git.proxmox.com Git - pve-access-control.git/blame - debian/changelog
bump version to 8.0.5
Commit Line Data
b8a52eac
WB
1 libpve-access-control (8.0.5) bookworm; urgency=medium
2
3 * fix an issue where setting ldap passwords would refuse to work unless
4 at least one additional property was changed as well
5
6 * add 'check-connection' parameter to create and update endpoints for ldap
7 based realms
8
9 -- Proxmox Support Team <support@proxmox.com> Fri, 11 Aug 2023 13:35:23 +0200
10
33e4480a
WB
11 libpve-access-control (8.0.4) bookworm; urgency=medium
12
13 * Lookup of second factors is no longer tied to the 'keys' field in the
14 user.cfg. This fixes an issue where certain LDAP/AD sync job settings
15 could disable user-configured 2nd factors.
16
17 * Existing-but-disabled TFA factors can no longer circumvent realm-mandated
18 TFA.
19
20 -- Proxmox Support Team <support@proxmox.com> Thu, 20 Jul 2023 10:59:21 +0200
21
8a856968
TL
22 libpve-access-control (8.0.3) bookworm; urgency=medium
23
24 * pveum: list tfa: recovery keys have no descriptions
25
26 * pveum: list tfa: sort by user ID
27
28 * drop assert_new_tfa_config_available for Proxmox VE 8, as the new format
29 is understood since pve-manager 7.0-15, and users must upgrade to Proxmox
30 VE 7.4 before upgrading to Proxmox VE 8 in addition to that.
31
32 -- Proxmox Support Team <support@proxmox.com> Wed, 21 Jun 2023 19:45:29 +0200
33
1852a929
TL
34 libpve-access-control (8.0.2) bookworm; urgency=medium
35
36 * api: users: sort groups to avoid "flapping" text
37
38 * api: tfa: don't block tokens from viewing and list TFA entries, both are
39 safe to do for anybody with enough permissions to view a user.
40
41 * api: tfa: add missing links for child-routes
42
43 -- Proxmox Support Team <support@proxmox.com> Wed, 21 Jun 2023 18:13:54 +0200
44
ebf82c77
TL
45 libpve-access-control (8.0.1) bookworm; urgency=medium
46
47 * tfa: cope with native versions in cluster version check
48
49 -- Proxmox Support Team <support@proxmox.com> Fri, 09 Jun 2023 16:12:01 +0200
50
6004f25e
TL
51 libpve-access-control (8.0.0) bookworm; urgency=medium
52
53 * api: roles: forbid creating new roles starting with "PVE" namespace
54
55 -- Proxmox Support Team <support@proxmox.com> Fri, 09 Jun 2023 10:14:28 +0200
56
8e8023b1
TL
57 libpve-access-control (8.0.0~3) bookworm; urgency=medium
58
59 * rpcenv: api permission heuristic: query Sys.Modify for root ACL-path
60
61 * access control: add /sdn/zones/<zone>/<vnet>/<vlan> ACL object path
62
63 * add helper for checking bridge access
64
65 * add new SDN.Use privilege in PVESDNUser role, allowing one to specify
66 which users are allowed to use a bridge (or vnet, if SDN is installed)
67
68 * add privileges and paths for cluster resource mapping
69
70 -- Proxmox Support Team <support@proxmox.com> Wed, 07 Jun 2023 19:06:54 +0200
71
3ef602fe
TL
72 libpve-access-control (8.0.0~2) bookworm; urgency=medium
73
74 * api: user index: only include existing tfa lock flags
75
76 * add realm-sync plugin for jobs and CRUD api for realm-sync-jobs
77
78 * roles: only include Permissions.Modify in Administrator built-in role.
79 As, depending on the ACL object path, this privilege might allow one to
80 change their own permissions, which was making the distinction between
81 Admin and PVEAdmin irrelevant.
82
83 * acls: restrict less-privileged ACL modifications. Through allocate
84 permissions in pools, storages and virtual guests one can do some ACL
85 modifications without having the Permissions.Modify privilege, lock those
86 better down to ensure that one can hand out only the subset of their
87 own privileges, never more. Note that this is mostly future proofing, as
88 the ACL object paths one could give out more permissions were already
89 limiting the scope.
