| --- |
| layout: docs |
| page_title: Upgrading to Vault 1.2.0 - Guides |
| description: |- |
| This page contains the list of deprecations and important or breaking changes |
| for Vault 1.2.0. Please read it carefully. |
| --- |
| |
| # Overview |
| |
| This page contains the list of deprecations and important or breaking changes |
| for Vault 1.2.0 compared to 1.1.0. Please read it carefully. |
| |
| ## Known issues |
| |
| ### AppRole upgrade issue |
| |
| Due to a bug, on upgrade AppRole roles cannot be read properly. If using AppRole, do not upgrade until this issue is fixed in 1.2.1. |
| |
| ## Changes/Deprecations |
| |
| ### Path character handling |
| |
| Due to underlying changes in Go's runtime past version 1.11.5, Vault is now |
| stricter about what characters it will accept in path names. Whereas before it |
| would filter out unprintable characters (and this could be turned off), control |
| characters and other invalid characters are now rejected within Go's HTTP |
| library before the request is passed to Vault, and this cannot be disabled. To |
| continue using these (e.g. for already-written paths), they must be properly |
| percent-encoded (e.g. `\r` becomes `%0D`, `\x00` becomes `%00`, and so on). |
| |
| ### AWSKMS seal region |
| |
| The user-configured regions on the AWSKMS seal stanza will now be preferred |
| over regions set in the enclosing environment. |
| |
| ### Audit logging of empty values |
| |
| All values in audit logs now are omitted if they are empty. This helps reduce |
| the size of audit log entries by not reproducing keys in each entry that |
| commonly don't contain any value, which can help in cases where audit log |
| entries are above the maximum UDP packet size and others. |
| |
| ### Rollback logging |
| |
| Rollback will no longer display log messages when it runs; it will only display |
| messages if an error occurs. |
| |
| ### Database plugins |
| |
| Database plugins now default to 4 max open connections rather than 2. This |
| should be safe in nearly all cases and fixes some issues where a single |
| operation could fail with the default configuration because it needed three |
| connections just for that operation. However, this could result in an increase |
| in held open file descriptors for each database configuration, so ensure that |
| there is sufficient overhead. |
| |
| ### AppRole various changes |
| |
| - AppRole uses new, common token fields for values that overlap with other auth |
| methods. `period` and `policies` will continue to work, with priority being |
| given to the `token_` prefixed versions of these fields, but the values for |
| those will only be returned on read if they were set initially. |
| - `default` is no longer automatically added to policies after submission. It |
| was a no-op anyways since Vault's core would always add it, and changing this |
| behavior allows AppRole to support the new `token_no_default_policy` |
| parameter |
| - The long-deprecated `bound_cidr_list` is no longer returned when reading a |
| role. |
| |
| ### Token store roles changes |
| |
| Token store roles use new, common token fields for the values that overlap with |
| other auth backends. `period`, `explicit_max_ttl`, and `bound_cidrs` will |
| continue to work, with priority being given to the `token_` prefixed versions |
| of those parameters. They will also be returned when doing a read on the role |
| if they were used to provide values initially; however, in Vault 1.4 if |
| `period` or `explicit_max_ttl` is zero they will no longer be returned. |
| (`explicit_max_ttl` was already not returned if empty.) |
| |
| ### Go API/SDK changes |
| |
| Vault now uses Go's official dependency management system, Go Modules, to |
| manage dependencies. As a result to both reduce transitive dependencies for API |
| library users and plugin authors, and to work around various conflicts, we have |
| moved various helpers around, mostly under an `sdk/` submodule. A couple of |
| functions have also moved from plugin helper code to the `api/` submodule. If |
| you are a plugin author, take a look at some of our official plugins and the |
| paths they are importing for guidance. |
| |
| ### Change in LDAP group CN handling |
| |
| A bug fix put in place in Vault 1.1.1 to allow group CNs to be found from an |
| LDAP server in lowercase `cn` as well as uppercase `CN` had an unintended |
| consequence. If prior to that a group used `cn`, as in `cn=foo,ou=bar` then the |
| group that would need to be put into place in the LDAP plugin to match against |
| policies is `cn=foo,ou=bar` since the CN would not be correctly found. After |
| the change, the CN was correctly found, but this would result in the group name |
| being parsed as `foo` and would not match groups using the full DN. In 1.1.5+, |
| there is a boolean config setting `use_pre111_group_cn_behavior` to allow |
| reverting to the old matching behavior; we also attempt to upgrade exiting |
| configs to have that defaulted to true. |
| |
| ### JWT/OIDC plugin |
| |
| Logins of role_type "oidc" via the /login path are no longer allowed. |
| |
| ### ACL wildcards |
| |
| New ordering put into place in Vault 1.1.1 defines which policy wins when there |
| are multiple inexact matches and at least one path contains `+`. `+*` is now |
| illegal in policy paths. The previous behavior simply selected any matching |
| segment-wildcard path that matched. |
| |
| ### Replication |
| |
| Due to technical limitations, mounting and unmounting was not previously |
| possible from a performance secondary. These have been resolved, and these |
| operations may now be run from a performance secondary. |
