
Fix authentication and security CVEs on deps

@Chaffelson Chaffelson released this 10 Feb 17:42
· 38 commits to main since this release
v0.16.2
292aa1e

NOTE: If you are using a secured Registry, this release enforces access controls on the swagger interface, which nipyapi reads to determine which version of Registry is connected so that features can be enabled correctly. You may have to update your authorizations.

  • Update requirements.txt to unpin future and lxml
  • Update lxml to 4.6.2 or newer to resolve vulnerability
  • Pin watchdog to <1.0.0 per their docs to maintain Python2.7 compatibility
  • Revert 0.14.3 changes to Authentication handling which introduced basicAuth support but resulted in some NiFi connections appearing incorrectly as Anonymous
  • Added simpler basicAuth control to force it via a config switch without changing tokenAuth and other Authorization header behavior during normal usage
  • nipyapi.config.global_force_basic_auth is now available for use for this purpose
  • Secured Registry users will now require the authorization policy to retrieve the swagger so we may use it to validate which version of Registry is in use for feature enablement
  • Moved all Security controls in config.py to a common area at the foot of the file
  • Removed auth_type from security.service_login as it is now redundant
  • Added controls to handle certificate checking behavior, which has become more strict in recent versions of Python3; ssl_verify and check_hostname are now handled
  • security.set_service_auth_token now has an explicit flag for ssl host checking as well
  • Fix oversight where improved model serialisation logic was not correctly applied to Registry
  • Removed unused parameter refresh from parameters.update_parameter_context
  • Reduced unnecessary complexity in utils.dump with no change in functionality
  • Updated client gen mustache templates to reflect refactored security and api client code
  • Minor linting and docstring and codestyle improvements
  • Set pyUp to ignore Watchdog as it must stay between versions to satisfy py2 and py3 compatibility
  • If Client is not instantiated, optimistically instantiate for version checking
  • Add SOCKS proxy support
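The stricter certificate-checking behaviour mentioned above comes from the Python 3 `ssl` module itself: an `SSLContext` refuses to have `verify_mode` set to `CERT_NONE` while `check_hostname` is still enabled, so the order in which the two knobs are applied matters. The following is an added example of how a client library can map a pair of `ssl_verify` / `check_hostname` settings onto a correctly ordered `SSLContext`; it is not nipyapi's own code, and the function names `build_ssl_context` and `naive_disable_verify` are assumptions for illustration only.

```python
import ssl
from typing import Union


def build_ssl_context(ssl_verify: Union[bool, str] = True,
                      check_hostname: bool = True) -> ssl.SSLContext:
    """Build an SSLContext from library-style settings.

    ssl_verify: True  -> verify the server certificate against the system CA store
                str   -> verify against the CA bundle at that path
                False -> disable certificate verification entirely
    check_hostname: whether the certificate's subject must match the host
                    (only meaningful when ssl_verify is not False)
    """
    # create_default_context() starts secure: CERT_REQUIRED + check_hostname=True.
    ctx = ssl.create_default_context()

    if ssl_verify is False:
        # check_hostname MUST be turned off BEFORE verify_mode is relaxed;
        # recent Python 3 raises ValueError if the assignments are reversed.
        # A hostname check without certificate verification is meaningless anyway.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx

    if isinstance(ssl_verify, str):
        # Trust a specific CA bundle (e.g. an internal PKI) instead of the system store.
        ctx.load_verify_locations(cafile=ssl_verify)

    ctx.verify_mode = ssl.CERT_REQUIRED
    # Setting check_hostname is safe here because verify_mode is CERT_REQUIRED.
    ctx.check_hostname = check_hostname
    return ctx


def naive_disable_verify() -> str:
    """Show the failure mode: relaxing verify_mode first is rejected by Python 3.

    Returns the ValueError message so callers can see why the old ordering broke.
    """
    ctx = ssl.create_default_context()
    try:
        ctx.verify_mode = ssl.CERT_NONE  # still has check_hostname=True -> ValueError
    except ValueError as exc:
        return str(exc)
    return "no error"


if __name__ == "__main__":
    strict = build_ssl_context(ssl_verify=True, check_hostname=True)
    print("strict:", strict.verify_mode, strict.check_hostname)
    relaxed = build_ssl_context(ssl_verify=False)
    print("relaxed:", relaxed.verify_mode, relaxed.check_hostname)
    print("naive ordering:", naive_disable_verify())
```

The secure defaults are kept unless the caller explicitly opts out, and opting out of verification also clears the hostname check, which is the combination a library has to produce to avoid the `ValueError` on current interpreters.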