90
91 -- Proxmox Support Team <support@proxmox.com> Wed, 07 Jun 2023 11:34:30 +0200
92
f63364a7
WB
93 libpve-access-control (8.0.0~1) bookworm; urgency=medium
94
95 * bump pve-rs dependency to 0.8.3
96
97 * drop old verify_tfa api call (POST /access/tfa)
98
99 * drop support for old login API:
100 - 'new-format' is now considered to be 1 and ignored by the API
101
102 * pam auth: set PAM_RHOST to allow pam configs to log/restrict/... by remote
103 address
104
105 * cli: add 'pveum tfa list'
106
107 * cli: add 'pveum tfa unlock'
108
109 * enable lockout of TFA:
110 - too many TOTP attempts will lock out of TOTP
111 - using a recovery key will unlock TOTP
112 - too many TFA attempts will lock a user's TFA auth for an hour
113
114 * api: add /access/users/<userid>/unlock-tfa to unlock a user's TFA
115 authentication if it was locked by too many wrong 2nd factor login attempts
116
117 * api: /access/tfa and /access/users now include the tfa lockout status
118
119 -- Proxmox Support Team <support@proxmox.com> Mon, 05 Jun 2023 14:52:29 +0200
120
a3dc6ff4
TL
121 libpve-access-control (7.99.0) bookworm; urgency=medium
122
123 * initial re-build for Proxmox VE 8.x series
124
125 * switch to native versioning
126
127 -- Proxmox Support Team <support@proxmox.com> Sun, 21 May 2023 10:34:19 +0200
128
f2762a03
WB
129 libpve-access-control (7.4-3) bullseye; urgency=medium
130
131 * use new 2nd factor verification from pve-rs
132
133 -- Proxmox Support Team <support@proxmox.com> Tue, 16 May 2023 13:31:28 +0200
134
f0595d15
TL
135 libpve-access-control (7.4-2) bullseye; urgency=medium
136
137 * fix #4609: fix regression where a valid DN in the ldap/ad realm config
138 wasn't accepted anymore
139
140 -- Proxmox Support Team <support@proxmox.com> Thu, 23 Mar 2023 15:44:21 +0100
141
a23eaa1a
TL
142 libpve-access-control (7.4-1) bullseye; urgency=medium
143
144 * realm sync: refactor scope/remove-vanished into a standard option
145
146 * ldap: Allow quoted values for DN attribute values
147
148 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Mar 2023 17:16:11 +0100
149
df33b3b9
TL
150 libpve-access-control (7.3-2) bullseye; urgency=medium
151
152 * fix #4518: dramatically improve ACL computation performance
153
154 * userid format: clarify that this is the full name@realm in description
155
156 -- Proxmox Support Team <support@proxmox.com> Mon, 06 Mar 2023 11:40:11 +0100
157
2da8c203
TL
158 libpve-access-control (7.3-1) bullseye; urgency=medium
159
160 * realm: sync: allow explicit 'none' for 'remove-vanished' option
161
162 -- Proxmox Support Team <support@proxmox.com> Fri, 16 Dec 2022 13:11:04 +0100
163
b84bf623
TL
164 libpve-access-control (7.2-5) bullseye; urgency=medium
165
166 * api: realm sync: avoid separate log line for "remove-vanished" opt
167
168 * auth ldap/ad: compare group member dn case-insensitively
169
170 * two factor auth: only lock tfa config for recovery keys
171
172 * privs: add Sys.Incoming for guarding cross-cluster data streams like guest
173 migrations and storage migrations
174
175 -- Proxmox Support Team <support@proxmox.com> Thu, 17 Nov 2022 13:09:17 +0100
176
f4e68e49
TL
177 libpve-access-control (7.2-4) bullseye; urgency=medium
178
179 * fix #4074: increase API OpenID code size limit to 2048
180
181 * auth key: protect against rare chance of a double rotation in clusters,
182 leaving the potential that some set of nodes have the earlier key cached,
183 that then got rotated out due to the race, resulting in a possible other
184 set of nodes having the newer key cached. This is a split view of the auth
185 key and may result in spurious failures if API requests are made to a
186 different node than the ticket was generated on.
187 In addition to that, the "keep validity of old tickets if signed in the
188 last two hours before rotation" logic was disabled too in such a case,
189 making such tickets invalid too early.
190 Note that both are cases where Proxmox VE was too strict, so while this
191 had no security implications it can be a nuisance, especially for
192 environments that use the API through an automated or scripted way
193
194 -- Proxmox Support Team <support@proxmox.com> Thu, 14 Jul 2022 08:36:51 +0200
195
26dde491
TL
196 libpve-access-control (7.2-3) bullseye; urgency=medium
197
198 * api: token: use userid-group as API perm check to avoid being overly
199 strict through a misguided use of user id for non-root users.
200
201 * perm check: forbid undefined/empty ACL path for future proofing against
202 above issue
203
204 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Jun 2022 15:51:14 +0200
205
1cf4389b
TL
206 libpve-access-control (7.2-2) bullseye; urgency=medium
207
208 * permissions: merge propagation flag for multiple roles on a path that
209 share privilege in a deterministic way, to avoid that it gets lost
210 depending on perl's random sort, which would result in returning less
211 privileges than an auth-id actually had.
212
213 * permissions: avoid that token and user privilege intersection is too strict
214 for user permissions that have propagation disabled.
