Release Notes

Current release versions can be downloaded here.

Development Build (Mar 19, 2024)

  1. Introduce our database access portal, allowing the management of database users, supporting compliance efforts around Segregation of Duty, Principle of least privilege, approval chains and data access audit capabilities;
  2. Improved LDAP configuration wizard;
  3. Improve Kerberos configuration capabilities and support GSS Encryption mode for Postgres;
  4. Support Kerberos+passthrough for the SQL Server proxy, to allow service accounts to use SQL Auth, while others use Kerberos;
  5. Allow forcing the TLS ciphers supported, to allow optimization on systems where one cipher outperforms the defaults;
  6. Add data sensitivity tagging capability to databases via the database browser, schemas, tables and columns to support future audit and role management capabilities;
  7. Add the ability to edit roles in the database browser;
  8. Improved functionality of the database browser and increased compatibility across database types;
  9. Add the ability to send alerts to SNS, email and LDAP (email) driven targets;
  10. Improved the included user synchronization scripts across all databases for better functionality and compatibility;
  11. Improved compatibility with multiple database types including Redshift, Babelfish, Greenplum, SQL Server, Postgres, MySQL and others;
  12. Improve Redis compatibility in cluster mode;
  13. Add an alert to the admin user if any user has the default password set to “heimdall”;
  14. Add a notice when accessing the manager via HTTP to redirect to HTTPS;
  15. Include LDAP to group mapping for synchronized users;
  16. Improved parsing of SQL to identify DML vs. non-DML queries;
  17. Numerous cosmetic changes to help clarify behaviors and function;
  18. Numerous compatibility fixes identified by customers for all databases;
  19. Tons of additional and updated documentation across all areas;
  20. Inclusion of PDF documentation, ideal for importing into ChatGPT-4 to assist in answering questions and providing self-guided support.

Major pending items before release: 

  1. Add support to all cases where a password is configured to use AWS Secrets Manager;
  2. Add a report option to provide an audit trail of who has access to security tagged database resources based on tag;
  3. Update our included manager Java version to Java 17, and update the Spring Boot version, to avoid false alerts on security scanning;  This will require an update of Java on any currently installed system once merged;
  4. Add a check of the required Java version for new updates to ensure we don’t install code requiring a new version into a system with the old version;
  5. Review all documentation to ensure it accurately reflects all the changes since Nov 6.

Release build (Nov 6, 2023)

  1. Add option to strip comments when forming the cache key from a query, due to DataDog’s query tagging feature to track individual queries;
  2. Improve handling of CTE queries, in particular with more than one CTE table in a single query;
  3. Reordered admin tab options for more logical sense;
  4. Add options for Kerberos for Greenplum and Redshift;
  5. Improved database browser for Postgres;
  6. All previous updates and fixes.

Development build (October 27, 2023)

  1. Support for Kerberos with Postgres and SQL Server proxies;
  2. Token authentication, to hide the real password used to connect to the database from users, to avoid bypassing the proxy;
  3. Initial database browser implementation for Postgres, to support other databases within the next month;
  4. LDAP Wizard to assist in configuring LDAP authentication correctly;
  5. Provide automation to install synchronization scripts for use with Zero touch user management;
  6. Provide alerts if memory usage triggers swap usage, as this can impact performance;
  7. Provide an option to always forward a query, overriding other checks, for situations where “eventual” consistency is appropriate;
  8. Provide a template system so Heimdall can create application templates for use in the wizard, with an initial template for Odoo;
  9. Provide the means to automatically upload logs to S3 for debugging, and to customize what S3 bucket to upload to;
  10. Provide an interface to manage CA certificates used to validate other TLS certs;
  11. Provide active/standby interface and manual promotion options, when using autoscaling mode and to indicate standby nodes in blue on status tab;
  12. Add automation to create iptables rules when ports are opened by the proxy;
  13. Adjust the default rules created by the configuration wizard for read/write split to help avoid issues;
  14. Add AWS Secrets Manager support for the default/monitoring user in the data source tab;
  15. New VDBs configured to use LDAP will inherit the config from the manager if it is configured for LDAP;
  16. Bypass forwarding of MySQL queries including binary blob data in a prepared statement to prevent read/write split issues;
  17. Improve support for LDAP systems other than Active Directory, including with the new Wizard;
  18. Allow choosing of the cloud manually in the server configuration, in the event the cloud is not detected properly;
  19. Add Kerberos support for the Heimdall Manager;
  20. Improved performance with Oracle in JDBC mode;
  21. Improved Oracle compatibility in JDBC mode;
  22. Improve compatibility with the Elixir driver for Postgres;
  23. Improved nested transaction support for SQL Server;
  24. Improve parsing of multiple CTE statement formats for Odoo;
  25. Provide one to many group to role mappings when synchronizing users into databases;
  26. Provide key tracking configuration (or the lack of) notification for Redis and Hazelcast;
  27. Automatically capture pcap files from proxy trace logging to log dumps;
  28. Resolve issues with the Analytics tab where searching wasn’t returning the proper results at times;
  29. Resolve issue where the manager login history wasn’t reporting logins properly;
  30. Resolve issue with queries using the “force” keyword for MySQL;
  31. Resolve some issues where some queries would be tagged as DML when they shouldn’t be, preventing caching;
  32. Add a huge number of new tests for new and old functionality to assist with regression testing;
  33. Large numbers of smaller bug fixes and tuning for improved compatibility, performance and logging capability.

