open-vault/command/commands.go

801 lines
24 KiB
Go
Raw Normal View History

2017-09-05 04:05:53 +00:00
package command
import (
"os"
"os/signal"
"syscall"
"github.com/hashicorp/vault/audit"
2018-11-07 01:21:24 +00:00
"github.com/hashicorp/vault/builtin/plugin"
"github.com/hashicorp/vault/sdk/logical"
"github.com/hashicorp/vault/sdk/physical"
"github.com/hashicorp/vault/sdk/version"
2017-09-05 04:05:53 +00:00
"github.com/mitchellh/cli"
2018-11-07 01:21:24 +00:00
/*
The builtinplugins package is initialized here because it, in turn,
initializes the database plugins.
They register multiple database drivers for the "database/sql" package.
*/
_ "github.com/hashicorp/vault/helper/builtinplugins"
2017-09-05 04:05:53 +00:00
auditFile "github.com/hashicorp/vault/builtin/audit/file"
auditSocket "github.com/hashicorp/vault/builtin/audit/socket"
auditSyslog "github.com/hashicorp/vault/builtin/audit/syslog"
credAliCloud "github.com/hashicorp/vault-plugin-auth-alicloud"
2018-01-19 11:03:33 +00:00
credCentrify "github.com/hashicorp/vault-plugin-auth-centrify"
credCF "github.com/hashicorp/vault-plugin-auth-cf"
credGcp "github.com/hashicorp/vault-plugin-auth-gcp/plugin"
credOIDC "github.com/hashicorp/vault-plugin-auth-jwt"
credKerb "github.com/hashicorp/vault-plugin-auth-kerberos"
2019-09-04 23:46:00 +00:00
credOCI "github.com/hashicorp/vault-plugin-auth-oci"
2017-09-05 04:05:53 +00:00
credAws "github.com/hashicorp/vault/builtin/credential/aws"
credCert "github.com/hashicorp/vault/builtin/credential/cert"
credGitHub "github.com/hashicorp/vault/builtin/credential/github"
credLdap "github.com/hashicorp/vault/builtin/credential/ldap"
credOkta "github.com/hashicorp/vault/builtin/credential/okta"
credToken "github.com/hashicorp/vault/builtin/credential/token"
credUserpass "github.com/hashicorp/vault/builtin/credential/userpass"
2018-11-07 01:21:24 +00:00
logicalKv "github.com/hashicorp/vault-plugin-secrets-kv"
logicalDb "github.com/hashicorp/vault/builtin/logical/database"
physAerospike "github.com/hashicorp/vault/physical/aerospike"
2018-08-13 21:03:24 +00:00
physAliCloudOSS "github.com/hashicorp/vault/physical/alicloudoss"
2017-09-05 04:05:53 +00:00
physAzure "github.com/hashicorp/vault/physical/azure"
physCassandra "github.com/hashicorp/vault/physical/cassandra"
physCockroachDB "github.com/hashicorp/vault/physical/cockroachdb"
physConsul "github.com/hashicorp/vault/physical/consul"
physCouchDB "github.com/hashicorp/vault/physical/couchdb"
physDynamoDB "github.com/hashicorp/vault/physical/dynamodb"
physEtcd "github.com/hashicorp/vault/physical/etcd"
2018-07-16 14:18:09 +00:00
physFoundationDB "github.com/hashicorp/vault/physical/foundationdb"
2017-09-05 04:05:53 +00:00
physGCS "github.com/hashicorp/vault/physical/gcs"
physManta "github.com/hashicorp/vault/physical/manta"
2017-09-05 04:05:53 +00:00
physMSSQL "github.com/hashicorp/vault/physical/mssql"
physMySQL "github.com/hashicorp/vault/physical/mysql"
physOCI "github.com/hashicorp/vault/physical/oci"
2017-09-05 04:05:53 +00:00
physPostgreSQL "github.com/hashicorp/vault/physical/postgresql"
Raft Storage Backend (#6888) * Work on raft backend * Add logstore locally * Add encryptor and unsealable interfaces * Add clustering support to raft * Remove client and handler * Bootstrap raft on init * Cleanup raft logic a bit * More raft work * Work on TLS config * More work on bootstrapping * Fix build * More work on bootstrapping * More bootstrapping work * fix build * Remove consul dep * Fix build * merged oss/master into raft-storage * Work on bootstrapping * Get bootstrapping to work * Clean up FMS and node-id * Update local node ID logic * Cleanup node-id change * Work on snapshotting * Raft: Add remove peer API (#906) * Add remove peer API * Add some comments * Fix existing snapshotting (#909) * Raft get peers API (#912) * Read raft configuration * address review feedback * Use the Leadership Transfer API to step-down the active node (#918) * Raft join and unseal using Shamir keys (#917) * Raft join using shamir * Store AEAD instead of master key * Split the raft join process to answer the challenge after a successful