215
216 -- Proxmox Support Team <support@proxmox.com> Fri, 03 Jun 2022 14:02:30 +0200
217
e3604d48
TL
218 libpve-access-control (7.2-1) bullseye; urgency=medium
219
220 * user check: fix expiration/enable order
221
222 -- Proxmox Support Team <support@proxmox.com> Tue, 31 May 2022 13:43:37 +0200
223
79ae250f
TL
224 libpve-access-control (7.1-8) bullseye; urgency=medium
225
226 * fix #3668: realm-sync: replace 'full' & 'purge' with 'remove-
227 vanished'
228
229 -- Proxmox Support Team <support@proxmox.com> Thu, 28 Apr 2022 17:02:46 +0200
230
eed46286
TL
231 libpve-access-control (7.1-7) bullseye; urgency=medium
232
233 * userid-group check: distinguish create and update
234
235 * api: get user: declare token schema
236
237 -- Proxmox Support Team <support@proxmox.com> Mon, 21 Mar 2022 16:15:23 +0100
238
cd78b295
FG
239 libpve-access-control (7.1-6) bullseye; urgency=medium
240
241 * fix #3768: warn on bad u2f or webauthn settings
242
243 * tfa: when modifying others, verify the current user's password
244
245 * tfa list: account for admin permissions
246
247 * fix realm sync permissions
248
249 * fix token permission display bug
250
251 * include SDN permissions in permission tree
252
253 -- Proxmox Support Team <support@proxmox.com> Fri, 21 Jan 2022 14:20:42 +0100
254
118088d8
TL
255 libpve-access-control (7.1-5) bullseye; urgency=medium
256
257 * openid: fix username-claim fallback
258
259 -- Proxmox Support Team <support@proxmox.com> Thu, 25 Nov 2021 07:57:38 +0100
260
ebb14277
WB
261 libpve-access-control (7.1-4) bullseye; urgency=medium
262
263 * set current origin in the webauthn config if no fixed origin was
264 configured, to support webauthn via subdomains
265
266 -- Proxmox Support Team <support@proxmox.com> Mon, 22 Nov 2021 14:04:06 +0100
267
44a55ff7
TL
268 libpve-access-control (7.1-3) bullseye; urgency=medium
269
270 * openid: allow arbitrary username-claims
271
272 * openid: support configuring the prompt, scopes and ACR values
273
274 -- Proxmox Support Team <support@proxmox.com> Fri, 19 Nov 2021 08:11:52 +0100
275
6f643e79
TL
276 libpve-access-control (7.1-2) bullseye; urgency=medium
277
278 * catch incompatible tfa entries with a nice error
279
280 -- Proxmox Support Team <support@proxmox.com> Wed, 17 Nov 2021 13:44:45 +0100
281
92bca71e
TL
282 libpve-access-control (7.1-1) bullseye; urgency=medium
283
284 * tfa: map HTTP 404 error in get_tfa_entry correctly
285
286 -- Proxmox Support Team <support@proxmox.com> Mon, 15 Nov 2021 15:33:22 +0100
287
1c9b6501
TL
288 libpve-access-control (7.0-7) bullseye; urgency=medium
289
290 * fix #3513: pass configured proxy to OpenID
291
292 * use rust based parser for TFA config
293
294 * use PBS-like auth api call flow,
295
296 * merge old user.cfg keys to tfa config when adding entries
297
298 * implement version checks for new tfa config writer to ensure all
299 cluster nodes are ready to avoid login issues
300
301 * tickets: add tunnel ticket
302
303 -- Proxmox Support Team <support@proxmox.com> Thu, 11 Nov 2021 18:17:49 +0100
304
cd46b379
TL
305 libpve-access-control (7.0-6) bullseye; urgency=medium
306
307 * fix regression in user deletion when realm does not enforce TFA
308
309 -- Proxmox Support Team <support@proxmox.com> Thu, 21 Oct 2021 12:28:52 +0200
310
52da88a8
TL
311 libpve-access-control (7.0-5) bullseye; urgency=medium
312
313 * acl: check path: add /sdn/vnets/* path
314
315 * fix #2302: allow deletion of users when realm enforces TFA
316
317 * api: delete user: disable user first to avoid surprise on error during the
318 various cleanup action required for user deletion (e.g., TFA, ACL, group)
319
320 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Sep 2021 15:50:47 +0200
321
543d646c
TL
322 libpve-access-control (7.0-4) bullseye; urgency=medium
323
324 * realm: add OpenID configuration
325
326 * api: implement OpenID related endpoints
327
328 * implement opt-in OpenID autocreate user feature
329
330 * api: user: add 'realm-type' to user list response
331
332 -- Proxmox Support Team <support@proxmox.com> Fri, 02 Jul 2021 13:45:46 +0200
333
7a4c4fd8
TL
334 libpve-access-control (7.0-3) bullseye; urgency=medium
335
336 * api: acl: add missing `/access/realm/<realm>`, `/access/group/<group>` and
337 `/sdn/zones/<zone>` to allowed ACL paths
338
339 -- Proxmox Support Team <support@proxmox.com> Mon, 21 Jun 2021 10:31:19 +0200
340
0902a936
FG
341 libpve-access-control (7.0-2) bullseye; urgency=medium
342
343 * fix #3402: add Pool.Audit privilege - custom roles containing
344 Pool.Allocate must be updated to include the new privilege.
345
346 -- Proxmox Support Team <support@proxmox.com> Tue, 1 Jun 2021 11:28:38 +0200
347
67febb69
TL
348 libpve-access-control (7.0-1) bullseye; urgency=medium
349
350 * re-build for Debian 11 Bullseye based releases
351
352 -- Proxmox Support Team <support@proxmox.com> Sun, 09 May 2021 18:18:23 +0200
353
2942ba41
TL
354 libpve-access-control (6.4-1) pve; urgency=medium
355
