April 5, 2017
by Lindsay Hill
StackStorm 2.2.1 has been released, incorporating the usual array of improvements, bug fixes, and this time a BWC-specific security update. Read on for details.
Pack Management Fixes
- If the config schema specified default values, but you didn’t create a config in `/opt/stackstorm/configs/`, Python actions & sensors never got those default values. Whoops. Resolved. Workaround: Create a pack config file.
- The pack configs API endpoint was not working when RBAC was enabled. Fixed now.
- Config schema validation might not be performed upon registration, which could result in bad or empty config schemas. It is now working as expected.
BWC LDAP Security Fix
While working on some LDAP improvements, we found a potential security exposure in the BWC LDAP Authentication backend. If the requirements were that a user was a member of all three groups x, y, z, then BWC may have allowed access if a user was a member of only a subset of those groups – e.g. if the user was only a member of groups x and z. This has been resolved, and tests added to check for this condition in future. We encourage users to upgrade. This only affects BWC (StackStorm Enterprise) users who use LDAP, and have authentication policies that require users to be a member of multiple groups.
Miscellaneous Fixes & Improvements
- Updated `tooz` library (v1.15.0) means you can now use backends such as Consul and etcd for coordination.
- The `st2ctl reload` command now preserves the exit code from `st2-register-content`. So if your content registration fails, your scripts will properly detect it.
- Nginx has been updated to remove support for medium-strength ciphers in the default configuration. You can always add them back in, if you’re some sort of monster who only uses the StackStorm Web UI from IE 7 on Windows XP. The rest of us will happily use stronger encryption without noticing any difference.
- The `st2-run-pack-tests` tool now works directly out of box on servers where StackStorm was installed using packages. In addition to that, the tool no longer installs all the global pack dependencies when they’re already available.
As always, full details are in our Changelog.
Upcoming Releases
This will probably be the last 2.2.x version that gets shipped. We are working on 2.3 right now, which is going to include a new API (with docs!!), and LDAP group -> RBAC role synchronization. More upcoming features include the new packs view in st2web, and oauth2 support. Thanks Peter! Not sure if those last two will make it into 2.3 or the next version after, but they won’t be far away.