git.proxmox.com Git - pve-access-control.git/blame - debian/changelog
bump version to 8.0.7
libpve-access-control (8.0.7) bookworm; urgency=medium

  * fix #1148: allow up to three levels of pool nesting

  * pools: record parent/subpool information

 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Nov 2023 12:24:13 +0100

libpve-access-control (8.0.6) bookworm; urgency=medium

  * perms: fix wrong /pools entry in default set of ACL paths

  * acl: add missing SDN ACL paths to allowed list

 -- Proxmox Support Team <support@proxmox.com> Fri, 17 Nov 2023 08:27:11 +0100

libpve-access-control (8.0.5) bookworm; urgency=medium

  * fix an issue where setting ldap passwords would refuse to work unless
    at least one additional property was changed as well

  * add 'check-connection' parameter to create and update endpoints for ldap
    based realms

 -- Proxmox Support Team <support@proxmox.com> Fri, 11 Aug 2023 13:35:23 +0200

libpve-access-control (8.0.4) bookworm; urgency=medium

  * Lookup of second factors is no longer tied to the 'keys' field in the
    user.cfg. This fixes an issue where certain LDAP/AD sync job settings
    could disable user-configured 2nd factors.

  * Existing-but-disabled TFA factors can no longer circumvent realm-mandated
    TFA.

 -- Proxmox Support Team <support@proxmox.com> Thu, 20 Jul 2023 10:59:21 +0200

libpve-access-control (8.0.3) bookworm; urgency=medium

  * pveum: list tfa: recovery keys have no descriptions

  * pveum: list tfa: sort by user ID

  * drop assert_new_tfa_config_available for Proxmox VE 8, as the new format
    is understood since pve-manager 7.0-15, and users must upgrade to Proxmox
    VE 7.4 before upgrading to Proxmox VE 8 in addition to that.

 -- Proxmox Support Team <support@proxmox.com> Wed, 21 Jun 2023 19:45:29 +0200

libpve-access-control (8.0.2) bookworm; urgency=medium

  * api: users: sort groups to avoid "flapping" text

  * api: tfa: don't block tokens from viewing and list TFA entries, both are
    safe to do for anybody with enough permissions to view a user.

  * api: tfa: add missing links for child-routes

 -- Proxmox Support Team <support@proxmox.com> Wed, 21 Jun 2023 18:13:54 +0200

libpve-access-control (8.0.1) bookworm; urgency=medium

  * tfa: cope with native versions in cluster version check

 -- Proxmox Support Team <support@proxmox.com> Fri, 09 Jun 2023 16:12:01 +0200

libpve-access-control (8.0.0) bookworm; urgency=medium

  * api: roles: forbid creating new roles starting with "PVE" namespace

 -- Proxmox Support Team <support@proxmox.com> Fri, 09 Jun 2023 10:14:28 +0200

libpve-access-control (8.0.0~3) bookworm; urgency=medium

  * rpcenv: api permission heuristic: query Sys.Modify for root ACL-path

  * access control: add /sdn/zones/<zone>/<vnet>/<vlan> ACL object path

  * add helper for checking bridge access

  * add new SDN.Use privilege in PVESDNUser role, allowing one to specify
    which users are allowed to use a bridge (or vnet, if SDN is installed)

  * add privileges and paths for cluster resource mapping

 -- Proxmox Support Team <support@proxmox.com> Wed, 07 Jun 2023 19:06:54 +0200

libpve-access-control (8.0.0~2) bookworm; urgency=medium

  * api: user index: only include existing tfa lock flags

  * add realm-sync plugin for jobs and CRUD api for realm-sync-jobs

  * roles: only include Permissions.Modify in Administrator built-in role.
    As, depending on the ACL object path, this privilege might allow one to
    change their own permissions, which was making the distinction between
    Admin and PVEAdmin irrelevant.

  * acls: restrict less-privileged ACL modifications. Through allocate
    permissions in pools, storages and virtual guests one can do some ACL
    modifications without having the Permissions.Modify privilege, lock those
    better down to ensure that one can only hand out the subset of their
    own privileges, never more. Note that this is mostly future proofing, as
    the ACL object paths one could give out more permissions were already
    limiting the scope.

 -- Proxmox Support Team <support@proxmox.com> Wed, 07 Jun 2023 11:34:30 +0200

libpve-access-control (8.0.0~1) bookworm; urgency=medium

  * bump pve-rs dependency to 0.8.3

  * drop old verify_tfa api call (POST /access/tfa)

  * drop support for old login API:
    - 'new-format' is now considered to be 1 and ignored by the API

  * pam auth: set PAM_RHOST to allow pam configs to log/restrict/... by remote
    address

  * cli: add 'pveum tfa list'

  * cli: add 'pveum tfa unlock'

  * enable lockout of TFA:
    - too many TOTP attempts will lock out of TOTP
    - using a recovery key will unlock TOTP
    - too many TFA attempts will lock a user's TFA auth for an hour