Development/Daily builds (Jul 10, 2023)

  1. Add MS-SQL and Redshift Sync_user script examples;
  2. Improve sync_user scripts to include lookup_tables for group to role mapping, including support for one to many mapping of groups to roles;
  3. Add checking for key tracking to the test cache button, to ensure distributed invalidation will be handled cleanly;
  4. Improve log format to make it easier to read in many cases;
  5. Generate alerts if a user is added to a temporary login blacklist after three failed login attempts;
  6. Blacklist users with an increasing time between attempts if they fail login three or more times;
  7. Resolve issue where a proxy is not stopped if running as a service, and this is disabled AND the local proxy option disabled at the same time;
  8. Resolve issue with “select … for update” queries not being flagged as a DML (short-term regression);
  9. Resolve issue in the Wizard with AWS Detect where clicking next didn’t progress after selecting a database cluster, and cases where Elasticache was not listed properly;
  10. Add “production” flag to force a VDB to the top of the status tab, and to flag it as a production instance;
  11. Resolve SQL exception case where the exception counter wasn’t being incremented;
  12. Resolve issue with copy interface with Postgres and Redshift for loading data via stdin;
  13. Improved table extraction logic for parsing tables in a variety of cases;
  14. Improve LDAP debug logic in the logs;
  15. Improve compatibility of LDAP group extraction with DNs containing special characters like commas;
  16. Add current pcap downloads to the log file download to avoid a second step;
  17. Improve AlloyDB documentation and support;
  18. Resolve issue with Moneytype and MoneyNtype (and a few others) for SQL Server;
  19. Resolve a variety of issues with Redis cluster mode behavior;
  20. Add “show key” command;
  21. Resolve a few cases where the AWS SDK was not being used, triggering issues when the v2 metadata api was configured.

Release build (June 2, 2023)

This release includes refactoring and changes that have been ongoing since Sept 2022, so there are a large number of internal changes.  However, the most visible changes to users include:

  1. Include support for LDAP authentication in the GUI, as well as a general overhaul of the authentication system used by the central manager;
  2. Include an option to upload logs directly to a write-only S3 bucket for Heimdall support;
  3. Include explicit support for Google AlloyDB, including cluster tracking support;
  4. Remove from the user objects the ability to limit logins from particular IP ranges, as firewall rules were typically used for this;
  5. Improve the filters for various log types on the log tab;
  6. Include user count tracking in the “show pools” command (the result will be in the logs);
  7. Add option to delete unused certificates;
  8. Add the option to enable token authentication to the HTTP health check port, to avoid data leakage;
  9. Removal of some unused options that added complexity to the GUI, but were never used by customers;
  10. A huge number of various optimizations, bug fixes, and other changes that are too numerous to detail.

We will probably be adding details to this list, however due to the number of changes internally, not everything will be documented here.  This is a major release structurally.

Release build (Mar 30, 2023)

  1. Adjust default preferQueryMode to extended to avoid cases that could trigger an OOM on Postgres;
  2. Add Systemd service watchdog support–this requires a full image update to activate;
  3. Support proxy port ranges in the format start-end.

Development build (Mar 4, 2023)

  1. Move clear cache and restart proxy to a menu on the status tab by the VDB name, and include clear authentication cache as an option (docs not yet updated);
  2. Resolve issue introduced with concurrency statistics that broke some Cloudwatch statistics reporting;
  3. Resolve issue with SQL Authentication introduced pool controls for per-user control;
  4. Resolve a few stats reporting issues when not using load balancing;
  5. Improve replication lag handling to ensure we don’t run more than one instance of checks at a time;
  6. Report on the GUI if a client uses older SQL Server drivers that can cause issues with caching;
  7. Improve the behavior of the MySQL proxy when a change-user request is issued;
  8. Maintain consistent order of Hazelcast and Redis nodes when displayed on the status tab (Manage via cache only);
  9. Add support for ${authBypass} to assist with graceful DB to LDAP managed users;
  10. Various small optimizations and bugfixes.

Release build (Feb 15, 2023)

  1. Revert to the older Postgres streaming driver to avoid OOM issues.

Release build (Feb 14, 2023)

  1. Augment status tab with traffic metrics on what source served a query (reader/writer/cache) and connection reuse statistics;
  2. Provide average connect times in connection pool information via show pools and JMX stats;
  3. Resolved several issues with SQL Server prepared statements.  Please note–using the MS SQL Server JDBC driver 4.x and earlier is not advised, as it can cause issues.  Please upgrade to a newer JDBC driver for full compatibility;
  4. Resolve an issue with the MS SQL Geometry & Geography type;
  5. Hide disabled VDBs on the status tab;
  6. Re-enable SQL Server caching with TDS RPC 13, disabled on the 4th;
  7. Resolve issue with Postgres prepared statements that in rare situations could cause a typecast mismatch issue.

Development build (Feb 4, 2023)

  1. Remove summary tab, as it was misleading users on what benefits they were getting (it downplayed the benefits, not exaggerated them);
  2. Added the ability to install updates from an arbitrary URL, to allow updates to be maintained in a secure repository such as pre-signed S3 URLs;
  3. Hide disabled VDBs from the status tab;
  4. Add connect time on connect timeout interval messages to help debug timeout issues;
  5. Disable AWS RDS api probes if LB is disabled, even if an AWS ARN is configured;
  6. (Temporary) Disable caching when SQL Server uses TDS RPC 13 (prepare-exec) to generate queries;
  7. Improve compatibility with Redis for TLS and password authentication, and add TLS detection to the AWS wizard code;
  8. Make Redis node display on status screen when “manage via cluster” is enabled consistent;
  9. Add the ability to specify the maximum number of rows allowed to be returned in a rule;
  10. Removed the confusing “pin” option from the status tab;
  11. Add the manager version number to the menu side-bar to help visualize the current version of code installed;
  12. Improve compatibility with AWS Babelfish, including supporting automatic failover of Babelfish clusters;
  13. Correct handling of MS-SQL GUID fields when sent to the server as part of a prepared statement;
  14. If Postgres returns an error about too many connections versus the number allowed for a role, immediately return an error instead of trying to wait for a new connection;
  15. Change MySQL socket names to include port numbers to avoid conflicts when multiple proxies are running on different ports;
  16. Numerous added documentation updates and test case enhancements.

