open-vault/sdk/plugin/pb/backend.proto

688 lines
21 KiB
Protocol Buffer
Raw Normal View History

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
syntax = "proto3";
package pb;
option go_package = "github.com/hashicorp/vault/sdk/plugin/pb";
import "google/protobuf/timestamp.proto";
import "sdk/logical/event.proto";
import "sdk/logical/identity.proto";
import "sdk/logical/plugin.proto";
message Empty {}
message Header {
repeated string header = 1;
}
message ProtoError {
// Error type can be one of:
// ErrTypeUnknown uint32 = iota
// ErrTypeUserError
// ErrTypeInternalError
// ErrTypeCodedError
// ErrTypeStatusBadRequest
// ErrTypeUnsupportedOperation
// ErrTypeUnsupportedPath
// ErrTypeInvalidRequest
// ErrTypePermissionDenied
// ErrTypeMultiAuthzPending
// ErrTypeUnrecoverable
uint32 err_type = 1;
string err_msg = 2;
int64 err_code = 3;
}
// Paths is the structure of special paths that is used for SpecialPaths.
2018-10-15 16:56:24 +00:00
message Paths {
// Root are the paths that require a root token to access
repeated string root = 1;
// Unauthenticated are the paths that can be accessed without any auth.
repeated string unauthenticated = 2;
// LocalStorage are paths (prefixes) that are local to this instance; this
// indicates that these paths should not be replicated
repeated string local_storage = 3;
// SealWrapStorage are storage paths that, when using a capable seal,
// should be seal wrapped with extra encryption. It is exact matching
// unless it ends with '/' in which case it will be treated as a prefix.
repeated string seal_wrap_storage = 4;
Add path based primary write forwarding (PBPWF) - OSS (#18735) * Add WriteForwardedStorage to sdk's plugin, logical in OSS This should allow backends to specify paths to forward write (storage.Put(...) and storage.Delete(...)) operations for. Notably, these semantics are subject to change and shouldn't yet be relied on. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Collect paths for write forwarding in OSS This adds a path manager to Core, allowing tracking across all Vault versions of paths which could use write forwarding if available. In particular, even on OSS offerings, we'll need to template {{clusterId}} into the paths, in the event of later upgrading to Enterprise. If we didn't, we'd end up writing paths which will no longer be accessible post-migration, due to write forwarding now replacing the sentinel with the actual cluster identifier. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add forwarded writer implementation to OSS Here, for paths given to us, we determine if we need to do cluster translation and perform local writing. This is the OSS variant. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Wire up mount-specific request forwarding in OSS Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Clarify that state lock needs to be held to call HAState in OSS Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Move cluster sentinel constant to sdk/logical Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Expose ClusterID to Plugins via SystemView This will let plugins learn what the Cluster's ID is, without having to resort to hacks like writing a random string to its cluster-prefixed namespace and then reading it once it has replicated. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add GRPC ClusterID implementation For any external plugins which wish to use it. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-01-20 21:36:18 +00:00
// WriteForwardedStorage are storage paths that, when running on a PR
// Secondary cluster, cause a GRPC call up to the PR Primary cluster's
// active node to handle storage.Put(...) and storage.Delete(...) events.
//
// See extended note in /sdk/logical/logical.go.
repeated string write_forwarded_storage = 5;
}
message Request {
// Id is the uuid associated with each request
string id = 1;
// If set, the name given to the replication secondary where this request
// originated
string ReplicationCluster = 2;
// Operation is the requested operation type
string operation = 3;
// Path is the part of the request path not consumed by the
// routing. As an example, if the original request path is "prod/aws/foo"
// and the AWS logical backend is mounted at "prod/aws/", then the
// final path is "foo" since the mount prefix is trimmed.
string path = 4;
// Request data is a JSON object that must have keys with string type.
string data = 5;
// Secret will be non-nil only for Revoke and Renew operations
// to represent the secret that was returned prior.
Secret secret = 6;
// Auth will be non-nil only for Renew operations
// to represent the auth that was returned prior.