  * api: add /access/users/<userid>/unlock-tfa to unlock a user's TFA
    authentication if it was locked by too many wrong 2nd factor login attempts

  * api: /access/tfa and /access/users now include the tfa lockout status

 -- Proxmox Support Team <support@proxmox.com> Mon, 05 Jun 2023 14:52:29 +0200

libpve-access-control (7.99.0) bookworm; urgency=medium

  * initial re-build for Proxmox VE 8.x series

  * switch to native versioning

 -- Proxmox Support Team <support@proxmox.com> Sun, 21 May 2023 10:34:19 +0200

libpve-access-control (7.4-3) bullseye; urgency=medium

  * use new 2nd factor verification from pve-rs

 -- Proxmox Support Team <support@proxmox.com> Tue, 16 May 2023 13:31:28 +0200

libpve-access-control (7.4-2) bullseye; urgency=medium

  * fix #4609: fix regression where a valid DN in the ldap/ad realm config
    wasn't accepted anymore

 -- Proxmox Support Team <support@proxmox.com> Thu, 23 Mar 2023 15:44:21 +0100

libpve-access-control (7.4-1) bullseye; urgency=medium

  * realm sync: refactor scope/remove-vanished into a standard option

  * ldap: Allow quoted values for DN attribute values

 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Mar 2023 17:16:11 +0100

libpve-access-control (7.3-2) bullseye; urgency=medium

  * fix #4518: dramatically improve ACL computation performance

  * userid format: clarify that this is the full name@realm in description

 -- Proxmox Support Team <support@proxmox.com> Mon, 06 Mar 2023 11:40:11 +0100

libpve-access-control (7.3-1) bullseye; urgency=medium

  * realm: sync: allow explicit 'none' for 'remove-vanished' option

 -- Proxmox Support Team <support@proxmox.com> Fri, 16 Dec 2022 13:11:04 +0100

libpve-access-control (7.2-5) bullseye; urgency=medium

  * api: realm sync: avoid separate log line for "remove-vanished" opt

  * auth ldap/ad: compare group member dn case-insensitively

  * two factor auth: only lock tfa config for recovery keys

  * privs: add Sys.Incoming for guarding cross-cluster data streams like guest
    migrations and storage migrations

 -- Proxmox Support Team <support@proxmox.com> Thu, 17 Nov 2022 13:09:17 +0100

libpve-access-control (7.2-4) bullseye; urgency=medium

  * fix #4074: increase API OpenID code size limit to 2048

  * auth key: protect against rare chance of a double rotation in clusters,
    leaving the potential that some set of nodes have the earlier key cached,
    that then got rotated out due to the race, resulting in a possible other
    set of nodes having the newer key cached. This is a split view of the auth
    key and may result in spurious failures if API requests are made to a
    different node than the ticket was generated on.
    In addition to that, the "keep validity of old tickets if signed in the
    last two hours before rotation" logic was disabled too in such a case,
    making such tickets invalid too early.
    Note that both are cases where Proxmox VE was too strict, so while this
    had no security implications it can be a nuisance, especially for
    environments that use the API through an automated or scripted way

 -- Proxmox Support Team <support@proxmox.com> Thu, 14 Jul 2022 08:36:51 +0200

libpve-access-control (7.2-3) bullseye; urgency=medium

  * api: token: use userid-group as API perm check to avoid being overly
    strict through a misguided use of user id for non-root users.

  * perm check: forbid undefined/empty ACL path for future proofing against
    above issue

 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Jun 2022 15:51:14 +0200

libpve-access-control (7.2-2) bullseye; urgency=medium

  * permissions: merge propagation flag for multiple roles on a path that
    share privilege in a deterministic way, to avoid that it gets lost
    depending on perl's random sort, which would result in returning less
    privileges than an auth-id actually had.

  * permissions: avoid that token and user privilege intersection is too strict
    for user permissions that have propagation disabled.

 -- Proxmox Support Team <support@proxmox.com> Fri, 03 Jun 2022 14:02:30 +0200

libpve-access-control (7.2-1) bullseye; urgency=medium

  * user check: fix expiration/enable order

 -- Proxmox Support Team <support@proxmox.com> Tue, 31 May 2022 13:43:37 +0200

libpve-access-control (7.1-8) bullseye; urgency=medium

  * fix #3668: realm-sync: replace 'full' & 'purge' with 'remove-vanished'

