Repository: guacamole-website Updated Branches: refs/heads/master a4ac5af9e -> 81703a3c5
Add draft release notes for first RC of 0.9.14. Project: http://git-wip-us.apache.org/repos/asf/guacamole-website/repo Commit: http://git-wip-us.apache.org/repos/asf/guacamole-website/commit/226a0e54 Tree: http://git-wip-us.apache.org/repos/asf/guacamole-website/tree/226a0e54 Diff: http://git-wip-us.apache.org/repos/asf/guacamole-website/diff/226a0e54 Branch: refs/heads/master Commit: 226a0e5436ebc7efacb07abac9e9fc3ec7eb658d Parents: a4ac5af Author: Michael Jumper <[email protected]> Authored: Mon Jan 8 17:10:49 2018 -0800 Committer: Michael Jumper <[email protected]> Committed: Fri Jan 12 13:16:22 2018 -0800 ---------------------------------------------------------------------- _releases/0.9.14.md | 391 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 391 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/guacamole-website/blob/226a0e54/_releases/0.9.14.md ---------------------------------------------------------------------- diff --git a/_releases/0.9.14.md b/_releases/0.9.14.md new file mode 100644 index 0000000..87b0fd9 --- /dev/null +++ b/_releases/0.9.14.md @@ -0,0 +1,391 @@ +--- + +released: false +title: 0.9.14 +date: 2018-01-12 11:51:00 -0800 +summary: > + OpenID Connect single sign-on, SQL Server support, CAS "ClearPass", user + login/logout history, fixes and improvements for RDP, clipboard, file + transfer, and terminal emulation. + +artifact-root: "https://dist.apache.org/repos/dist/dev/"; +checksum-root: "https://dist.apache.org/repos/dist/dev/"; +download-path: "guacamole/0.9.14-RC1/" + +source-dist: + - "source/guacamole-client-0.9.14.tar.gz" + - "source/guacamole-server-0.9.14.tar.gz" + +binary-dist: + - "binary/guacamole-0.9.14.war" + - "binary/guacamole-auth-cas-0.9.14.tar.gz" + - "binary/guacamole-auth-duo-0.9.14.tar.gz" + - "binary/guacamole-auth-jdbc-0.9.14.tar.gz" + - "binary/guacamole-auth-header-0.9.14.tar.gz" + - "binary/guacamole-auth-ldap-0.9.14.tar.gz" + - "binary/guacamole-auth-noauth-0.9.14.tar.gz" + - "binary/guacamole-auth-openid-0.9.14.tar.gz" + +documentation: + "Manual" : "/doc/0.9.14/gug" + "guacamole-common" : "/doc/0.9.14/guacamole-common" + "guacamole-common-js" : "/doc/0.9.14/guacamole-common-js" + "guacamole-ext" : "/doc/0.9.14/guacamole-ext" + "libguac" : "/doc/0.9.14/libguac" + +--- + + +The 0.9.14 release features new support for OpenID Connect, SQL Server +databases, pass-through of user credentials for CAS, and tracking of user +login/logout history. Various fixes and improvements for RDP, clipboard, file +transfer, and terminal emulation have also been implemented. + +**This release contains changes which break compatibility with past releases.** +Please see the [deprecation / compatibility +notes](#deprecation--compatibility-notes) section for more information. + + +Support for OpenID Connect +-------------------------- + +OpenID Connect, a single sign-on (SSO) solution built atop the OAuth 2.0 +framework, is now supported by Guacamole as a source of user identity. Similar +to the [support for CAS added in +0.9.13-incubating](/releases/0.9.13-incubating/#support-for-cas-single-sign-on), +this new extension allows Guacamole to delegate authentication to the identity +provider implementing OpenID Connect. + +Note that this new extension only deals with determining the identity of users +that have authenticated through OpenID, and redirecting unauthenticated users +to the configured OpenID identity provider to authenticate. The details of the +connections available to each user must be provided via another extension, such +as the [database authentication](/doc/0.9.14/gug/jdbc-auth.html). + + * [GUACAMOLE-210](https://issues.apache.org/jira/browse/GUACAMOLE-210) - Add support for SSO via OpenID Connect + + +Support for SQL Server +---------------------- + +In addition to MySQL and PostgreSQL, Guacamole now supports using SQL Server as +a database backend. This support is built off the same core that drives the +MySQL and PostgreSQL support, and thus includes the same screen sharing, +administration, connection tracking, etc. features. + + * [GUACAMOLE-363](https://issues.apache.org/jira/browse/GUACAMOLE-363) - Support Microsoft SQL Server Authentication + + +CAS credential pass-through with "ClearPass" +-------------------------------------------- + +The [support for CAS added in +0.9.13-incubating](/releases/0.9.13-incubating/#support-for-cas-single-sign-on) +now supports credential pass-through using CAS' "ClearPass" feature. If the CAS +system in use has "ClearPass" enabled, and Guacamole has been provided with the +key necessary to decrypt received credentials, Guacamole will automatically +make user credentials available for inclusion within connection parameters via +the `${GUAC_USERNAME}` and `${GUAC_PASSWORD}` [parameter +tokens](/doc/0.9.14/gug/configuring-guacamole.html#parameter-tokens). + + * [GUACAMOLE-362](https://issues.apache.org/jira/browse/GUACAMOLE-362) - CAS authentication and ClearPass + + +Tracking of user login/logout history +------------------------------------- + +While Guacamole has always logged user login/logout events, overall user access +history has only been tracked at the database level on a per-connection basis. +Guacamole now provides support for tracking the times that each user logs into +or out of Guacamole, recording this information within a dedicated database +table. The last time that each user was active is also exposed within the +user administration interface, allowing inactive/stale user accounts to be +more easily identified. + + * [GUACAMOLE-394](https://issues.apache.org/jira/browse/GUACAMOLE-394) - Record user login / logout history + + +Export connection history to CSV +-------------------------------- + +For the sake of using connection history data within external tools, Guacamole +now supports exporting the connection history data shown within the +admininstration interface to a CSV file. The exported data takes the current +sort order and filter into account. + + * [GUACAMOLE-334](https://issues.apache.org/jira/browse/GUACAMOLE-334) - Provide connection history export from admin UI + + +`/etc/guacamole` as default `GUACAMOLE_HOME` +-------------------------------------------- + +Historically, `GUACAMOLE_HOME` has been a consistent source of confusion for +users, with many unnecessarily setting the `GUACAMOLE_HOME` environment +variable or going to extreme lengths to try to force the location to +`/etc/guacamole`, rather than simply using the default location. This confusion +was compounded by documentation which described `GUACAMOLE_HOME` from the +perspective of the system, rather than from the perspective of the user. + +In an effort to make things less confusing, Guacamole now includes +`/etc/guacamole` as one of the default locations of `GUACAMOLE_HOME`, and the +wording of [the documentation covering +`GUACAMOLE_HOME`](/doc/0.9.14/gug/configuring-guacamole.html#guacamole-home) +has been clarified to avoid further confusion. + + * [GUACAMOLE-335](https://issues.apache.org/jira/browse/GUACAMOLE-335) - Add /etc/guacamole to default search paths for GUACAMOLE_HOME + + +Clipboard behavior fixes +------------------------ + +Recent changes adding support for direct integration of the local clipboard +resulted in a pair of regressions which stripped newline characters from +clipboard contents and caused performance issues under Internet Explorer. These +issues have now been fixed. + + * [GUACAMOLE-128](https://issues.apache.org/jira/browse/GUACAMOLE-128) - Clipboard sharing can crash IE + * [GUACAMOLE-310](https://issues.apache.org/jira/browse/GUACAMOLE-310) - Direct clipboard integration strips newlines + + +Restoration of support for event listeners +------------------------------------------ + +In order to provide a simpler mechanism for extensions to monitor and react to +user actions, the event listener API previously provided by Guacamole has been +restored. This API had been removed as part of the the migration to a new, +self-contained format for Guacamole extensions, however the new extension +format has been augmented to allow event listeners to once again be defined. + + * [GUACAMOLE-364](https://issues.apache.org/jira/browse/GUACAMOLE-364) - Add support for authentication and tunnel event listeners + + +Connection load balancing and dynamic failover +---------------------------------------------- + +Guacamole's extension API defines the concept of "balancing groups" to cover +cases where what appears to be a single connection to a user must actually be +dynamically