You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/src/release_notes.rst
+37Lines changed: 37 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -11,6 +11,43 @@ Release Notes
11
11
0.4.20
12
12
------
13
13
14
+
- API security
15
+
16
+
- Tightened authorization checks for all non-public API endpoints.
17
+
18
+
All non-public endpoints now properly respect the current user rights
19
+
defined in the participant user management service.
20
+
Revoking user rights on the participant will revoke access to the corresponding API endpoints.
21
+
22
+
In general, endpoints that required authentication before will now check that the authenticated user
23
+
is not deactivated on the participant has has ``actAs`` rights for the relevant party
24
+
(wallet party for the wallet app API, SV operator party for the SV app API, etc).
25
+
26
+
- Administrative SV app endpoints now require participant admin rights.
27
+
28
+
The following SV app endpoints now require the user to have participant admin rights in
29
+
the participant user management service. This allows for finer grained access control
30
+
where users with ``actAs`` rights for the SV operator party but without participant admin
31
+
rights may use the SV or wallet UIs, but may not perform administrative actions like
32
+
hard synchronizer migrations.
33
+
34
+
- ``/v0/admin/domain/pause``
35
+
- ``/v0/admin/domain/unpause``
36
+
- ``/v0/admin/domain/migration-dump``
37
+
- ``/v0/admin/domain/migration-dump``
38
+
- ``/v0/admin/domain/identities-dump``
39
+
- ``/v0/admin/domain/data-snapshot``
40
+
41
+
Note that only the service users of the SV and validator apps should automatically have participant admin rights.
42
+
If you are using other users to access the above endpoints, check their rights.
43
+
44
+
- Some endpoints will have changed authorization rules in an upcoming release.
45
+
46
+
- SV app ``/v0/dso`` is currently public, but will require authorization as SV operator,
47
+
similar to most other SV app endpoints.
48
+
Use the corresponding public endpoint in the scan app if you need to fetch DSO info.
49
+
50
+
14
51
- Deployment
15
52
16
53
- Fix a bug where the setting the affinity for the ``splice-cometbft`` and ``splice-global-domain`` helm charts would remove the anti affinity for the ``cometbft`` and the ``sequencer`` deployment. This ensures that if multiple SVs are run on the same nodes, not more than one ``cometbft`` pod can be deployed on the same node and that no more than one ``sequencer`` pod can be deployed to the same node (a ``cometbft`` pod can still share a node with a ``sequencer`` pod). This can be disabled by setting the ``enableAntiAffinity`` helm value to ``false`` (default ``true``).
0 commit comments