Emond Papegaaij 24/06/2024 8 min read

Topicus KeyHub 34

We are proud to announce Topicus KeyHub 34. This release brings more functionality to organisational units, several enhancements to metrics and OTLP, and a great number of improvements to clustering. We've also added many smaller and larger improvements throughout the entire suite.


Organisational units

Up until now, the auditing dashboards have only been available to a single group for the entire organisation. With this release, a group can be configured per organisational unit; members of that group get access to the auditor dashboards, scoped to that organisational unit and its subtree. This makes it possible to assign security officers per organisational unit while still maintaining a good global overview. In Topicus KeyHub 33 we already made the groups responsible for handling several kinds of requests configurable per organisational unit; in version 34 this also covers the password recovery fallback group.

  • TKH-2779 The password recovery fallback group is now configurable per organisational unit.

  • TKH-2780 The auditor role can now be assigned per organisational unit, giving that group access to the auditor dashboards scoped to the organisational unit.



Metrics and OTLP

With Topicus KeyHub 29 we introduced delivery of metrics via OTLP. In this release, we've put a lot of effort into making the metrics easier to use. Most notably, certificates can now be configured for the OTLP connection, both client and server certificates. Also, the discoverability of metrics has been improved substantially by registering all metrics in advance, so they are visible before the first data point is recorded. Finally, some metrics were tweaked and some additional metrics were added.

  • TKH-2879 A bug was fixed in the values reported by the provisioning_is_available metric.

  • TKH-2881 All available metrics are now published immediately. We no longer wait until the first data point is added.

  • TKH-2887 It is now possible to configure certificates for the OTLP endpoint to which metrics are sent. Also, all metrics are tagged with the hostname (URL) of the node that produced them, to make it easy to distinguish the streams.

  • TKH-2930 Metrics are no longer published for systems and directories that are not yet saved.



Clustering with high availability

We've continued our efforts to make our HA setup as reliable and easy to use as possible. Configuring the certificates used by Topicus KeyHub has always been a difficult topic, especially in a clustered setup. We've substantially improved the user interface to give better feedback about configuration problems and to prevent rolling out incorrectly configured certificates. Also, a new action was added that reboots all nodes in a cluster without noticeable downtime for users. In addition to these improvements, several other smaller improvements were made:

  • TKH-2838 An action was added to reboot all nodes in a cluster one by one, to prevent downtime.

  • TKH-2916 A filesystem snapshot is now created on all nodes during the first stages of an upgrade to allow a rollback if an error occurs during these stages.

  • TKH-2917 Error reporting in the certificate chain generation was improved.

  • TKH-2919 Certificates are now validated at multiple places to make sure all nodes in a cluster have valid certificates that match the chain.

  • TKH-2921 All nodes in a cluster now expose metrics about the state of the node and the cluster.

  • TKH-2923 Some minor errors were fixed in the scripts that control database failover.

  • TKH-2931 Pgpool now runs with Valgrind in our tests to analyze rare crashes. We'll continue to work with the developers of pgpool to get these issues fixed.
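
Certificate problems in a cluster usually come down to two questions: does a node's certificate chain to the CA chain the cluster is configured with, and is it issued for that node's hostname? The script below is an added example, not KeyHub's own validation code (the release notes do not describe how KeyHub performs its checks); it answers both questions with the openssl CLI before a certificate is rolled out to a node. The same two checks apply to the client and server certificates of the OTLP connection from the metrics section. The CA, the rogue CA, the node names and the hostnames (node1.example.test and so on) are constructed sample data, and an installed openssl binary is assumed.

```shell
#!/bin/sh
# Added example (not KeyHub code): pre-rollout check that a cluster node's
# certificate (a) chains to the configured CA and (b) is valid for the node's
# hostname. Everything under $WORK is constructed sample data.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT HUP INT TERM

# issue_cert NAME CN [CA_NAME HOSTNAME]
# Without CA_NAME a self-signed root CA is created; with it, a node
# certificate signed by that CA, carrying HOSTNAME in its SAN.
issue_cert() {
  name=$1 cn=$2 ca=${3:-} host=${4:-}
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
  if [ -z "$ca" ]; then
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
      > "$WORK/$name.ext"
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" -days 1 \
      -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" >/dev/null 2>&1
  else
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" \
      > "$WORK/$name.ext"
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$ca.pem" -CAkey "$WORK/$ca.key" \
      -CAcreateserial -days 1 -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" \
      >/dev/null 2>&1
  fi
}

# check_node_cert CERT_PEM CHAIN_PEM HOSTNAME
# Returns 0 only if the certificate may be rolled out to that node. The two
# checks are kept separate so the operator sees which one failed.
check_node_cert() {
  cert=$1 chain=$2 host=$3
  if ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
    echo "REJECT $cert: does not chain to the configured CA"
    return 1
  fi
  if ! openssl verify -CAfile "$chain" -verify_hostname "$host" "$cert" >/dev/null 2>&1; then
    echo "REJECT $cert: valid chain, but not issued for $host"
    return 1
  fi
  echo "OK $cert: chains to the configured CA and is valid for $host"
}

# Constructed sample PKI: the cluster CA, an unrelated CA, two correct node
# certificates and one "stray" certificate with the right name but the wrong issuer.
issue_cert ca       "Example Cluster CA"
issue_cert rogue-ca "Some Other CA"
issue_cert node1    node1 ca       node1.example.test
issue_cert node2    node2 ca       node2.example.test
issue_cert stray    stray rogue-ca node1.example.test

check_node_cert "$WORK/node1.pem" "$WORK/ca.pem" node1.example.test || :
check_node_cert "$WORK/node2.pem" "$WORK/ca.pem" node1.example.test || :
check_node_cert "$WORK/stray.pem" "$WORK/ca.pem" node1.example.test || :
```

Run against a real cluster, `CHAIN_PEM` would be the CA chain actually configured in the cluster and the loop would iterate over every node's certificate and hostname; a certificate that fails either check should not be rolled out, which is the class of mistake the improved UI is meant to catch.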

Assorted improvements

The following larger and smaller improvements and bug fixes were made:

  • TKH-2795 Disabling a linked system or directory now requires explicit confirmation by the user.

  • TKH-2806 Our SCIM endpoint now supports creating accounts.

  • TKH-2833 A small styling error was fixed in the notification for accepting join group requests.

  • TKH-2845 TKH-2861 Some code was removed that became redundant after the previous release.

  • TKH-2848 TKH-2849 TKH-2855 Permissions for managing webhooks, client permissions, service accounts and ownership in relation to linked systems were verified.

  • TKH-2858 It is now possible to add accounts to access profiles.

  • TKH-2866 TKH-2867 TKH-2868 TKH-2869 TKH-2870 Our testing framework was improved substantially to make tests less reliant on each other.

  • TKH-2874 Attributes were added to our OpenAPI specification to further facilitate the generation of the Terraform provider.

  • TKH-2875 TKH-2926 Two unused Docker networks inside the appliance were removed.

  • TKH-2876 Some types in the REST API were changed to reduce the amount of data being transferred with organisational units.

  • TKH-2877 Creating a support dump when a hotfix is applied no longer gives an error.

  • TKH-2878 The REST API for enabling and disabling groups is now more lenient in the time ranges it accepts.

  • TKH-2883 TKH-2922 The WildFly application server was upgraded to 32.0.1, the Java Runtime to 21 and the image is now based on Alpine Linux.

  • TKH-2884 An error was fixed when navigating back and forth between the service accounts overview page and the service account details.

  • TKH-2888 A translation error was fixed on the group details.

  • TKH-2889 A minor textual error was fixed when trying to use SSO with an application that has no groups configured for access.

  • TKH-2894 A request for a new namespace on a linked system was not always visible to the requester.

  • TKH-2901 A concurrency issue could cause a rotated password for a service account to not be written to the vault.

  • TKH-2902 The first KeyHub administrator now always gets access to the vault of the group.

  • TKH-2908 Some properties were missing in the native CLI, causing incorrect errors when a CSV could not be parsed.

  • TKH-2913 Provisioning on Active Directory now also supports universal security groups.

  • TKH-2914 Requests for vault access are now cancelled when access is automatically restored.

  • TKH-2915 When 2FA has been disabled, all functionality in KeyHub is now disabled, except for the profile page, where 2FA can be re-enabled.

  • TKH-2947 Restoring a very large backup could lead to a database with missing indexes or foreign key constraints.

  • TKH-2950 An error was fixed when performing a password recovery on an account with registered WebAuthn keys.

  • TKH-2956 Some errors were fixed in the scripts that perform snapshot restores in the case of failed updates.

  • TKH-2957 An error was fixed in the script that upgrades Salt that would cause the upgrade to fail if python-36 was installed on the system.