Auth auth = 7;
// Headers will contain the http headers from the request. This value will
// be used in the audit broker to ensure we are auditing only the allowed
// headers.
map<string, Header> headers = 8;
// ClientToken is provided to the core so that the identity
// can be verified and ACLs applied. This value is passed
// through to the logical backends but after being salted and
// hashed.
string client_token = 9;
// ClientTokenAccessor is provided to the core so that the it can get
// logged as part of request audit logging.
string client_token_accessor = 10;
// DisplayName is provided to the logical backend to help associate
// dynamic secrets with the source entity. This is not a sensitive
// name, but is useful for operators.
string display_name = 11;
// MountPoint is provided so that a logical backend can generate
// paths relative to itself. The `Path` is effectively the client
// request path with the MountPoint trimmed off.
string mount_point = 12;
// MountType is provided so that a logical backend can make decisions
// based on the specific mount type (e.g., if a mount type has different
// aliases, generating different defaults depending on the alias)
string mount_type = 13;
// MountAccessor is provided so that identities returned by the authentication
// backends can be tied to the mount it belongs to.
string mount_accessor = 14;
// WrapInfo contains requested response wrapping parameters
RequestWrapInfo wrap_info = 15;
// ClientTokenRemainingUses represents the allowed number of uses left on the
// token supplied
int64 client_token_remaining_uses = 16;
// EntityID is the identity of the caller extracted out of the token used
// to make this request
string entity_id = 17;
// PolicyOverride indicates that the requestor wishes to override
// soft-mandatory Sentinel policies
bool policy_override = 18;
// Whether the request is unauthenticated, as in, had no client token
// attached. Useful in some situations where the client token is not made
// accessible.
bool unauthenticated = 19;
// Connection will be non-nil only for credential providers to
// inspect the connection information and potentially use it for
// authentication/protection.
Connection connection = 20;
}
message Auth {
LeaseOptions lease_options = 1;
// InternalData is a JSON object that is stored with the auth struct.
// This will be sent back during a Renew/Revoke for storing internal data
// used for those operations.
string internal_data = 2;
// DisplayName is a non-security sensitive identifier that is
// applicable to this Auth. It is used for logging and prefixing
// of dynamic secrets. For example, DisplayName may be "armon" for
// the github credential backend. If the client token is used to
// generate a SQL credential, the user may be "github-armon-uuid".
// This is to help identify the source without using audit tables.
string display_name = 3;
// Policies is the list of policies that the authenticated user
// is associated with.
repeated string policies = 4;
// Metadata is used to attach arbitrary string-type metadata to
// an authenticated user. This metadata will be outputted into the
// audit log.
map<string, string> metadata = 5;
// ClientToken is the token that is generated for the authentication.
// This will be filled in by Vault core when an auth structure is
// returned. Setting this manually will have no effect.
string client_token = 6;
// Accessor is the identifier for the ClientToken. This can be used
// to perform management functionalities (especially revocation) when
// ClientToken in the audit logs are obfuscated. Accessor can be used
// to revoke a ClientToken and to lookup the capabilities of the ClientToken,
// both without actually knowing the ClientToken.
string accessor = 7;
// Period indicates that the token generated using this Auth object
// should never expire. The token should be renewed within the duration
// specified by this period.
int64 period = 8;
// Number of allowed uses of the issued token
int64 num_uses = 9;
// EntityID is the identifier of the entity in identity store to which the
// identity of the authenticating client belongs to.
string entity_id = 10;
// Alias is the information about the authenticated client returned by
// the auth backend
logical.Alias alias = 11;
// GroupAliases are the informational mappings of external groups which an
// authenticated user belongs to. This is used to check if there are
// mappings groups for the group aliases in identity store. For all the
// matching groups, the entity ID of the user will be added.
repeated logical.Alias group_aliases = 12;
2018-05-09 22:39:55 +00:00
// If set, restricts usage of the certificates to client IPs falling within
// the range of the specified CIDR(s).
repeated string bound_cidrs = 13;
2018-09-18 03:03:00 +00:00
2018-10-15 16:56:24 +00:00
// TokenPolicies and IdentityPolicies break down the list in Policies to
2018-09-18 03:03:00 +00:00
// help determine where a policy was sourced
repeated string token_policies = 14;
repeated string identity_policies = 15;
// Explicit maximum lifetime for the token. Unlike normal TTLs, the maximum
// TTL is a hard limit and cannot be exceeded, also counts for periodic tokens.