unseal * get the follower to standby state * Make unseal work * minor changes * Some input checks * reuse the shamir seal access instead of new default seal access * refactor joinRaftSendAnswer function * Synchronously send answer in auto-unseal case * Address review feedback * Raft snapshots (#910) * Fix existing snapshotting * implement the noop snapshotting * Add comments and switch log libraries * add some snapshot tests * add snapshot test file * add TODO * More work on raft snapshotting * progress on the ConfigStore strategy * Don't use two buckets * Update the snapshot store logic to hide the file logic * Add more backend tests * Cleanup code a bit * [WIP] Raft recovery (#938) * Add recovery functionality * remove fmt.Printfs * Fix a few fsm bugs * Add max size value for raft backend (#942) * Add max size value for raft backend * Include physical.ErrValueTooLarge in the message * Raft snapshot Take/Restore API (#926) * Inital work on raft snapshot APIs * Always redirect snapshot install/download requests * More work on the snapshot APIs * Cleanup code a bit * On restore handle special cases * Use the seal to encrypt the sha sum file * Add sealer mechanism and fix some bugs * Call restore while state lock is held * Send restore cb trigger through raft log * Make error messages nicer * Add test helpers * Add snapshot test * Add shamir unseal test * Add more raft snapshot API tests * Fix locking * Change working to initalize * Add underlying raw object to test cluster core * Move leaderUUID to core * Add raft TLS rotation logic (#950) * Add TLS rotation logic * Cleanup logic a bit * Add/Remove from follower state on add/remove peer * add comments * Update more comments * Update request_forwarding_service.proto * Make sure we populate all nodes in the followerstate obj * Update times * Apply review feedback * Add more raft config setting (#947) * Add performance config setting * Add more config options and fix tests * Test Raft Recovery (#944) * Test raft recovery * Leave out a node during recovery * remove unused struct * Update physical/raft/snapshot_test.go * Update physical/raft/snapshot_test.go * fix vendoring * Switch to new raft interface * Remove unused files * Switch a gogo -> proto instance * Remove unneeded vault dep in go.sum * Update helper/testhelpers/testhelpers.go Co-Authored-By: Calvin Leung Huang <cleung2010@gmail.com> * Update vault/cluster/cluster.go * track active key within the keyring itself (#6915) * track active key within the keyring itself * lookup and store using the active key ID * update docstring * minor refactor * Small text fixes (#6912) * Update physical/raft/raft.go Co-Authored-By: Calvin Leung Huang <cleung2010@gmail.com> * review feedback * Move raft logical system into separate file * Update help text a bit * Enforce cluster addr is set and use it for raft bootstrapping * Fix tests * fix http test panic * Pull in latest raft-snapshot library * Add comment
2019-06-20 19:14:58 +00:00
physRaft "github.com/hashicorp/vault/physical/raft"
2017-09-05 04:05:53 +00:00
physS3 "github.com/hashicorp/vault/physical/s3"
physSpanner "github.com/hashicorp/vault/physical/spanner"
2017-09-05 04:05:53 +00:00
physSwift "github.com/hashicorp/vault/physical/swift"
physZooKeeper "github.com/hashicorp/vault/physical/zookeeper"
2019-04-15 18:51:33 +00:00
physFile "github.com/hashicorp/vault/sdk/physical/file"
physInmem "github.com/hashicorp/vault/sdk/physical/inmem"
sr "github.com/hashicorp/vault/serviceregistration"
csr "github.com/hashicorp/vault/serviceregistration/consul"
ksr "github.com/hashicorp/vault/serviceregistration/kubernetes"
2017-09-05 04:05:53 +00:00
)