 -- Proxmox Support Team <support@proxmox.com> Thu, 28 Apr 2022 17:02:46 +0200

libpve-access-control (7.1-7) bullseye; urgency=medium

  * userid-group check: distinguish create and update

  * api: get user: declare token schema

 -- Proxmox Support Team <support@proxmox.com> Mon, 21 Mar 2022 16:15:23 +0100

libpve-access-control (7.1-6) bullseye; urgency=medium

  * fix #3768: warn on bad u2f or webauthn settings

  * tfa: when modifying others, verify the current user's password

  * tfa list: account for admin permissions

  * fix realm sync permissions

  * fix token permission display bug

  * include SDN permissions in permission tree

 -- Proxmox Support Team <support@proxmox.com> Fri, 21 Jan 2022 14:20:42 +0100

libpve-access-control (7.1-5) bullseye; urgency=medium

  * openid: fix username-claim fallback

 -- Proxmox Support Team <support@proxmox.com> Thu, 25 Nov 2021 07:57:38 +0100

libpve-access-control (7.1-4) bullseye; urgency=medium

  * set current origin in the webauthn config if no fixed origin was
    configured, to support webauthn via subdomains

 -- Proxmox Support Team <support@proxmox.com> Mon, 22 Nov 2021 14:04:06 +0100

libpve-access-control (7.1-3) bullseye; urgency=medium

  * openid: allow arbitrary username-claims

  * openid: support configuring the prompt, scopes and ACR values

 -- Proxmox Support Team <support@proxmox.com> Fri, 19 Nov 2021 08:11:52 +0100

libpve-access-control (7.1-2) bullseye; urgency=medium

  * catch incompatible tfa entries with a nice error

 -- Proxmox Support Team <support@proxmox.com> Wed, 17 Nov 2021 13:44:45 +0100

libpve-access-control (7.1-1) bullseye; urgency=medium

  * tfa: map HTTP 404 error in get_tfa_entry correctly

 -- Proxmox Support Team <support@proxmox.com> Mon, 15 Nov 2021 15:33:22 +0100

libpve-access-control (7.0-7) bullseye; urgency=medium

  * fix #3513: pass configured proxy to OpenID

  * use rust based parser for TFA config

  * use PBS-like auth api call flow,

  * merge old user.cfg keys to tfa config when adding entries

  * implement version checks for new tfa config writer to ensure all
    cluster nodes are ready to avoid login issues

  * tickets: add tunnel ticket

 -- Proxmox Support Team <support@proxmox.com> Thu, 11 Nov 2021 18:17:49 +0100

libpve-access-control (7.0-6) bullseye; urgency=medium

  * fix regression in user deletion when realm does not enforce TFA

 -- Proxmox Support Team <support@proxmox.com> Thu, 21 Oct 2021 12:28:52 +0200

libpve-access-control (7.0-5) bullseye; urgency=medium

  * acl: check path: add /sdn/vnets/* path

  * fix #2302: allow deletion of users when realm enforces TFA

  * api: delete user: disable user first to avoid surprise on error during the
    various cleanup action required for user deletion (e.g., TFA, ACL, group)

 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Sep 2021 15:50:47 +0200

libpve-access-control (7.0-4) bullseye; urgency=medium

  * realm: add OpenID configuration

  * api: implement OpenID related endpoints

  * implement opt-in OpenID autocreate user feature

  * api: user: add 'realm-type' to user list response

 -- Proxmox Support Team <support@proxmox.com> Fri, 02 Jul 2021 13:45:46 +0200

libpve-access-control (7.0-3) bullseye; urgency=medium

  * api: acl: add missing `/access/realm/<realm>`, `/access/group/<group>` and
    `/sdn/zones/<zone>` to allowed ACL paths

 -- Proxmox Support Team <support@proxmox.com> Mon, 21 Jun 2021 10:31:19 +0200

libpve-access-control (7.0-2) bullseye; urgency=medium

  * fix #3402: add Pool.Audit privilege - custom roles containing
    Pool.Allocate must be updated to include the new privilege.

 -- Proxmox Support Team <support@proxmox.com> Tue, 1 Jun 2021 11:28:38 +0200

libpve-access-control (7.0-1) bullseye; urgency=medium

  * re-build for Debian 11 Bullseye based releases

 -- Proxmox Support Team <support@proxmox.com> Sun, 09 May 2021 18:18:23 +0200

libpve-access-control (6.4-1) pve; urgency=medium

  * fix #1670: change PAM service name to project specific name

  * fix #1500: permission path syntax check for access control

  * pveum: add resource pool CLI commands

 -- Proxmox Support Team <support@proxmox.com> Sat, 24 Apr 2021 19:48:21 +0200

libpve-access-control (6.1-3) pve; urgency=medium

  * partially fix #2825: authkey: rotate if it was generated in the
    future

  * fix #2947: add an option to LDAP or AD realm to switch user lookup to case
    insensitive

 -- Proxmox Support Team <support@proxmox.com> Tue, 29 Sep 2020 08:54:13 +0200

libpve-access-control (6.1-2) pve; urgency=medium

  * also check SDN permission path when computing coarse permissions heuristic
    for UIs