int64 explicit_max_ttl = 16;
2018-10-15 16:56:24 +00:00
// TokenType is the type of token being requested
uint32 token_type = 17;
// Whether the default policy should be added automatically by core
bool no_default_policy = 18;
2018-09-18 03:03:00 +00:00
}
message TokenEntry {
string id = 1;
string accessor = 2;
string parent = 3;
repeated string policies = 4;
string path = 5;
map<string, string> meta = 6;
string display_name = 7;
int64 num_uses = 8;
int64 creation_time = 9;
int64 ttl = 10;
int64 explicit_max_ttl = 11;
string role = 12;
int64 period = 13;
string entity_id = 14;
repeated string bound_cidrs = 15;
string namespace_id = 16;
string cubbyhole_id = 17;
2018-10-15 16:56:24 +00:00
uint32 type = 18;
map<string, string> internal_meta = 19;
string inline_policy = 20;
bool no_identity_policies = 21;
string external_id = 22;
}
message LeaseOptions {
int64 TTL = 1;
Add remote_port in the audit logs when it is available (#12790) * Add remote_port in the audit logs when it is available The `request.remote_port` field is now present in the audit log when it is available: ``` { "time": "2021-10-10T13:53:51.760039Z", "type": "response", "auth": { "client_token": "hmac-sha256:1304aab0ac65747684e1b58248cc16715fa8f558f8d27e90fcbcb213220c0edf", "accessor": "hmac-sha256:f8cf0601dadd19aac84f205ded44c62898e3746a42108a51105a92ccc39baa43", "display_name": "root", "policies": [ "root" ], "token_policies": [ "root" ], "token_type": "service", "token_issue_time": "2021-10-10T15:53:44+02:00" }, "request": { "id": "829c04a1-0352-2d9d-9bc9-00b928d33df5", "operation": "update", "mount_type": "system", "client_token": "hmac-sha256:1304aab0ac65747684e1b58248cc16715fa8f558f8d27e90fcbcb213220c0edf", "client_token_accessor": "hmac-sha256:f8cf0601dadd19aac84f205ded44c62898e3746a42108a51105a92ccc39baa43", "namespace": { "id": "root" }, "path": "sys/audit/file", "data": { "description": "hmac-sha256:321a1d105f8c6fd62be4f34c4da4f0e6d1cdee9eb2ff4af0b59e1410950fe86b", "local": false, "options": { "file_path": "hmac-sha256:2421b5bf8dab1f9775b2e6e66e58d7bca99ab729f3f311782fda50717eee55b3" }, "type": "hmac-sha256:30dff9607b4087e3ae6808b4a3aa395b1fc064e467748c55c25ddf0e9b150fcc" }, "remote_address": "127.0.0.1", "remote_port": 54798 }, "response": { "mount_type": "system" } } ``` Closes https://github.com/hashicorp/vault/issues/7716 * Add changelog entry * Empty commit to trigger CI * Add test and explicit error handling * Change temporary file pattern in test
2022-01-26 23:47:15 +00:00
bool renewable = 2;
int64 increment = 3;
google.protobuf.Timestamp issue_time = 4;
int64 MaxTTL = 5;
}
message Secret {
LeaseOptions lease_options = 1;
// InternalData is a JSON object that is stored with the secret.
// This will be sent back during a Renew/Revoke for storing internal data
// used for those operations.
string internal_data = 2;
// LeaseID is the ID returned to the user to manage this secret.
// This is generated by Vault core. Any set value will be ignored.
// For requests, this will always be blank.
string lease_id = 3;
}
message Response {
// Secret, if not nil, denotes that this response represents a secret.
Secret secret = 1;
// Auth, if not nil, contains the authentication information for
// this response. This is only checked and means something for
// credential backends.
Auth auth = 2;
// Response data is a JSON object that must have string keys. For
// secrets, this data is sent down to the user as-is. To store internal
// data that you don't want the user to see, store it in
// Secret.InternalData.
string data = 3;
// Redirect is an HTTP URL to redirect to for further authentication.
