Boundary 0.17.0 release notes
GA date: July 31, 2024
Release notes provide an at-a-glance summary of key updates to new versions of Boundary. For a comprehensive list of product updates, improvements, and bug fixes refer to the changelog included with the Boundary code on GitHub.
We encourage you to upgrade to the latest release of Boundary to take advantage of continuing improvements, critical fixes, and new features.
Important changes
Change | Description |
---|---|
Role creation | In a future version, Boundary will no longer automatically create roles when new scopes are created. Automatic role creation was implemented prior to multi-scope grants to ensure administrators and users had default permissions in new scopes. Since Boundary 0.15, initial roles created for new clusters provide these permissions by default to all scopes using multi-scope grants. |
Docker image no longer contains curl | As of version 0.17.1 and later, the curl binary is no longer included in the published Docker container image for Boundary. The image now includes wget, which you can alternatively use to check the health endpoint for a worker. If your workflow depends on having curl in the image, you can dynamically install it using apk. Learn more: Known issues and breaking changes |
New features
Feature | Update | Description |
---|---|---|
Centralized tag management for workers | GA | Prior to this version, if you wanted to edit or update worker tags, you had to do it using the worker configuration file, the CLI, or the API. Now, you can edit worker tags directly in the Boundary UI. Learn more: Worker tags. |
Multi-scope roles and inheritance | GA | You can now assign a single role to multiple scopes, making it easier to grant permissions to users who must access resources across multiple scopes. You can also configure child scopes to inherit roles. Learn more: Permissions in Boundary. |
Improved worker failure handling | GA | When you attempt to connect to a target, Boundary randomly selects a worker that has the matching tags to proxy the connection. Before release 0.17.0, unhealthy workers that had issues related to the external storage provider were eligible to proxy connections. The connections would fail, and users had to restart the connection until Boundary selected a healthy worker. In this release, Boundary removes workers from the pool of available workers if they have issues with the external storage provider for improved worker failure handling. Learn more: Configure workers for session recording. |
S3-compliant storage options for session recording | GA | As of Boundary 0.16.0, the MinIO plugin made it possible to use MinIO storage as a storage option for session recording. Starting in this release, you can use the MinIO plugin to configure storage using other S3-compliant storage providers. Learn more: Configure S3-compliant storage for session recording. |
Known issues and breaking changes
Version | Issue | Description |
---|---|---|
0.13.0+ | Rotation of AWS access and secret keys during a session results in stale recordings | In Boundary version 0.13.0+, when you rotate a storage bucket's secrets, any new sessions use the new credentials. However, previously established sessions continue to use the old credentials. As a best practice, administrators should rotate credentials in a phased manner, ensuring that all previously established sessions are completed before revoking the stale credentials. Otherwise, you may end up with recordings that aren't stored in the remote storage bucket, and are unable to be played back. |
0.13.0+ | Unsupported recovery workflow during worker failure | If a worker fails during a recording, there is no way to recover the recording. This could happen due to a network connectivity issue or because a worker is scaled down, for example. Learn more: Unsupported recovery workflow |
0.17.1+ | Docker image no longer contains curl | As of version 0.17.1 and later, the curl binary is no longer included in the published Docker container image for Boundary. The image now includes wget. You can use wget to check the health endpoint for workers. Learn more: Check the health endpoint using wget. If your workflow depends on having curl in the image, you can dynamically install it using apk. Refer to the following commands for examples of using apk to install curl: <CONTAINER-ID> apk add curl or kubectl exec -ti <NAME> -- apk add curl |
0.17.0 (Fixed in 0.17.1) | Using an invalid alias results in a 401 message | If you tried to connect to an invalid alias, Boundary returned a message with the 401 status code. The 401 status code could cause users to believe that they did not properly authenticate, rather than realizing the alias resource was invalid. This issue is fixed in Boundary version 0.17.1. If you use an invalid alias, Boundary now properly returns a 404 status code, indicating that it could not find the alias resource. Learn more: Aliases. Upgrade to the latest version of Boundary. |
0.17.0 (Fixed in 0.17.1) | Session recording fails when you use Secure File Copy (SCP) | If you tried to use SCP during a recorded session, the session recording details may have shown the recording state as Failed, and you may not have been able to play back the session. This issue occurs when a recorded session file is too large. It can happen when you use SCP to transfer large files during a recorded session. In Boundary version 0.17.1, we have increased the maximum size for recorded session files to 5 GB. This issue should happen less often now, but be careful when you use SCP during a recorded session, because it can result in large recorded session files. Learn more: Session recording storage considerations. Upgrade to the latest version of Boundary. |
0.8.0 - 0.17.2 (Fixed in Boundary Community Edition and Boundary Enterprise 0.17.3) | Boundary controller incorrectly handles HTTP requests and stops prematurely (HCSEC-2024-28) | Boundary Community Edition and Boundary Enterprise incorrectly handle HTTP requests while the Boundary controller is starting up, which may cause the controller to stop prematurely. Boundary is only vulnerable to this flaw during the controller's initialization, which usually occurs in milliseconds during Boundary's startup process. This vulnerability, HCSEC-2024-28, is fixed in Boundary Community Edition and Boundary Enterprise versions 0.16.4, 0.17.3, and 0.18.2. Learn more: HCSEC-2024-28: Boundary controller incorrectly handles http requests on initialization which may lead to a denial of service. Upgrade to the latest version of Boundary. |
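
The phased rotation recommended in the 0.13.0+ key rotation row can be gated with a check like the following, which is an added example and not part of Boundary or its documentation. It assumes session data exported as JSON with an `items` list whose entries carry `id`, `status` and `created_time` fields, and the status values pending, active, canceling and terminated; the function names and sample data are hypothetical. It conservatively treats every open session established before the rotation as blocking, whether or not it is recorded.

```python
import json
from datetime import datetime

# Assumption: a session in any of these states may still hold the old credentials.
OPEN_STATUSES = {"pending", "active", "canceling"}


def parse_time(value):
    """Parse an RFC 3339 timestamp, accepting a trailing 'Z' for UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def sessions_blocking_revocation(sessions_json, rotated_at):
    """Return IDs of sessions established before the rotation that are still open.

    These sessions continue to use the old storage bucket credentials, so
    revoking those credentials now could leave their recordings unstored.
    """
    rotated = parse_time(rotated_at)
    blocking = []
    for item in json.loads(sessions_json).get("items") or []:
        started_before = parse_time(item["created_time"]) < rotated
        if started_before and item.get("status") in OPEN_STATUSES:
            blocking.append(item["id"])
    return blocking


def safe_to_revoke(sessions_json, rotated_at):
    """True only when no pre-rotation session is still open."""
    return not sessions_blocking_revocation(sessions_json, rotated_at)


# Constructed sample data (not real Boundary output).
SAMPLE = json.dumps({"items": [
    {"id": "s_constructed01", "status": "terminated",
     "created_time": "2024-07-31T09:00:00Z"},
    {"id": "s_constructed02", "status": "active",
     "created_time": "2024-07-31T11:30:00Z"},
    {"id": "s_constructed03", "status": "active",
     "created_time": "2024-07-31T12:05:00Z"},
]})

if __name__ == "__main__":
    rotated_at = "2024-07-31T12:00:00Z"  # constructed rotation time
    print("blocking:", sessions_blocking_revocation(SAMPLE, rotated_at))
    print("safe to revoke old credentials:", safe_to_revoke(SAMPLE, rotated_at))
```

Run the check repeatedly after rotating the bucket secrets and revoke the old AWS keys only once it reports no blocking sessions.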