CLI Enhancements (#3897) * Use Colored UI if stdout is a tty * Add format options to operator unseal * Add format test on operator unseal * Add -no-color output flag, and use BasicUi if no-color flag is provided * Move seal status formatting logic to OutputSealStatus * Apply no-color to warnings from DeprecatedCommands as well * Add OutputWithFormat to support arbitrary data, add format option to auth list * Add ability to output arbitrary list data on TableFormatter * Clear up switch logic on format * Add format option for list-related commands * Add format option to rest of commands that returns a client API response * Remove initOutputYAML and initOutputJSON, and use OutputWithFormat instead * Remove outputAsYAML and outputAsJSON, and use OutputWithFormat instead * Remove -no-color flag, use env var exclusively to toggle colored output * Fix compile * Remove -no-color flag in main.go * Add missing FlagSetOutputFormat * Fix generate-root/decode test * Migrate init functions to main.go * Add no-color flag back as hidden * Handle non-supported data types for TableFormatter.OutputList * Pull formatting much further up to remove the need to use c.flagFormat (#3950) * Pull formatting much further up to remove the need to use c.flagFormat Also remove OutputWithFormat as the logic can cause issues. * Use const for env var * Minor updates * Remove unnecessary check * Fix SSH output and some tests * Fix tests * Make race detector not run on generate root since it kills Travis these days * Update docs * Update docs * Address review feedback * Handle --format as well as -format
2018-02-12 23:12:16 +00:00
const (
// EnvVaultCLINoColor is an env var that toggles colored UI output.
EnvVaultCLINoColor = `VAULT_CLI_NO_COLOR`
// EnvVaultFormat is the output format
EnvVaultFormat = `VAULT_FORMAT`
// EnvVaultLicense is an env var used in Vault Enterprise to provide a license blob
EnvVaultLicense = "VAULT_LICENSE"
// EnvVaultLicensePath is an env var used in Vault Enterprise to provide a
// path to a license file on disk
EnvVaultLicensePath = "VAULT_LICENSE_PATH"
// DisableSSCTokens is an env var used to disable index bearing
// token functionality
DisableSSCTokens = "VAULT_DISABLE_SERVER_SIDE_CONSISTENT_TOKENS"
// flagNameAddress is the flag used in the base command to read in the
// address of the Vault server.
flagNameAddress = "address"
// flagnameCACert is the flag used in the base command to read in the CA
// cert.
flagNameCACert = "ca-cert"
// flagnameCAPath is the flag used in the base command to read in the CA
// cert path.
flagNameCAPath = "ca-path"
// flagNameClientCert is the flag used in the base command to read in the
// client key
flagNameClientKey = "client-key"
// flagNameClientCert is the flag used in the base command to read in the
// client cert
flagNameClientCert = "client-cert"
// flagNameTLSSkipVerify is the flag used in the base command to read in
// the option to ignore TLS certificate verification.
flagNameTLSSkipVerify = "tls-skip-verify"
// flagTLSServerName is the flag used in the base command to read in
// the TLS server name.
flagTLSServerName = "tls-server-name"
// flagNameAuditNonHMACRequestKeys is the flag name used for auth/secrets enable
flagNameAuditNonHMACRequestKeys = "audit-non-hmac-request-keys"
// flagNameAuditNonHMACResponseKeys is the flag name used for auth/secrets enable
flagNameAuditNonHMACResponseKeys = "audit-non-hmac-response-keys"
// flagNameDescription is the flag name used for tuning the secret and auth mount description parameter
flagNameDescription = "description"
// flagListingVisibility is the flag to toggle whether to show the mount in the UI-specific listing endpoint
flagNameListingVisibility = "listing-visibility"
// flagNamePassthroughRequestHeaders is the flag name used to set passthrough request headers to the backend
flagNamePassthroughRequestHeaders = "passthrough-request-headers"
2019-02-05 21:02:15 +00:00
// flagNameAllowedResponseHeaders is used to set allowed response headers from a plugin
flagNameAllowedResponseHeaders = "allowed-response-headers"
2018-10-15 16:56:24 +00:00
// flagNameTokenType is the flag name used to force a specific token type
flagNameTokenType = "token-type"
// flagNameAllowedManagedKeys is the flag name used for auth/secrets enable
flagNameAllowedManagedKeys = "allowed-managed-keys"