// This is only valid for credential backends. This will be blanked
// for any logical backend and ignored.
string redirect = 4;
// Warnings allow operations or backends to return warnings in response
// to user actions without failing the action outright.
repeated string warnings = 5;
// Information for wrapping the response in a cubbyhole
ResponseWrapInfo wrap_info = 6;
2019-02-05 21:02:15 +00:00
// Headers will contain the http headers from the response. This value will
// be used in the audit broker to ensure we are auditing only the allowed
// headers.
map<string, Header> headers = 7;
}
message ResponseWrapInfo {
// Setting to non-zero specifies that the response should be wrapped.
// Specifies the desired TTL of the wrapping token.
int64 TTL = 1;
// The token containing the wrapped response
string token = 2;
// The token accessor for the wrapped response token
string accessor = 3;
// The creation time. This can be used with the TTL to figure out an
// expected expiration.
google.protobuf.Timestamp creation_time = 4;
// If the contained response is the output of a token creation call, the
// created token's accessor will be accessible here
string wrapped_accessor = 5;
// WrappedEntityID is the entity identifier of the caller who initiated the
// wrapping request
string wrapped_entity_id = 6;
// The format to use. This doesn't get returned, it's only internal.
string format = 7;
// CreationPath is the original request path that was used to create
// the wrapped response.
string creation_path = 8;
// Controls seal wrapping behavior downstream for specific use cases
bool seal_wrap = 9;
}
message RequestWrapInfo {
// Setting to non-zero specifies that the response should be wrapped.
// Specifies the desired TTL of the wrapping token.
int64 TTL = 1;
// The format to use for the wrapped response; if not specified it's a bare
// token
string format = 2;
// A flag to conforming backends that data for a given request should be
// seal wrapped
bool seal_wrap = 3;
}
// HandleRequestArgs is the args for HandleRequest method.
message HandleRequestArgs {
uint32 storage_id = 1;
Request request = 2;
}
// HandleRequestReply is the reply for HandleRequest method.
message HandleRequestReply {
Response response = 1;
ProtoError err = 2;
}
AWS upgrade role entries (#7025) * upgrade aws roles * test upgrade aws roles * Initialize aws credential backend at mount time * add a TODO * create end-to-end test for builtin/credential/aws * fix bug in initializer * improve comments * add Initialize() to logical.Backend * use Initialize() in Core.enableCredentialInternal() * use InitializeRequest to call Initialize() * improve unit testing for framework.Backend * call logical.Backend.Initialize() from all of the places that it needs to be called. * implement backend.proto changes for logical.Backend.Initialize() * persist current role storage version when upgrading aws roles * format comments correctly * improve comments * use postUnseal funcs to initialize backends * simplify test suite * improve test suite * simplify logic in aws role upgrade * simplify aws credential initialization logic * simplify logic in aws role upgrade * use the core's activeContext for initialization * refactor builtin/plugin/Backend * use a goroutine to upgrade the aws roles * misc improvements and cleanup * do not run AWS role upgrade on DR Secondary * always call logical.Backend.Initialize() when loading a plugin. * improve comments * on standbys and DR secondaries we do not want to run any kind of upgrade logic * fix awsVersion struct * clarify aws version upgrade * make the upgrade logic for aws auth more explicit * aws upgrade is now called from a switch * fix fallthrough bug * simplify logic * simplify logic * rename things * introduce currentAwsVersion const to track aws version * improve comments * rearrange things once more * conglomerate things into one function * stub out aws auth initialize e2e test * improve aws auth initialize e2e test * finish aws auth initialize e2e test * tinker with aws auth initialize e2e test * tinker with aws auth initialize e2e test * tinker with aws auth initialize e2e test * fix typo in test suite * simplify logic a tad * rearrange assignment * Fix a few lifecycle related issues in #7025 (#7075) * Fix panic when plugin fails to load
2019-07-05 23:55:40 +00:00
// InitializeArgs is the args for Initialize method.
message InitializeArgs {
}
// InitializeReply is the reply for Initialize method.
message InitializeReply {
ProtoError err = 1;
}
// SpecialPathsReply is the reply for SpecialPaths method.
message SpecialPathsReply {
Paths paths = 1;
}
// HandleExistenceCheckArgs is the args for HandleExistenceCheck method.
message HandleExistenceCheckArgs {
uint32 storage_id = 1;
Request request = 2;
}
// HandleExistenceCheckReply is the reply for HandleExistenceCheck method.