356 * fix #1670: change PAM service name to project specific name
357
358 * fix #1500: permission path syntax check for access control
359
360 * pveum: add resource pool CLI commands
361
362 -- Proxmox Support Team <support@proxmox.com> Sat, 24 Apr 2021 19:48:21 +0200
363
54d312f3
TL
364 libpve-access-control (6.1-3) pve; urgency=medium
365
366 * partially fix #2825: authkey: rotate if it was generated in the
367 future
368
369 * fix #2947: add an option to LDAP or AD realm to switch user lookup to case
370 insensitive
371
372 -- Proxmox Support Team <support@proxmox.com> Tue, 29 Sep 2020 08:54:13 +0200
373
6a9be12f
TL
374 libpve-access-control (6.1-2) pve; urgency=medium
375
376 * also check SDN permission path when computing coarse permissions heuristic
377 for UIs
378
379 * add SDN Permissions.Modify
380
381 * add VM.Config.Cloudinit
382
383 -- Proxmox Support Team <support@proxmox.com> Tue, 30 Jun 2020 13:06:56 +0200
384
e6624f50
TL
385 libpve-access-control (6.1-1) pve; urgency=medium
386
387 * pveum: add tfa delete subcommand for deleting user-TFA
388
389 * LDAP: don't complain about missing credentials on realm removal
390
391 * LDAP: skip anonymous bind when client certificate and key is configured
392
393 -- Proxmox Support Team <support@proxmox.com> Fri, 08 May 2020 17:47:41 +0200
394
8f4a522f
TL
395 libpve-access-control (6.0-7) pve; urgency=medium
396
397 * fix #2575: die when trying to edit built-in roles
398
399 * add realm sub commands to pveum CLI tool
400
7d23b7ca 401 * api: domains: add user group sync API endpoint
8f4a522f
TL
402
403 * allow one to sync and import users and groups from LDAP/AD based realms
404
405 * realm: add default-sync-options to config for more convenient sync configuration
406
407 * api: token create: return also full token id for convenience
408
409 -- Proxmox Support Team <support@proxmox.com> Sat, 25 Apr 2020 19:35:17 +0200
410
23059f35
TL
411 libpve-access-control (6.0-6) pve; urgency=medium
412
413 * API: add group members to group index
414
415 * implement API token support and management
416
417 * pveum: add 'pveum user token add/update/remove/list'
418
419 * pveum: add permissions sub-commands
420
421 * API: add 'permissions' API endpoint
422
423 * user.cfg: skip inexisting roles when parsing ACLs
424
425 -- Proxmox Support Team <support@proxmox.com> Wed, 29 Jan 2020 10:17:27 +0100
426
3dd692e9
TL
427 libpve-access-control (6.0-5) pve; urgency=medium
428
429 * pveum: add list command for users, groups, ACLs and roles
430
431 * add initial permissions for experimental SDN integration
432
433 -- Proxmox Support Team <support@proxmox.com> Tue, 26 Nov 2019 17:56:37 +0100
434
4ef92d0d
FG
435 libpve-access-control (6.0-4) pve; urgency=medium
436
437 * ticket: use clinfo to get cluster name
438
439 * ldaps: add sslversion configuration property to support TLS 1.1 to 1.3 as
440 SSL version
441
442 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Nov 2019 11:55:11 +0100
443
6e5bbca4
TL
444 libpve-access-control (6.0-3) pve; urgency=medium
445
446 * fix #2433: increase possible TFA secret length
447
448 * parse user configuration: correctly parse group names in ACLs, for users
449 which begin their name with an @
450
451 * sort user.cfg entries alphabetically
452
453 -- Proxmox Support Team <support@proxmox.com> Tue, 29 Oct 2019 08:52:23 +0100
454
e073493c
TL
455 libpve-access-control (6.0-2) pve; urgency=medium
456
457 * improve CSRF verification compatibility with newer PVE
458
459 -- Proxmox Support Team <support@proxmox.com> Wed, 26 Jun 2019 20:24:35 +0200
460
a237dc2e
TL
461 libpve-access-control (6.0-1) pve; urgency=medium
462
463 * ticket: properly verify exactly 5 minute old tickets
464
465 * use hmac_sha256 instead of sha1 for CSRF token generation
466
467 -- Proxmox Support Team <support@proxmox.com> Mon, 24 Jun 2019 18:14:45 +0200
468
f1531f22
TL
469 libpve-access-control (6.0-0+1) pve; urgency=medium
470
471 * bump for Debian buster
472
473 * fix #2079: add periodic auth key rotation
474
475 -- Proxmox Support Team <support@proxmox.com> Tue, 21 May 2019 21:31:15 +0200
476
ef761f51
TL
477 libpve-access-control (5.1-10) unstable; urgency=medium
478
479 * add /access/user/{id}/tfa api call to get tfa types
480
481 -- Proxmox Support Team <support@proxmox.com> Wed, 15 May 2019 16:21:10 +0200
482
860ddcba
TL
483 libpve-access-control (5.1-9) unstable; urgency=medium
484
485 * store the tfa type in user.cfg allowing to get it without proxying the call
7d23b7ca 486 to a higher privileged daemon.
860ddcba
TL
487
488 * tfa: realm required TFA should lock out users without TFA configured, as it
489 was done before Proxmox VE 5.4
490
491 -- Proxmox Support Team <support@proxmox.com> Tue, 30 Apr 2019 14:01:00 +0000
492
9fbad012
TL
493 libpve-access-control (5.1-8) unstable; urgency=medium
494
495 * U2F: ensure we save correct public key on registration
496
497 -- Proxmox Support Team <support@proxmox.com> Tue, 09 Apr 2019 12:47:12 +0200
498