Release build (Jan 3, 2023)  (note–currently in publishing phase, please install from “test” build from the GUI):

  1. Massively add more tests to cover issues found in last three months;
  2. Include per-user pool statistics in JMX;
  3. Allow postgres warnings generated before a result-set to be reported in real-time vs. waiting till after the result is done;
  4. Improve table name extraction, in particular with joins followed by a “(” character;
  5. Resolve library and base OS issues for CVE-2022-42889, CVE-2022-41853, CVE-2022-3602 and CVE-2022-3786;
  6. Add support for Oracle Cloud default passwords and license handling;
  7. Log info on what TLS cert is used at the proxy level to assist in debugging if the proper cert is being used;
  8. Provide metrics for concurrency controls;
  9. Resolve issue with query time reporting on the dashboard, which would exaggerate longer execution times in certain situations;
  10. Add statistics for read/write split to JMX;
  11. Update libraries for Redis 7 support;
  12. Adjust timing of service start to be after cloud.init, to prevent incorrect start behaviors;
  13. Restart local proxy if the vdb name, or access/secret keys change;
  14. Improve connection behavior on various fatal connection conditions, so it returns an error immediately;
  15. Add generic threshold matching, allowing rules to match based on “typical” performance of a query pattern, for slow query control;
  16. Allow ${connid} for rule replacement, to support per-connection throttling;
  17. Adjust ldap authentication to require a group extracted ONLY if a group filter is provided;
  18. Allow username and password to be overwritten in SQL authentication, so front-side and DB side credentials don’t have to match;
  19. Add credential syncinterval option to VDB for credential synchronization;
  20. Improve search path handling with multiplexing enabled;
  21. Resolve issue that could result in the status tab not reporting data;
  22. Many documentation updates and fixes;
  23. Resolve issue with PostGREST where it can’t cache the schema;
  24. Enable TLS certificate debugging on the proxy, to print important fields about the certificate used.

Release build (Sept 26, 2022)

  1. Added “named” throttle and concurrency support, allowing per-user throttling and active query limits;
  2. Resolved issue that could prevent a proxy from logging to the manager;
  3. Support regular expression matching on API invalidations (via HTTP API);
  4. Support regular expression matching for most metadata rules;
  5. Initial beta support for row deletion capabilities and data masking;
  6. Added Greenplum proxy (behaves as Postgres proxy for now).

Development build (Sept 8, 2022)

  1. Add response rules processing (beta) to drop rows in a result-set, intended to help remove bulky metadata for GUI apps interacting with the database that is unneeded;
  2. Provide a certificate viewer interface to view the loaded certs;
  3. Improved transaction isolation state tracking when using delayed transactions;
  4. Provide “tablesonly” matching filter for rules;
  5. Improved application_name handling including support for inline “set application_name” for Postgres, and matching on the set value in rules;
  6. Resolve issue with Postgres COPY operations to stdin for downloading bulk data, in particular with pg_dump;
  7. Resolve issue if user-data isn’t set fast enough on system startup, where a management server may have started, but a proxy is desired;
  8. Add “shared” cache option to force cached result-sets to be shared across users;
  9. Adjust most metadata matching to test first for exact matches, then as a regex match;
  10. Adjust install script to support Oracle Linux 7.x;
  11. Improve compatibility with SQL Server;
  12. Add startswith, endswith and literal support for matching queries.

Development build (Aug 19, 2022)

  1. Added the ability to upload third party certs, and assign them to the GUI interface;
  2. Provide interface for managing the /etc/heimdall.conf file for the manager via the GUI;
  3. Resolved a SQL Server parsing issue with prepared statements involving internal variables and multi-line comments;
  4. Provide functionality to override usernames, passwords and database names via SQL Authentication via columns named db_user_name, db_password, and db_database.

Development build (Aug 16, 2022)

  1. Resolve issue with new cache “revalidateOnly” option where it was building the nocache rule incorrectly;
  2. Updated documentation on packet capturing and other minor changes;
  3. Resolve issue with Analytics if a multiple-component search path was specified on a connection (cosmetic);
  4. Resolved issue with PyODBC connections without autocommit enabled;
  5. Honor the “enabled” column for SQL authentication even if disabled rules are not filtered via query;
  6. Include a sanitized vdb configuration in log dumps to assist in debugging.  Passwords, certs, keys and similar fields will be automatically removed from the configuration files;
  7. Resolved more SQL Server prepared statement issues;
  8. Resolve issues when starting Heimdall in ECS containers, and in honoring heimdall.conf environmental variables when set for a container;  Note:  This requires a full update of the baseline scripts to take effect completely;
  9. Delete old pcap files on a log delete.

Release build (Aug 1, 2022)

  1. Improve the Let’s Encrypt interface to allow aliases, and selection of the alias in the vdb, along with documentation;
  2. Handle special case of @@rowcount for Entity Framework requests and SQL Server;
  3. Resolve ODBC TLS compatibility issue for SQL Server involving TLS frame lengths.

Development build (July 22, 2022)

  1. Add in a packet capture option in the status tab’s proxy menu (beta);
  2. Initial implementation of a certificate manager to use Let’s Encrypt certificates for VDBs (beta);
  3. Add an option to clear the authentication cache in the proxy menu;
  4. Add connection pool information into JMX (per-user pools are not yet exposed however);
  5. Improved compatibility with SQL Server cursors and prepared queries, along with regression tests to go with the improvements;
  6. Properly replace ${database} in authentication queries with the requested database on a per-connection basis;
  7. Provide no-cache reasons in the query breakout screen;
  8. Adjustments to license handling, including support for the Greenplum Community Edition license;
  9. Add logic to use sp_reset_connection by default on SQL Server connections when they are returned to the connection pool;
  10. Remove delay if a user’s credentials fail on the back-end database for Postgres due to the database not being present.