  * add SDN Permissions.Modify

  * add VM.Config.Cloudinit

 -- Proxmox Support Team <support@proxmox.com> Tue, 30 Jun 2020 13:06:56 +0200

libpve-access-control (6.1-1) pve; urgency=medium

  * pveum: add tfa delete subcommand for deleting user-TFA

  * LDAP: don't complain about missing credentials on realm removal

  * LDAP: skip anonymous bind when client certificate and key is configured

 -- Proxmox Support Team <support@proxmox.com> Fri, 08 May 2020 17:47:41 +0200

libpve-access-control (6.0-7) pve; urgency=medium

  * fix #2575: die when trying to edit built-in roles

  * add realm sub commands to pveum CLI tool

  * api: domains: add user group sync API endpoint

  * allow one to sync and import users and groups from LDAP/AD based realms

  * realm: add default-sync-options to config for more convenient sync configuration

  * api: token create: return also full token id for convenience

 -- Proxmox Support Team <support@proxmox.com> Sat, 25 Apr 2020 19:35:17 +0200

libpve-access-control (6.0-6) pve; urgency=medium

  * API: add group members to group index

  * implement API token support and management

  * pveum: add 'pveum user token add/update/remove/list'

  * pveum: add permissions sub-commands

  * API: add 'permissions' API endpoint

  * user.cfg: skip inexisting roles when parsing ACLs

 -- Proxmox Support Team <support@proxmox.com> Wed, 29 Jan 2020 10:17:27 +0100

libpve-access-control (6.0-5) pve; urgency=medium

  * pveum: add list command for users, groups, ACLs and roles

  * add initial permissions for experimental SDN integration

 -- Proxmox Support Team <support@proxmox.com> Tue, 26 Nov 2019 17:56:37 +0100

libpve-access-control (6.0-4) pve; urgency=medium

  * ticket: use clinfo to get cluster name

  * ldaps: add sslversion configuration property to support TLS 1.1 to 1.3 as
    SSL version

 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Nov 2019 11:55:11 +0100

libpve-access-control (6.0-3) pve; urgency=medium

  * fix #2433: increase possible TFA secret length

  * parse user configuration: correctly parse group names in ACLs, for users
    which begin their name with an @

  * sort user.cfg entries alphabetically

 -- Proxmox Support Team <support@proxmox.com> Tue, 29 Oct 2019 08:52:23 +0100

libpve-access-control (6.0-2) pve; urgency=medium

  * improve CSRF verification compatibility with newer PVE

 -- Proxmox Support Team <support@proxmox.com> Wed, 26 Jun 2019 20:24:35 +0200

libpve-access-control (6.0-1) pve; urgency=medium

  * ticket: properly verify exactly 5 minute old tickets

  * use hmac_sha256 instead of sha1 for CSRF token generation

 -- Proxmox Support Team <support@proxmox.com> Mon, 24 Jun 2019 18:14:45 +0200

libpve-access-control (6.0-0+1) pve; urgency=medium

  * bump for Debian buster

  * fix #2079: add periodic auth key rotation

 -- Proxmox Support Team <support@proxmox.com> Tue, 21 May 2019 21:31:15 +0200

libpve-access-control (5.1-10) unstable; urgency=medium

  * add /access/user/{id}/tfa api call to get tfa types

 -- Proxmox Support Team <support@proxmox.com> Wed, 15 May 2019 16:21:10 +0200

libpve-access-control (5.1-9) unstable; urgency=medium

  * store the tfa type in user.cfg allowing to get it without proxying the call
    to a higher privileged daemon.

  * tfa: realm required TFA should lock out users without TFA configured, as it
    was done before Proxmox VE 5.4

 -- Proxmox Support Team <support@proxmox.com> Tue, 30 Apr 2019 14:01:00 +0000

libpve-access-control (5.1-8) unstable; urgency=medium

  * U2F: ensure we save correct public key on registration

 -- Proxmox Support Team <support@proxmox.com> Tue, 09 Apr 2019 12:47:12 +0200

libpve-access-control (5.1-7) unstable; urgency=medium

  * verify_ticket: allow general non-challenge tfa to be run as two step
    call

 -- Proxmox Support Team <support@proxmox.com> Mon, 08 Apr 2019 16:56:14 +0200

libpve-access-control (5.1-6) unstable; urgency=medium

  * more general 2FA configuration via priv/tfa.cfg

  * add u2f api endpoints

  * delete TFA entries when deleting a user

  * allow users to change their TOTP settings

 -- Proxmox Support Team <support@proxmox.com> Wed, 03 Apr 2019 13:40:26 +0200

libpve-access-control (5.1-5) unstable; urgency=medium

  * fix vnc ticket verification without authkey lifetime

 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Mar 2019 10:43:17 +0100

libpve-access-control (5.1-4) unstable; urgency=medium

  * fix #1891: Add zsh command completion for pveum

  * ground work to fix #2079: add periodic auth key rotation. Not yet enabled
    to avoid issues on upgrade, will be enabled with 6.0