routed to one of several underlying ocnnections based on overall +load. Within the database authentication extension, the determination of load +has been based purely on the number of active connections to each underlying +connection. The database authentication extension has now been updated to +implement a weighted balancing algorithm, allowing the relative performance of +each connection to be manually specified or dynamically updated. + +The behavior of balancing groups within the database extension has also been +updated to allow pecific connections may also be designated as failover-only, +reserving those connections for use only if no other connections are working. + + * [GUACAMOLE-102](https://issues.apache.org/jira/browse/GUACAMOLE-102) - Load balancing based on resource + * [GUACAMOLE-317](https://issues.apache.org/jira/browse/GUACAMOLE-317) - Allow for failover-only connections + + +Docker multi-stage builds +------------------------- + +Guacamole's Docker images have been updated to leverage multi-stage builds. For +users simply pulling the Docker images from Docker Hub, this has no real effect +other than slightly smaller images. For users building the Docker images +themselves, you will now need to use a recent version of Docker CE. Older +versions of Docker lack support for multi-stage builds, and will fail to build +the images. + + * [GUACAMOLE-408](https://issues.apache.org/jira/browse/GUACAMOLE-408) - Use Docker multi-stage build to create guacamole image + * [GUACAMOLE-409](https://issues.apache.org/jira/browse/GUACAMOLE-409) - Include a Dockerfile in guacamole-manual + + +SSH/SFTP improvements +--------------------- + +Guacamole's support for SSH has been updated to include support for keep-alive +packets, allowing the connection to be kept alive despite lack of user input +when the SSH server is set to otherwise terminate such connections. Problems +with connecting to SSH servers at IPv6 addresses and with proper handling of +incorrect private keys have also been addressed. + +If SFTP is being used for file transfer, whether for SSH, VNC, or RDP, the +directory used as the top-level (root) directory can now be configured, +isolating access to a particular directory and its subdirectories +rather than exposing the entire filesystem. + + * [GUACAMOLE-203](https://issues.apache.org/jira/browse/GUACAMOLE-203) - Implementing ServerAliveInterval to keep SSH session alive + * [GUACAMOLE-303](https://issues.apache.org/jira/browse/GUACAMOLE-303) - Allow SFTP root directory to be configured + * [GUACAMOLE-396](https://issues.apache.org/jira/browse/GUACAMOLE-396) - guacd cannot connect to ssh servers with IPv6 addresses + * [GUACAMOLE-400](https://issues.apache.org/jira/browse/GUACAMOLE-400) - Connection segfaults when SSH private key fails to load + + +LDAP improvements +----------------- + +Previously, if Guacamole was configured to use LDAP for authentication, and the +LDAP server required following referrals for queries involved in Guacamole's +authentication process, authentication against LDAP would fail. This issue has +been addressed, and Guacamole can now be configured to follow LDAP referrals. + +An issue with handling of database account restrictions when users are +authenticated through LDAP has also been addressed. As long as the database +authentication is configured to require database accounts for all users, +database-specific access restrictions will be enforced. + + * [GUACAMOLE-243](https://issues.apache.org/jira/browse/GUACAMOLE-243) - LDAP auth fails when search results include an LDAP referral + * [GUACAMOLE-284](https://issues.apache.org/jira/browse/GUACAMOLE-284) - Database "Account Restrictions" not applied when using LDAP + + +Fixes for CAS support +--------------------- + +With the recent addition of support for single sign-on using CAS, it was +discovered that the `${GUAC_USERNAME}` parameter token will not be populated in +cases where the user was authenticated against the CAS extension. This has now +been fixed, and the `${GUAC_USERNAME}` token will always be populated for all +users that have successfully authenticated through any mechanism. + +Issues with the behavior of the Guacamole settings/preferences screen when the +CAS extension is installed, and with overall error handling and