CLI Enhancements (#3897) * Use Colored UI if stdout is a tty * Add format options to operator unseal * Add format test on operator unseal * Add -no-color output flag, and use BasicUi if no-color flag is provided * Move seal status formatting logic to OutputSealStatus * Apply no-color to warnings from DeprecatedCommands as well * Add OutputWithFormat to support arbitrary data, add format option to auth list * Add ability to output arbitrary list data on TableFormatter * Clear up switch logic on format * Add format option for list-related commands * Add format option to rest of commands that returns a client API response * Remove initOutputYAML and initOutputJSON, and use OutputWithFormat instead * Remove outputAsYAML and outputAsJSON, and use OutputWithFormat instead * Remove -no-color flag, use env var exclusively to toggle colored output * Fix compile * Remove -no-color flag in main.go * Add missing FlagSetOutputFormat * Fix generate-root/decode test * Migrate init functions to main.go * Add no-color flag back as hidden * Handle non-supported data types for TableFormatter.OutputList * Pull formatting much further up to remove the need to use c.flagFormat (#3950) * Pull formatting much further up to remove the need to use c.flagFormat Also remove OutputWithFormat as the logic can cause issues. * Use const for env var * Minor updates * Remove unnecessary check * Fix SSH output and some tests * Fix tests * Make race detector not run on generate root since it kills Travis these days * Update docs * Update docs * Address review feedback * Handle --format as well as -format
2018-02-12 23:12:16 +00:00
)
var (
auditBackends = map[string]audit.Factory{
"file": auditFile.Factory,
"socket": auditSocket.Factory,
"syslog": auditSyslog.Factory,
}
credentialBackends = map[string]logical.Factory{
2018-11-07 01:21:24 +00:00
"plugin": plugin.Factory,
}
logicalBackends = map[string]logical.Factory{
2018-11-07 01:21:24 +00:00
"plugin": plugin.Factory,
"database": logicalDb.Factory,
// This is also available in the plugin catalog, but is here due to the need to
// automatically mount it.
"kv": logicalKv.Factory,
}
physicalBackends = map[string]physical.Factory{
"aerospike": physAerospike.NewAerospikeBackend,
2018-08-13 21:03:24 +00:00
"alicloudoss": physAliCloudOSS.NewAliCloudOSSBackend,
"azure": physAzure.NewAzureBackend,
"cassandra": physCassandra.NewCassandraBackend,
"cockroachdb": physCockroachDB.NewCockroachDBBackend,
"consul": physConsul.NewConsulBackend,
"couchdb_transactional": physCouchDB.NewTransactionalCouchDBBackend,
"couchdb": physCouchDB.NewCouchDBBackend,
"dynamodb": physDynamoDB.NewDynamoDBBackend,
"etcd": physEtcd.NewEtcdBackend,
"file_transactional": physFile.NewTransactionalFileBackend,
"file": physFile.NewFileBackend,
2018-07-16 14:18:09 +00:00
"foundationdb": physFoundationDB.NewFDBBackend,
"gcs": physGCS.NewBackend,
"inmem_ha": physInmem.NewInmemHA,
"inmem_transactional_ha": physInmem.NewTransactionalInmemHA,
"inmem_transactional": physInmem.NewTransactionalInmem,
"inmem": physInmem.NewInmem,
2018-02-13 02:01:14 +00:00
"manta": physManta.NewMantaBackend,
"mssql": physMSSQL.NewMSSQLBackend,
"mysql": physMySQL.NewMySQLBackend,
"oci": physOCI.NewBackend,
"postgresql": physPostgreSQL.NewPostgreSQLBackend,
"s3": physS3.NewS3Backend,
"spanner": physSpanner.NewBackend,
"swift": physSwift.NewSwiftBackend,
Raft Storage Backend (#6888) * Work on raft backend * Add logstore locally * Add encryptor and unsealable interfaces * Add clustering support to raft * Remove client and handler * Bootstrap raft on init * Cleanup raft logic a bit * More raft work * Work on TLS config * More work on bootstrapping * Fix build * More work on bootstrapping * More bootstrapping work * fix build * Remove consul dep * Fix build * merged oss/master into raft-storage * Work on bootstrapping * Get bootstrapping to work * Clean up FMS and node-id * Update local node ID logic * Cleanup node-id change * Work on snapshotting * Raft: Add remove peer API (#906) * Add remove peer API * Add some comments * Fix existing snapshotting (#909) * Raft get peers API (#912) * Read raft configuration * address review feedback * Use the Leadership Transfer API to step-down the active node (#918) * Raft join and unseal using Shamir keys (#917) * Raft join using shamir * Store AEAD instead of master key * Split the raft join process to answer the