1.0-21) unstable; urgency=low

  * do not allow user names including slash

 -- Proxmox Support Team <support@proxmox.com>  Tue, 24 Apr 2012 10:07:47 +0200

libpve-access-control (1.0-20) unstable; urgency=low

  * add ability to fork cli workers in background

 -- Proxmox Support Team <support@proxmox.com>  Wed, 18 Apr 2012 08:28:20 +0200

dd2cfee0
DM
875libpve-access-control (1.0-19) unstable; urgency=low
876
877 * return set of privileges on login - can be used to adopt GUI
878
879 -- Proxmox Support Team <support@proxmox.com> Tue, 17 Apr 2012 10:25:10 +0200
880
1cf154b7
DM
881libpve-access-control (1.0-18) unstable; urgency=low
882
7d23b7ca 883 * fix bug #151: correctly parse username inside ticket
533219a1
DM
884
885 * fix bug #152: allow user to change his own password
1cf154b7
DM
886
887 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Apr 2012 09:40:15 +0200
888
2de14407
DM
889libpve-access-control (1.0-17) unstable; urgency=low
890
891 * set propagate flag by default
892
893 -- Proxmox Support Team <support@proxmox.com> Thu, 01 Mar 2012 12:40:19 +0100
894
bdc61d7a
DM
895libpve-access-control (1.0-16) unstable; urgency=low
896
897 * add 'pveum passwd' method
898
899 -- Proxmox Support Team <support@proxmox.com> Thu, 23 Feb 2012 12:05:25 +0100
900
cc7bdf33
DM
901libpve-access-control (1.0-15) unstable; urgency=low
902
903 * Add VM.Config.CDROM privilege to PVEVMUser rule
904
905 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 11:44:23 +0100
906
a69bbe2e
DM
907libpve-access-control (1.0-14) unstable; urgency=low
908
909 * fix bug in userid-param permission check
910
911 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 10:52:35 +0100
912
d9483d94
DM
913libpve-access-control (1.0-13) unstable; urgency=low
914
915 * allow more characters in ldap base_dn attribute
916
917 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 06:17:02 +0100
918
84619607
DM
919libpve-access-control (1.0-12) unstable; urgency=low
920
921 * allow more characters with realm IDs
922
923 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Feb 2012 08:50:33 +0100
924
09d27058
DM
925libpve-access-control (1.0-11) unstable; urgency=low
926
927 * fix bug in exec_api2_perm_check
928
929 -- Proxmox Support Team <support@proxmox.com> Wed, 15 Feb 2012 07:06:30 +0100
930
7a4c849e
DM
931libpve-access-control (1.0-10) unstable; urgency=low
932
933 * fix ACL group name parser
934
935 * changed 'pveum aclmod' command line arguments
936
937 -- Proxmox Support Team <support@proxmox.com> Tue, 14 Feb 2012 12:08:02 +0100
938
3eac4e35
DM
939libpve-access-control (1.0-9) unstable; urgency=low
940
941 * fix bug in check_volume_access (fixes vzrestore)
942
943 -- Proxmox Support Team <support@proxmox.com> Mon, 13 Feb 2012 09:56:37 +0100
944
4384e19e
DM
945libpve-access-control (1.0-8) unstable; urgency=low
946
947 * fix return value for empty ACL list.
948
949 -- Proxmox Support Team <support@proxmox.com> Fri, 10 Feb 2012 11:25:04 +0100
950
d8a56966
DM
951libpve-access-control (1.0-7) unstable; urgency=low
952
953 * fix bug #85: allow root@pam to generate tickets for other users
954
955 -- Proxmox Support Team <support@proxmox.com> Tue, 17 Jan 2012 06:40:18 +0100
956
cb6f2f93
DM
957libpve-access-control (1.0-6) unstable; urgency=low
958
959 * API change: allow to filter enabled/disabled users.
960
961 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Jan 2012 12:30:37 +0100
962
272fe9ff
DM
963libpve-access-control (1.0-5) unstable; urgency=low
964
965 * add a way to return file changes (diffs): set_result_changes()
966
967 -- Proxmox Support Team <support@proxmox.com> Tue, 20 Dec 2011 11:18:48 +0100
968
e42eedbc
DM
969libpve-access-control (1.0-4) unstable; urgency=low
970
971 * new environment type for ha agents
972
973 -- Proxmox Support Team <support@proxmox.com> Tue, 13 Dec 2011 10:08:53 +0100
974
1fba27e0
DM
975libpve-access-control (1.0-3) unstable; urgency=low
976
977 * add support for delayed parameter parsing - We need that to disable
7d23b7ca 978 file upload for normal API request (avoid DOS attacks)
1fba27e0
DM
979
980 -- Proxmox Support Team <support@proxmox.com> Fri, 02 Dec 2011 09:56:10 +0100
981
5bf71a96
DM
982libpve-access-control (1.0-2) unstable; urgency=low
983
984 * fix bug in fork_worker
985
986 -- Proxmox Support Team <support@proxmox.com> Tue, 11 Oct 2011 08:37:05 +0200
987
2c3a6c0a
DM
988libpve-access-control (1.0-1) unstable; urgency=low
989
990 * allow '-' in permission paths
991
992 * bump version to 1.0
993
994 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Jun 2011 13:51:48 +0200
995
996libpve-access-control (0.1) unstable; urgency=low
997
998 * first dummy package - no functionality
999
1000 -- Proxmox Support Team <support@proxmox.com> Thu, 09 Jul 2009 16:03:00 +0200
1001