Development build (July 9, 2022)

  1. Important: Resolve issue on updates where modules were not updated properly, a regression starting with the June 22, 2022 builds.  If you experience an issue on update where the modules are not registered, simply update to this new development build a second time to resolve;
  2. Initial build to recognize the Greenplum community edition license flag, will show on the license tab–further controls to limit the functionality to only licensed features will be added for the next full release;
  3. Add the regex “literals” keyword to do exact string matches vs. regex, reducing overhead significantly with many rules;
  4. Optimize the rule processing code path when regex capture groups are present, but no replacement is needed in properties;
  5. Resolve issue with the catalogprefix regex keyword, preventing proper operation with more than one prefix;
  6. Resolved issue where the test query was lost on data source changes;
  7. Improve schema handling with Postgres when building the fully-qualified table name, which impacted invalidation in some cases.  There is also now a vdb parameter of “schema” to set the initial schema on a connection, if not specified by the connection;
  8. Move documentation and support links to the top of the page to avoid issues where they aren’t rendered due to screen resolution;
  9. Correct several compatibility regressions with SQL Server with prepared statements and certain type conversions and query parsing;
  10. Correct several compatibility issues with Postgres and prepared statements;
  11. Resolve issue with server-side stats configuration not honoring the ${database} variable;
  12. Corrected an issue with SQL Server where cached results could be corrupted in certain rare cases;
  13. Updated documentation, including some specific items for MySQL, including noting one performance impacting bug found in MySQL itself involving indexes and the server character set;
  14. Updated Cloudwatch documentation, including how to log Cloudwatch logs when proxies are on private IPs;
  15. Added many regression tests to avoid regressions and issues.

Release build (June 20, 2022)

  1. Include Redshift as a new proxy type, and include the Redshift driver in the new baseline configuration.  For updates, this driver will need to be added manually;
  2. Adjust how Cloudwatch metrics are generated, putting them in the “Heimdall-proxy” category, and making them multi-dimensional metrics, allowing for easier generation of dashboards on autoscaling groups;
  3. Add autodetection of Postgres sequence handling that can impact caching, and disabling caching and read/write split when used in a query;
  4. Update AWS SDK version;
  5. Resolve issue with Global AWS Aurora clusters, where remote clusters would use the wrong region name;
  6. Fix an issue that can cause issues with SQL Server while caching is enabled;
  7. Improved ${host} handling for SaaS deployments, allowing SQL authentication to drive what cluster a given user should be served from dynamically;
  8. Resolved issue where connection pooling was not activated if LB was not also active;
  9. Resolved issue of MySQL driver not loading cleanly on proxy startup due to timing issues in some cases;
  10. Adjust default Postgresql sslmode to prefer;
  11. Documentation updates.

Release build (May 30, 2022)

  1. Update the Postgres driver to include a fix that prevented back-end TLS connections from working with the custom PG driver–this driver will need to be updated manually, contact Heimdall support if needed;
  2. Resolve issue that at times prevented proxy initialization when the built-in port 80 health check was active;
  3. Resolved issue with the ${schema} replacement variable if the variable was set, but empty;
  4. Improved auto-nocache and no-read/write split for Postgres sequences, improving Odoo compatibility.

Release build (May 23, 2022)

  1. Improved handling for all proxies with large result-sets to avoid memory overflows with very large result-sets;
  2. Resolve issue where cloudwatch logging could cause heartbeat delays;
  3. Provide distinct download button on the software management tab to download the current software, simplifying rollbacks;
  4. Add Graviton3 instances to AWS Marketplace offering (pending).

Release build (Apr 15, 2022)

  1. The new build includes an internal Postgres driver that supports streaming of arbitrarily large result-sets.  This driver should not be used with other applications as it is not 100% API complete for the JDBC API.  An upgrade to this version of code will not update the driver, however; this step needs to be done manually–please contact Heimdall support for assistance;
  2. If the TLS certificates used by Heimdall have less than 7 days until expiration, each day an alert will be generated on the UI now;
  3. Resolve several code path issues with “set search_path to <path>” where the schema was not handled properly;
  4. Add a custom cache key option to use the schema as part of the key creation;
  5. Add a “lite” debug option to trigger dumping one second of verbose debug logs in the event of an exception, to reduce the size when debugging rare issues;
  6. Resolve an issue where if the internal health-check was enabled, but the interval was set to 0, the proxy would never start listening;
  7. Add “since started” counters to the JMX interface.

Development build (Apr 4, 2022)

  1. Update Spring libraries to avoid detection against CVE-2022-22965.  Note–we are not vulnerable, this is a proactive update to avoid automatic scanning from warning on this issue;
  2. Resolve rare incompatibilities with the proxy code with various client libraries;
  3. Added “serverFilter” read/write split function to allow selective use of readers for particular workloads;
  4. Provide ${schema} handling in JDBC URLs to support set search_list = <schema> for Postgres (please contact Heimdall support for assistance with this feature);
  5. Resolved some rare cases where autodetection of Postgres clusters wasn’t working properly after a scripted failover;
  6. Updated documentation to account for corner cases such as non-default sql_mode for MySQL, etc;
  7. Improve logging in verbose debug mode to help with LDAP debugging;
  8. Resolved issues with ${host} in data source JDBC URLs including a defaultHost option.  Please contact Heimdall support for use of this option in SaaS environments;
  9. Read/write split statistics forwarded to cloudwatch;
  10. Significant internal regression test improvements and code cleanup.

