Update CHANGELOG.md and add BREAKING.md.
parent
7d639df0b6
commit
9e90662a89
|
@ -0,0 +1,42 @@
|
|||
Breaking changes
|
||||
================
|
||||
|
||||
Since Authelia is still under active development, it is subject to breaking changes. We then recommend you don't blindly use the latest
|
||||
Docker image but pick a version instead and check this file before upgrading. This is where you will get information about breaking changes and about what you should do to overcome those changes.
|
||||
|
||||
## Breaking in v3.14.0
|
||||
|
||||
### Headers in nginx configuration
|
||||
|
||||
In order to support Traefik as a third party proxy interacting with Authelia some changes had to be made
|
||||
to Authelia and the nginx proxy configuration.
|
||||
|
||||
The `Host` header is not used anymore by Authelia in any way. It was previously used to compute the url of the link that is
|
||||
sent by Authelia for confirming the identity of the user. In the new version X-Forwarded-Proto, X-Forwarded-Host
|
||||
headers are used to build the URL.
|
||||
|
||||
Authelia endpoint /api/verify does not produce the `Redirect` header containing the target URL the user is trying to visit.
|
||||
This header was used in early versions to redirect the user to the login portal providing the target URL as a query parameter.
|
||||
However this target URL can be computed automatically with the following statement:
|
||||
|
||||
set $target_url $scheme://$http_host$request_uri;
|
||||
|
||||
|
||||
## Breaking in v3.11.0
|
||||
|
||||
### ACL configuration
|
||||
|
||||
ACL definition in the configuration file has been updated to allow more authorization use cases.
|
||||
The change basically removed the three categories "any", "groups" and "users" to introduce an
|
||||
iptables-like format where the authorization policy is just an ordered list of rules with a few
|
||||
attributes among which the attribute called `subject` used to map old categories.
|
||||
|
||||
So in order to upgrade from prior version, you simply need to flatten the rules you already have and
|
||||
use the `subject` attribute to map your rules from the previous categories into the list. For `any`
|
||||
rules, just don't specify the subject attribute, this rule will then apply to any user. For group-based
|
||||
rules you can use `subject: 'group:mygroup'` where `mygroup` is the group you set authorizations for.
|
||||
For user-based rules, use `subject: 'user:myuser'` where `myuser` is the user you set authorizations for.
|
||||
|
||||
Please note that in the new system, the first matching rule applies and the next ones are not taken into
|
||||
account. If no rule apply, the default policy still applies and if no default policy is provided, the `deny`
|
||||
policy applies.
|
|
@ -1,3 +1,9 @@
|
|||
Release Notes - Version 3.14.0
|
||||
------------------------------
|
||||
* [BREAKING] Add official support for Traefik with a dedicated suite.
|
||||
* Add support for network-based ACL rules allowing to apply different authorization strategies on different networks.
|
||||
* Several bug fixes (unusual error message when using U2F, X-Forwarded-User and X-Forwarded-Groups was not propagated on bypassed endpoints).
|
||||
|
||||
Release Notes - Version 3.13.0
|
||||
------------------------------
|
||||
* Rewrite Authelia portal in Typescript.
|
||||
|
|
Loading…
Reference in New Issue