 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Mar 2019 09:12:05 +0100

libpve-access-control (5.1-3) unstable; urgency=medium

  * api/ticket: move getting cluster name into an eval

 -- Proxmox Support Team <support@proxmox.com> Thu, 29 Nov 2018 12:59:36 +0100

libpve-access-control (5.1-2) unstable; urgency=medium

  * fix #1998: correct return properties for read_role

 -- Proxmox Support Team <support@proxmox.com> Fri, 23 Nov 2018 14:22:40 +0100

libpve-access-control (5.1-1) unstable; urgency=medium

  * pveum: introduce sub-commands

  * register userid with completion

  * fix #233: return cluster name on successful login

 -- Proxmox Support Team <support@proxmox.com> Thu, 15 Nov 2018 09:34:47 +0100

libpve-access-control (5.0-8) unstable; urgency=medium

  * fix #1612: ldap: make 2nd server work with bind domains again

  * fix an error message where passing a bad pool id to an API function would
    make it complain about a wrong group name instead

  * fix the API-returned permission list so that the GUI knows to show the
    'Permissions' tab for a storage to an administrator apart from root@pam

 -- Proxmox Support Team <support@proxmox.com> Thu, 18 Jan 2018 13:34:50 +0100

libpve-access-control (5.0-7) unstable; urgency=medium

  * VM.Snapshot.Rollback privilege added

  * api: check for special roles before locking the usercfg

  * fix #1501: pveum: die when deleting special role

  * API/ticket: rework coarse grained permission computation

 -- Proxmox Support Team <support@proxmox.com> Thu, 5 Oct 2017 11:27:48 +0200

libpve-access-control (5.0-6) unstable; urgency=medium

  * Close #1470: Add server certificate verification for AD and LDAP via the
    'verify' option. For compatibility reasons this defaults to off for now,
    but that might change with future updates.

  * AD, LDAP: Add ability to specify a CA path or file, and a client
    certificate via the 'capath', 'cert' and 'certkey' options.

 -- Proxmox Support Team <support@proxmox.com> Tue, 08 Aug 2017 11:56:38 +0200

libpve-access-control (5.0-5) unstable; urgency=medium

  * change from dpkg-deb to dpkg-buildpackage

 -- Proxmox Support Team <support@proxmox.com> Thu, 22 Jun 2017 09:12:37 +0200

libpve-access-control (5.0-4) unstable; urgency=medium

  * PVE/CLI/pveum.pm: call setup_default_cli_env()

  * PVE/Auth/PVE.pm: encode utf8 password before calling crypt

  * check_api2_permissions: avoid warning about uninitialized value

 -- Proxmox Support Team <support@proxmox.com> Tue, 02 May 2017 11:58:15 +0200

libpve-access-control (5.0-3) unstable; urgency=medium

  * use new PVE::OTP class from pve-common

  * use new PVE::Tools::encrypt_pw from pve-common

 -- Proxmox Support Team <support@proxmox.com> Thu, 30 Mar 2017 17:45:55 +0200

libpve-access-control (5.0-2) unstable; urgency=medium

  * encrypt_pw: avoid '+' for crypt salt

 -- Proxmox Support Team <support@proxmox.com> Thu, 30 Mar 2017 08:54:10 +0200

libpve-access-control (5.0-1) unstable; urgency=medium

  * rebuild for PVE 5.0

 -- Proxmox Support Team <support@proxmox.com> Mon, 6 Mar 2017 13:42:01 +0100

libpve-access-control (4.0-23) unstable; urgency=medium

  * use new PVE::Ticket class

 -- Proxmox Support Team <support@proxmox.com> Thu, 19 Jan 2017 13:42:06 +0100

libpve-access-control (4.0-22) unstable; urgency=medium

  * RPCEnvironment: removed check_volume_access() to avoid cyclic dependency
    (moved to PVE::Storage)