challenge after a successful unseal * get the follower to standby state * Make unseal work * minor changes * Some input checks * reuse the shamir seal access instead of new default seal access * refactor joinRaftSendAnswer function * Synchronously send answer in auto-unseal case * Address review feedback * Raft snapshots (#910) * Fix existing snapshotting * implement the noop snapshotting * Add comments and switch log libraries * add some snapshot tests * add snapshot test file * add TODO * More work on raft snapshotting * progress on the ConfigStore strategy * Don't use two buckets * Update the snapshot store logic to hide the file logic * Add more backend tests * Cleanup code a bit * [WIP] Raft recovery (#938) * Add recovery functionality * remove fmt.Printfs * Fix a few fsm bugs * Add max size value for raft backend (#942) * Add max size value for raft backend * Include physical.ErrValueTooLarge in the message * Raft snapshot Take/Restore API (#926) * Inital work on raft snapshot APIs * Always redirect snapshot install/download requests * More work on the snapshot APIs * Cleanup code a bit * On restore handle special cases * Use the seal to encrypt the sha sum file * Add sealer mechanism and fix some bugs * Call restore while state lock is held * Send restore cb trigger through raft log * Make error messages nicer * Add test helpers * Add snapshot test * Add shamir unseal test * Add more raft snapshot API tests * Fix locking * Change working to initalize * Add underlying raw object to test cluster core * Move leaderUUID to core * Add raft TLS rotation logic (#950) * Add TLS rotation logic * Cleanup logic a bit * Add/Remove from follower state on add/remove peer * add comments * Update more comments * Update request_forwarding_service.proto * Make sure we populate all nodes in the followerstate obj * Update times * Apply review feedback * Add more raft config setting (#947) * Add performance config setting * Add more config options and fix tests * Test Raft Recovery (#944) * Test raft recovery * Leave out a node during recovery * remove unused struct * Update physical/raft/snapshot_test.go * Update physical/raft/snapshot_test.go * fix vendoring * Switch to new raft interface * Remove unused files * Switch a gogo -> proto instance * Remove unneeded vault dep in go.sum * Update helper/testhelpers/testhelpers.go Co-Authored-By: Calvin Leung Huang <cleung2010@gmail.com> * Update vault/cluster/cluster.go * track active key within the keyring itself (#6915) * track active key within the keyring itself * lookup and store using the active key ID * update docstring * minor refactor * Small text fixes (#6912) * Update physical/raft/raft.go Co-Authored-By: Calvin Leung Huang <cleung2010@gmail.com> * review feedback * Move raft logical system into separate file * Update help text a bit * Enforce cluster addr is set and use it for raft bootstrapping * Fix tests * fix http test panic * Pull in latest raft-snapshot library * Add comment
2019-06-20 19:14:58 +00:00
"raft": physRaft.NewRaftBackend,
"zookeeper": physZooKeeper.NewZooKeeperBackend,
}
serviceRegistrations = map[string]sr.Factory{
"consul": csr.NewServiceRegistration,
"kubernetes": ksr.NewServiceRegistration,
}
initCommandsEnt = func(ui, serverCmdUi cli.Ui, runOpts *RunOptions) {}
)
2017-09-05 04:05:53 +00:00
// Commands is the mapping of all the available commands.
var Commands map[string]cli.CommandFactory
func initCommands(ui, serverCmdUi cli.Ui, runOpts *RunOptions) {
loginHandlers := map[string]LoginHandler{
"alicloud": &credAliCloud.CLIHandler{},
2018-02-05 15:56:57 +00:00
"aws": &credAws.CLIHandler{},
"centrify": &credCentrify.CLIHandler{},
"cert": &credCert.CLIHandler{},
2019-09-04 23:46:00 +00:00
"cf": &credCF.CLIHandler{},
"gcp": &credGcp.CLIHandler{},
2018-02-05 15:56:57 +00:00
"github": &credGitHub.CLIHandler{},
"kerberos": &credKerb.CLIHandler{},
2018-02-05 15:56:57 +00:00
"ldap": &credLdap.CLIHandler{},
2019-09-04 23:46:00 +00:00
"oci": &credOCI.CLIHandler{},
"oidc": &credOIDC.CLIHandler{},
2018-02-05 15:56:57 +00:00
"okta": &credOkta.CLIHandler{},
"pcf": &credCF.CLIHandler{}, // Deprecated.
