Update CHANGELOG.md and add BREAKING.md.

This commit is contained in:
Clement Michaud 2019-04-16 22:53:42 +02:00
parent 7d639df0b6
commit 9e90662a89
2 changed files with 48 additions and 0 deletions

42
BREAKING.md Normal file
View File

@ -0,0 +1,42 @@
Breaking changes
================
Since Authelia is still under active development, it is subject to breaking changes. We then recommend you don't blindly use the latest
Docker image but pick a version instead and check this file before upgrading. This is where you will get information about breaking changes and about what you should do to overcome those changes.
## Breaking in v3.14.0
### Headers in nginx configuration
In order to support Traefik as a third party proxy interacting with Authelia some changes had to be made
to Authelia and the nginx proxy configuration.
The `Host` header is not used anymore by Authelia in any way. It was previously used to compute the url of the link that is
sent by Authelia for confirming the identity of the user. In the new version X-Forwarded-Proto, X-Forwarded-Host
headers are used to build the URL.
Authelia endpoint /api/verify does not produce the `Redirect` header containing the target URL the user is trying to visit.
This header was used in early versions to redirect the user to the login portal providing the target URL as a query parameter.
However this target URL can be computed automatically with the following statement:
set $target_url $scheme://$http_host$request_uri;
## Breaking in v3.11.0
### ACL configuration
ACL definition in the configuration file has been updated to allow more authorization use cases.
The change basically removed the three categories "any", "groups" and "users" to introduce an
iptables-like format where the authorization policy is just an ordered list of rules with a few
attributes among which the attribute called `subject` used to map old categories.
So in order to upgrade from prior version, you simply need to flatten the rules you already have and
use the `subject` attribute to map your rules from the previous categories into the list. For `any`
rules, just don't specify the subject attribute, this rule will then apply to any user. For group-based
rules you can use `subject: 'group:mygroup'` where `mygroup` is the group you set authorizations for.
For user-based rules, use `subject: 'user:myuser'` where `myuser` is the user you set authorizations for.
Please note that in the new system, the first matching rule applies and the next ones are not taken into
account. If no rule apply, the default policy still applies and if no default policy is provided, the `deny`
policy applies.

View File

@ -1,3 +1,9 @@
Release Notes - Version 3.14.0
------------------------------
* [BREAKING] Add official support for Traefik with a dedicated suite.
* Add support for network-based ACL rules allowing to apply different authorization strategies on different networks.
* Several bug fixes (unusual error message when using U2F, X-Forwarded-User and X-Forwarded-Groups was not propagated on bypassed endpoints).
Release Notes - Version 3.13.0
------------------------------
* Rewrite Authelia portal in Typescript.