message HandleExistenceCheckReply {
bool check_found = 1;
bool exists = 2;
ProtoError err = 3;
}
// SetupArgs is the args for Setup method.
message SetupArgs {
Add remote_port in the audit logs when it is available (#12790) * Add remote_port in the audit logs when it is available The `request.remote_port` field is now present in the audit log when it is available: ``` { "time": "2021-10-10T13:53:51.760039Z", "type": "response", "auth": { "client_token": "hmac-sha256:1304aab0ac65747684e1b58248cc16715fa8f558f8d27e90fcbcb213220c0edf", "accessor": "hmac-sha256:f8cf0601dadd19aac84f205ded44c62898e3746a42108a51105a92ccc39baa43", "display_name": "root", "policies": [ "root" ], "token_policies": [ "root" ], "token_type": "service", "token_issue_time": "2021-10-10T15:53:44+02:00" }, "request": { "id": "829c04a1-0352-2d9d-9bc9-00b928d33df5", "operation": "update", "mount_type": "system", "client_token": "hmac-sha256:1304aab0ac65747684e1b58248cc16715fa8f558f8d27e90fcbcb213220c0edf", "client_token_accessor": "hmac-sha256:f8cf0601dadd19aac84f205ded44c62898e3746a42108a51105a92ccc39baa43", "namespace": { "id": "root" }, "path": "sys/audit/file", "data": { "description": "hmac-sha256:321a1d105f8c6fd62be4f34c4da4f0e6d1cdee9eb2ff4af0b59e1410950fe86b", "local": false, "options": { "file_path": "hmac-sha256:2421b5bf8dab1f9775b2e6e66e58d7bca99ab729f3f311782fda50717eee55b3" }, "type": "hmac-sha256:30dff9607b4087e3ae6808b4a3aa395b1fc064e467748c55c25ddf0e9b150fcc" }, "remote_address": "127.0.0.1", "remote_port": 54798 }, "response": { "mount_type": "system" } } ``` Closes https://github.com/hashicorp/vault/issues/7716 * Add changelog entry * Empty commit to trigger CI * Add test and explicit error handling * Change temporary file pattern in test
2022-01-26 23:47:15 +00:00
uint32 broker_id = 1;
map<string, string> Config = 2;
string backendUUID = 3;
}
// SetupReply is the reply for Setup method.
message SetupReply {
string err = 1;
}
// TypeReply is the reply for the Type method.
message TypeReply {
uint32 type = 1;
}
message InvalidateKeyArgs {
string key = 1;
}
// Backend is the interface that plugins must satisfy. The plugin should
// implement the server for this service. Requests will first run the
2018-03-20 18:54:10 +00:00
// HandleExistenceCheck rpc then run the HandleRequests rpc.
service Backend {
// HandleRequest is used to handle a request and generate a response.
// The plugins must check the operation type and handle appropriately.
rpc HandleRequest(HandleRequestArgs) returns (HandleRequestReply);
// SpecialPaths is a list of paths that are special in some way.
// See PathType for the types of special paths. The key is the type
// of the special path, and the value is a list of paths for this type.
// This is not a regular expression but is an exact match. If the path
// ends in '*' then it is a prefix-based match. The '*' can only appear
// at the end.
rpc SpecialPaths(Empty) returns (SpecialPathsReply);
// HandleExistenceCheck is used to handle a request and generate a response
// indicating whether the given path exists or not; this is used to
// understand whether the request must have a Create or Update capability
// ACL applied. The first bool indicates whether an existence check
// function was found for the backend; the second indicates whether, if an
// existence check function was found, the item exists or not.
rpc HandleExistenceCheck(HandleExistenceCheckArgs) returns (HandleExistenceCheckReply);
// Cleanup is invoked during an unmount of a backend to allow it to
// handle any cleanup like connection closing or releasing of file handles.