4473c96c
TL
499 libpve-access-control (5.1-7) unstable; urgency=medium
500
501 * verify_ticket: allow general non-challenge tfa to be run as two step
502 call
503
504 -- Proxmox Support Team <support@proxmox.com> Mon, 08 Apr 2019 16:56:14 +0200
505
a270d4e1
TL
506 libpve-access-control (5.1-6) unstable; urgency=medium
507
508 * more general 2FA configuration via priv/tfa.cfg
509
510 * add u2f api endpoints
511
512 * delete TFA entries when deleting a user
513
514 * allow users to change their TOTP settings
515
516 -- Proxmox Support Team <support@proxmox.com> Wed, 03 Apr 2019 13:40:26 +0200
517
374647e8
TL
518 libpve-access-control (5.1-5) unstable; urgency=medium
519
520 * fix vnc ticket verification without authkey lifetime
521
522 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Mar 2019 10:43:17 +0100
523
7fb70c94
TL
524 libpve-access-control (5.1-4) unstable; urgency=medium
525
526 * fix #1891: Add zsh command completion for pveum
527
528 * ground work to fix #2079: add periodic auth key rotation. Not yet enabled
529 to avoid issues on upgrade, will be enabled with 6.0
530
531 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Mar 2019 09:12:05 +0100
532
6e010cde
TL
533 libpve-access-control (5.1-3) unstable; urgency=medium
534
535 * api/ticket: move getting cluster name into an eval
536
537 -- Proxmox Support Team <support@proxmox.com> Thu, 29 Nov 2018 12:59:36 +0100
538
f5a9380a
TL
539 libpve-access-control (5.1-2) unstable; urgency=medium
540
541 * fix #1998: correct return properties for read_role
542
543 -- Proxmox Support Team <support@proxmox.com> Fri, 23 Nov 2018 14:22:40 +0100
544
b54b7474
TL
545 libpve-access-control (5.1-1) unstable; urgency=medium
546
547 * pveum: introduce sub-commands
548
549 * register userid with completion
550
551 * fix #233: return cluster name on successful login
552
553 -- Proxmox Support Team <support@proxmox.com> Thu, 15 Nov 2018 09:34:47 +0100
554
52192dd4
WB
555 libpve-access-control (5.0-8) unstable; urgency=medium
556
557 * fix #1612: ldap: make 2nd server work with bind domains again
558
559 * fix an error message where passing a bad pool id to an API function would
560 make it complain about a wrong group name instead
561
562 * fix the API-returned permission list so that the GUI knows to show the
563 'Permissions' tab for a storage to an administrator apart from root@pam
564
565 -- Proxmox Support Team <support@proxmox.com> Thu, 18 Jan 2018 13:34:50 +0100
566
3dadf8cf
FG
567 libpve-access-control (5.0-7) unstable; urgency=medium
568
569 * VM.Snapshot.Rollback privilege added
570
571 * api: check for special roles before locking the usercfg
572
573 * fix #1501: pveum: die when deleting special role
574
575 * API/ticket: rework coarse grained permission computation
576
577 -- Proxmox Support Team <support@proxmox.com> Thu, 5 Oct 2017 11:27:48 +0200
578
ec4141f4
WB
579 libpve-access-control (5.0-6) unstable; urgency=medium
580
581 * Close #1470: Add server certificate verification for AD and LDAP via the
582 'verify' option. For compatibility reasons this defaults to off for now,
583 but that might change with future updates.
584
585 * AD, LDAP: Add ability to specify a CA path or file, and a client
586 certificate via the 'capath', 'cert' and 'certkey' options.
587
588 -- Proxmox Support Team <support@proxmox.com> Tue, 08 Aug 2017 11:56:38 +0200
589
63134bd4
DM
590 libpve-access-control (5.0-5) unstable; urgency=medium
591
592 * change from dpkg-deb to dpkg-buildpackage
593
594 -- Proxmox Support Team <support@proxmox.com> Thu, 22 Jun 2017 09:12:37 +0200
595
868fb1ea
DM
596 libpve-access-control (5.0-4) unstable; urgency=medium
597
598 * PVE/CLI/pveum.pm: call setup_default_cli_env()
599
600 * PVE/Auth/PVE.pm: encode utf8 password before calling crypt
601
602 * check_api2_permissions: avoid warning about uninitialized value
603
604 -- Proxmox Support Team <support@proxmox.com> Tue, 02 May 2017 11:58:15 +0200
605
63358f40
DM
606 libpve-access-control (5.0-3) unstable; urgency=medium
607
608 * use new PVE::OTP class from pve-common
609
610 * use new PVE::Tools::encrypt_pw from pve-common
611
612 -- Proxmox Support Team <support@proxmox.com> Thu, 30 Mar 2017 17:45:55 +0200
613
05fd50af
DM
614 libpve-access-control (5.0-2) unstable; urgency=medium
615
616 * encrypt_pw: avoid '+' for crypt salt
617
618 -- Proxmox Support Team <support@proxmox.com> Thu, 30 Mar 2017 08:54:10 +0200
619
0835385b
FG
620 libpve-access-control (5.0-1) unstable; urgency=medium
621
622 * rebuild for PVE 5.0
623
624 -- Proxmox Support Team <support@proxmox.com> Mon, 6 Mar 2017 13:42:01 +0100
625
730f8863
DM
626 libpve-access-control (4.0-23) unstable; urgency=medium
627
628 * use new PVE::Ticket class
629
630 -- Proxmox Support Team <support@proxmox.com> Thu, 19 Jan 2017 13:42:06 +0100
631
1f1c4593
DM
632 libpve-access-control (4.0-22) unstable; urgency=medium
633
634 * RPCEnvironment: removed check_volume_access() to avoid cyclic dependency
635 (moved to PVE::Storage)