  * PVE::PCEnvironment: use new PVE::RESTEnvironment as base class

 -- Proxmox Support Team <support@proxmox.com> Thu, 19 Jan 2017 09:12:04 +0100

libpve-access-control (4.0-21) unstable; urgency=medium

  * setup_default_cli_env: expect $class as first parameter

 -- Proxmox Support Team <support@proxmox.com> Thu, 12 Jan 2017 13:54:27 +0100

libpve-access-control (4.0-20) unstable; urgency=medium

  * PVE/RPCEnvironment.pm: new function setup_default_cli_env

  * PVE/API2/Domains.pm: fix property description

  * use new repoman for upload target

 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Jan 2017 12:13:26 +0100

libpve-access-control (4.0-19) unstable; urgency=medium

  * Close #833: ldap: non-anonymous bind support

  * don't import 'RFC' from MIME::Base32

 -- Proxmox Support Team <support@proxmox.com> Fri, 05 Aug 2016 13:09:08 +0200

libpve-access-control (4.0-18) unstable; urgency=medium

  * fix #1062: recognize base32 otp keys again

 -- Proxmox Support Team <support@proxmox.com> Thu, 21 Jul 2016 08:43:18 +0200

libpve-access-control (4.0-17) unstable; urgency=medium

  * drop oathtool and libdigest-hmac-perl dependencies

 -- Proxmox Support Team <support@proxmox.com> Mon, 11 Jul 2016 12:03:22 +0200

libpve-access-control (4.0-16) unstable; urgency=medium

  * use pve-doc-generator to generate man pages

 -- Proxmox Support Team <support@proxmox.com> Fri, 08 Apr 2016 07:06:05 +0200

libpve-access-control (4.0-15) unstable; urgency=medium

  * Fix uninitialized warning when shadow.cfg does not exist

 -- Proxmox Support Team <support@proxmox.com> Fri, 01 Apr 2016 07:10:57 +0200

libpve-access-control (4.0-14) unstable; urgency=medium

  * Add is_worker to RPCEnvironment

 -- Proxmox Support Team <support@proxmox.com> Tue, 15 Mar 2016 16:47:34 +0100

libpve-access-control (4.0-13) unstable; urgency=medium

  * fix #916: allow HTTPS to access custom yubico url

 -- Proxmox Support Team <support@proxmox.com> Mon, 14 Mar 2016 11:39:23 +0100

libpve-access-control (4.0-12) unstable; urgency=medium

  * Catch certificate errors instead of segfaulting

 -- Proxmox Support Team <support@proxmox.com> Wed, 09 Mar 2016 14:41:01 +0100

libpve-access-control (4.0-11) unstable; urgency=medium

  * Fix #861: use safer sprintf formatting

 -- Proxmox Support Team <support@proxmox.com> Fri, 08 Jan 2016 12:52:39 +0100

libpve-access-control (4.0-10) unstable; urgency=medium

  * Auth::LDAP, Auth::AD: ipv6 support

 -- Proxmox Support Team <support@proxmox.com> Thu, 03 Dec 2015 12:09:32 +0100

libpve-access-control (4.0-9) unstable; urgency=medium

  * pveum: implement bash completion

 -- Proxmox Support Team <support@proxmox.com> Thu, 01 Oct 2015 17:22:52 +0200

libpve-access-control (4.0-8) unstable; urgency=medium

  * remove_storage_access: cleanup of access permissions for removed storage

 -- Proxmox Support Team <support@proxmox.com> Wed, 19 Aug 2015 15:39:15 +0200

libpve-access-control (4.0-7) unstable; urgency=medium

  * new helper to remove access permissions for removed VMs

 -- Proxmox Support Team <support@proxmox.com> Fri, 14 Aug 2015 07:57:02 +0200

libpve-access-control (4.0-6) unstable; urgency=medium

  * improve parse_user_config, parse_shadow_config

 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Jul 2015 13:14:33 +0200

libpve-access-control (4.0-5) unstable; urgency=medium

  * pveum: check for $cmd being defined

 -- Proxmox Support Team <support@proxmox.com> Wed, 10 Jun 2015 10:40:15 +0200

libpve-access-control (4.0-4) unstable; urgency=medium

  * use activate-noawait triggers

 -- Proxmox Support Team <support@proxmox.com> Mon, 01 Jun 2015 12:25:31 +0200

libpve-access-control (4.0-3) unstable; urgency=medium

  * IPv6 fixes

  * non-root buildfix

 -- Proxmox Support Team <support@proxmox.com> Wed, 27 May 2015 11:15:44 +0200

libpve-access-control (4.0-2) unstable; urgency=medium

  * trigger pve-api-updates event

 -- Proxmox Support Team <support@proxmox.com> Tue, 05 May 2015 15:06:38 +0200

libpve-access-control (4.0-1) unstable; urgency=medium

  * bump version for Debian Jessie

 -- Proxmox Support Team <support@proxmox.com> Thu, 26 Feb 2015 11:22:01 +0100

libpve-access-control (3.0-16) unstable; urgency=low

  * root@pam can now be disabled in GUI.

 -- Proxmox Support Team <support@proxmox.com> Fri, 30 Jan 2015 06:20:22 +0100

libpve-access-control (3.0-15) unstable; urgency=low

  * oath: add 'step' and 'digits' option

 -- Proxmox Support Team <support@proxmox.com> Wed, 23 Jul 2014 06:59:52 +0200

libpve-access-control (3.0-14) unstable; urgency=low

  * add oath two factor auth

  * add oathkeygen binary to generate keys for oath

  * add yubico two factor auth

  * depend on oathtool

  * depend on libmime-base32-perl

  * allow to write builtin auth domains config (comment/tfa/default)

 -- Proxmox Support Team <support@proxmox.com> Thu, 17 Jul 2014 13:09:56 +0200

libpve-access-control (3.0-13) unstable; urgency=low

  * use correct connection string for AD auth

 -- Proxmox Support Team <support@proxmox.com> Thu, 22 May 2014 07:16:09 +0200

libpve-access-control (3.0-12) unstable; urgency=low

  * add dummy API for GET /access/ticket (useful to generate login pages)