2017-09-05 04:05:53 +00:00
"radius": &credUserpass.CLIHandler{
DefaultMount: "radius",
},
"token": &credToken.CLIHandler{},
"userpass": &credUserpass.CLIHandler{
DefaultMount: "userpass",
},
}
getBaseCommand := func() *BaseCommand {
return &BaseCommand{
UI: ui,
tokenHelper: runOpts.TokenHelper,
flagAddress: runOpts.Address,
client: runOpts.Client,
}
}
2017-09-05 04:05:53 +00:00
Commands = map[string]cli.CommandFactory{
2018-07-25 02:02:27 +00:00
"agent": func() (cli.Command, error) {
return &AgentCommand{
BaseCommand: &BaseCommand{
UI: serverCmdUi,
},
ShutdownCh: MakeShutdownCh(),
}, nil
},
"audit": func() (cli.Command, error) {
return &AuditCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"audit disable": func() (cli.Command, error) {
2017-09-05 04:05:53 +00:00
return &AuditDisableCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"audit enable": func() (cli.Command, error) {
2017-09-05 04:05:53 +00:00
return &AuditEnableCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"audit list": func() (cli.Command, error) {
2017-09-05 04:05:53 +00:00
return &AuditListCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"auth tune": func() (cli.Command, error) {
return &AuthTuneCommand{
BaseCommand: getBaseCommand(),
}, nil
},
2017-09-05 04:05:53 +00:00
"auth": func() (cli.Command, error) {
return &AuthCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"auth disable": func() (cli.Command, error) {
2017-09-05 04:05:53 +00:00
return &AuthDisableCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"auth enable": func() (cli.Command, error) {
2017-09-05 04:05:53 +00:00
return &AuthEnableCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"auth help": func() (cli.Command, error) {
2017-09-05 04:05:53 +00:00
return &AuthHelpCommand{
BaseCommand: getBaseCommand(),
Handlers: loginHandlers,
2017-09-05 04:05:53 +00:00
}, nil
},
"auth list": func() (cli.Command, error) {
2017-09-05 04:05:53 +00:00
return &AuthListCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
2022-02-18 16:50:05 +00:00
"auth move": func() (cli.Command, error) {
return &AuthMoveCommand{
BaseCommand: getBaseCommand(),
}, nil
},
Vault Debug (#7375) * cli: initial work on debug; server-status target * debug: add metrics capture target (#7376) * check against DR secondary * debug: add compression * refactor check into preflight func * debug: set short test time on tests, fix exit code bug * debug: use temp dir for output on tests * debug: use mholt/archiver for compression * first pass on adding pprof * use logger for output * refactor polling target capture logic * debug: poll and collect replication status * debug: poll and collect host-info; rename output files and collection refactor * fix comments * add archive test; fix bugs found * rename flag name to singular target * add target output test; scaffold other tests cases * debug/test: add pprof and index file tests * debug/test: add min timing check tests * debug: fix index gen race and collection goroutine race * debug: extend archive tests, handle race between program exit and polling goroutines * update docstring * debug: correctly add to pollingWg * debug: add config target support * debug: don't wait on interrupt shutdown; add file exists unit tests * move pprof bits into its goroutine * debug: skip empty metrics and some pprof file creation if permission denied, add matching unit test * address comments and feedback * Vault debug using run.Group (#7658) * debug: switch to use oklog/run.Group * debug: use context to cancel requests and interrupt rungroups. * debug: trigger the first interval properly * debug: metrics collection should use metrics interval * debug: add missing continue on metrics error * debug: remove the use of buffered chan to trigger first interval * debug: don't shadow BaseCommand's client, properly block on interval capture failures * debug: actually use c.cachedClient everywhere * go mod vendor * debug: run all pprof in goroutines; bump pprof timings in tests to reduce flakiness * debug: update help text
2019-10-15 22:39:19 +00:00
"debug": func() (cli.Command, error) {
return &DebugCommand{
BaseCommand: getBaseCommand(),
ShutdownCh: MakeShutdownCh(),
}, nil
},
"delete": func() (cli.Command, error) {
return &DeleteCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"lease": func() (cli.Command, error) {
return &LeaseCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"lease renew": func() (cli.Command, error) {
return &LeaseRenewCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"lease lookup": func() (cli.Command, error) {
return &LeaseLookupCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"lease revoke": func() (cli.Command, error) {
return &LeaseRevokeCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"list": func() (cli.Command, error) {
return &ListCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"login": func() (cli.Command, error) {
return &LoginCommand{
BaseCommand: getBaseCommand(),
Handlers: loginHandlers,
}, nil
},
2018-08-10 16:17:17 +00:00
"namespace": func() (cli.Command, error) {
return &NamespaceCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"namespace list": func() (cli.Command, error) {
