
0.12.0 / 2016-06-30

@GUI GUI released this 30 Jun 14:39

This update brings a variety of fixes and new features. A few potential security issues are also addressed. Upgrading is recommended.

Special thanks to @ThibautGery and @shaliko for their contributions to this release, and to anyone else reporting issues!

Upgrade Instructions

If you're upgrading a previous API Umbrella version, you may upgrade the api-umbrella package using your package manager.

Compatibility Notes: There are two small changes in how the raw analytics data is stored in v0.12.0. This should only be relevant if you were querying the Elasticsearch analytics database directly (not via the admin UI or APIs) and interacting with the request_at or request_query fields. See the "Changed" section below for more details. Otherwise, v0.12.0 should be fully backwards compatible.

Added

  • E-mail notification to admins on new API key signups: You may optionally notify specified e-mail addresses whenever users sign up for an API key. (#246, @ThibautGery)
  • Elasticsearch 2 compatibility: API Umbrella continues to bundle Elasticsearch 1.7 as the default version, but it now offers compatibility with external Elasticsearch 2 instances. (#253, @ThibautGery)
  • Allow limited admins to create new groups or sub-scopes: Non-superuser admins may now create additional groups or API scopes underneath their current permissions. (#238, api.data.gov#135, api.data.gov#339)
  • Improve navigation of admin accounts in the admin interface: When viewing or editing Admin Groups, the members of each admin group are displayed. (api.data.gov#256)
  • Ubuntu 16.04 Packages: Binary packages are now available for Ubuntu 16.04. (09f8f3c)
  • Run web-app tests in Docker: The test suite for the web-app component may be run with Docker. (#243, @ThibautGery)
  • Experimental support of Hadoop/Kylin-based analytics: Initial support has been added to optionally store the analytics data in Hadoop and query from Kylin. This offers an alternative to Elasticsearch for analytics that can scale to larger capacities in a more efficient manner. (#227, api.data.gov#235)

Changed

  • Analytics timestamps now reflect the ending time of the request: The request_at timestamp logged in the analytics database now reports the time the request ended, rather than when the request began. (#251)
  • Analytics fields no longer contain dots: To prepare for Elasticsearch 2 upgrades, the request_query field in Elasticsearch may no longer contain dots/periods. (#253)
  • Better SSL defaults and more configurable settings: If using API Umbrella for SSL, the default SSL settings have been improved. The defaults can also now be customized via the API Umbrella configuration file. (#240, @shaliko)
  • Switch internal log collecting process: The internal process used for buffering and transmitting log data for analytics storage has been switched from Heka to rsyslog. (#227)
  • Switch to CMake based builds: For better maintainability of the build process, CMake is now used. (#226)
  • Linting changes for shell scripts: Shell scripts used throughout the project now have a more consistent style, and any issues around variable quoting should be fixed. (#237)
  • Upgrade bundled software dependencies:
    • Elasticsearch 1.7.4 -> 1.7.5
    • MongoDB 3.0.8 -> 3.0.12
    • OpenResty 1.9.7.4 -> 1.9.15.1 (Security updates: CVE-2016-4450)
    • Ruby 2.2.4 -> 2.2.5
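The request_query change above exists because Elasticsearch 2 rejects field names that contain dots, so every analytics record has to be rewritten before it is indexed. The following is an added example (not API Umbrella's own code) of such a rewrite: a recursive pass over a nested record that replaces dots in keys and disambiguates keys that would otherwise collide. The replacement character, the collision handling and the sample record are assumptions made for this example.

```ruby
# Added example, not code from API Umbrella. Rewrites every key of a nested
# analytics record so that no key contains a dot, which Elasticsearch 2
# rejects as a field name. Returns a new structure; the input is not mutated.
# Assumptions for this example: dots become "_" and colliding keys get a
# numeric suffix instead of silently overwriting each other.
def sanitize_field_names(value, replacement: "_")
  case value
  when Hash
    value.each_with_object({}) do |(key, v), out|
      base = key.to_s.tr(".", replacement)
      new_key = base
      n = 1
      # "a.b" and "a_b" in the same document would both map to "a_b";
      # keep both values under distinct names.
      while out.key?(new_key)
        n += 1
        new_key = "#{base}#{replacement}#{n}"
      end
      out[new_key] = sanitize_field_names(v, replacement: replacement)
    end
  when Array
    value.map { |v| sanitize_field_names(v, replacement: replacement) }
  else
    value
  end
end

# Lists the paths of all keys that still contain a dot, so a record can be
# checked before it is sent to the cluster.
def dotted_keys(value, path = [])
  case value
  when Hash
    value.flat_map do |k, v|
      here = k.to_s.include?(".") ? [(path + [k.to_s]).join("/")] : []
      here + dotted_keys(v, path + [k.to_s])
    end
  when Array
    value.flat_map { |v| dotted_keys(v, path) }
  else
    []
  end
end

# Constructed sample record shaped like a request_query sub-document whose
# parameter names happen to contain dots (values are made up).
SAMPLE_RECORD = {
  "request_at" => "2016-06-30T14:39:00Z",
  "request_query" => {
    "user.id" => "42",
    "filter.date.from" => "2016-01-01",
    "page" => "1",
  },
}

if __FILE__ == $PROGRAM_NAME
  require "json"
  puts "dotted keys before: #{dotted_keys(SAMPLE_RECORD).inspect}"
  puts JSON.pretty_generate(sanitize_field_names(SAMPLE_RECORD))
end
```

Because the rewrite changes field names, anything that queried the old dotted names directly against Elasticsearch (the compatibility note at the top of this release) must be updated to the new names as well.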

Fixed

  • Fix admin searches involving special characters: If using the search tools in the admin, searching for special characters did not behave as expected. (api.data.gov#334)
  • Fix "unexpected error" message when publishing with empty selection: If you tried to publish API Backend changes without selecting any changes to publish, you received an "unexpected error" message. (api.data.gov#307)
  • Fix listing of website backends being visible to all admins: Non-superuser admin accounts could view the complete listing of Website Backends in the database, even if they did not have permission to edit the website backend. (api.data.gov#261)
  • Fix running feature tests on non-English computers: Some browser integration tests in the web-app component would fail if running the tests from a non-English computer. (#242)
  • Fix potential load conflicts if the system has other Lua libraries installed: If the system running API Umbrella also has other Lua libraries installed in system-wide locations, conflicts could occur when API Umbrella tried to load its own dependencies. (#250)
  • Fix potential for negative TTLs when distributing rate limit info: If API Umbrella is operating in a cluster, unexpected negative TTLs could be calculated when distributing rate limit information among the servers in the cluster. (api.data.gov#335)
  • Fix the GeoIP data updater downloading too frequently on restarts: If API Umbrella was manually restarted, the GeoIP data could be re-downloaded more frequently than needed. (38d4654)
  • Fix running tests in NodeJS v0.10.42+: Some UTF-8 integration tests would fail if running the integration test suite in NodeJS v0.10.42 or higher. (2a329ad)
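The negative-TTL item above describes a failure mode worth seeing concretely. When rate-limit counters are shared between cluster members, each counter carries how long it is still valid; if the receiver derives that lifetime from the window's end time and its own clock, a counter that arrives after its window has already closed yields a negative number, and handing a negative expiry to a cache is either an error or an unintended "never expire". The following is an added example (not API Umbrella's own code) that models this with fixed time windows; the window arithmetic and the sample counters are assumptions made for this example.

```ruby
# Added example, not code from API Umbrella. A fixed-window rate-limit bucket:
# hits counted within [window_start, window_start + duration), epoch seconds.
RateLimitBucket = Struct.new(:key, :window_start, :duration, :hits)

# The naive calculation: seconds until the window closes. Goes negative for a
# bucket whose window already ended on the receiver's clock (clock skew or a
# delayed delivery both produce this).
def naive_remaining_ttl(bucket, now)
  bucket.window_start + bucket.duration - now
end

# The clamped calculation: a window that has already closed is reported as 0,
# so callers can discard the stale bucket rather than store it with a
# negative expiry.
def remaining_ttl(bucket, now)
  [naive_remaining_ttl(bucket, now), 0].max
end

# Merge counters received from peers into the local store (key => hits),
# skipping any whose window is already over. Returns the updated store.
def merge_remote_buckets(store, buckets, now)
  buckets.each do |bucket|
    next if remaining_ttl(bucket, now).zero?  # stale: would have been a negative TTL
    store[bucket.key] = (store[bucket.key] || 0) + bucket.hits
  end
  store
end

# Constructed sample: the receiving server's clock and three buckets it got
# from peers for the same key and a 60-second window (values are made up).
SAMPLE_NOW = 1_467_297_590
SAMPLE_BUCKETS = [
  RateLimitBucket.new("apikey:abc:60s", 1_467_297_540, 60, 4), # current window, 10 s left
  RateLimitBucket.new("apikey:abc:60s", 1_467_297_540, 60, 3), # same window, another peer
  RateLimitBucket.new("apikey:abc:60s", 1_467_297_420, 60, 9), # window closed 110 s ago
]

if __FILE__ == $PROGRAM_NAME
  SAMPLE_BUCKETS.each do |b|
    puts "#{b.key} naive=#{naive_remaining_ttl(b, SAMPLE_NOW)} clamped=#{remaining_ttl(b, SAMPLE_NOW)}"
  end
  puts merge_remote_buckets({}, SAMPLE_BUCKETS, SAMPLE_NOW).inspect
end
```

The stale bucket is dropped rather than merged: counting hits from a window that has already closed would both over-limit the client and, with the naive TTL, store the merged value with a negative lifetime.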

Security

  • Fix potential security issue if limited admins had knowledge of internal record UUIDs: If non-superuser admins knew the random UUIDs of records they did not have permission to access, they could potentially overwrite those records. (#238)
  • Fix possibility of admins abusing regex searches: Admins could search for regular expressions, allowing for regular expression denial of service. (api.data.gov#334)
  • Fix listing of website backends being visible to all admins: Non-superuser admin accounts could view the complete listing of Website Backends in the database, even if they did not have permission to edit the website backend. (api.data.gov#261)
  • Updated bundled dependencies:
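The three admin-side items in this section share a theme: knowing that a record exists (or its UUID) is not the same as being allowed to see or change it, and text an admin types into a search box must not be compiled as a pattern. The following is an added example (not API Umbrella's own code) of the corresponding checks on an in-memory model: updates and listings are filtered by the admin's permitted scopes, a record cannot be moved outside those scopes, and search terms are matched literally. The scope model (path prefixes), the record structure and the sample data are assumptions made for this example.

```ruby
# Added example, not code from API Umbrella. Illustrates scope-checked
# updates and listings plus literal (non-regex) search for admin tooling.
# Assumption for this example: an admin's scope is a set of path prefixes,
# and a record belongs to a scope when its frontend prefix starts with it.
Admin = Struct.new(:name, :superuser, :scopes)
ApiBackend = Struct.new(:id, :name, :frontend_prefix)

class NotAuthorized < StandardError; end

class ApiBackendStore
  def initialize(records)
    @records = records.each_with_object({}) { |r, h| h[r.id] = r }
  end

  # Superusers may touch everything; limited admins only records inside their scopes.
  def permitted?(admin, record)
    return true if admin.superuser
    admin.scopes.any? { |scope| record.frontend_prefix.start_with?(scope) }
  end

  # The weak version of this method would look the record up by UUID and save
  # the attributes. Here the record must both exist and be permitted, and the
  # resulting record must still be inside the admin's scopes, so a limited
  # admin cannot move a record into (or out of) someone else's scope.
  def update(admin, id, attrs)
    record = @records[id]
    if record.nil? || !permitted?(admin, record)
      raise NotAuthorized, "record not found or not permitted"
    end
    updated = ApiBackend.new(record.id,
                             attrs.fetch(:name, record.name),
                             attrs.fetch(:frontend_prefix, record.frontend_prefix))
    raise NotAuthorized, "new prefix is outside admin scope" unless permitted?(admin, updated)
    @records[id] = updated
  end

  # Listing is filtered by permission, so a limited admin never sees the
  # complete table.
  def list(admin)
    @records.values.select { |r| permitted?(admin, r) }
  end

  # Literal, case-insensitive substring search over the admin's own listing.
  # Regexp.escape neutralizes metacharacters, so a term like "(a+)+$" is
  # searched for as text rather than compiled into a pattern.
  def search(admin, term)
    pattern = Regexp.new(Regexp.escape(term), Regexp::IGNORECASE)
    list(admin).select { |r| r.name =~ pattern || r.frontend_prefix =~ pattern }
  end
end

# Constructed sample data (UUIDs and names are made up for this example).
WEATHER_ID = "11111111-1111-4111-8111-111111111111"
PAYMENTS_ID = "22222222-2222-4222-8222-222222222222"
SAMPLE_BACKENDS = [
  ApiBackend.new(WEATHER_ID, "Weather", "/weather/"),
  ApiBackend.new(PAYMENTS_ID, "Payments", "/payments/"),
]
LIMITED_ADMIN = Admin.new("alice", false, ["/weather/"])
SUPERUSER = Admin.new("root", true, [])

if __FILE__ == $PROGRAM_NAME
  store = ApiBackendStore.new(SAMPLE_BACKENDS)
  puts store.list(LIMITED_ADMIN).map(&:name).inspect
  begin
    store.update(LIMITED_ADMIN, PAYMENTS_ID, name: "Renamed")
  rescue NotAuthorized => e
    puts "denied: #{e.message}"
  end
  puts store.search(SUPERUSER, "(a+)+$").map(&:name).inspect
end
```

Returning the same "not found or not permitted" error for a missing record and for a record outside the admin's scope also avoids confirming to a limited admin that a guessed UUID exists.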