Boundary 0.15.0 release notes
GA date: January 30, 2024
Release notes provide an at-a-glance summary of key updates to new versions of Boundary. For a comprehensive list of product updates, improvements, and bug fixes, refer to the changelog included with the Boundary code on GitHub.
We encourage you to upgrade to the latest release of Boundary to take advantage of continuing improvements, critical fixes, and new features.
New features
Feature | Description |
---|---|
Session recording storage policies | Storage policies codify how long session recordings must be kept, and when they should be deleted. You can configure retention periods based on your compliance needs. Learn more: Storage policies and Configure storage bucket policies |
Search and filter | A new command was added, boundary search. It allows you to search a local cache for information about session and target resources. The local cache helps prevent your system resources from being overwhelmed. Learn more: boundary search and Boundary list vs. search. |
Boundary daemon | The Boundary client daemon now runs on end users' computers and locally caches session and target resource information from Boundary instances. The cache helps expedite searches. Learn more: boundary daemon and Client cache |
List endpoint pagination | All list endpoints now support pagination, except for worker resources. You can request a list of updated and deleted resources relative to the last result you received via the API. There are new controller flags page_size and max_page_size to set the default and max size of pages. Learn more: API list pagination |
Generic commands | In this release, new generic commands were added for read, update, and delete. You can use these generic commands to operate directly on a resource by specifying the resource ID as the next parameter. You do not need to specify a sub-type. For example, the command boundary update ttcp_1234567890 automatically updates a target with that ID. Learn more: delete, read, and update |
Multiple grant scopes in roles | Roles now support multiple grant scopes, along with the special values this, children (global/org scopes only) to apply to all direct children of a scope, and descendants (global only) to apply to all descendants of a scope. You can apply the new values by using the commands add-grant-scopes, set-grant-scopes, and remove-grant-scopes on roles. You can continue to use the existing grant_scope_id field for now, but it has been deprecated. Learn more: add-grant-scopes, remove-grant-scopes, and set-grant-scopes |
Known issues and breaking changes
Version | Issue | Description |
---|---|---|
0.13.0+ | Rotation of AWS access and secret keys during a session results in stale recordings | In Boundary version 0.13.0+, when you rotate a storage bucket's secrets, any new sessions use the new credentials. However, previously established sessions continue to use the old credentials. As a best practice, administrators should rotate credentials in a phased manner, ensuring that all previously established sessions are completed before revoking the stale credentials. Otherwise, you may end up with recordings that aren't stored in the remote storage bucket, and are unable to be played back. |
0.13.0+ | Unsupported recovery workflow during worker failure | If a worker fails during a recording, there is no way to recover the recording. This could happen due to a network connectivity issue or because a worker is scaled down, for example. Learn more: Unsupported recovery workflow |
0.14.0+ (Fixed in 0.15.3) | Cannot delete IAM access key resource | When you delete an AWS S3 storage bucket that had credential rotation enabled, Boundary cannot delete the associated IAM access key resource. This issue is fixed in version 0.15.3. Upgrade to the latest version of Boundary. Learn more: Create a storage bucket |
0.15.0 | Permission grant string change | The ability to add new grants via the id parameter has been removed. Grants now accept more than one ID per grant string or JSON entry using the ids parameter. This change was noted in the v0.13.1 Changelog, and goes into effect with this release. You must update any code or Terraform configuration that uses the id parameter. Learn more: Add grants |
0.15.0 | List result pagination | All list endpoints now return the first 1,000 items instead of all items, if no parameters are provided. You can configure the number of items returned using the new controller configuration parameter max_page_size. The Admin UI, CLI, and API package automatically paginate results. Learn more: API list pagination |
0.15.0 | Storage bucket policy updates | If you have session recording configured, you must update your IAM policy in AWS before you upgrade your worker to version 0.15.0 to ensure your session recordings continue to get uploaded to S3. The IAM policy now requires the DeleteObjects and ListBucket permissions. Learn more: Create storage buckets |
0.15.0 (Fixed in 0.15.1) | Maximum number of connections allowed is incorrect | A known issue causes Boundary to permit one less than the allowed number of connections that you configured for a given target. For example, if you configured the session connection limit for a target at 2, Boundary only permits 1 connection to the target. If the value is 1, Boundary does not allow any connections to the target. A value of -1 still means that connections to the target are unlimited. This issue is fixed in version 0.15.1. Upgrade to the latest version of Boundary. Learn more: Refer to the CLI docs for information about using targets create or targets update to configure a maximum number of connections. Refer to the API docs for information about using Target service to configure a maximum number of connections. |
0.15.0 (Fixed in 0.15.2) | Go CVE-2024-24783, Go CVE-2024-24784, Go CVE-2024-24785, Go CVE-2024-24786, Go CVE-2023-45289, Go CVE-2023-45290 | The version of Go that was used in Boundary release 0.15.0 contained security vulnerabilities. The vulnerabilities were fixed in Go version 1.21.8. Boundary was updated to use the new Go version in release 0.15.2, and the issue is resolved. Upgrade to the latest version of Boundary. Learn more: CVE-2024-24783: Verify panics on certificates with an unknown public key algorithm in crypto/x509; CVE-2024-24784: Comments in display names are incorrectly handled in net/mail; CVE-2024-24785: Errors returned from JSON marshaling may break template escaping in html/template; CVE-2024-24786: Infinite loop in JSON unmarshaling in google.golang.org/protobuf; CVE-2023-45289: Incorrect forwarding of sensitive headers and cookies on HTTP redirect in net/http; CVE-2023-45290: Memory exhaustion in multipart form parsing in net/textproto and net/http |
0.15.0 (Fixed in 0.15.3 and 2.0.2 Desktop) | Boundary Desktop does not update | The macOS Boundary Desktop client displays a prompt to update automatically, but it never actually updates. This issue is fixed in Boundary version 0.15.3 and version 2.0.2 of the Desktop client. Upgrade to the latest version of Boundary. |
0.15.0 (Fixed in 0.15.4) | Go CVE-2023-45288 | The version of Go that was used in Boundary release 0.15.0 contained security vulnerabilities. The vulnerabilities were fixed in Go version 1.21.9. Boundary was updated to use the new Go version in release 0.15.4, and the issue is resolved. Upgrade to the latest version of Boundary. Learn more: CVE-2023-45288: HTTP/2 CONTINUATION flood in net/http |
Feature deprecations and EOL
EOL | Description |
---|---|
kms worker method | As noted in the v0.13.0 release notes, the kms worker method has been removed. Since version 0.13.0, you have had to opt in to use the deprecated method. Now it is no longer available and Boundary uses the new kms mechanism. Learn more: KMS worker configuration |
Default port value | As noted in the v0.14.0 and v0.12.0 release notes, targets now require a default port value. Previously, any ports that you defined as part of a host address were ignored, but allowed as part of the target definition. Now, if you define a port on a host address it results in an error. As of this release, the restriction also affects existing addresses. Any existing addresses that contain a port cannot be used as part of a target's session authorization call. Learn more: Targets |
id field for grants | As noted in the v0.13.1 Changelog, the ability to add new grants via the id parameter has been removed. Grants now accept more than one ID per grant string or JSON entry using the ids parameter. Learn more: Add grants |
grant-scope-id field for roles | The grant-scope-id field is now deprecated in favor of multiple grant scope support. Learn more: add-grant-scopes, remove-grant-scopes, and set-grant-scopes |
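
The id-to-ids grant change listed under both known issues and deprecations can be checked for mechanically before an upgrade. The following is an added example, not code from Boundary: it flags quoted grant strings that still use id= in a constructed Terraform snippet and produces the ids= replacement. The function names, the sample resource, and the list-valued JSON ids form are assumptions of this example.

```python
import json
import re

QUOTED = re.compile(r'"([^"\\]*)"')  # plain double-quoted literals (no escapes)
GRANT_KEYS = {"type", "actions", "output_fields"}  # fields that mark a grant string
# Constructed sample input, not taken from any real configuration.
SAMPLE_TF = '''\
resource "boundary_role" "readonly" {
  grant_strings = [
    "id=*;type=*;actions=read",
    "ids=hcst_1234567890,hcst_0987654321;actions=read",
    "id=ttcp_1234567890;actions=authorize-session;output_fields=id",
  ]
}
'''

def parse_fields(grant):
    """Split 'k=v;k=v' into (key, value) pairs, ignoring empty segments."""
    pairs = []
    for segment in grant.split(";"):
        key, _, value = segment.partition("=")
        if key.strip():
            pairs.append((key.strip(), value.strip()))
    return pairs

def migrate_grant_string(grant):
    """Rename the removed id field to ids; every other field is kept as is."""
    return ";".join(f"{'ids' if k == 'id' else k}={v}" for k, v in parse_fields(grant))

def migrate_json_grant(grant):
    """JSON entry: "id": "x" becomes "ids": ["x"] (list form is an assumption)."""
    entry = json.loads(grant)
    if "id" in entry:
        entry.setdefault("ids", []).append(entry.pop("id"))
    return json.dumps(entry, sort_keys=True)

def audit(text):
    """Return (line_number, old, new) for quoted grant strings still using id=."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for literal in QUOTED.findall(line):
            keys = {k for k, _ in parse_fields(literal)}
            if "id" in keys and keys & GRANT_KEYS:
                findings.append((number, literal, migrate_grant_string(literal)))
    return findings

if __name__ == "__main__":
    for number, old, new in audit(SAMPLE_TF):
        print(f"line {number}: {old!r} -> {new!r}")
```

A value such as output_fields=id is left alone because only a field whose key is exactly id is renamed.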