Sven Haster 20/11/2024 9 min read

Topicus KeyHub 37

We are proud to announce Topicus KeyHub 37. With this release we again move closer to a full IGA suite. We're also delivering one of the last domains to be scoped to organisational units, optimize the way service accounts are provisioned and we make it easier to downscale in license features. As always, we also include many smaller improvements and fixes.


Organisational units

TKH-2803 In this release we modify SSO-applications to also be scoped to organisational units. The rules regarding SSO-applications are similar to how group-on-systems work: an SSO-application's organisational unit is determined by its owning group, and it is visible to all KeyHub groups whose organisational unit is in the subtree with the SSO-application's OU at its root.
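The visibility rule above, worked through on a small constructed OU tree. This is an added illustration, not KeyHub code; the OU names, groups and applications are made up, and the tree is modelled as a simple child-to-parent map.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample OU tree (child -> parent); None marks the root.
OU_PARENT: dict[str, Optional[str]] = {
    "Company": None,
    "Engineering": "Company",
    "Platform": "Engineering",
    "Sales": "Company",
}


@dataclass(frozen=True)
class Group:
    name: str
    ou: str  # the organisational unit the group is linked to


@dataclass(frozen=True)
class SsoApplication:
    name: str
    owner: Group

    @property
    def ou(self) -> str:
        # The application's OU is derived from its owning group, never set directly.
        return self.owner.ou


def ou_ancestors(ou: str) -> list[str]:
    """Return the OU itself followed by its parents up to the root."""
    chain: list[str] = []
    current: Optional[str] = ou
    while current is not None:
        chain.append(current)
        current = OU_PARENT[current]
    return chain


def in_subtree(ou: str, root: str) -> bool:
    """True if `ou` lies in the subtree rooted at `root` (root included)."""
    return root in ou_ancestors(ou)


def visible_to(app: SsoApplication, group: Group) -> bool:
    """A group sees the application iff the group's OU is in the subtree under the app's OU."""
    return in_subtree(group.ou, app.ou)


def visible_applications(group: Group, apps: list[SsoApplication]) -> list[str]:
    """Names of the applications a given group may see, sorted for stable output."""
    return sorted(app.name for app in apps if visible_to(app, group))
```

Note that visibility flows downward only: a group higher up the tree (for example at the root OU) does not see an application owned by a group deeper in the tree.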

TKH-2934 If a group fulfils certain special roles for an organisational unit, such as being the auditor group or the group who approves requests to delete another group linked to the OU, these roles will now be visible on the group's details page.

IGA suite improvements

In this release, we took further steps toward implementing our full IGA suite.

TKH-2989 Source directory provisioning can now also create or modify accounts, if required. This can be enabled by checking the 'Accounts writable' attribute of the corresponding provisioned system. This enables KeyHub to manage the accounts in the source directory, which is required for full IGA automation.

TKH-3062 TKH-3064 Access profiles can now be used to determine a user's source directory. This is meant to enable moving a user created by automation into the correct directory, in tandem with the above improvement to make source directories optionally writable for accounts. Additionally, access profiles can be configured to generate certain attributes for users, such as their email address, to ensure the user is correctly created on the source directory.

Service account deactivation

TKH-3059 Service accounts can now only be deleted if they've first been deactivated. Additionally, deactivating a service account now leaves it in a state where it can be re-enabled with the same credentials, rather than completely removing it from the system. This enables a two-step removal or 'cooldown' procedure to guard against inadvertent deletions with high impact. This works analogously to how user accounts are deactivated on the system.
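The two-step removal described above, modelled as a small state machine. This is an added example and not KeyHub's implementation; the `credential_id` field is a constructed stand-in for whatever credentials the account holds.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class State(Enum):
    ACTIVE = "active"
    DEACTIVATED = "deactivated"
    DELETED = "deleted"


class LifecycleError(Exception):
    """Raised when a transition is not allowed from the current state."""


@dataclass
class ServiceAccount:
    name: str
    credential_id: Optional[str]  # constructed stand-in for the account's credentials
    state: State = State.ACTIVE
    audit: list[str] = field(default_factory=list)

    def deactivate(self) -> None:
        # Step one of the cooldown: the account stops working but keeps its credentials.
        if self.state is not State.ACTIVE:
            raise LifecycleError(f"{self.name}: only an active account can be deactivated")
        self.state = State.DEACTIVATED
        self.audit.append("deactivated")

    def reactivate(self) -> None:
        # Undo the cooldown; credential_id is untouched, so existing integrations keep working.
        if self.state is not State.DEACTIVATED:
            raise LifecycleError(f"{self.name}: only a deactivated account can be re-enabled")
        self.state = State.ACTIVE
        self.audit.append("reactivated")

    def delete(self) -> None:
        # Step two: deletion is refused unless the account has already been deactivated.
        if self.state is not State.DEACTIVATED:
            raise LifecycleError(f"{self.name}: deactivate the account before deleting it")
        self.state = State.DELETED
        self.credential_id = None  # credentials are only destroyed at this point
        self.audit.append("deleted")

    def is_usable(self) -> bool:
        return self.state is State.ACTIVE and self.credential_id is not None
```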

Disabling license features

TKH-2966 When uploading a new license that contains fewer features, KeyHub will now enable you to turn off all usage of said feature in bulk. The flow will show the administrator uploading the new license an overview of all changes that would be made so they can review them and optionally decide to not apply the new license for now.

If the set of changes includes destructive changes, such as removing nesting links between groups, another KeyHub admin has to approve these changes before the new license can be applied.

Assorted improvements

The following larger and smaller improvements and bug fixes were made:

  • TKH-2467 When deleting an account, any vault records shared from that account's personal vault will now leave a copy behind, unless the share was limited in time.

  • TKH-3031 It is no longer possible to share a vault record with a vault it is already being shared with.

  • TKH-3043 Using SSO to log in to the appliance manager should no longer result in an error page directly after the successful login.

  • TKH-3049 TKH-3050 TKH-3051 TKH-3098 Most objects can now be renamed when accepting a 'create' request for that object. Examples include Groups, Groups on system, Serviceaccounts and Namespaces.

  • TKH-3065 The accounts' public SSH-keys used for provisioning will now be included in the accounts export, if present.

  • TKH-3069 We increased the timeout for database updates that are known to take significantly longer, to avoid timeout-related logspam.

  • TKH-3070 Errors during attribute script execution will no longer result in a default value of 'null', so as to avoid unwanted clearing of attributes.

  • TKH-3071 TKH-3072 We improved the reliability of determining the primary node for scheduled tasks in a cluster setup, to guarantee there's always exactly one primary. KeyHub might decide to reboot certain nodes if it detects problems with selecting such a primary.

  • TKH-3073 Handling a notification for an expired webhook certificate should now send the user to the correct page.

  • TKH-3074 We documented the query parameters used for certain export and bulk endpoints in our OpenAPI spec.

  • TKH-3075 TKH-3089 KeyHub should no longer erroneously attempt to show certain audit records the user should only be able to see with 2FA activated, if they are in the process of disabling their registered 2FA. This avoids errors on the dashboard in those situations.

  • TKH-3077 We refactored the code used to generate exports to include permission checks by default, instead of having to explicitly include them.

  • TKH-3078 Attempting to use the WebAuthn PRF extension to unlock your vaults should once again work in Chrome 129+.

  • TKH-3079 We optimized the code around a vault's metadata generation to better avoid locking errors during concurrent updates.

  • TKH-3081 Auditors should no longer get unnecessary permissions for organisational units they are auditor for via inheritance, but are not a member of themselves.

  • TKH-3082 Locks around long-running salt tasks should no longer interfere too much with short read-only salt calls, meaning less spam in the admin logs.

  • TKH-3083 We improved checks around missing or empty client secrets to avoid errors in the logs that should really just be an 'invalid credentials' error to the user.

  • TKH-3084 Invalid TOTP secrets in vault records should now be correctly handled as a validation error.

  • TKH-3087 We improved the logic surrounding a rotating password being required for provisioning to be consistent in all scenarios.

  • TKH-3090 The permissions for audit records regarding access profile administration were brought in line with other similar permissions.

  • TKH-3091 The endpoints for managing the currently logged-in user's sessions (such as 'log out all other sessions') are now open to all clients, enabling session management from apps.

  • TKH-3094 We fixed a potential clickjacking problem in our browser extension. This fix is already rolled out across all platforms.

  • TKH-3095 It should now be possible to read and write specific secrets within one vault record via the KeyHub CLI.

  • TKH-3097 Our handling of WebAuthn keys is now compatible with Bitwarden, so you can use Bitwarden to store a virtual key to use as 2FA for KeyHub.

  • TKH-3100 Rejecting a namespace creation request now correctly produces an audit record.

  • TKH-3101 The screenshot of 'your own requests' in the manual has been improved to better reflect real-world use cases.

  • TKH-3102 The interval for metric collection ('step-size') can now be configured in the appliance manager. The default is 60 seconds.

  • TKH-3103 We worked together with PGPool developers to create and apply a patch that fixes a potential race condition in database health checks, which could lead to an unstable database cluster.

  • TKH-3104 The versioning of our REST API should now correctly handle the conversion of newer subtypes to older versions, by leaving the entries empty instead of erroring.

  • TKH-3105 We documented the extra parameter for DELETE calls to the group on system endpoint in our OpenAPI spec.

Sven Haster

Developer