Published by desimone almost 5 years ago
Lots of great stuff in this release, but be sure to follow the upgrade guide at the end of this document as there are several breaking changes!
- Group membership is now attested using the group's ID field instead of the group name; this affects every identity provider that supplies group membership. Please update your policies to use group IDs instead of group names.
- The previous programmatic access endpoint (/api/v1/token) has been removed and is no longer supported.
- Force refresh has been removed from the dashboard. Logging out and back in again should have the equivalent desired effect.
The previous programmatic authentication endpoint (/api/v1/token) has been removed and replaced by a per-route, OAuth2-based auth flow. Please see the updated programmatic access documentation for how to use the new API.
Previously, routes were verified by passing the downstream application's hostname as a path segment (e.g. ${fwdauth}/.pomerium/verify/httpbin.some.example). The new method for verifying a route using forward authentication is to pass the entire requested URL as a query string parameter (e.g. ${fwdauth}/verify?uri=https://httpbin.some.example), where the routed domain is taken from the URL in the uri key.
Note that the verification URL is no longer nested under the .pomerium endpoint.
For example, in nginx this would look like:
- nginx.ingress.kubernetes.io/auth-url: https://fwdauth.corp.example.com/.pomerium/verify/httpbin.corp.example.com?no_redirect=true
- nginx.ingress.kubernetes.io/auth-signin: https://fwdauth.corp.example.com/.pomerium/verify/httpbin.corp.example.com
+ nginx.ingress.kubernetes.io/auth-url: https://fwdauth.corp.example.com/verify?uri=$scheme://$host$request_uri
+ nginx.ingress.kubernetes.io/auth-signin: https://fwdauth.corp.example.com?uri=$scheme://$host$request_uri
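Review bot: both + lines paste $scheme://$host$request_uri into the uri parameter unescaped, and $request_uri carries the downstream request's own query string, so any & in it terminates the uri value and the remainder arrives as separate parameters of the verify request (a downstream request for /get?a=1&b=2 reaches /verify as uri=https://httpbin.corp.example.com/get?a=1 plus b=2). Either percent-encode the value before inserting it (for example with set_escape_uri from the set-misc module) or state in the guide that only the scheme and host of uri are consulted. Note also that the - auth-url carried ?no_redirect=true and the + auth-url does not; nginx's auth_request treats any subrequest status other than 2xx, 401 or 403 as an error, so the new /verify endpoint must answer 401 or 403, not a 302 to the sign-in page, for an unauthenticated request.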
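The following Go program is an added example of the forward-authentication contract described above; it is not Pomerium's code. A /verify handler reads the downstream URL from the uri query parameter, requires a scheme and host (so an old-style bare hostname is rejected rather than silently treated as a path), and allows only hosts in a constructed allow-list standing in for the routes a policy would define. VerifyQuery shows why the unescaped $scheme://$host$request_uri form in the nginx annotations matters: a downstream request whose query string contains & is truncated unless the value is escaped. The allowed hostnames, function names and status codes are assumptions of the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Hosts the hypothetical policy routes to. Constructed for this example; a
// real deployment would derive this from the policy "from" entries.
var allowedHosts = map[string]bool{
	"httpbin.corp.example.com": true,
}

// URIParam returns what the verify endpoint sees as the "uri" value for a
// given raw query string.
func URIParam(rawQuery string) string {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return ""
	}
	return q.Get("uri")
}

// VerifyStatus decides a forward-auth verify request carrying the downstream
// URL in the "uri" query key and returns the status a /verify handler would
// send: 400 for a malformed value, 403 for an unknown host, 200 otherwise.
func VerifyStatus(rawQuery string) int {
	u, err := url.Parse(URIParam(rawQuery))
	// A bare hostname such as the old path-style value parses without error
	// but lands in u.Path, so insist on both scheme and host explicitly.
	if err != nil || u.Scheme == "" || u.Host == "" {
		return http.StatusBadRequest
	}
	// Hostname() drops any port; fold case so HTTPBIN.corp... still matches.
	if !allowedHosts[strings.ToLower(u.Hostname())] {
		return http.StatusForbidden
	}
	return http.StatusOK
}

// VerifyHandler serves /verify using VerifyStatus.
func VerifyHandler(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(VerifyStatus(r.URL.RawQuery))
}

// VerifyQuery builds the query an ingress would send for a downstream URL,
// either pasting it raw (what $scheme://$host$request_uri does) or escaped.
func VerifyQuery(downstream string, escape bool) string {
	if escape {
		return "uri=" + url.QueryEscape(downstream)
	}
	return "uri=" + downstream
}

func main() {
	srv := httptest.NewServer(http.HandlerFunc(VerifyHandler))
	defer srv.Close()
	full := "https://httpbin.corp.example.com/get?a=1&b=2"
	for _, q := range []string{
		VerifyQuery(full, false),             // raw: uri is cut at the &
		VerifyQuery(full, true),              // escaped: uri arrives intact
		"uri=httpbin.corp.example.com",       // old path-style value, now invalid
		"uri=https://other.corp.example.com/", // host not in policy
	} {
		resp, err := http.Get(srv.URL + "/verify?" + q)
		if err != nil {
			fmt.Println("request failed:", err)
			continue
		}
		resp.Body.Close()
		fmt.Printf("%d  uri seen as %q\n", resp.StatusCode, URIParam(q))
	}
}
```

Because the decision is keyed on the host inside uri, the security of the scheme rests on the ingress building that value from its own $host rather than from anything the client controls; the truncation only matters once policy starts consulting the path or query of the downstream request.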
Published by desimone about 5 years ago
The authenticate service no longer uses gRPC for back-channel communication. As a result, AUTHENTICATE_INTERNAL_URL/authenticate_internal_url is no longer required.
In previous versions, if no explicit certificate pair (in base64 or file form) was set, Pomerium would make a last-ditch effort to check for certificate files (cert.key/privkey.pem) in the root directory. With the introduction of the insecure server configuration, that fallback has been removed. If neither the certificate settings nor insecure server mode is set, Pomerium will give an appropriate error instead of a "failed to find/open certificate" error.
The Authorize service will no longer respond to HTTP-based healthcheck queries when run as a distinct service (vs. all-in-one). As an alternative, you can use TCP-based checks. For example, if using Kubernetes:

```yaml
---
readinessProbe:
  tcpSocket:
    port: 443
  initialDelaySeconds: 5
  periodSeconds: 10
livenessProbe:
  tcpSocket:
    port: 443
  initialDelaySeconds: 15
  periodSeconds: 20
```

Note that a TCP probe only confirms that the port accepts connections, not that the gRPC service behind it is healthy.
If service mode (SERVICES/services) is set to all, gRPC communication with the authorize service will by default occur over localhost, on port :5443.
- The /ping endpoint now returns HTTP status 405 (StatusMethodNotAllowed) for non-GET requests.
- Logging now records X-Forwarded-For, in addition to just the client IP.
- Pomerium now errors unless either insecure_server or a valid certificate bundle is set. [GH-328]
- Removed AUTHENTICATE_INTERNAL_URL/authenticate_internal_url, which is no longer used.
Published by desimone about 5 years ago
- gRPC improvements. [GH-261] / [GH-69]
- Added the ability to set client certificates for downstream connections. [GH-259]
- amd64-based docker images. [GH-284]
- Fixed handling of malformed cookie headers (e.g. Cookie: ;;;). [GH-285]
- Pomerium will now strip _csrf cookies in addition to session cookies. [GH-285]
- Disabled gRPC service config. [GH-280]
- A policy's custom certificate authority can be set as a file or a base64-encoded blob (tls_custom_ca/tls_custom_ca_file). [GH-259]
- Removed references to service named ports and instead use their numeric equivalent. [GH-266]
Published by desimone about 5 years ago
Tracing [GH-230], aka distributed tracing, provides insight into the full lifecycle (trace) of a request through the system, allowing you to pinpoint failures and performance issues.
Metrics provide quantitative information about processes running inside the system, including counters, gauges, and histograms.
- Added informational metrics. [GH-227]
- gRPC metrics implementation. [GH-218]
- gRPC status labels are now grpc_client_status and grpc_server_status.
- HTTP metrics implementation. [GH-220]
- The HTTP method label is now http_method, and the HTTP status label is now http_status.
- Added select_account (the OpenID Connect prompt value) to the sign-in URL. This allows a user who has multiple accounts at the authorization server to select amongst the accounts that they may have current sessions for.
Published by desimone over 5 years ago
PLEASE REVIEW THE UPGRADE GUIDE BEFORE UPDATING!
- The to and from settings must be set to valid HTTP URLs including schemes and hostnames (e.g. http.corp.domain.example should now be https://http.corp.domain.example).
- {}/.pomerium/sign_out now accepts an optional redirect_uri parameter which can be used to specify a custom redirect page, so long as it is under the same top-level domain. [GH-183]
- CookieDomain lets a user set the scope of the user session. CSRF cookies will still always be scoped at the individual route level. [GH-181]
PLEASE REVIEW THE UPGRADE GUIDE BEFORE UPDATING!
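The redirect_uri rule for /.pomerium/sign_out in the notes above (the target must stay under the same top-level domain as the session) is the kind of check that, done loosely, becomes an open redirect. The Go function below is an added example of that check and is not Pomerium's implementation; it reads the rule as "the redirect host is the cookie domain or a subdomain of it", additionally requires https (an assumption of the example), and rejects the usual bypasses: relative and scheme-relative URLs, userinfo tricks, and look-alike domains that merely contain the cookie domain as a substring.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// SafeRedirect reports whether redirectURI may be used as the post-sign-out
// target for a session scoped to cookieDomain (with or without a leading dot).
// Added example; the https requirement and the "same domain or subdomain"
// reading of the rule are assumptions, not Pomerium's documented behaviour.
func SafeRedirect(redirectURI, cookieDomain string) bool {
	u, err := url.Parse(redirectURI)
	if err != nil {
		return false
	}
	// Relative ("/done"), scheme-relative ("//evil.example") and bare-host
	// values all parse cleanly but must not pass: demand scheme and host.
	if u.Scheme != "https" || u.Host == "" {
		return false
	}
	// Hostname() strips any port. Userinfo tricks such as
	// https://corp.example.com@evil.example leave evil.example in Host.
	host := strings.ToLower(strings.TrimSuffix(u.Hostname(), "."))
	domain := strings.ToLower(strings.TrimPrefix(cookieDomain, "."))
	if domain == "" {
		return false
	}
	// Compare on a label boundary so corp.example.com.evil.example fails.
	return host == domain || strings.HasSuffix(host, "."+domain)
}

func main() {
	const domain = ".corp.example.com" // constructed sample cookie domain
	for _, r := range []string{
		"https://app.corp.example.com/signed-out",
		"https://corp.example.com/",
		"https://corp.example.com.evil.example/",
		"https://corp.example.com@evil.example/",
		"https://evil.example/?next=corp.example.com",
		"//evil.example/",
		"/local-page",
	} {
		fmt.Printf("%-45s allowed=%v\n", r, SafeRedirect(r, domain))
	}
}
```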
- Added a session refresh cooldown (REFRESH_COOLDOWN), which defaults to five minutes. [GH-73]
- Added the ADMINISTRATORS setting. [GH-110]
- AUTHENTICATE_INTERNAL_URL must now be a URL containing both a valid hostname and scheme. [GH-153]
- Removed LifetimeDeadline from sessions.SessionState.
- Added the HEADERS configuration variable. [GH-108]
- Container images now include nsswitch [GH-97] and ca-certificates, and limit the attack surface area of our images. [GH-101]
- Added HTTP_REDIRECT_ADDR. [GH-103]
- Content-Security-Policy hash updated to match new UI assets.
- Fixed: golint was not being found in our docker image. [GH-121]
This page contains the list of deprecations and important or breaking changes when upgrading pomerium from v0.0.4 to v0.0.5. Please read it carefully.
Usage of the POLICY_FILE envvar is no longer supported. Support for file-based policy configuration has been shifted into the new unified config file.
Pomerium now supports an optional -config flag. This flag specifies a file from which to read all configuration options. It supports yaml, json, toml and properties formats.
All options which can be specified via MY_SETTING style envvars can now be specified within your configuration file as key/value pairs. The key is generally the same as the envvar name, but lower-cased. See the Reference Documentation for exact names.
Options precedence is environment variables > configuration file > defaults.
The options file supports a policy key, which contains policy in the same format as POLICY_FILE. To convert an existing policy.yaml into a config.yaml, just move your policy under a policy key.
Old:

```yaml
- from: httpbin.corp.beyondperimeter.com
  to: http://httpbin
  allowed_domains:
    - pomerium.io
  cors_allow_preflight: true
  timeout: 30s
```

New:

```yaml
policy:
  - from: httpbin.corp.beyondperimeter.com
    to: http://httpbin
    allowed_domains:
      - pomerium.io
    cors_allow_preflight: true
    timeout: 30s
```
The configuration variable Authenticate Internal Service URL (AUTHENTICATE_INTERNAL_URL) must now be a valid URL containing both a hostname and the https scheme.
Published by desimone over 5 years ago
- Removed the AUTHORIZE_INTERNAL_URL config option, since authorization has no public HTTP handlers, only a gRPC service endpoint. [GH-93]
- Removed the PROXY_ROOT_DOMAIN config option, which is now inferred from AUTHENTICATE_SERVICE_URL. Only callback requests originating from a URL on the same sub-domain are permitted. [GH-83]
- Removed the REDIRECT_URL config option, which is now inferred from AUTHENTICATE_SERVICE_URL (e.g. https://$AUTHENTICATE_SERVICE_URL/oauth2/callback). [GH-83]
- Fixed a refresh_token bug in the Google provider by updating the implementation to use the new prompt=consent OAuth2 parameter. Reported and fixed by @chemhack [GH-81]
FEATURES:
Authorization : The authorization module adds support for per-route access policy. In this release we support the most common forms of identity-based access policy: allowed_users, allowed_groups, and allowed_domains. In future versions, the authorization module will also support context- and device-based authorization policy and decisions. See the website documentation for more details.
Group Support : The authenticate service now retrieves a user's group membership information during authentication and refresh. This change may require additional identity provider configuration, all of which is described in the updated docs. A brief summary of the requirements for each IdP is as follows:
- Google requires IDP_SERVICE_ACCOUNT to be set to the base64-encoded value of the service account's key file.
- Providers that expose groups as a token claim require the groups claim to be added to both the id_token and access_token. No additional API calls are made.
- Azure Active Directory requires the Directory.Read.All API permission.
WebSocket Support : With Go 1.12, Pomerium automatically proxies WebSocket requests.
CHANGED:
- Added the LOG_LEVEL config setting, which allows for setting the desired minimum log level for an event to be logged. [GH-74]
- Changed the POMERIUM_DEBUG config setting to just do console-pretty printing; it no longer sets the log level. [GH-74]
- Updated generate_wildcard_cert.sh to generate a 256-bit elliptic curve cert by default.
- Updated env.example to include a POLICY setting example.
- Added IDP_SERVICE_ACCOUNT to env.example.
- Removed the PROXY_ROOT_DOMAIN setting, which has been replaced by POLICY.
- Removed the ALLOWED_DOMAINS setting, which has been replaced by POLICY. Authorization is now handled by the authorization service and is defined in the policy configuration files.
- Removed the ROUTES setting, which has been replaced by POLICY.
- Added ${url}/.pomerium/refresh, which forces a token refresh and responds with the JSON result.
- Added the downstream headers (x-pomerium-authenticated-user-groups) and (x-pomerium-jwt-assertion).
- The default cookie expiration (COOKIE_EXPIRE) changed from 7 days to 14 hours, roughly one business day.
- Moved the identity provider code (authenticate/providers) into its own internal identity package, as third-party identity providers now supply authorization details (group membership, user role, etc.) in addition to just authentication attributes.
FIXED:
http.Server and httputil.NewSingleHostReverseProxy now use Pomerium's logging package instead of the standard library's built-in one. [GH-58]