// Cleanup is called right before Vault closes the plugin process.
rpc Cleanup(Empty) returns (Empty);
// InvalidateKey may be invoked when an object is modified that belongs
// to the backend. The backend can use this to clear any caches or reset
// internal state as needed.
rpc InvalidateKey(InvalidateKeyArgs) returns (Empty);
// Setup is used to set up the backend based on the provided backend
// configuration. The plugin's setup implementation should use the provided
// broker_id to create a connection back to Vault for use with the Storage
// and SystemView clients.
rpc Setup(SetupArgs) returns (SetupReply);
AWS upgrade role entries (#7025) * upgrade aws roles * test upgrade aws roles * Initialize aws credential backend at mount time * add a TODO * create end-to-end test for builtin/credential/aws * fix bug in initializer * improve comments * add Initialize() to logical.Backend * use Initialize() in Core.enableCredentialInternal() * use InitializeRequest to call Initialize() * improve unit testing for framework.Backend * call logical.Backend.Initialize() from all of the places that it needs to be called. * implement backend.proto changes for logical.Backend.Initialize() * persist current role storage version when upgrading aws roles * format comments correctly * improve comments * use postUnseal funcs to initialize backends * simplify test suite * improve test suite * simplify logic in aws role upgrade * simplify aws credential initialization logic * simplify logic in aws role upgrade * use the core's activeContext for initialization * refactor builtin/plugin/Backend * use a goroutine to upgrade the aws roles * misc improvements and cleanup * do not run AWS role upgrade on DR Secondary * always call logical.Backend.Initialize() when loading a plugin. * improve comments * on standbys and DR secondaries we do not want to run any kind of upgrade logic * fix awsVersion struct * clarify aws version upgrade * make the upgrade logic for aws auth more explicit * aws upgrade is now called from a switch * fix fallthrough bug * simplify logic * simplify logic * rename things * introduce currentAwsVersion const to track aws version * improve comments * rearrange things once more * conglomerate things into one function * stub out aws auth initialize e2e test * improve aws auth initialize e2e test * finish aws auth initialize e2e test * tinker with aws auth initialize e2e test * tinker with aws auth initialize e2e test * tinker with aws auth initialize e2e test * fix typo in test suite * simplify logic a tad * rearrange assignment * Fix a few lifecycle related issues in #7025 (#7075) * Fix panic when plugin fails to load
2019-07-05 23:55:40 +00:00
// Initialize is invoked just after mounting a backend to allow it to
// handle any initialization tasks that need to be performed.
rpc Initialize(InitializeArgs) returns (InitializeReply);
// Type returns the BackendType for the particular backend
rpc Type(Empty) returns (TypeReply);
}
message StorageEntry {
string key = 1;
bytes value = 2;
bool seal_wrap = 3;
}
message StorageListArgs {
string prefix = 1;
}
message StorageListReply {
repeated string keys = 1;
string err = 2;
}
message StorageGetArgs {
string key = 1;
}
message StorageGetReply {
StorageEntry entry = 1;
string err = 2;
}
message StoragePutArgs {
StorageEntry entry = 1;
}
message StoragePutReply {
string err = 1;
}
message StorageDeleteArgs {
string key = 1;
}
message StorageDeleteReply {
string err = 1;
}
// Storage is the way that plugins are able read/write data. Plugins should
// implement the client for this service.
service Storage {
rpc List(StorageListArgs) returns (StorageListReply);
rpc Get(StorageGetArgs) returns (StorageGetReply);
rpc Put(StoragePutArgs) returns (StoragePutReply);
rpc Delete(StorageDeleteArgs) returns (StorageDeleteReply);
}
message TTLReply {
int64 TTL = 1;
}
message TaintedReply {
bool tainted = 1;
}
message CachingDisabledReply {
bool disabled = 1;
}
message ReplicationStateReply {
int32 state = 1;
}
message ResponseWrapDataArgs {
string data = 1;
int64 TTL = 2;
bool JWT = 3;
}
message ResponseWrapDataReply {
ResponseWrapInfo wrap_info = 1;
string err = 2;
}
message MlockEnabledReply {
bool enabled = 1;
}
message LocalMountReply {
bool local = 1;
}
message EntityInfoArgs {
string entity_id = 1;
}
message EntityInfoReply {
logical.Entity entity = 1;
string err = 2;
}
message GroupsForEntityReply {
repeated logical.Group groups = 1;
string err = 2;
}
2018-08-03 16:32:17 +00:00
message PluginEnvReply {
logical.PluginEnvironment plugin_environment = 1;
string err = 2;
}
message GeneratePasswordFromPolicyRequest {
string policy_name = 1;
}
message GeneratePasswordFromPolicyReply {
string password = 1;
}
Add path based primary write forwarding (PBPWF) - OSS (#18735) * Add WriteForwardedStorage to sdk's plugin, logical in OSS This should allow backends to specify paths to forward write (storage.Put(...) and storage.Delete(...)) operations for. Notably, these semantics are subject to change and shouldn't yet be relied on. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Collect paths for write forwarding in OSS This adds a path manager to Core, allowing tracking across all Vault versions of paths which could use write forwarding if available. In particular, even on OSS offerings, we'll need to template {{clusterId}} into the paths, in the event of later upgrading to Enterprise. If we didn't, we'd end up writing paths which will no longer be accessible post-migration, due to write forwarding now replacing the sentinel with the actual cluster identifier. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add forwarded writer implementation to OSS Here, for paths given to us, we determine if we need to do cluster translation and perform local writing. This is the OSS variant. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Wire up mount-specific request forwarding in OSS Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Clarify that state lock needs to be held to call HAState in OSS Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Move cluster sentinel constant to sdk/logical Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Expose ClusterID to Plugins via SystemView This will let plugins learn what the Cluster's ID is, without having to resort to hacks like writing a random string to its cluster-prefixed namespace and then reading it once it has replicated. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add GRPC ClusterID implementation For any external plugins which wish to use it. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-01-20 21:36:18 +00:00
message ClusterInfoReply {
string cluster_name = 1;
string cluster_id = 2;
string err = 3;
}
// SystemView exposes system configuration information in a safe way for plugins
// to consume. Plugins should implement the client for this service.
service SystemView {
// DefaultLeaseTTL returns the default lease TTL set in Vault configuration
rpc DefaultLeaseTTL(Empty) returns (TTLReply);
// MaxLeaseTTL returns the max lease TTL set in Vault configuration; backend
// authors should take care not to issue credentials that last longer than
// this value, as Vault will revoke them
rpc MaxLeaseTTL(Empty) returns (TTLReply);
// Tainted, returns true if the mount is tainted. A mount is tainted if it is in the
// process of being unmounted. This should only be used in special
// circumstances; a primary use-case is as a guard in revocation functions.
// If revocation of a backend's leases fails it can keep the unmounting
// process from being successful. If the reason for this failure is not
// relevant when the mount is tainted (for instance, saving a CRL to disk
// when the stored CRL will be removed during the unmounting process
// anyways), we can ignore the errors to allow unmounting to complete.
rpc Tainted(Empty) returns (TaintedReply);
// CachingDisabled returns true if caching is disabled. If true, no caches
// should be used, despite known slowdowns.
rpc CachingDisabled(Empty) returns (CachingDisabledReply);
// ReplicationState indicates the state of cluster replication
rpc ReplicationState(Empty) returns (ReplicationStateReply);
// ResponseWrapData wraps the given data in a cubbyhole and returns the
// token used to unwrap.
rpc ResponseWrapData(ResponseWrapDataArgs) returns (ResponseWrapDataReply);
// MlockEnabled returns the configuration setting for enabling mlock on
// plugins.
rpc MlockEnabled(Empty) returns (MlockEnabledReply);
// LocalMount, when run from a system view attached to a request, indicates
// whether the request is affecting a local mount or not
rpc LocalMount(Empty) returns (LocalMountReply);
// EntityInfo returns the basic entity information for the given entity id
rpc EntityInfo(EntityInfoArgs) returns (EntityInfoReply);
2018-08-03 16:32:17 +00:00
// PluginEnv returns Vault environment information used by plugins
rpc PluginEnv(Empty) returns (PluginEnvReply);
// GroupsForEntity returns the group membership information for the given
// entity id
rpc GroupsForEntity(EntityInfoArgs) returns (GroupsForEntityReply);
// GeneratePasswordFromPolicy generates a password from an existing password policy
rpc GeneratePasswordFromPolicy(GeneratePasswordFromPolicyRequest) returns (GeneratePasswordFromPolicyReply);
Add path based primary write forwarding (PBPWF) - OSS (#18735) * Add WriteForwardedStorage to sdk's plugin, logical in OSS This should allow backends to specify paths to forward write (storage.Put(...) and storage.Delete(...)) operations for. Notably, these semantics are subject to change and shouldn't yet be relied on. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Collect paths for write forwarding in OSS This adds a path manager to Core, allowing tracking across all Vault versions of paths which could use write forwarding if available. In particular, even on OSS offerings, we'll need to template {{clusterId}} into the paths, in the event of later upgrading to Enterprise. If we didn't, we'd end up writing paths which will no longer be accessible post-migration, due to write forwarding now replacing the sentinel with the actual cluster identifier. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add forwarded writer implementation to OSS Here, for paths given to us, we determine if we need to do cluster translation and perform local writing. This is the OSS variant. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Wire up mount-specific request forwarding in OSS Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Clarify that state lock needs to be held to call HAState in OSS Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Move cluster sentinel constant to sdk/logical Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Expose ClusterID to Plugins via SystemView This will let plugins learn what the Cluster's ID is, without having to resort to hacks like writing a random string to its cluster-prefixed namespace and then reading it once it has replicated. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add GRPC ClusterID implementation For any external plugins which wish to use it. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-01-20 21:36:18 +00:00
// ClusterInfo returns the ClusterID information; may be reused if ClusterName is also exposed.
