New Conjur CLI v4.29.0 Release

February 11, 2016 | DevOps | Dustin Collins

Earlier this week we released a new version of the Conjur CLI. You can download it now from the Conjur developer site.

Conjur CLI v4.29.0 contains many new features and bugfixes. This update takes advantage of several new features in Conjur v4.6.0, also released this week.


Here are the highlights:

Rotate API keys more easily

User and host API keys can now be rotated from the CLI. You no longer need access to a Conjur server to refresh API keys or reset user passwords. New API keys are randomly generated.

$ conjur user rotate_api_key --user vincent.cruz
168cn7m1edk95c343z60m2rgjgaa2b2sz164wg60v1v8jkv92z2h64q

$ conjur host rotate_api_key --host prod/redis/redis004
kynrha2kt3cwedky95t2ere7wfbe0b6333qrf4qv39nhg38sndzp

Set expiration timestamps on variables

Variables can now be set to expire. Once a variable has expired, it can no longer be used and a new value must be added. All expiration events are recorded in the audit log. This feature requires Conjur v4.6.0 or newer.

$ conjur variable expire --days 90 prod/docker-registry/ssl-cert
{
  "id": "prod/docker-registry/ssl-cert",
  "resource_identifier": "conjurops:variable:prod/docker-registry/ssl-cert",
  "expiration/timestamp": "2016-05-09T22:11:32Z"
}

# Show me the variables that expire within the next 100 days
$ conjur variable expirations --days 100
[
  {
    "id": "conjurops:variable:prod/docker-registry/ssl-cert",
    ...
  }
]

Whitelist access to Conjur by IP range

User and host access to Conjur can now be restricted by one or more CIDR ranges. In short, if you set an IP range for a user or host, they can only contact your Conjur environment from that range. CIDR limiting also works with host factory tokens, making them more secure.

# Restrict user access by company subnet
$ conjur user update --cidr 257.32.12.0/32 vincent.cruz
User updated

# Restrict host access by VPC subnet
$ conjur host update --cidr 10.10.1.0/32 prod/redis/redis004
Host updated

# Restrict host factory token usage by VPC subnet
$ conjur hostfactory tokens create --cidr 10.10.1.0/32 prod/redis-factory
[
  {
    "token": "2sp6r1e0zjf0gjqwa01mq7xe9mqtt95nc9f6v6gc7rbbp7rg3",
    "expiration": "2016-02-11T16:52:14+00:00",
    "cidr": [
      "10.10.1.0/32"
    ]
  }
]
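
A pre-flight check for values passed to --cidr, written here as an added Python example (not part of the Conjur CLI or the original post). It assumes standard CIDR semantics as implemented by Python's ipaddress module; check_cidr and allowed are hypothetical helper names. Run over the ranges in the commands above, it shows that a /32 matches a single address and that 257.32.12.0 does not parse as an IPv4 address.

```python
import ipaddress


def check_cidr(value):
    """Return (network, warnings) for a --cidr value; network is None if unparsable."""
    warnings = []
    try:
        net = ipaddress.ip_network(value, strict=True)
    except ValueError:
        try:
            # Host bits set (e.g. 10.10.1.7/24): parse loosely and report it.
            net = ipaddress.ip_network(value, strict=False)
            warnings.append(f"host bits set; the enclosing network is {net}")
        except ValueError as exc:
            return None, [f"not a valid CIDR range: {exc}"]
    if net.num_addresses == 1:
        warnings.append("matches exactly one address, not a subnet")
    if net.prefixlen == 0:
        warnings.append("matches every address; no restriction at all")
    return net, warnings


def allowed(client_ip, cidrs):
    """True if client_ip falls inside at least one parsable range in cidrs."""
    ip = ipaddress.ip_address(client_ip)
    nets = [check_cidr(c)[0] for c in cidrs]
    return any(n is not None and ip.version == n.version and ip in n for n in nets)


if __name__ == "__main__":
    # First two ranges are the ones written in the commands above;
    # the last two are constructed for comparison.
    samples = ["257.32.12.0/32", "10.10.1.0/32", "10.10.1.0/24", "10.10.1.7/24"]
    for s in samples:
        net, warns = check_cidr(s)
        print(f"{s:18} -> {net}  {warns or 'ok'}")
    # Constructed client address inside the 10.10.1.0/24 subnet.
    print("10.10.1.25 allowed by /32:", allowed("10.10.1.25", ["10.10.1.0/32"]))
    print("10.10.1.25 allowed by /24:", allowed("10.10.1.25", ["10.10.1.0/24"]))
```

Running a check like this before `conjur user update --cidr` or `conjur host update --cidr` catches a range that would lock out every address except one.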

Check server health and version info

You can now check the health of any node in your Conjur environment from the CLI (and API). Conjur service version information is now available as well.

# Checking the health of the Conjur master
$ conjur server health
{
  "services": {
    "host-factory": "ok",
    "pubkeys": "ok",
    "authn": "ok",
    "audit": "ok",
    "core": "ok",
    "authz": "ok",
    "ldap": "ok",
    "expiration": "ok",
    "ok": true
  },
  "database": {
    "ok": true,
    "connect": {
      "main": "ok"
    },
    "replication_status": {
      "pg_current_xlog_location": "0/1E3E6A0",
      "pg_current_xlog_location_bytes": 31712928
    }
  },
  "ok": true
}

# View the installed version of the CLI and Conjur server
$ conjur version
Conjur client version 4.29.0
Conjur appliance version: 4.6.0-200-g84ad06c
Conjur service versions:
audit: 4.6.0-21-g2235f6e
authn: 4.6.0-40-ge3e4255
authn-ldap: 0.4.0-9-gf70b32e
authn-tv: 4.6.0-38-ge4df928
authz: 4.6.0-5-gdd22bca
cli: 4.29.0-dev-94-ga4757fe
core: 4.6.0-15-gfa546f0
evoke: 4.7.1-30-g9b17039
expiration: 0.2.1-50-g0ca4bde
host-factory: 4.6.0-47-gaf3b9a1
ldap-server: 4.6.0-19-ga7002c9
pubkeys: 4.6.0-7-g0ca60a4

View the CHANGELOG on GitHub for a full list of changes. The CLI reference page contains full details for each new command. All new features also have corresponding routes in the Conjur API.

Download the new CLI, try it out, and let us know what you think!