 -- Proxmox Support Team <support@proxmox.com> Wed, 30 Apr 2014 14:47:56 +0200

libpve-access-control (3.0-11) unstable; urgency=low

  * Sets common hot keys for spice client

 -- Proxmox Support Team <support@proxmox.com> Fri, 31 Jan 2014 10:24:28 +0100

libpve-access-control (3.0-10) unstable; urgency=low

  * implement helper to generate SPICE remote-viewer configuration

  * depend on libnet-ssleay-perl

 -- Proxmox Support Team <support@proxmox.com> Tue, 10 Dec 2013 10:45:08 +0100

libpve-access-control (3.0-9) unstable; urgency=low

  * prevent user enumeration attacks

  * allow dots in access paths

 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Nov 2013 09:06:38 +0100

libpve-access-control (3.0-8) unstable; urgency=low

  * spice: use lowercase hostname in ticket signature

 -- Proxmox Support Team <support@proxmox.com> Mon, 28 Oct 2013 08:11:57 +0100

libpve-access-control (3.0-7) unstable; urgency=low

  * check_volume_access : use parse_volname instead of path, and remove
    path related code.

  * use warnings instead of global -w flag.

 -- Proxmox Support Team <support@proxmox.com> Tue, 01 Oct 2013 12:35:53 +0200

libpve-access-control (3.0-6) unstable; urgency=low

  * use shorter spiceproxy tickets

 -- Proxmox Support Team <support@proxmox.com> Fri, 19 Jul 2013 12:39:09 +0200

libpve-access-control (3.0-5) unstable; urgency=low

  * add code to generate tickets for SPICE

 -- Proxmox Support Team <support@proxmox.com> Wed, 26 Jun 2013 13:08:32 +0200

677f9ab0
DM
880libpve-access-control (3.0-4) unstable; urgency=low
881
882 * moved add_vm_to_pool/remove_vm_from_pool from qemu-server
883
884 -- Proxmox Support Team <support@proxmox.com> Tue, 14 May 2013 11:56:54 +0200
885
139a8ecf
DM
886libpve-access-control (3.0-3) unstable; urgency=low
887
7d23b7ca 888 * Add new role PVETemplateUser (and VM.Clone privilege)
139a8ecf
DM
889
890 -- Proxmox Support Team <support@proxmox.com> Mon, 29 Apr 2013 11:42:15 +0200
891
b78ce7c2
DM
892libpve-access-control (3.0-2) unstable; urgency=low
893
894 * remove CGI.pm related code (pveproxy does not need that)
895
896 -- Proxmox Support Team <support@proxmox.com> Mon, 15 Apr 2013 12:34:23 +0200
897
786820f9
DM
898libpve-access-control (3.0-1) unstable; urgency=low
899
900 * bump version for wheezy release
901
902 -- Proxmox Support Team <support@proxmox.com> Fri, 15 Mar 2013 08:07:06 +0100
903
e5ae5487
DM
904libpve-access-control (1.0-26) unstable; urgency=low
905
906 * check_volume_access: fix access permissions for backup files
907
908 -- Proxmox Support Team <support@proxmox.com> Thu, 28 Feb 2013 10:00:14 +0100
909
e3e6510c
DM
910libpve-access-control (1.0-25) unstable; urgency=low
911
912 * add VM.Snapshot permission
913
914 -- Proxmox Support Team <support@proxmox.com> Mon, 10 Sep 2012 09:23:32 +0200
915
1e15ebe7
DM
916libpve-access-control (1.0-24) unstable; urgency=low
917
918 * untaint path (allow root to restore arbitrary paths)
919
920 -- Proxmox Support Team <support@proxmox.com> Wed, 06 Jun 2012 13:06:34 +0200
921
437be042
DM
922libpve-access-control (1.0-23) unstable; urgency=low
923
924 * correctly compute GUI capabilities (consider pools)
925
926 -- Proxmox Support Team <support@proxmox.com> Wed, 30 May 2012 08:47:23 +0200
927
5bb4e06a
DM
928libpve-access-control (1.0-22) unstable; urgency=low
929
930 * new plugin architecture for Auth modules, minor API change for Auth
931 domains (new 'delete' parameter)
932
933 -- Proxmox Support Team <support@proxmox.com> Wed, 16 May 2012 07:21:44 +0200
934
3030a176
DM
935libpve-access-control (1.0-21) unstable; urgency=low
936
937 * do not allow user names including slash
938
939 -- Proxmox Support Team <support@proxmox.com> Tue, 24 Apr 2012 10:07:47 +0200
940
941libpve-access-control (1.0-20) unstable; urgency=low
942
943 * add ability to fork cli workers in background
944
945 -- Proxmox Support Team <support@proxmox.com> Wed, 18 Apr 2012 08:28:20 +0200
946
dd2cfee0
DM
947libpve-access-control (1.0-19) unstable; urgency=low
948
949 * return set of privileges on login - can be used to adapt GUI
950
951 -- Proxmox Support Team <support@proxmox.com> Tue, 17 Apr 2012 10:25:10 +0200
952
1cf154b7
DM
953libpve-access-control (1.0-18) unstable; urgency=low
