Skip to content

9.1.0
Compare
Choose a tag to compare
@rra rra released this 17 Mar 19:41
· 947 commits to main since this release
9.1.0
This tag was signed with the committer’s verified signature. The key has expired.
rra Russ Allbery
GPG key ID: 7D80315C5736DE75
Expired
Learn about vigilant mode.
0a4f6b0
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.

New features

  • Gafaelfawr now supports setting API and notebook quotas in its configuration, and calculates the quota for a given user based on their group membership. This quota information is returned by the /auth/api/v1/user-info route, but is not otherwise used by Gafaelfawr (yet).
  • Server-side failures during login, such as inability to reach the authentication provider or invalid responses from the authentication provider, are now reported to Slack if a Slack webhook is configured.
  • When using an OpenID Connect authentication provider, Gafaelfawr now supports looking up the GIDs of user groups in a ForgeRock Identity Management server (specifically, in the groups collection of the freeipa component).

Bug fixes

  • Explicitly disable caching of enrollment redirects. Some browsers appear to cache 307 redirects and redirected the user back to enrollment the next time they logged in.
  • Uniformly use Cache-Control: no-cache, no-store to disable caching of errors and redirects. Previously, Gafaelfawr also added must-revalidate (but not max-age). This appears to not be necessary or useful with modern browsers.
  • Correctly expand backtraces of uncaught exceptions in Uvicorn logs.
  • Diagnose and display a proper error if the OpenID Connect token from the authentication provider contains multiple usernames.
  • Return a status code of 500 instead of 403 for server-side errors during login.
  • Errors in querying an external source of user information, such as Firestore or LDAP, are now caught in the /auth route and only logged, not reported to Slack as uncaught exceptions. The /auth route may receive multiple requests per second and should not report every error due to a possible external outage to Slack.
  • Errors in querying an external source of user information in the /auth/api/v1/user-info route are now caught, reported to Slack, and result in an orderly error message instead of an uncaught exception.
  • Set a timeout on Kubernetes watches in the Kubernetes operator to work around a Kubernetes server bug where watches of unlimited duration will sometimes go silent and stop receiving events.
  • Mark Kubernetes object parsing failures as Kopf permanent failures so that the same version of the object will not be retried. Mark Kubernetes API failures as temporary failures so that the retry schedule is configurable.

Other changes

  • Gafaelfawr now supports camel-case in its configuration file to allow using the same names for most configuration settings and Helm chart values.
  • More log messages related to retrieving user metadata, particularly those during initial login, now include the username of the user.

What's Changed

  • [neophile] Update dependencies by @sqrbot in #669
  • Bump gatsby from 5.3.3 to 5.4.2 in /ui by @dependabot in #676
  • Bump eslint-plugin-react from 7.31.11 to 7.32.1 in /ui by @dependabot in #675
  • Bump eslint from 8.31.0 to 8.32.0 in /ui by @dependabot in #674
  • Bump prettier from 2.8.2 to 2.8.3 in /ui by @dependabot in #673
  • Bump eslint-config-wesbos from 3.2.0 to 3.2.3 in /ui by @dependabot in #670
  • [neophile] Update dependencies by @sqrbot in #677
  • Bump eslint-plugin-import from 2.26.0 to 2.27.5 in /ui by @dependabot in #679
  • Bump eslint-plugin-jsx-a11y from 6.6.1 to 6.7.1 in /ui by @dependabot in #678
  • [neophile] Update dependencies by @sqrbot in #680
  • Bump gatsby from 5.4.2 to 5.5.0 in /ui by @dependabot in #684
  • Bump eslint from 8.32.0 to 8.33.0 in /ui by @dependabot in #683
  • Bump eslint-plugin-react from 7.32.1 to 7.32.2 in /ui by @dependabot in #682
  • Bump react-datepicker from 4.8.0 to 4.9.0 in /ui by @dependabot in #681
  • DM-37833: Maintenance updates by @rra in #685
  • DM-37833: Support camel-case in configuration by @rra in #686
  • [neophile] Update dependencies by @sqrbot in #687
  • Bump docker/build-push-action from 3 to 4 by @dependabot in #688
  • [neophile] Update dependencies by @sqrbot in #689
  • Bump prettier from 2.8.3 to 2.8.4 in /ui by @dependabot in #693
  • Bump gatsby from 5.5.0 to 5.6.0 in /ui by @dependabot in #692
  • Bump eslint from 8.33.0 to 8.34.0 in /ui by @dependabot in #691
  • Bump gatsby from 5.6.0 to 5.6.1 in /ui by @dependabot in #697
  • Bump python from 3.11.1-slim-bullseye to 3.11.2-slim-bullseye by @dependabot in #690
  • Bump gatsby from 5.6.1 to 5.7.0 in /ui by @dependabot in #698
  • Bump eslint from 8.34.0 to 8.35.0 in /ui by @dependabot in #699
  • DM-37833: Add basic quota support by @rra in #695
  • DM-38170: Disable caching of enrollment redirects by @rra in #700
  • [neophile] Update dependencies by @sqrbot in #701
  • Bump react-icons from 4.7.1 to 4.8.0 in /ui by @dependabot in #704
  • Bump eslint-config-prettier from 8.6.0 to 8.7.0 in /ui by @dependabot in #703
  • Bump styled-components from 5.3.6 to 5.3.8 in /ui by @dependabot in #702
  • DM-38170: Update to latest Safir and catch multiple usernames by @rra in #705
  • DM-38170: Update changelog, use Self type by @rra in #706
  • DM-37833: Add documentation for rudimentary quota support by @rra in #708
  • [neophile] Update dependencies by @sqrbot in #709
  • Bump eslint from 8.35.0 to 8.36.0 in /ui by @dependabot in #710
  • DM-38272: Improve logging and error reporting by @rra in #707
  • DM-38376: Improve Kopf configuration and error handling by @rra in #713
  • DM-38058: Add support for ForgeRock Identity Management by @rra in #712

Full Changelog: 9.0.0...9.1.0

Contributors

rra, sqrbot, and dependabot
Assets 2
Loading