return &NamespaceListCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"namespace lookup": func() (cli.Command, error) {
return &NamespaceLookupCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"namespace create": func() (cli.Command, error) {
return &NamespaceCreateCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"namespace delete": func() (cli.Command, error) {
return &NamespaceDeleteCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"namespace lock": func() (cli.Command, error) {
return &NamespaceAPILockCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"namespace unlock": func() (cli.Command, error) {
return &NamespaceAPIUnlockCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"operator": func() (cli.Command, error) {
return &OperatorCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"operator diagnose": func() (cli.Command, error) {
return &OperatorDiagnoseCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"operator generate-root": func() (cli.Command, error) {
return &OperatorGenerateRootCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"operator init": func() (cli.Command, error) {
return &OperatorInitCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"operator key-status": func() (cli.Command, error) {
return &OperatorKeyStatusCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"operator migrate": func() (cli.Command, error) {
return &OperatorMigrateCommand{
BaseCommand: getBaseCommand(),
PhysicalBackends: physicalBackends,
ShutdownCh: MakeShutdownCh(),
}, nil
},
"operator raft": func() (cli.Command, error) {
return &OperatorRaftCommand{
BaseCommand: getBaseCommand(),
}, nil
},
Autopilot: Server Stabilization, State and Dead Server Cleanup (#10856) * k8s doc: update for 0.9.1 and 0.8.0 releases (#10825) * k8s doc: update for 0.9.1 and 0.8.0 releases * Update website/content/docs/platform/k8s/helm/configuration.mdx Co-authored-by: Theron Voran <tvoran@users.noreply.github.com> Co-authored-by: Theron Voran <tvoran@users.noreply.github.com> * Autopilot initial commit * Move autopilot related backend implementations to its own file * Abstract promoter creation * Add nil check for health * Add server state oss no-ops * Config ext stub for oss * Make way for non-voters * s/health/state * s/ReadReplica/NonVoter * Add synopsis and description * Remove struct tags from AutopilotConfig * Use var for config storage path * Handle nin-config when reading * Enable testing autopilot by using inmem cluster * First passing test * Only report the server as known if it is present in raft config * Autopilot defaults to on for all existing and new clusters * Add locking to some functions * Persist initial config * Clarify the command usage doc * Add health metric for each node * Fix audit logging issue * Don't set DisablePerformanceStandby to true in test * Use node id label for health metric * Log updates to autopilot config * Less aggressively consume config loading failures * Return a mutable config * Return early from known servers if raft config is unable to be pulled * Update metrics name * Reduce log level for potentially noisy log * Add knob to disable autopilot * Don't persist if default config is in use * Autopilot: Dead server cleanup (#10857) * Dead server cleanup * Initialize channel in any case * Fix a bunch of tests * Fix panic * Add follower locking in heartbeat tracker * Add LastContactFailureThreshold to config * Add log when marking node as dead * Update follower state locking in heartbeat tracker * Avoid follower states being nil * Pull test to its own file * Add execution status to state response * Optionally enable autopilot in some tests * Updates * Added API function to fetch autopilot configuration * Add test for default autopilot configuration * Configuration tests * Add State API test * Update test * Added TestClusterOptions.PhysicalFactoryConfig * Update locking * Adjust locking in heartbeat tracker * s/last_contact_failure_threshold/left_server_last_contact_threshold * Add disabling autopilot as a core config option * Disable autopilot in some tests * s/left_server_last_contact_threshold/dead_server_last_contact_threshold * Set the lastheartbeat of followers to now when setting up active node * Don't use config defaults from CLI command * Remove config file support * Remove HCL test as well * Persist only supplied config; merge supplied config with default to operate * Use pointer to structs for storing follower information * Test update * Retrieve non voter status from configbucket and set it up when a node comes up * Manage desired suffrage * Consider bucket being created already * Move desired suffrage to its own entry * s/DesiredSuffrageKey/LocalNodeConfigKey * s/witnessSuffrage/recordSuffrage * Fix test compilation * Handle local node config post a snapshot install * Commit to storage first; then record suffrage in fsm * No need of local node config being nili case, post snapshot restore * Reconcile autopilot config when a new leader takes over duty * Grab fsm lock when recording suffrage * s/Suffrage/DesiredSuffrage in FollowerState * Instantiate autopilot only in leader * Default to old ways in more scenarios * Make API gracefully handle 404 * Address some feedback * Make IsDead an atomic.Value * Simplify follower hearbeat tracking * Use uber.atomic * Don't have multiple causes for having autopilot disabled * Don't remove node from follower states if we fail to remove the dead server * Autopilot server removals map (#11019) * Don't remove node from follower states if we fail to remove the dead server * Use map to track dead server removals * Use lock and map * Use delegate lock * Adjust when to remove entry from map * Only hold the lock while accessing map * Fix race * Don't set default min_quorum * Fix test * Ensure follower states is not nil before starting autopilot * Fix race Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