954
7d23b7ca 955 * fix bug #151: correctly parse username inside ticket
533219a1
DM
956
957 * fix bug #152: allow user to change his own password
1cf154b7
DM
958
959 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Apr 2012 09:40:15 +0200
960
2de14407
DM
961libpve-access-control (1.0-17) unstable; urgency=low
962
963 * set propagate flag by default
964
965 -- Proxmox Support Team <support@proxmox.com> Thu, 01 Mar 2012 12:40:19 +0100
966
bdc61d7a
DM
967libpve-access-control (1.0-16) unstable; urgency=low
968
969 * add 'pveum passwd' method
970
971 -- Proxmox Support Team <support@proxmox.com> Thu, 23 Feb 2012 12:05:25 +0100
972
cc7bdf33
DM
973libpve-access-control (1.0-15) unstable; urgency=low
974
975 * Add VM.Config.CDROM privilege to PVEVMUser rule
976
977 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 11:44:23 +0100
978
a69bbe2e
DM
979libpve-access-control (1.0-14) unstable; urgency=low
980
981 * fix bug in userid-param permission check
982
983 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 10:52:35 +0100
984
d9483d94
DM
985libpve-access-control (1.0-13) unstable; urgency=low
986
987 * allow more characters in ldap base_dn attribute
988
989 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 06:17:02 +0100
990
84619607
DM
991libpve-access-control (1.0-12) unstable; urgency=low
992
993 * allow more characters with realm IDs
994
995 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Feb 2012 08:50:33 +0100
996
09d27058
DM
997libpve-access-control (1.0-11) unstable; urgency=low
998
999 * fix bug in exec_api2_perm_check
1000
1001 -- Proxmox Support Team <support@proxmox.com> Wed, 15 Feb 2012 07:06:30 +0100
1002
7a4c849e
DM
1003libpve-access-control (1.0-10) unstable; urgency=low
1004
1005 * fix ACL group name parser
1006
1007 * changed 'pveum aclmod' command line arguments
1008
1009 -- Proxmox Support Team <support@proxmox.com> Tue, 14 Feb 2012 12:08:02 +0100
1010
3eac4e35
DM
1011libpve-access-control (1.0-9) unstable; urgency=low
1012
1013 * fix bug in check_volume_access (fixes vzrestore)
1014
1015 -- Proxmox Support Team <support@proxmox.com> Mon, 13 Feb 2012 09:56:37 +0100
1016
4384e19e
DM
1017libpve-access-control (1.0-8) unstable; urgency=low
1018
1019 * fix return value for empty ACL list.
1020
1021 -- Proxmox Support Team <support@proxmox.com> Fri, 10 Feb 2012 11:25:04 +0100
1022
d8a56966
DM
1023libpve-access-control (1.0-7) unstable; urgency=low
1024
1025 * fix bug #85: allow root@pam to generate tickets for other users
1026
1027 -- Proxmox Support Team <support@proxmox.com> Tue, 17 Jan 2012 06:40:18 +0100
1028
cb6f2f93
DM
1029libpve-access-control (1.0-6) unstable; urgency=low
1030
1031 * API change: allow to filter enabled/disabled users.
1032
1033 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Jan 2012 12:30:37 +0100
1034
272fe9ff
DM
1035libpve-access-control (1.0-5) unstable; urgency=low
1036
1037 * add a way to return file changes (diffs): set_result_changes()
1038
1039 -- Proxmox Support Team <support@proxmox.com> Tue, 20 Dec 2011 11:18:48 +0100
1040
e42eedbc
DM
1041libpve-access-control (1.0-4) unstable; urgency=low
1042
1043 * new environment type for ha agents
1044
1045 -- Proxmox Support Team <support@proxmox.com> Tue, 13 Dec 2011 10:08:53 +0100
1046
1fba27e0
DM
1047libpve-access-control (1.0-3) unstable; urgency=low
1048
1049 * add support for delayed parameter parsing - We need that to disable
7d23b7ca 1050 file upload for normal API request (avoid DOS attacks)
1fba27e0
DM
1051
1052 -- Proxmox Support Team <support@proxmox.com> Fri, 02 Dec 2011 09:56:10 +0100
1053
5bf71a96
DM
1054libpve-access-control (1.0-2) unstable; urgency=low
1055
1056 * fix bug in fork_worker
1057
1058 -- Proxmox Support Team <support@proxmox.com> Tue, 11 Oct 2011 08:37:05 +0200
1059
2c3a6c0a
DM
1060libpve-access-control (1.0-1) unstable; urgency=low
1061
1062 * allow '-' in permission paths
1063
1064 * bump version to 1.0
1065
1066 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Jun 2011 13:51:48 +0200
1067
1068libpve-access-control (0.1) unstable; urgency=low
1069
1070 * first dummy package - no functionality
1071
1072 -- Proxmox Support Team <support@proxmox.com> Thu, 09 Jul 2009 16:03:00 +0200
1073