logging with +respect to CAS, have also been addressed. The settings/preferences screen +should now function normally, and errors from the CAS server should now be +correctly logged. + + * [GUACAMOLE-341](https://issues.apache.org/jira/browse/GUACAMOLE-341) - GUAC_USERNAME token not defined if using SSO + * [GUACAMOLE-355](https://issues.apache.org/jira/browse/GUACAMOLE-355) - CAS Module Missing Error Handling + * [GUACAMOLE-358](https://issues.apache.org/jira/browse/GUACAMOLE-358) - CAS Authentication issue handling sessions + + +Extension hooks for logout and shutdown +--------------------------------------- + +Functions which are invoked upon user logout, session expiration, and/or server +shutdown have been added to the applicable interfaces of the Guacamole +extension API, allowing extensions to hook into these events to handle cleanup +of resources, synchronization of user signout, etc. + +Note that because these new functions are defined at the interface level, all +extensions which implement these interfaces will need to implement these +functions. Please see the [deprecation / compatibility +notes](#deprecation--compatibility-notes) section for more information. + + * [GUACAMOLE-393](https://issues.apache.org/jira/browse/GUACAMOLE-393) - Allow extensions to hook into logout / server shutdown + + +Restoration of Windows support for libguac +------------------------------------------ + +Although guacd has hard dependencies on Linux- or UNIX-specific features, +Guacamole historically supported Windows builds at least at the library level. +This support continued until recently, when changes resulted in libguac failing +to build on Windows platforms. Support for Windows builds of libguac has now +been restored, allowing development of Windows applications which leverage the +Guacamole protocol. + + * [GUACAMOLE-325](https://issues.apache.org/jira/browse/GUACAMOLE-325) - Restore Windows compatibility for libguac / libguacd + * [GUACAMOLE-337](https://issues.apache.org/jira/browse/GUACAMOLE-337) - Move libguacd functionality into libguac + + +Miscellaneous fixes/improvements +-------------------------------- + +Among several other minor changes and fixes, this latest release of Guacamole +also addresses several low-impact memory leaks within guacamole-server, adds +support for redefining the terminal color palette SSH and telnet through the +console codes used by xterm, and fixes the behavior of file downloads for RDP +where the desired file contains multiple alternative streams. + + * [GUACAMOLE-279](https://issues.apache.org/jira/browse/GUACAMOLE-279) - Add support for redefining the terminal color palette + * [GUACAMOLE-326](https://issues.apache.org/jira/browse/GUACAMOLE-326) - Alternative streams on Windows 10 result in multiple file downloads + * [GUACAMOLE-328](https://issues.apache.org/jira/browse/GUACAMOLE-328) - Documentation omits that libssl is required for ssh support + * [GUACAMOLE-338](https://issues.apache.org/jira/browse/GUACAMOLE-338) - Always display selected connections/groups within admin UI + * [GUACAMOLE-339](https://issues.apache.org/jira/browse/GUACAMOLE-339) - Add Remote Host IP to Guacamole Connection History table + * [GUACAMOLE-345](https://issues.apache.org/jira/browse/GUACAMOLE-345) - Ensure SQL scripts are compatible with PostgreSQL 8 + * [GUACAMOLE-346](https://issues.apache.org/jira/browse/GUACAMOLE-346) - Improve performance of in-browser recording playback + * [GUACAMOLE-357](https://issues.apache.org/jira/browse/GUACAMOLE-357) - Update documentation for libjpeg-turbo dependency with respect to Ubuntu + * [GUACAMOLE-383](https://issues.apache.org/jira/browse/GUACAMOLE-383) - Failures to open guacd.conf, read RDP clipboard data, or load terminal font may leak memory + * [GUACAMOLE-385](https://issues.apache.org/jira/browse/GUACAMOLE-385) - HTTP tunnel uses incorrect content type for write operations + * [GUACAMOLE-391](https://issues.apache.org/jira/browse/GUACAMOLE-391) - guacd_conf_load() leaks structure if config file fails to parse + * [GUACAMOLE-395](https://issues.apache.org/jira/browse/GUACAMOLE-395) - User "expired" column not actually queried for MySQL + * [GUACAMOLE-398](https://issues.apache.org/jira/browse/GUACAMOLE-398) - guac_common_ssh_create_session() potentially leaks address info + * [GUACAMOLE-402](https://issues.apache.org/jira/browse/GUACAMOLE-402) - Out-of-tree build doesn't compile + * [GUACAMOLE-411](https://issues.apache.org/jira/browse/GUACAMOLE-411) - guacd_send_fd call's sendmsg with uninitialized buffer + + +Deprecation / Compatibility notes +================================= + +As of 0.9.14, the following changes have been made which affect compatibility +with past releases: + + +Database schema changes +----------------------- + +The MySQL and PostgreSQL schemas have changed, adding new columns to the +`guacamole_connection` table for specifying connection weight (for use in +weighted balancing) and for designating connections as failover-only, adding a +new column to `guacamole_connnection_history` for tracking the remote address +of each connecting user, and adding a new `guacamole_user_history` table for +tracking user login and logout. + +Users of the database authentication will need to run the +`upgrade-pre-0.9.14.sql` script specific to their chosen database. + +Extension API changes +--------------------- + +### Session and server shutdown hooks + +The +[`AuthenticatedUser`](/doc/0.9.14/guacamole-ext/org/apache/guacamole/net/auth/AuthenticatedUser.html) +and +[`UserContext`](/doc/0.9.14/guacamole-ext/org/apache/guacamole/net/auth/UserContext.html) +interfaces now define an `invalidate()` function which is invoked when the +associated user session is being terminated due to logout, expiration, or +server shutdown. Because these new functions are defined at the +interface level, implementations of these interfaces will now need to define +these functions: + + * [`AuthenticatedUser.invalidate()`](/doc/0.9.14/guacamole-ext/org/apache/guacamole/net/auth/AuthenticatedUser.html#invalidate--) + * [`UserContext.invalidate()`](/doc/0.9.14/guacamole-ext/org/apache/guacamole/net/auth/UserContext.html#invalidate--) + +Similarly, the +[`AuthenticationProvider`](/doc/0.9.14/guacamole-ext/org/apache/guacamole/net/auth/AuthenticationProvider.html) +interface now defines a `shutdown()` +function which is invoked upon server shutdown. As with the new `invalidate()` +function, this function is defined at the interface level and will need to be +implemented by all classes implementing `AuthenticationProvider`: + + * [`AuthenticationProvider.shutdown()`](/doc/0.9.14/guacamole-ext/org/apache/guacamole/net/auth/AuthenticationProvider.html#shutdown--) + +### Deprecation of `ConnectionRecordSet` + +The +[`ConnectionRecordSet`](/doc/0.9.14/guacamole-ext/org/apache/guacamole/net/auth/ConnectionRecordSet.html) +interface and +[`SimpleConnectionRecordSet`](/doc/0.9.14/guacamole-ext/org/apache/guacamole/net/auth/simple/SimpleConnectionRecordSet.html) +class have been deprecated, replaced by the more generic +[`ActivityRecordSet`](/doc/0.9.14/guacamole-ext/org/apache/guacamole/net/auth/ActivityRecordSet.html) +interface and +[`SimpleActivityRecordSet`](/doc/0.9.14/guacamole-ext/org/apache/guacamole/net/auth/simple/SimpleActivityRecordSet.html) +class. Extensions using the old interface or class will continue to build, but +should be migrated over to the newer API as soon as possible. + +### Additional history functions for `Connection` and `User` + +The +[`Connection`](/doc/0.9.14/guacamole-ext/org/apache/guacamole/net/auth/Connection.html) +and +[`User`](/doc/0.9.14/guacamole-ext/org/apache/guacamole/net/auth/User.html) +interfaces now define essentially the same pair of +`getLastActive()` and `getHistory()` functions, as both types of objects now +have associated history within the extension API. For `Connection`, the only +new function here is `getLastActive()`: + + * [`Connection.getLastActive()`](/doc/0.9.14/guacamole-ext/org/apache/guacamole/net/auth/Connection.html#getLastActive--) + +History tracking of users is entirely +new, however, and implementations of `User` will need to define both functions: + + * [`User.getHistory()`](/doc/0.9.14/guacamole-ext/org/apache/guacamole/net/auth/User.html#getHistory--) + * [`User.getLastActive()`](/doc/0.9.14/guacamole-ext/org/apache/guacamole/net/auth/User.html#getLastActive--) + +Note that extensions are not required to implement history tracking; if the +extension will not implement or expose such tracking, the implementations of +these functions can simply return nothing. +