Development build (Feb 18, 2022)

  1. Support dynamic redis reconfiguration without restart;
  2. Provide warning when an application uses the search_path and update postgres documentation on the search_path compatibility;
  3. Add an option to force configuration requests to be redirected through HTTPS;
  4. Resolve issues with savepoints that could prevent them from working properly;
  5. Make the “response metric multiplier” configurable for determining appropriate read nodes;
  6. Provide aggressive notification on utf8 configuration issues on MySQL;
  7. Resolve logging issue if the database port contained more than four digits;
  8. Updated Postgres password sync script to remove unneeded quotes in group membership;
  9. Resolved an issue where the MySQL column size field was changed on results in some cases;

Release build (Jan 29, 2022)

  1. Small build and test changes.
  2. Added a default value of ‘0’ for the MySQL JDBC driver parameter of “netTimeoutForStreamingResults”.

Development build (Jan 27, 2022)

  1. Resolve driver registration issues on update;
  2. Add in new rule type for SQL Server to “wrap” SQL into a stored procedure, to resolve certain cases with complex parsing of prepared statements;
  3. Provide port number in the logs, to assist in debugging what port a VDB may have received a query on, in the case of multiple ports;
  4. Resolve an issue with SQL Cursor queries performing “relative” access against the result-set;
  5. Resolve SQL Server issue when a SQL parameter name is included in a text field as part of the query;
  6. Add the last modified (epoch) timestamp to the printtables output to assist in debugging invalidation issues;
  7. Add “reset query cache” command to proxy, to delete cache.  Includes an option to specify the table name;
  8. Log what HTTP method is used as part of rest api call logging;
  9. Resolve an issue where the wizard doesn’t create the data source properly in some AWS use cases;
  10. Resolve an issue with invalidation when the database name is in all capital letters;
  11. Resolve an issue with table name matching in rules when the database name is in all capital letters and ${database} is used in the regex field;
  12. Replace the library jnr-unixsockets with junixsocket to avoid a license issue;
  13. Allow balancing of traffic across multiple servers of last resort (weight of 0);
  14. Large amounts of code cleanup (non-customer impacting) as part of ongoing code quality improvements.

Development build (Jan 9, 2022)

  1. Swap instanceid and vdb in AWS metrics to allow easier sorting by vdb;
  2. Remove excessive logging in verbose debug mode for lag detection;
  3. Remove documentation for the “get keymap” command which is not currently available;
  4. Resolve NPE in a particular case with multiplexing enabled;
  5. Resolve issue where drivers are not always registered on the initial startup, requiring the driver to be re-downloaded or a commit issued on the driver tab;
  6. Correct error when an incorrect password is used, and a TLS error is generated for the Postgres proxy;
  7. Update parsing with “with” statements, where some tables were not extracted in certain cases;
  8. Significant code cleanup to remove tech debt.

Release build (Dec 21, 2021)

  1. Library updates, including the removal of all libraries under the CDDL, MPL, EPL and GPL w/ CPE licenses.  This is to simplify the release process for GCP, due to their strict interpretation of how these licenses need to be handled;
  2. Implement a parameter consolidation change to simplify queries with a large number of parameters;

Release build (Dec 14, 2021)

  1. Due to a new version of log4j being released to completely fix the security issues found, we have updated log4j to 2.16.0.  Further, we have updated nearly every other library to ensure that as of now, even the strictest scanners will validate the security of all the libraries used.
  2. Add code to wipe central manager analytics if memory usage becomes too high automatically, as this is the most likely cause of any issue;
  3. Added code to condense parameters in queries for logging to a few, avoiding issues where millions of parameters would result in queries not being logged due to their size;
  4. Removed an extra debug line in the previous build that could cause excessive log entries, even when verbose debug mode was not enabled;
  5. Added retry logic on auto-driver downloads to avoid issues if there is a transient error;
  6. For AWS Marketplace images, add the RDS CA certificates to the image by default to allow drivers to validate the CA cert issuing the database cert.

Release build (Dec 11, 2021)

  1. While we believe there is no remote exploit available, the log4j version was updated to 2.15.0 to ensure we are not vulnerable to CVE-2021-44228;
  2. Resolved an issue with AWS autodetection of regional clusters;
  3. Dramatically improved regression tests, although these didn’t result in any actual code changes;
  4. Improved warnings if there are overlapping ports for DNS or HTTP monitoring;
  5. Throttle certain warnings that could generate large numbers of messages;

Release Build (Nov 24, 2021)

  1. When using the test source button, use the same default properties that the driver uses internally, so that they behave the same.  This is particularly important for TLS behavior, so that the test is accurate;
  2. Dramatically improve lag detection logic, so that it can track much closer to the real lag.  Now, it uses a stored procedure or function call on each database as part of the lag detection;
  3. Resolved issues with SQL Server using array parameter types;
  4. Resolved an issue preventing pgbench from working when loading data via the COPY operation;
  5. Add the option to run proxies as systemd services, even when on the same server as the central manager.  This allows manager restarts without disrupting traffic through the proxy;
  6. Improved the AWS RDS detection code;
  7. Removed (currently) unused MySQL8 driver configuration and files;
  8. Resolved other customer-encountered bugs and discrepancies;
  9. Improve the naming of servers when using AWS autodetect and cluster tracking, so they are in alignment;
  10. Added the ability to route traffic to the nearest reader node by latency, for global deployments;
  11. Added many more regression test cases.