636
637 * PVE::PCEnvironment: use new PVE::RESTEnvironment as base class
638
639 -- Proxmox Support Team <support@proxmox.com> Thu, 19 Jan 2017 09:12:04 +0100
640
f9105063
DM
641 libpve-access-control (4.0-21) unstable; urgency=medium
642
643 * setup_default_cli_env: expect $class as first parameter
644
645 -- Proxmox Support Team <support@proxmox.com> Thu, 12 Jan 2017 13:54:27 +0100
646
9595066e
DM
647 libpve-access-control (4.0-20) unstable; urgency=medium
648
649 * PVE/RPCEnvironment.pm: new function setup_default_cli_env
650
651 * PVE/API2/Domains.pm: fix property description
652
653 * use new repoman for upload target
654
655 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Jan 2017 12:13:26 +0100
656
2af5a793
DM
657 libpve-access-control (4.0-19) unstable; urgency=medium
658
659 * Close #833: ldap: non-anonymous bind support
660
661 * don't import 'RFC' from MIME::Base32
662
663 -- Proxmox Support Team <support@proxmox.com> Fri, 05 Aug 2016 13:09:08 +0200
664
5d87bb77
WB
665 libpve-access-control (4.0-18) unstable; urgency=medium
666
667 * fix #1062: recognize base32 otp keys again
668
669 -- Proxmox Support Team <support@proxmox.com> Thu, 21 Jul 2016 08:43:18 +0200
670
28ddf48b
WB
671 libpve-access-control (4.0-17) unstable; urgency=medium
672
673 * drop oathtool and libdigest-hmac-perl dependencies
674
675 -- Proxmox Support Team <support@proxmox.com> Mon, 11 Jul 2016 12:03:22 +0200
676
15cebb28
DM
677 libpve-access-control (4.0-16) unstable; urgency=medium
678
679 * use pve-doc-generator to generate man pages
680
681 -- Proxmox Support Team <support@proxmox.com> Fri, 08 Apr 2016 07:06:05 +0200
682
678df887
DM
683 libpve-access-control (4.0-15) unstable; urgency=medium
684
685 * Fix uninitialized warning when shadow.cfg does not exist
686
687 -- Proxmox Support Team <support@proxmox.com> Fri, 01 Apr 2016 07:10:57 +0200
688
cca9761a
DM
689 libpve-access-control (4.0-14) unstable; urgency=medium
690
691 * Add is_worker to RPCEnvironment
692
693 -- Proxmox Support Team <support@proxmox.com> Tue, 15 Mar 2016 16:47:34 +0100
694
8643c99d
DM
695 libpve-access-control (4.0-13) unstable; urgency=medium
696
697 * fix #916: allow HTTPS to access custom yubico url
698
699 -- Proxmox Support Team <support@proxmox.com> Mon, 14 Mar 2016 11:39:23 +0100
700
ae2a6bf9
DM
701 libpve-access-control (4.0-12) unstable; urgency=medium
702
703 * Catch certificate errors instead of segfaulting
704
705 -- Proxmox Support Team <support@proxmox.com> Wed, 09 Mar 2016 14:41:01 +0100
706
4836db5f
DM
707 libpve-access-control (4.0-11) unstable; urgency=medium
708
709 * Fix #861: use safer sprintf formatting
710
711 -- Proxmox Support Team <support@proxmox.com> Fri, 08 Jan 2016 12:52:39 +0100
712
ccbe23dc
DM
713 libpve-access-control (4.0-10) unstable; urgency=medium
714
715 * Auth::LDAP, Auth::AD: ipv6 support
716
717 -- Proxmox Support Team <support@proxmox.com> Thu, 03 Dec 2015 12:09:32 +0100
718
90399ca4
DM
719 libpve-access-control (4.0-9) unstable; urgency=medium
720
721 * pveum: implement bash completion
722
723 -- Proxmox Support Team <support@proxmox.com> Thu, 01 Oct 2015 17:22:52 +0200
724
364ffc13
DM
725 libpve-access-control (4.0-8) unstable; urgency=medium
726
727 * remove_storage_access: cleanup of access permissions for removed storage
728
729 -- Proxmox Support Team <support@proxmox.com> Wed, 19 Aug 2015 15:39:15 +0200
730
7c26cb4a
DM
731 libpve-access-control (4.0-7) unstable; urgency=medium
732
733 * new helper to remove access permissions for removed VMs
734
735 -- Proxmox Support Team <support@proxmox.com> Fri, 14 Aug 2015 07:57:02 +0200
736
296afbd1
DM
737 libpve-access-control (4.0-6) unstable; urgency=medium
738
739 * improve parse_user_config, parse_shadow_config
740
741 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Jul 2015 13:14:33 +0200
742
7d2df2ef
DM
743 libpve-access-control (4.0-5) unstable; urgency=medium
744
745 * pveum: check for $cmd being defined
746
747 -- Proxmox Support Team <support@proxmox.com> Wed, 10 Jun 2015 10:40:15 +0200
748
98a34e3f
DM
749 libpve-access-control (4.0-4) unstable; urgency=medium
750
751 * use activate-noawait triggers
752
753 -- Proxmox Support Team <support@proxmox.com> Mon, 01 Jun 2015 12:25:31 +0200
754
15462727
DM
755 libpve-access-control (4.0-3) unstable; urgency=medium
756
757 * IPv6 fixes
758
759 * non-root buildfix
760
761 -- Proxmox Support Team <support@proxmox.com> Wed, 27 May 2015 11:15:44 +0200
762
bbf4cc9a
DM
763 libpve-access-control (4.0-2) unstable; urgency=medium
764
765 * trigger pve-api-updates event
766
767 -- Proxmox Support Team <support@proxmox.com> Tue, 05 May 2015 15:06:38 +0200
768
dfbcf6d3
DM
769 libpve-access-control (4.0-1) unstable; urgency=medium
770
771 * bump version for Debian Jessie
772
773 -- Proxmox Support Team <support@proxmox.com> Thu, 26 Feb 2015 11:22:01 +0100
774
94971b3a
DM
775 libpve-access-control (3.0-16) unstable; urgency=low
776
777 * root@pam can now be disabled in GUI.
