Unimus 2.2.0 & Unimus Core 2.2.0 release

Official news and announcements
Post Reply
User avatar
Tomas
Posts: 1206
Joined: Sat Jun 25, 2016 12:33 pm

Mon Feb 28, 2022 10:03 pm

Unimus version 2.2.0 is being released today! 2.2.0 has been in development for 6 months and brings new major and minor features, together with heavy focus on performance and security.

We have published a Release Overview on our blog if you prefer to read up on this release.
Alternatively, you can watch the Release Overview video below:



Release highlights:
- Device Variables in Config Push
- New APIv3
- Improved API Token Management
- Performance improvements
- Security improvements and bug fixes
- Support for 12 new device types

Links at https://unimus.net/download.html have been updated with the newest version.

Edit: we have also released a hotfix for a few annoying issues that early adopters reported. This hotfix was released as 2.2.1.

Full Changelog:
= Version 2.2.0 =
Features:
Added option to set UI session timeout (example "-Dserver.servlet.session.timeout=1h")
Updated NetXMS client library to latest version (4.0.2156)
Added additional built-in Backup Filters for FortiOS devices
Added missing search in Config Mode Password binding window (Devices > Edit)
Unmanaged devices are now displayed with Italic font in "Backups" screen (same as in "Devices")
Added support for device selection menus on Cisco IOS
Added support for CLI sections in FortiOS
Improved Huawei VRP driver compatibility
Improved detection and grouping of invalid commands in Config Push
Reordered buttons on the Devices screen into logical groups (better UX)

New Device Variables feature for Config Push
- Variables can be defined for devices in the Device screen
- both single and multi device variables edit are supported
- Variables can be used in Config Push in the "${variable_name}" format
- more info: https://wiki.unimus.net/display/UNPUB/Device+Variables

Added new APIv3:
- implemented new v3 API, exposing functionality currently missing in APIv2
- currently available endpoints: "Jobs", "Zones", "Tags", "Credentials", "CliModeChangePasswords"
- API tokens now have a new "Allow access to credentials" checkbox
- please check http(s)://your_unimus_address/api/v3/ui for new built-in API docs
- APIv2 will remain functional for the foreseeable future

Improvements to API Token management:
- added "Description" to API tokens
- API tokens now have a new "Allow access to credentials" checkbox
- added an "Edit" button for API tokens

Mass Config Push is now available over APIv3:
- added an "API Jobs" tab to Config Push if any API jobs exist
- new retention settings for API Push Job history
- see above section for details on APIv3

Performance improvements:
- general improvements across the application due to DB structure and data access improvements
- substantial performance improvements in high-concurrency environments due to JDBC datasource change
- Config Search has been offloaded to the database (as required per DB engine), bringing much better performance
- optimized job initialization time (10x faster when running jobs on 5.000 devices)
- a single Unimus instance can now handle 120.000 devices with full discovery + backup on 120k devices in 2 hours 45 minutes
- UI component responsiveness massively improved (for example, select all on 120k objects in the UI now takes 8 seconds, from 3 minutes previously)
- with 120.000 devices in Unimus, all screens now load in under 10 seconds max (average screen load at 2 seconds)

Security improvements:
- performed an internal security audit of Unimus in advance of full Penetration Testing
- more info on found and fixed issues in the "Security fixes" section
- updated user password hashing algorithm to Argon2 (previously Bcrypt2 was used)
- existing user passwords will be migrated on first successful login
- Unimus 2.2.0 will undergo a full pentest cycle, results will be published publicly on our Blog

Optimization of device connection count during Discovery:
- only open a single CLI session when only a single credential is available for a device
- applies when credential discovery is not needed due to Credential Binding
- more info: https://wiki.unimus.net/display/UNPUB/Discovery

Rewrite of MikroTik RouterOS driver:
- performance increases, average discovery on ROS down to ~9 seconds (from 21 seconds)
- added handling for new CLI behaviors introduced in latest ROSv6 versions
- added support for ROSv7

Added support for:
- ArubaOS v6
- DrayTek VigorSwitch
- Engage IPTube
- FiberStore Campus switches
- Hatteras / Overture Networks
- Huawei USG
- JunOS EVO
- MikroTik RouterOS 7
- Planet XGS switches
- other various Planet switches
- Ubiquiti Dream Machine (UDM)
- Ubiquiti LTU / LTU-Pro