rpc ClusterInfo(Empty) returns (ClusterInfoReply);
}
message Connection {
// RemoteAddr is the network address that sent the request.
string remote_addr = 1;
Add remote_port in the audit logs when it is available (#12790) * Add remote_port in the audit logs when it is available The `request.remote_port` field is now present in the audit log when it is available: ``` { "time": "2021-10-10T13:53:51.760039Z", "type": "response", "auth": { "client_token": "hmac-sha256:1304aab0ac65747684e1b58248cc16715fa8f558f8d27e90fcbcb213220c0edf", "accessor": "hmac-sha256:f8cf0601dadd19aac84f205ded44c62898e3746a42108a51105a92ccc39baa43", "display_name": "root", "policies": [ "root" ], "token_policies": [ "root" ], "token_type": "service", "token_issue_time": "2021-10-10T15:53:44+02:00" }, "request": { "id": "829c04a1-0352-2d9d-9bc9-00b928d33df5", "operation": "update", "mount_type": "system", "client_token": "hmac-sha256:1304aab0ac65747684e1b58248cc16715fa8f558f8d27e90fcbcb213220c0edf", "client_token_accessor": "hmac-sha256:f8cf0601dadd19aac84f205ded44c62898e3746a42108a51105a92ccc39baa43", "namespace": { "id": "root" }, "path": "sys/audit/file", "data": { "description": "hmac-sha256:321a1d105f8c6fd62be4f34c4da4f0e6d1cdee9eb2ff4af0b59e1410950fe86b", "local": false, "options": { "file_path": "hmac-sha256:2421b5bf8dab1f9775b2e6e66e58d7bca99ab729f3f311782fda50717eee55b3" }, "type": "hmac-sha256:30dff9607b4087e3ae6808b4a3aa395b1fc064e467748c55c25ddf0e9b150fcc" }, "remote_address": "127.0.0.1", "remote_port": 54798 }, "response": { "mount_type": "system" } } ``` Closes https://github.com/hashicorp/vault/issues/7716 * Add changelog entry * Empty commit to trigger CI * Add test and explicit error handling * Change temporary file pattern in test
2022-01-26 23:47:15 +00:00
// RemotePort is the network port that sent the request.
int32 remote_port = 3;
// ConnectionState is the marshalled tls.ConnectionState from the original
// request
ConnectionState connection_state = 2;
}
message ConnectionState {
uint32 version = 1;
bool handshake_complete = 2;
bool did_resume = 3;
uint32 cipher_suite = 4;
string negotiated_protocol = 5;
bool negotiated_protocol_is_mutual = 6;
string server_name = 7;
CertificateChain peer_certificates = 8;
repeated CertificateChain verified_chains = 9;
repeated bytes signed_certificate_timestamps = 10;
bytes ocsp_response = 11;
bytes tls_unique = 12;
}
message Certificate {
bytes asn1_data = 1;
}
message CertificateChain {
repeated Certificate certificates = 1;
}
message SendEventRequest {
string event_type = 1;
logical.EventData event = 2;
}
service Events {
rpc SendEvent(SendEventRequest) returns (Empty);
}