conjur v1.20 releases: secures secrets used by privileged users and machine identities

Conjur

Conjur provides secrets management and machine identity for modern infrastructure:

• Machine Authorization Markup Language (“MAML”), a role-based access policy language to define system components & their roles, privileges, and metadata
• A REST web service to:
  • manage identity life cycles for humans and machines
  • organize and search roles and data in your secrets infrastructure
  • authorize access to resources using a sophisticated permission model
  • store secrets and make them available securely
• Integrations throughout the cloud toolchain:
  • infrastructure as a service (IaaS)
  • configuration management
  • continuous integration and deployment (CI/CD)
  • container management and cloud orchestration

How Conjur Works

To use Conjur, you write policy files to enumerate and categorize the things in your infrastructure: hosts, images, containers, web services, databases, secrets, users, groups, etc. You also use the policy files to define role relationships, such as the members of each group, and permissions rules, such as which groups and machines can fetch each secret. The Conjur server runs on top of the policies and provides HTTP services such as authentication, permission checks, secrets, and public keys. You can also perform dynamic updates, such as changing secret values and enrolling new hosts.

Changelog v1.20

Fixed

• Allow Factories with optional variables to save without error
  cyberark/conjur#2956
• OIDC authenticators support https_proxy and HTTPS_PROXY environment variables
  cyberark/conjur#2902
• Support plural syntax for revoke and deny
  cyberark/conjur#2901

Added

• Support an optionalca-cert variable for providing custom certs/chains to verify
  OIDC providers or proxies when using the OIDC authenticator
  cyberark/conjur#2933
• New flag to conjurctl server command called --no-migrate which allows for skipping
  the database migration step when starting the server.
  cyberark/conjur#2895
• Telemetry support
  cyberark/conjur#2854
• Introduces support for Policy Factory, which enables resource creation
  through a new factories API.
  cyberark/conjur#2855
• Use base images with newer Ubuntu and UBI.
  Display FIPS Mode status in the UI (requires temporary fix for OpenSSL gem).
  cyberark/conjur#2874

Changed

• The database thread pool max connection size is now based on the number of
  web worker threads per process, rather than an arbitrary fixed number. This
  mitigates the possibility of a web worker becoming starved while waiting for
  a connection to become available.
  cyberark/conjur#2875
• Changed base-image tagging strategy
  cyberark/conjur#2926

Fixed

• Support Authn-IAM regional requests when host value is missing from signed headers.
  cyberark/conjur#2827

Security

• Support plural syntax for revoke and deny
  cyberark/conjur#2901
• Previously, attempting to add and remove a privilege in the same policy load
  resulted in only the positive privilege (grant, permit) taking effect. Now we
  fail safe and the negative privilege statement (revoke, deny) is the final
  outcome
  cyberark/conjur#2907
• Update puma to 6.3.1 to address CVE-2023-40175.
  cyberark/conjur#2925

Download && Use

Copyright (C) 2018 CyberArk