Fixes:
Fixed a memory leak if a Core connection connected and disconnected frequently
Fixed wrong Running Job state could be set on devices during heavy concurrency operations
Fixed job history records would not be created for devices with extremely long addresses
Fixed a running Network Scan not being stopped if it's Preset was deleted
Fixed description missing in Mode Change Password binding (Devices > Edit)
Fixed running job state could be reverted to a wrong state when Managing / Unmanaging devices while a job was running
Fixed select all / deselect all and the selection model in general could break in the "Device credentials" table
Fixed moving devices between Zones could cause the Zone Number to update even if device was not moved due to address conflict
Fixed changing a user's role to visually break the Backups screen if the affected user was already on it
Fixed possibility to add Comments to deleted objects if the Comment window was opened while object was deleted
Fixed actions buttons not working properly in "Backups > Configuration" in specific cases
Fixed wrong time formatting in "Use management > System access history > Session end" (values were correct in DB)
Fixed "Other settings > Per-Tag connectors" would not properly show all configured ports for a connector
Fixed attempting to remove all Users would throw an exception (will now properly remove all users other than yours)
Fixed the Zones screen not properly refreshing when specific changes were done to Zones by another user
Fixed select all on tables with extremely large amounts of objects could causing loading for a very long time
Fixed enabling "Show all passwords" in the "CLI mode change passwords" table could cause bad behavior in the "Device credentials" table
Fixed search in "Import history jobs" did not work
Fixed the "port" field being formatted wrongly in the "Notifications > Email" screen
Fixed changing a user's role to duplicate the Theme selector on the Dashboard if the affected user was already on it
Fixed Credentials screen did not live-update changes to counters when credentials were Bound / Unbound by another user
Fixed "Basic import > CSV file import" could throw exceptions to the UI when an invalid CSV file was provided
Fixed possibility to add Device Access restriction without selecting and account, which resulted in an exception
Fixed Comment icon column in the Schedules screen was not properly sized
Fixed rare scenarios where upgrade from 2.0 or 2.1 to latest versions could fail
Fixed possible invalid input in "Notification settings > Diff before and after lines"
Fixed multiple rare errors on concurrent operation attempts on already deleted objects during multi-user workflows
Fixed multiple other minor UI and UX issues and missing live value changes during multi-user workflows
Fixed discovery failing on some models of Adtran TA
Fixed discovery failing on JunOS-EVO devices
Fixed discovery failing to recognize newer Planet switch types
Fixed Config Push on MikroTik RouterOS could fail on specific commands with long output
Fixed output formatting in Config Push on some MikroTik RouterOS versions could be broken
Fixed backup could contain some extra unwanted data on some MikroTik RouterOS versions

Security fixes:
Completely removed log4j library due to multiple exploits that were identified in this library
Log out all other user's sessions if a user changes their password (other than the session changing the password)
Log out all sessions of a user if their password is changed by another Administrator user
Users logged out due to session timeout are redirected to the Login screen instead of just an overlay on their last screen
Fixed user could remove Backup Filters applied to Tags the user didn't have access to
Fixed users could re-run Push presents from output group context menu even if they didn't have access to do this
Close currently opened "Show password" popups in the Credentials and "Device > Info" screens when a password is set to "High security mode"
Close currently opened "Show password" popups in the Credentials and "Device > Info" screens when a user's role is changed to READ-ONLY
Fixed Backups screen would not remove access to already opened device backups if access to a device was lost
Fixed users without access to the Default Zone could still add devices through "Network Scan"
Changed APIv2 to no longer expose credential passwords through Device endpoints (there was no way to control this), use APIv3 for credential access

Fixed multiple instances of "live" access changes not working (screen change / reload was required to apply new access restrictions):
- for all affected screens affected data will be added / removed immediately after accessibility is changed now
- fixed Dashboard not listening to live device access changes
- fixed Zones not listening to live access changes
- fixed "Mass Config Push > Targets" not listening to live device access changes
- fixed "Mass Config Push > Output groups" not listening to live device access changes
- fixed "Other settings > Per-Tag connectors" not listening to live access changes
- fixed Devices screen not listening to Zone-based device Tag live access changes (Tag propagations to Devices from Zones)
- fixed "Basic import" not listening to live Zone access changes

= Version 2.2.1 =
Features:
Improved table behavior and data loading with high latency

Fixes:
Fixed failing DB upgrade to 2.2 in specific cases
Fixed wrong variable could be substituted for devices in Config Push in specific cases
Fixed "Config Search > Regex Search" did not work in specific cases
Fixed errors in Config Push could completely break the UI for the user running the push
Finally, there are a few minor known issues to be aware of:
Known issues:
ISSUE: "Re-discover affected devices when Ports or Connectors change" Advanced Settings option does not work
WORKAROUND: none
STATUS: issue scheduled for fixing

ISSUE: "Stop" in Config Push does not work
WORKAROUND: none
STATUS: issue scheduled for fixing

ISSUE: Some screens in Unimus show time in server's time zone, others in client's (browser's) time zone
WORKAROUND: none, issue only relevant if client has different time zone than server
STATUS: we are debating on how to fix this - will likely create a setting to select which TZ should be used
Let us know if you have any feedback / questions on this release, or if you run into any issues!
jktucker58
Posts: 2
Joined: Tue Feb 08, 2022 3:33 pm

Tue Mar 01, 2022 9:19 pm

I was hoping LDAP/AD authentication would have made it in the next release. Any time soon?
User avatar
Tomas
Posts: 1206
Joined: Sat Jun 25, 2016 12:33 pm

Tue Mar 01, 2022 9:41 pm

jktucker58 wrote:
Tue Mar 01, 2022 9:19 pm
I was hoping LDAP/AD authentication would have made it in the next release. Any time soon?
Rework of the AAA system is coming in 2.3. This including addition of LDAP, login from external sources without the need to create an account in Unimus itself, support for MFA in Unimus, etc.

This is what we are working on now - expect this to be available around the end of Q2 :)
marcohald
Posts: 4
Joined: Thu Dec 16, 2021 7:35 am

Wed Mar 02, 2022 1:26 pm

Automatic user creation via Radius would be also great.
It would be perfect if the privileges can be assigned via Radius Attributes like you can do it on Cisco Devices.
For Example CVPN3000-Privilege-Level:15 for Admin Access and CVPN3000-Privilege-Level:5 for read only.
Other attributes are also fine, but i prefer to provide a own attribute as we already use it for Cisco authentication.
Post Reply