Test Build (Oct 16, 2021)

  1. Resolve an issue when updating from older code that may result in the MySQL JDBC driver not being present;
  2. Resolved a compatibility issue with SQL Server when using “table value” parameters in prepared statements, while also using forwarding or read/write split;
  3. Added a new “multiplex” rule type that allows saving of named parameters (such as cursor names) when disabling multiplexing, and removing them to enable multiplexing again.  This allows nested cursors and other types of queries to trigger multiplex disabling in complex situations;
  4. Resolve an issue with parsing when a comment is at the end of the query;
  5. Resolved an issue with Postgres with array parameter types in prepared statements;
  6. Improve nocache reasons in several cases.

Release Build (Oct 1, 2021)

  1. All changes carried forward from prior test build
  2. NOTE:  If you have issues connecting to the MySQL database after upgrading, please enter the following value in the “maven id” in the MySQL driver section:  “mysql:mysql-connector-java:5.1.49”.  This should resolve the issue.

Test build (Sept 29, 2021)

  1. Integration with and support for RDS Global databases for auto failover;
  2. Support for latency based reader selection in multi-az and region configurations;
  3. Added metrics to track JVM heap allocation rate and hiccups;
  4. Updated RHEL install logic for newer Red Hat versions;
  5. Fixed an issue with the self-diagnostic HTTP health check where it was using the non-LB URL for all checks, and didn’t adjust to changing configurations after start;
  6. Added synchronization of TLS certificates so all proxies will use the same certificate and updated TLS certificate management documentation;
  7. Added a knob to enable TLS 1.0 and 1.1 for older drivers that don’t support TLS 1.2+;
  8. Significant improvements to the CloudFormation template to make it more flexible and cover more customer environment configurations;
  9. Resolved issues with using TLS for proxy to manager communication, and changing the base image to use HTTPS by default for such communication;
  10. Added to DNS redirection mode the ability to redirect to AWS public IPs, not just private;
  11. Resolved issues with Hazelcast AWS autodetect logic;
  12. Allow downloading of drivers from Maven central to avoid packaging the MySQL driver for legal reasons;
  13. Resolved issue with DNS LB when more than 10 proxies were available, impacting proper load distribution;
  14. Improve documentation for Heimdall sync user functionality;
  15. Disabled VDBs will now be put at the bottom of the status tab;
  16. Improve Postgres copy support;
  17. Removed the “track” option from the admin software tab; alerts will now only be for release versions;
  18. Alerts added if the cache client isn’t ready;
  19. Fixed missing SQL queries for SQL Server stored procedure calls;
  20. Added support to cache MySQL stored procedure calls, although they require a table attribute before cache will work;
  21. Provide additional tooltip info for servers on the info tab;
  22. Add 1GB of swap space by default to AWS images to help avoid out of memory situations;
  23. Vastly improved nocache reasons, including the ability to report multiple reasons at once;
  24. Improved compatibility with all database protocol types;
  25. Detect when binary values are used for primary key inserts and handle it properly when using client-side prepares at the driver level for MySQL;
  26. Adjust images so that initial console logging can be observed with “journalctl -u heimdall.service”;
  27. Huge improvements in test infrastructure to improve regression coverage.


Release build (July 30, 2021)

Note:  This build was pushed out to update the AWS ARM instance only for now

  1. Add a 1GB swapfile to avoid out of memory errors on the proxy
  2. Change the systemd configuration so that the stdout and stderr logs will go to /var/log/messages vs. being thrown out, to assist in debugging issues

Release Build (July 23, 2021)

  1. Adjust the yellow alert on the status tab to show on 5% heap vs. 10% heap free;
  2. Generate GC overhead alerts based on total CPU usage, not just a single core;
  3. Add missing useServerPrepStmts to MySQL property list;
  4. Ensure a self-signed certificate is generated by the management server on first startup, and port 8443 opened for secure access;
  5. Provide an option to download a software image backup on a software update, allowing old versions to be easily archived by users for downgrades;
  6. Resolve an issue with MySQL with multiple result-set responses and another with prepared statements in certain rare situations;
  7. Improved the overall readability of the status tab;
  8. Include dumping the SQL Server AG status on a cluster detect operation, to allow debugging if the detection process fails to operate cleanly;
  9. Significant performance optimizations on the cache path with multiplexing, resulting in 7x improvement in QPS for 100% cache hit situations.

Test Build (July 19th, 2021)

  1. Added the ability to store central manager configurations into the AWS Secret store (see the AWS help topic for details);
  2. Added CPU load onto the status and dashboard tabs;
  3. Added an example log roll script that compresses log files on roll.  This can be modified to include transmit to S3, Splunk, etc.;
  4. Disable spaces in configuration names;
  5. Remove duplication of query patterns in analytics due to temporary tables;
  6. Resolved an issue with cluster detect logic, where the JDBC driver may not load properly;
  7. Improve the no-cache reason when no cache rule is active;
  8. Resolve issues with MySQL and results containing multiple results for a single query;
  9. Resolve issue with Postgres COPY operation to allow whitespace before the copy;
  10. Add vdb “rejectPrepated” parameter to refuse prepared statement executes to help track down where they are happening;
  11. Add vdb “reparsePrepared” parameter to avoid query pattern buildup when prepares are not fully parameterized, as that buildup could cause central manager memory buildup;
  12. Added support for Jumpcloud LDAP authentication, including specific examples;
  13. Added option for “Duplicate request tracking” to only ingest queries that have been observed twice in the maxTTL interval, to avoid ingesting content that is never accessed a second time;

Test Build (July 7th, 2021)

Note:  AWS images are being regenerated due to errors in the version numbering published, but the base image has not changed since the prior build.  There is no need to update the AMI if it has already been updated.

  1. Remove unnecessary log entry that was filling some logs;
  2. Adjust timing of proxy start when the management server was starting to ensure the management server was fully initialized.

Test Build (July 5th, 2021)

Note:  This test build is the base build for AWS images, but can be downgraded to the current “release” build as needed until the next release build is approved.  

