Releases: lsst-sqre/gafaelfawr
3.0.3
- Fix errors when returning existing internal or notebook tokens when two tokens were created for the same parent token due to a race between workers. In previous versions, Gafaelfawr would fail with an exception if there were more than one matching notebook or internal token for a given set of parameters.
- Update dependencies.
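The 3.0.3 fix above concerns the lookup of an existing internal or notebook token: if two workers raced and each created an equivalent child token for the same parent, a lookup that assumes exactly one match fails. The following is an added illustration of a lookup that tolerates duplicates and also applies the reissue-at-half-expiry rule described in the 2.0.0 notes. It is example code written for this page, not Gafaelfawr's own implementation; the `ChildToken` fields, the matching criteria and the sample tokens are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class ChildToken:
    """Hypothetical record of a cached internal or notebook token (assumed shape)."""

    key: str                # opaque token key
    token_type: str         # "internal" or "notebook"
    parent_key: str         # key of the user token this was delegated from
    scopes: FrozenSet[str]  # scopes granted to the child token
    service: Optional[str]  # target service for internal tokens, None for notebook
    created: datetime
    expires: datetime


def is_half_expired(token: ChildToken, now: datetime) -> bool:
    """True once at least half of the token's lifetime has elapsed."""
    half_life = (token.expires - token.created) / 2
    return now >= token.created + half_life


def find_reusable_token(
    candidates: List[ChildToken],
    token_type: str,
    parent_key: str,
    scopes: FrozenSet[str],
    service: Optional[str],
    now: datetime,
) -> Optional[ChildToken]:
    """Return an existing child token to reuse, or None if a new one should be issued.

    Any number of matches is accepted: duplicates created by racing workers are
    harmless, so the longest-lived match is preferred instead of raising when
    more than one row matches.
    """
    matches = [
        t
        for t in candidates
        if t.token_type == token_type
        and t.parent_key == parent_key
        and t.scopes == scopes
        and t.service == service
        and t.expires > now
    ]
    if not matches:
        return None
    best = max(matches, key=lambda t: t.expires)
    # Reissue early so callers never receive a token that is about to expire.
    if is_half_expired(best, now):
        return None
    return best


NOW = datetime(2021, 6, 1, 12, 0, tzinfo=timezone.utc)
PARENT = "gt-parent-key"            # constructed placeholder, not a real token
SCOPES = frozenset({"read:all"})


def sample_tokens() -> List[ChildToken]:
    """Constructed sample data: two equivalent tokens created by a worker race."""
    one_hour = timedelta(hours=1)
    return [
        # Created at 11:00 with a two-hour lifetime: half-expired by 12:00.
        ChildToken("gt-child-a", "internal", PARENT, SCOPES, "portal",
                   NOW - one_hour, NOW + one_hour),
        # Created at 11:30 with a two-hour lifetime: still fresh at 12:00.
        ChildToken("gt-child-b", "internal", PARENT, SCOPES, "portal",
                   NOW - one_hour / 2, NOW + one_hour + one_hour / 2),
    ]


if __name__ == "__main__":
    chosen = find_reusable_token(sample_tokens(), "internal", PARENT, SCOPES, "portal", NOW)
    print("reuse:", chosen.key if chosen else None)
```

With both duplicates present the lookup returns the fresher token; with only the older one present it returns `None`, which is the signal to mint a replacement rather than hand out a token already past half its lifetime.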
3.0.2
- Display expired tokens as expired in the UI instead of showing the delta of the expiration from the current time.
- Sort token lists in the UI in descending order by last used (not yet populated), then creation date, and only then by the token key.
- Add a timestamp to all log messages, since not all Kubernetes log viewers show the timestamp added by Kubernetes.
- Update dependencies.
3.0.1
- Display the token key and token type when showing token change history. Since the change history includes subtokens, not showing the type or key was confusing.
- Initialize the database if needed as part of Gafaelfawr container startup.
- Add additional startup logging at the DEBUG level.
- Improve error reporting if Gafaelfawr is unable to connect to its database.
- Update dependencies.
3.0.0
This release replaces the Kubernetes secret management approach released with 2.0.0 with a new approach based on a `GafaelfawrServiceToken` custom resource definition. The old configuration-based approach is no longer supported.
- Add new `kubernetes-controller` invocation, which reconciles all `GafaelfawrServiceToken` objects and then starts a watcher and processes new updates as they happen.
- Change `update-service-tokens` to use the custom resource approach instead of configuration plus labeled Kubernetes `Secret` objects.
- Use local Kubernetes configuration for Kubernetes operations if invoked outside of a Kubernetes cluster.
- Increase the timeout for outbound HTTP calls to authentication providers to 20 seconds. Some authentication providers and some Kubernetes cluster networking environments can be surprisingly slow.
- Update dependencies.
2.0.1
2.0.0
As of this release, Gafaelfawr now uses opaque tokens for all internal authentication and only issues JWTs as part of its OpenID Connect server support. All existing sessions and tokens will be invalidated by this upgrade and all users will have to reauthenticate.
Gafaelfawr now requires a SQL database. Its URL must be set as the `config.databaseUrl` Helm chart parameter.
As of this release, Gafaelfawr now uses FastAPI instead of aiohttp. OpenAPI documentation is available via the `/auth/docs` and `/auth/redoc` routes.
- Eliminate internal JWTs, including the old session and session handle system, in favor of opaque tokens.
- Add a new token API under `/auth/api/v1` for creating, modifying, viewing, and deleting tokens. This is the basis of the new token management UI. API documentation is published under `/auth/docs` and `/auth/redoc`.
- Add support for several classes of tokens for different purposes. Add additional token metadata to record the purpose of a token.
- Add caching of internal and notebook tokens. Issue new internal and notebook tokens when the previous token is half-expired.
- Add support for a bootstrap token that can be used to dynamically create other tokens or configure administrators.
- Add support for maintaining Kubernetes secrets containing Gafaelfawr service tokens for applications that need to make authenticated calls on their own behalf.
- Replace the `/auth/tokens` UI with a new UI using React and Gatsby. Currently, it supports viewing all the tokens for a user, creating and editing user tokens, revoking tokens, viewing token information with the token change history, and searching the token change history.
- Protected applications no longer receive a copy of the user's authentication token. They must request a delegated token if they want one.
- The `/auth` route now supports requesting a notebook or internal delegated token for the application.
- Use FastAPI instead of aiohttp, and use httpx to make internal requests.
- Add `/.well-known/openid-configuration` route to provide metadata about the internal OpenID Connect server. This follows the OpenID Connect Discovery 1.0 specification.
- Enforce constraints on valid usernames matching GitHub's constraints, except without allowing capital letters.
- Be more careful in interpreting `isMemberOf` claims from the upstream OpenID Connect provider and discard more invalid data.
- Only document and support installing Gafaelfawr via the Helm chart.
- Update all dependencies.
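The 2.0.0 note about username constraints says they match GitHub's rules but without capital letters. As an added example (not Gafaelfawr's own validator), the following Python encodes that rule set as it is assumed here: lowercase letters, digits and hyphens only, no leading, trailing or consecutive hyphens, and a maximum length of 39 characters (GitHub's limit; the length cap is an assumption, the page does not state one). The second function reports which rule a rejected name violated, which is useful when writing the error returned to the upstream identity provider's users.

```python
import re
from typing import Optional

# Assumed limit, taken from GitHub's username rules; not stated on the page.
MAX_USERNAME_LENGTH = 39

# One or more runs of [a-z0-9], separated by single hyphens.
_USERNAME_RE = re.compile(r"^[a-z0-9](?:[a-z0-9]|-[a-z0-9])*$")
_ALLOWED_CHARS = frozenset("abcdefghijklmnopqrstuvwxyz0123456789-")


def is_valid_username(username: str) -> bool:
    """Accept exactly the names the assumed rule set allows."""
    if not username or len(username) > MAX_USERNAME_LENGTH:
        return False
    return _USERNAME_RE.fullmatch(username) is not None


def username_problem(username: str) -> Optional[str]:
    """Return None for a valid name, otherwise the first rule it breaks.

    Checks are ordered so the message names the most specific violation;
    the result always agrees with is_valid_username().
    """
    if not username:
        return "empty"
    if len(username) > MAX_USERNAME_LENGTH:
        return "longer than %d characters" % MAX_USERNAME_LENGTH
    if any(c.isupper() for c in username):
        return "contains uppercase letters"
    if not all(c in _ALLOWED_CHARS for c in username):
        return "contains characters other than a-z, 0-9 and '-'"
    if username.startswith("-") or username.endswith("-"):
        return "begins or ends with a hyphen"
    if "--" in username:
        return "contains consecutive hyphens"
    return None


if __name__ == "__main__":
    # Constructed sample names, not taken from any real deployment.
    for name in ["alice", "a-1b", "Alice", "-alice", "al--ice", "al ice", "a" * 40]:
        print("%-42r %s" % (name, username_problem(name) or "ok"))
```

Rejecting uppercase letters outright, rather than case-folding, avoids two accounts that differ only in case being treated as distinct by one downstream system (a case-sensitive database or Kubernetes name) and as the same by another.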