We are proud to announce the 18.0 release of Topicus KeyHub. This release brings a completely new way of authorizing clients to act on their own, allowing further automation with KeyHub without compromising your security. We've also worked hard to further improve the stability of our high availability solution. This release also brings many small usability improvements. As usual, a number of smaller improvements have been made and several issues have been fixed.
Client permissions
TKH-1650
TKH-1677
Traditionally, OAuth2 clients using the client credentials grant only had a limited set of fixed permissions in Topicus KeyHub. It was possible to grant access to vaults and to some details about groups. With 18.0, this has become a lot more flexible. It is now possible to grant clients permissions ranging from queries on accounts or groups to deleting accounts or creating groups. Naturally, it is still possible to grant access to vaults. All previously granted permissions are automatically converted to the new model.
In the future we expect to add many more permissions to this model. If you have specific needs for permissions, please contact us.
Webhooks for group managers
TKH-752
Webhooks for groups no longer fall under the domain of KeyHub administrators. These webhooks are now managed by the groups themselves. A group manager can easily create a webhook to deliver all audit records relevant for that group to a certain endpoint.
Add claims to the id_token
TKH-1689
The OpenID Connect protocol by default only puts a very limited number of claims in the id_token. Some applications incorrectly assume that claims that reside in the userinfo endpoint are automatically also placed in the id_token. It is now possible to configure KeyHub to add these claims to the id_token, even when the application does not explicitly request them. This makes it possible to use OIDC with some applications that do not strictly comply with the standard.
Improvements to the appliance
We've received a lot of feedback on our appliance and the configuration of high availability. In 18.0, we've made many smaller and bigger improvements to enhance the stability of a cluster and to prevent accidental data loss. The following issues were resolved for our appliance:
TKH-1630
The docker containers now run with read-only filesystems making it much harder to exploit a potential vulnerability.TKH-1652
The appliance manager no longer reads the settings from Topicus KeyHub itself. This could cause the appliance manager to become unresponsive in the event of a problem with the application itself.TKH-1659
When applying configuration changes in a cluster, the appliance manager will no longer stop on the first error but will continue to apply the configuration on other nodes. This makes it possible to repair a cluster when one node is unresponsive.TKH-1662
An action button was added to synchronize the configuration of a single node in the cluster.TKH-1663
When adding a new node to the cluster, the new node is now always configured last. Previously, existing nodes in the cluster could refuse the connection of the new node, because they did not yet get the new keys.TKH-1664
Let's Encrypt certificates are now correctly renewed when synchronizing the configuration.TKH-1665
Synchronizing the configuration on new nodes in a cluster no longer results in an error when some required information was not yet gathered on that node.TKH-1679
It is no longer required to specify ports in the firewall configuration for the monitoring zone. If no ports are specified, only TCP port 9443 is exposed.TKH-1680
Specifying TCP port 9443 for the monitoring zone no longer gives a error.TKH-1684
An error was fixed when upgrading an older version of KeyHub to 17.2 or later.TKH-1691
When restoring a database on a node in the cluster, the appliance manager now warns when it detects potential data loss, such as when trying to restore an empty database over a non-empty one.TKH-1693
The appliance will no longer automatically restore snapshots that are over 4 hours old. This prevents data loss when a snapshot was not properly removed on a previous update. It is still possible to manually restore such a snapshot.TKH-1694
Trying to restore a backup that lacks certain configuraton files should no longer result in an error.TKH-1698
Pgpool was updated to the latest version, 4.2.2.TKH-1706
Rewinding on failover is now more reliable, reducing the chance on the need for a full base backup.
Small improvements
The following smaller improvements and bug fixes were made:
TKH-1578
When using multiple directories, Topicus KeyHub will now automatically ensure usernames are unique by adding a number suffix when usernames would otherwise conflict.TKH-1584
It is now possible to navigate between the source and target vault of a shared vault record if you have the permissions to view both.TKH-1623
When copying or moving a vault record to a vault where you don't have the permission to remove it, you are now asked for confirmation first.TKH-1635
The documentation on expired vault records was updated with more screenshots.TKH-1640
Several improvements were made throughout Topicus KeyHub to make the application easier to use with a screen reader for visually impaired users.TKH-1641
The button to share, copy or move a vault record is made much more prominent to make it easier to find.TKH-1644
The installation guide for Topicus KeyHub on Azure was revised.TKH-1645
Many improvements were made to our testing infrastructure to greatly reduce the duration of the build while at the same time improve the reliability.TKH-1656
The feedback on badly formulated queries via the CLI has been improved.TKH-1658
Some styling improvements were made to the launchpad.TKH-1666
An error was fixed that prevented KeyHub administrators from accessing the list of accounts for private groups.TKH-1667
The vaults page will now correctly always load all appropriate entries when changing the filtering.TKH-1674
It is now possible to create multiple provisioning groups in one call when creating a group on system via the API.TKH-1678
An error was fixed that prevented the dashboard from loading when a private group requested authorization.TKH-1682
The Feature-Policy/Permission-Policy header was updated to prevent warnings in some browsers.TKH-1683
Several irrelevant options are no longer displayed when configuring the first directory during installation.TKH-1686
The documentation for importing vault records via the CLI was fixed.TKH-1688
Passwords are now copied directly to the clipboard using the new async clipboard API. This works in all major browsers, with the exception of Safari.TKH-1690
A textual error was fixed when displaying audit records about expired vault records.TKH-1695
The manual about restoring backups was revised.TKH-1697
The application server was upgraded to WildFly 23.0.1.TKH-1703
It is now possible to store files up to 2MB in the vault.TKH-1708
Thevault write
command with the--file
parameter now correctly uploads the contents of the file, instead of the file name.