  1. Adjust the Java version from 8 to 11 again, and change the default garbage collector to the Shenandoah collector, resulting in far more consistent behavior under heavy cache ingest (requires a new base image);
  2. In the Amazon Linux builds, install the RDS certificates into /etc/ssl/certs/rds-combined-ca-bundle.pem (requires a new base image);
  3. Limit the number of IO threads the Redis library Lettuce uses, to prevent certain thread saturation issues;
  4. Set the Lettuce command timeout to 3s vs. the default 60s;
  5. Adjust the cache logic so that the string () is not checked for if the unconditional flag is set.  Normally, this can trigger caching to stop due to possibly non-deterministic functions being used;
  6. Add ports in the status tab to help identify overlaps;
  7. Remove internal default limits for cache object count and ttl, to ensure more “expected” behavior.  In conjunction with the new garbage collector, this should help ensure optimal usage of memory resources;
  8. Generate an alert if garbage collection takes more than 50% of one CPU core over a minute;
  9. Improved the extraction of tables in some cases, in particular with sub-selects, where the string “(” had been detected as a table name;
  10. Sorted disabled VDBs on the status tab to the bottom;
  11. Added a counter to JMX to allow tracking of grid ingest overflows; previously each overflow resulted in a log message, which could become very verbose;
  12. Adjusted MySQL transmit buffer from 8k to 32k to better use larger TCP window sizes.

Test build (June 30, 2021)

  1. Adjust the MySQL defaultFetchSize to override the internal API call to set the same value, which is set to the Integer.min_size, needed to enable streaming of result-sets.  This default may trigger a slight performance degradation, so setting the value to 0 in the connection properties will override this, but revert to full response buffering.  The possible regression is being investigated.
  2. Adjusted the MySQL proxy transmit buffer from 8k to 32k, to improve performance;
  3. Include logging when the max cache object size is reached for MySQL in the nocache reason (pending for other proxies);
  4. Hide the “drain” option in the status tab proxy menus, as it isn’t fully implemented for most use cases;
  5. Detect when garbage collection is taking more than 15% of CPU time, and disable caching for the next minute;
  6. Disable aggregating transmit buffers for non-cacheable results, which should improve memory behavior for non-cache use cases like pure read/write split;
  7. Trigger a back-end connection drop when a MySQL change-user request is received, which should trigger any reset logic at the connection pool level and return the connection to the pool;
  8. Display the advanced features enabled even if the advanced feature tab is closed on the vdb;
  9. Add counter to JMX to track how often a result is dropped due to the cache ingest queue being full for the remote cache (CacheIngestQueueFullCount);
  10. Adjust the self-balancing DNS mode to “band” load by 10% increments, and randomize query responses within those bands, to avoid fast-start benchmarks from triggering many clients connecting to the same proxy node;
  11. Flag if a known bad version of Java is used that can impact TLS;
  12. Make the Postgres COPY command case insensitive when parsing for it;

Development build 21.06.24 (June 24, 2021)

  1. Enable tcp keepalive on the client connections, set to “ping” every 300 seconds.  This is to avoid issues with NLB’s hard timeout of 350s, which results in connections not cleaning up properly when behind a load balancer;
  2. Added DNS redirection capabilities to the Heimdall proxy, when in auto-scaling mode.  This allows delegation of a DNS name directly to the proxies themselves to allow load balancing based on load;
  3. Added additional fields to the debug and queryinfo properties to allow tracking of overhead for cache requests, db execution time, and others;
  4. Changed the default MySQL configuration to not use the maxResultBuffer option, and to default to using streaming result-sets.  This should resolve most issues with very large result-sets not processing properly;
  5. Resolved an issue where the analytics database would grow without bound;

Development build 21.06.03 (June 3, 2021)

  1. Migrate from using the MySQL 5.1.x branch to the 8.0.x branch of code to access the database.  This change has been reverted for now, due to compatibility issues found in testing;
  2. Update other JDBC drivers with minor changes;
  3. For Postgres, we now support handling listen requests, optimizing the number of connections to the server needed.  If multiple clients request the same listen configuration, only one connection will be made for a proxy to the database, and all the connected clients will be serviced with the one connection;
  4. For Postgres, we now have an option of “hdNotifyDBs” which provides a csv list of databases to listen to for invalidations.  Wildcards and exclusions are supported, and when a wildcard is used, the list is refreshed every five minutes;
  5. With the MySQL proxy, support auto-redirection of clients to balance load on the proxy nodes, avoiding NLB and other overhead.  This requires special drivers (contact Heimdall support for more assistance on this);
  6. For all drivers, auto-redirection can be done via DNS as well.  When auto-scaling mode is enabled, a DNS listener can be activated, which provides an ordered list of proxy IP addresses based on load, with the first being the best proxy to select.  
  7. Configurable result-set size limits are now available in the cache settings, to limit the size of an object to ingest.
  8. MySQL Proxy: Improved behavior to allow streaming of result-sets via the driver in more cases, avoiding issues with oversized results generating an exception.
  9. With Azure MySQL, we now provide a MySQL JDBC driver (based on Oracle’s 8.0.x) that supports redirect for their “single server” offering.  The code patches for this will be submitted as open source, but not guaranteed to be accepted by Oracle;  this feature is still pending compatibility testing with the MySQL 8.0 driver codebase.
  10. License handling has been redesigned, to allow most customers to be “licensed” via DNS configuration by Heimdall, avoiding the need for distinct licenses to be issued.  Improvements have also been made to detect cloud purchased offerings from AWS, Azure, and GCP;
  11. Improved JMX statistics, including per-server per-second statistics equivalent to what is used to plot our own dashboard, and also allow ${ip} for the “jmx hostname” field to detect the local IP for JMX redirection.  With JMX, you connect to the host you specify in your tool, but the server then redirects you to another host or IP, which needs to match.  This allows configurations with dynamic IPs to work cleanly, such as with Docker;
  12. Improved multiplexing and delayed transaction compatibility, including the ability to flag disabling multiplexing for X queries by rule;
  13. Improved internal CI/CD pipeline to test patches and push them as our “development” branch;
  14. Re-enable Geode support–for Gemfire use, contact Heimdall for a module compiled against Gemfire instead;
  15. Adjust the memory graph on the dashboard to make it easier to observe with many nodes;
  16. And… include all other fixes from prior builds, as well as many small documentation changes and updates.