778
779 -- Proxmox Support Team <support@proxmox.com> Fri, 30 Jan 2015 06:20:22 +0100
780
7b17c7cb
DM
781 libpve-access-control (3.0-15) unstable; urgency=low
782
783 * oath: add 'step' and 'digits' option
784
785 -- Proxmox Support Team <support@proxmox.com> Wed, 23 Jul 2014 06:59:52 +0200
786
1abc2c0a
DM
787 libpve-access-control (3.0-14) unstable; urgency=low
788
789 * add oath two factor auth
790
791 * add oathkeygen binary to generate keys for oath
792
793 * add yubico two factor auth
794
795 * depend on oathtool
796
797 * depend on libmime-base32-perl
30be0de9
DM
798
799 * allow to write builtin auth domains config (comment/tfa/default)
1abc2c0a
DM
800
801 -- Proxmox Support Team <support@proxmox.com> Thu, 17 Jul 2014 13:09:56 +0200
802
298450ab
DM
803 libpve-access-control (3.0-13) unstable; urgency=low
804
805 * use correct connection string for AD auth
806
807 -- Proxmox Support Team <support@proxmox.com> Thu, 22 May 2014 07:16:09 +0200
808
396034e4
DM
809 libpve-access-control (3.0-12) unstable; urgency=low
810
811 * add dummy API for GET /access/ticket (useful to generate login pages)
812
813 -- Proxmox Support Team <support@proxmox.com> Wed, 30 Apr 2014 14:47:56 +0200
814
26361123
DM
815 libpve-access-control (3.0-11) unstable; urgency=low
816
817 * Sets common hot keys for spice client
818
819 -- Proxmox Support Team <support@proxmox.com> Fri, 31 Jan 2014 10:24:28 +0100
820
3643383d
DM
821 libpve-access-control (3.0-10) unstable; urgency=low
822
823 * implement helper to generate SPICE remote-viewer configuration
824
825 * depend on libnet-ssleay-perl
826
827 -- Proxmox Support Team <support@proxmox.com> Tue, 10 Dec 2013 10:45:08 +0100
828
0baedcf7
DM
829 libpve-access-control (3.0-9) unstable; urgency=low
830
831 * prevent user enumeration attacks
e4f8fc2e
DM
832
833 * allow dots in access paths
0baedcf7
DM
834
835 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Nov 2013 09:06:38 +0100
836
d4b63eae
DM
837 libpve-access-control (3.0-8) unstable; urgency=low
838
839 * spice: use lowercase hostname in ticket signature
840
841 -- Proxmox Support Team <support@proxmox.com> Mon, 28 Oct 2013 08:11:57 +0100
842
49594944
DM
843 libpve-access-control (3.0-7) unstable; urgency=low
844
845 * check_volume_access : use parse_volname instead of path, and remove
846 path related code.
7c410d63
DM
847
848 * use warnings instead of global -w flag.
49594944
DM
849
850 -- Proxmox Support Team <support@proxmox.com> Tue, 01 Oct 2013 12:35:53 +0200
851
fe7de5d0
DM
852 libpve-access-control (3.0-6) unstable; urgency=low
853
854 * use shorter spiceproxy tickets
855
856 -- Proxmox Support Team <support@proxmox.com> Fri, 19 Jul 2013 12:39:09 +0200
857
4cdd9507
DM
858 libpve-access-control (3.0-5) unstable; urgency=low
859
860 * add code to generate tickets for SPICE
861
862 -- Proxmox Support Team <support@proxmox.com> Wed, 26 Jun 2013 13:08:32 +0200
863
677f9ab0
DM
864 libpve-access-control (3.0-4) unstable; urgency=low
865
866 * moved add_vm_to_pool/remove_vm_from_pool from qemu-server
867
868 -- Proxmox Support Team <support@proxmox.com> Tue, 14 May 2013 11:56:54 +0200
869
139a8ecf
DM
870 libpve-access-control (3.0-3) unstable; urgency=low
871
7d23b7ca 872 * Add new role PVETemplateUser (and VM.Clone privilege)
139a8ecf
DM
873
874 -- Proxmox Support Team <support@proxmox.com> Mon, 29 Apr 2013 11:42:15 +0200
875
b78ce7c2
DM
876libpve-access-control (3.0-2) unstable; urgency=low
877
878 * remove CGI.pm related code (pveproxy does not need that)
879
880 -- Proxmox Support Team <support@proxmox.com> Mon, 15 Apr 2013 12:34:23 +0200
881
786820f9
DM
882libpve-access-control (3.0-1) unstable; urgency=low
883
884 * bump version for wheezy release
885
886 -- Proxmox Support Team <support@proxmox.com> Fri, 15 Mar 2013 08:07:06 +0100
887
e5ae5487
DM
888libpve-access-control (1.0-26) unstable; urgency=low
889
890 * check_volume_access: fix access permissions for backup files
891
892 -- Proxmox Support Team <support@proxmox.com> Thu, 28 Feb 2013 10:00:14 +0100
893
e3e6510c
DM
894libpve-access-control (1.0-25) unstable; urgency=low
895
896 * add VM.Snapshot permission
897
898 -- Proxmox Support Team <support@proxmox.com> Mon, 10 Sep 2012 09:23:32 +0200
899
1e15ebe7
DM
900libpve-access-control (1.0-24) unstable; urgency=low
901
902 * untaint path (allow root to restore arbitrary paths)
903
904 -- Proxmox Support Team <support@proxmox.com> Wed, 06 Jun 2012 13:06:34 +0200
905
437be042
DM
906libpve-access-control (1.0-23) unstable; urgency=low
907
908 * correctly compute GUI capabilities (consider pools)
909
910 -- Proxmox Support Team <support@proxmox.com> Wed, 30 May 2012 08:47:23 +0200
911
5bb4e06a
DM
912libpve-access-control (1.0-22) unstable; urgency=low
913
914 * new plugin architecture for Auth modules, minor API change for Auth
915 domains (new 'delete' parameter)
916
917 -- Proxmox Support Team <support@proxmox.com> Wed, 16 May 2012 07:21:44 +0200
