meutel/oauth2_proxy
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
80b5873a26
oauth2_proxy/CHANGELOG.md
Karl Skewes 80b5873a26 Potentially breaking change: docker user & group 
Run as non-root user and group

In the unlikely event that you are currently persisting data to disk then this
change may break file read/write access due to a change in the UID/GID that the
oauth2_proxy process runs as.

Run as non-root system user and group `oauth2proxy` with UID/GID `2000` to avoid clashing with typical local users.
An alternative to creating a separate user is to ~~chown binary and~~ run as `USER nobody`, which also works, can amend this PR if required.

Least access privileges.
Close: https://github.com/pusher/oauth2_proxy/issues/78

Locally with Docker (`-version`):
```
$ ps aux | grep oauth2
2000     25192  6.0  0.0      0     0 ?        Ds   15:53   0:00 [oauth2_proxy]
```

Running in Kubernetes 1.13 with the following also specified:
```
        securityContext:
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 10001
```
```
$ kubectl exec -it -n oauth2-proxy oauth2-proxy-85c9f58ffc-dz9lr sh
/opt $ whoami
whoami: unknown uid 10001
/opt $ ps aux
PID   USER     TIME  COMMAND
    1 10001     0:00 /opt/oauth2_proxy --whitelist-domain=.example.com --cookie-domain=example.com --email-domain=example.com --upstream=file:///dev/null --http-address=0.0.0.0:4180
   11 10001     0:00 sh
   17 10001     0:00 ps aux
```

<!--- Go over all the following points, and put an `x` in all the boxes that apply. -->
<!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! -->

- [x] My change requires a change to the documentation or CHANGELOG.
- [x] I have updated the documentation/CHANGELOG accordingly.
- [x] I have created a feature (non-master) branch for my PR.
2019-03-05 21:37:04 +13:00

77 lines
3.6 KiB
Markdown
Raw Blame History

# Vx.x.x (Pre-release)
## Changes since v3.1.0
- [#85](https://github.com/pusher/oauth2_proxy/pull/85) Potentially breaking change: docker user & group (@kskewes)
- [#68](https://github.com/pusher/oauth2_proxy/pull/68) forward X-Auth-Access-Token header (@davidholsgrove)
# v3.1.0
## Release highlights
- Introduction of ARM releases and and general improvements to Docker builds
- Improvements to OIDC provider allowing pass-through of ID Tokens
- Multiple redirect domains can now be whitelisted
- Streamed responses are now flushed periodically
## Important notes
- If you have been using [#bitly/621](https://github.com/bitly/oauth2_proxy/pull/621)
and have cookies larger than the 4kb limit,
the cookie splitting pattern has changed and now uses `_` in place of `-` when
indexing cookies.
This will force users to reauthenticate the first time they use `v3.1.0`.
- Streamed responses will now be flushed every 1 second by default.
Previously streamed responses were flushed only when the buffer was full.
To retain the old behaviour set `--flush-interval=0`.
See [#23](https://github.com/pusher/oauth2_proxy/pull/23) for further details.
## Changes since v3.0.0
- [#14](https://github.com/pusher/oauth2_proxy/pull/14) OIDC ID Token, Authorization Headers, Refreshing and Verification (@joelspeed)
- Implement `pass-authorization-header` and `set-authorization-header` flags
- Implement token refreshing in OIDC provider
- Split cookies larger than 4k limit into multiple cookies
- Implement token validation in OIDC provider
- [#15](https://github.com/pusher/oauth2_proxy/pull/15) WhitelistDomains (@joelspeed)
- Add `--whitelist-domain` flag to allow redirection to approved domains after OAuth flow
- [#21](https://github.com/pusher/oauth2_proxy/pull/21) Docker Improvement (@yaegashi)
- Move Docker base image from debian to alpine
- Install ca-certificates in docker image
- [#23](https://github.com/pusher/oauth2_proxy/pull/23) Flushed streaming responses
- Long-running upstream responses will get flushed every <timeperiod> (1 second by default)
- [#24](https://github.com/pusher/oauth2_proxy/pull/24) Redirect fix (@agentgonzo)
- After a successful login, you will be redirected to your original URL rather than /
- [#35](https://github.com/pusher/oauth2_proxy/pull/35) arm and arm64 binary releases (@kskewes)
- Add armv6 and arm64 to Makefile `release` target
- [#37](https://github.com/pusher/oauth2_proxy/pull/37) cross build arm and arm64 docker images (@kskewes)
# v3.0.0
Adoption of OAuth2_Proxy by Pusher.
Project was hard forked and tidied however no logical changes have occurred since
v2.2 as released by Bitly.
## Changes since v2.2:
- [#7](https://github.com/pusher/oauth2_proxy/pull/7) Migration to Pusher (@joelspeed)
- Move automated build to debian base image
- Add Makefile
- Update CI to run `make test`
- Update Dockerfile to use `make clean oauth2_proxy`
- Update `VERSION` parameter to be set by `ldflags` from Git Status
- Remove lint and test scripts
- Remove Go v1.8.x from Travis CI testing
- Add CODEOWNERS file
- Add CONTRIBUTING guide
- Add Issue and Pull Request templates
- Add Dockerfile
- Fix fsnotify import
- Update README to reflect new repository ownership
- Update CI scripts to separate linting and testing
- Now using `gometalinter` for linting
- Move Go import path from `github.com/bitly/oauth2_proxy` to `github.com/pusher/oauth2_proxy`
- Repository forked on 27/11/18
- README updated to include note that this repository is forked
- CHANGLOG created to track changes to repository from original fork
Reference in New Issue View Git Blame Copy Permalink