Release build (April 5, 2021)

  1. Improved compatibility with delayed transactions;
  2. Resolved issue where commands like commit and rollback would result in a sql log entry for the previous SQL command;
  3. Added logic to trim prepared statements on a connection to no more than 2000 prepares to prevent memory overflow.  Ruby trims to 1000, and Java to 256, so this should be plenty for most environments;
  4. Added logic to forget the last used parameters of a prepared statement after use, to reduce memory overhead;
  5. Added support for hstore types in binary format for Postgres;
  6. Added better support for commands like drop, alter, etc. that do not actually touch a table, but other metadata.  These will be flagged as modification queries, so that read/write split doesn’t send them to the wrong server;
  7. Added to the sql server pool logic a default resetQuery of exec sp_reset_connection;
  8. Improved SQL parsing for many different query formats to improve table extraction;
  9. Avoid using the /tmp directory created by Tomcat for temporary file uploads, as CentOS and derived systems clean up directories over time, and can break the update and other logic;
  10. Added a filter on keys used by Heimdall in external grid caches to prevent non-Heimdall keys from being tracked in the cache logic, which added to memory overhead;
  11. Added a limit of 10x the number of objects specified in the cache object limit (if set) for tracking remote keys, again to limit memory usage;
  12. Fix various issues with prepared SQL statements that include ? as part of the content, which impacted java prepared statement formats;
  13. Improved temporary table detection logic, in particular for SQL Server;
  14. Improvement in TLS handling, including disabling TLS 1.3 with SQL Server, as it doesn’t support it yet, and trying to negotiate it with SQL Server libraries often breaks them;
  15. Improved accuracy of prepared statement performance in the Analytics tab;
  16. Prevent alerts from prior to a clean restart of the management server from showing back up after restart.

Release build (Feb 27, 2021)

  1. Critical: Fix a problem with MySQL when using prepared statements and read/write split (or anything that expands the prepared query to raw SQL) introduced in the last release build. This also impacted SQL logging in some cases as well;
  2. Critical: Disable TLS 1.3 only for SQL Server. Clients often will attempt to negotiate TLS 1.3 if the proxy supports it, but they aren’t tested with TLS 1.3, and end up breaking. SQL Server itself doesn’t support TLS 1.3. This would be observed as a connection hang on any attempt to connect. This was triggered by TLS 1.3 being backported by Oracle into Java 8 in late 2020, which is used by default by Heimdall;
  3. Change the downloaded log filename format for .zip files to include yyyyMMddHHmm, previously it was using minutes for the month position;
  4. Add logging of the full query hash in debug logs, along with logging some other error conditions for TLS, etc.;
  5. Resolved issue where a rule disabling multiplexing was not taking effect due to a rule processing optimization;
  6. Resolved an issue with insert queries with more than 500k fields inserted (across all rows) due to limit in regex processing that limited the number of capture groups that could be created;
  7. Removed a limit of 1024k for a single Postgres packet on query read, which limited the size of an insert that could be done as a single operation;
  8. Added DML detection for generic create and drop commands for non-table oriented SQL. This prevents such queries from being directed to a read node with read/write split;
  9. Ignore quotes and question marks in comments when looking for unbalanced quotes or parameters to fill in for SQL expansion;
  10. Add further compatibility with the PHP PDO drivers for MySQL;
  11. Correct an issue where rows read was not reported correctly for SQL Server at the protocol level;
  12. Resolved issue where proxy auth being disabled for Postgres still resulted in proxy auth being enabled in the resulting wizard configuration.

Release Build (Feb 13, 2021)

  1. Minor usability improvements in the wizard
  2. Detect Azure marketplace deployments for licensing
  3. Improved TLS handling and error logging
  4. Support binary uploads with prepared queries for PDO MySQL (PHP)
  5. Improved handling of temporary tables
  6. Improve manual update process in low memory situations
  7. Resolve issue with the proxy where it wouldn’t update the code on a restart (requires updating the script)
  8. Add example configuration for PHP’s MySQL PDO to extract the certificate from the keystore
  9. Properly handle table names/aliases with question marks when expanding prepared queries for read/write split or transformation.

Release Build (Jan 24, 2021)

  1. Resolve issue with Data Direct MySQL drivers that prevented queries from completing execution;
  2. Improved logic for Postgres failovers in the Azure cloud environment in the parsing of the replication connect string and to support the hostaddr option;
  3. Corrected some cases where the defaultCatalog option was not being used properly to establish connections;
  4. Resolved an infinite loop that could occur if using TLS and the client connection was disconnected unexpectedly;
  5. Updated the default included driver database and driver names;
  6. Remove the creation of new configuration files if the update server API was used;
  7. Updated Hazelcast to 4.1.1 and include YAML configuration file support;
  8. Resolve issue with internal commands like show pool with MS-SQL Server proxy configurations;
  9. Added an option to allow recursive transform calls, to allow the transformation to be applied more than once on a single query;
  10. Resolve a memory leak when connections were dropped by the client under very high new connection/second loads;
  11. Improved logging (as normal).

Previous release notes can be found here.