918
3030a176
DM
919libpve-access-control (1.0-21) unstable; urgency=low
920
921 * do not allow user names including slash
922
923 -- Proxmox Support Team <support@proxmox.com> Tue, 24 Apr 2012 10:07:47 +0200
924
925libpve-access-control (1.0-20) unstable; urgency=low
926
927 * add ability to fork cli workers in background
928
929 -- Proxmox Support Team <support@proxmox.com> Wed, 18 Apr 2012 08:28:20 +0200
930
dd2cfee0
DM
931libpve-access-control (1.0-19) unstable; urgency=low
932
933 * return set of privileges on login - can be used to adopt GUI
934
935 -- Proxmox Support Team <support@proxmox.com> Tue, 17 Apr 2012 10:25:10 +0200
936
1cf154b7
DM
937libpve-access-control (1.0-18) unstable; urgency=low
938
7d23b7ca 939 * fix bug #151: correctly parse username inside ticket
533219a1
DM
940
941 * fix bug #152: allow user to change his own password
1cf154b7
DM
942
943 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Apr 2012 09:40:15 +0200
944
2de14407
DM
945libpve-access-control (1.0-17) unstable; urgency=low
946
947 * set propagate flag by default
948
949 -- Proxmox Support Team <support@proxmox.com> Thu, 01 Mar 2012 12:40:19 +0100
950
bdc61d7a
DM
951libpve-access-control (1.0-16) unstable; urgency=low
952
953 * add 'pveum passwd' method
954
955 -- Proxmox Support Team <support@proxmox.com> Thu, 23 Feb 2012 12:05:25 +0100
956
cc7bdf33
DM
957libpve-access-control (1.0-15) unstable; urgency=low
958
959 * Add VM.Config.CDROM privilege to PVEVMUser rule
960
961 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 11:44:23 +0100
962
a69bbe2e
DM
963libpve-access-control (1.0-14) unstable; urgency=low
964
965 * fix bug in userid-param permission check
966
967 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 10:52:35 +0100
968
d9483d94
DM
969libpve-access-control (1.0-13) unstable; urgency=low
970
971 * allow more characters in ldap base_dn attribute
972
973 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 06:17:02 +0100
974
84619607
DM
975libpve-access-control (1.0-12) unstable; urgency=low
976
977 * allow more characters with realm IDs
978
979 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Feb 2012 08:50:33 +0100
980
09d27058
DM
981libpve-access-control (1.0-11) unstable; urgency=low
982
983 * fix bug in exec_api2_perm_check
984
985 -- Proxmox Support Team <support@proxmox.com> Wed, 15 Feb 2012 07:06:30 +0100
986
7a4c849e
DM
987libpve-access-control (1.0-10) unstable; urgency=low
988
989 * fix ACL group name parser
990
991 * changed 'pveum aclmod' command line arguments
992
993 -- Proxmox Support Team <support@proxmox.com> Tue, 14 Feb 2012 12:08:02 +0100
994
3eac4e35
DM
995libpve-access-control (1.0-9) unstable; urgency=low
996
997 * fix bug in check_volume_access (fixes vzrestore)
998
999 -- Proxmox Support Team <support@proxmox.com> Mon, 13 Feb 2012 09:56:37 +0100
1000
4384e19e
DM
1001libpve-access-control (1.0-8) unstable; urgency=low
1002
1003 * fix return value for empty ACL list.
1004
1005 -- Proxmox Support Team <support@proxmox.com> Fri, 10 Feb 2012 11:25:04 +0100
1006
d8a56966
DM
1007libpve-access-control (1.0-7) unstable; urgency=low
1008
1009 * fix bug #85: allow root@pam to generate tickets for other users
1010
1011 -- Proxmox Support Team <support@proxmox.com> Tue, 17 Jan 2012 06:40:18 +0100
1012
cb6f2f93
DM
1013libpve-access-control (1.0-6) unstable; urgency=low
1014
1015 * API change: allow to filter enabled/disabled users.
1016
1017 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Jan 2012 12:30:37 +0100
1018
272fe9ff
DM
1019libpve-access-control (1.0-5) unstable; urgency=low
1020
1021 * add a way to return file changes (diffs): set_result_changes()
1022
1023 -- Proxmox Support Team <support@proxmox.com> Tue, 20 Dec 2011 11:18:48 +0100
1024
e42eedbc
DM
1025libpve-access-control (1.0-4) unstable; urgency=low
1026
1027 * new environment type for ha agents
1028
1029 -- Proxmox Support Team <support@proxmox.com> Tue, 13 Dec 2011 10:08:53 +0100
1030
1fba27e0
DM
1031libpve-access-control (1.0-3) unstable; urgency=low
1032
1033 * add support for delayed parameter parsing - We need that to disable
7d23b7ca 1034 file upload for normal API request (avoid DOS attacks)
1fba27e0
DM
1035
1036 -- Proxmox Support Team <support@proxmox.com> Fri, 02 Dec 2011 09:56:10 +0100
1037
5bf71a96
DM
1038libpve-access-control (1.0-2) unstable; urgency=low
1039
1040 * fix bug in fork_worker
1041
1042 -- Proxmox Support Team <support@proxmox.com> Tue, 11 Oct 2011 08:37:05 +0200
1043
2c3a6c0a
DM
1044libpve-access-control (1.0-1) unstable; urgency=low
1045
1046 * allow '-' in permission paths
1047
1048 * bump version to 1.0
1049
1050 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Jun 2011 13:51:48 +0200
1051
1052libpve-access-control (0.1) unstable; urgency=low
1053
1054 * first dummy package - no functionality
1055
1056 -- Proxmox Support Team <support@proxmox.com> Thu, 09 Jul 2009 16:03:00 +0200
1057