2021-03-03 18:59:50 +00:00
"operator raft autopilot get-config": func() (cli.Command, error) {
return &OperatorRaftAutopilotGetConfigCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"operator raft autopilot set-config": func() (cli.Command, error) {
return &OperatorRaftAutopilotSetConfigCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"operator raft autopilot state": func() (cli.Command, error) {
return &OperatorRaftAutopilotStateCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"operator raft list-peers": func() (cli.Command, error) {
return &OperatorRaftListPeersCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"operator raft join": func() (cli.Command, error) {
return &OperatorRaftJoinCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"operator raft remove-peer": func() (cli.Command, error) {
return &OperatorRaftRemovePeerCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"operator raft snapshot": func() (cli.Command, error) {
return &OperatorRaftSnapshotCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"operator raft snapshot restore": func() (cli.Command, error) {
return &OperatorRaftSnapshotRestoreCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"operator raft snapshot save": func() (cli.Command, error) {
return &OperatorRaftSnapshotSaveCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"operator rekey": func() (cli.Command, error) {
return &OperatorRekeyCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"operator rotate": func() (cli.Command, error) {
return &OperatorRotateCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"operator seal": func() (cli.Command, error) {
return &OperatorSealCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"operator step-down": func() (cli.Command, error) {
return &OperatorStepDownCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"operator usage": func() (cli.Command, error) {
return &OperatorUsageCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"operator unseal": func() (cli.Command, error) {
return &OperatorUnsealCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"operator members": func() (cli.Command, error) {
return &OperatorMembersCommand{
BaseCommand: getBaseCommand(),
}, nil
},
2017-09-05 04:05:53 +00:00
"path-help": func() (cli.Command, error) {
return &PathHelpCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"plugin": func() (cli.Command, error) {
return &PluginCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"plugin deregister": func() (cli.Command, error) {
return &PluginDeregisterCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"plugin info": func() (cli.Command, error) {
return &PluginInfoCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"plugin list": func() (cli.Command, error) {
return &PluginListCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"plugin register": func() (cli.Command, error) {
return &PluginRegisterCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"plugin reload": func() (cli.Command, error) {
return &PluginReloadCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"plugin reload-status": func() (cli.Command, error) {
return &PluginReloadStatusCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"policy": func() (cli.Command, error) {
return &PolicyCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"policy delete": func() (cli.Command, error) {
2017-09-05 04:05:53 +00:00
return &PolicyDeleteCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"policy fmt": func() (cli.Command, error) {
return &PolicyFmtCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"policy list": func() (cli.Command, error) {
return &PolicyListCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"policy read": func() (cli.Command, error) {
return &PolicyReadCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"policy write": func() (cli.Command, error) {
2017-09-05 04:05:53 +00:00
return &PolicyWriteCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"print": func() (cli.Command, error) {
return &PrintCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"print token": func() (cli.Command, error) {
return &PrintTokenCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"read": func() (cli.Command, error) {
return &ReadCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"secrets": func() (cli.Command, error) {
return &SecretsCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"secrets disable": func() (cli.Command, error) {
return &SecretsDisableCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"secrets enable": func() (cli.Command, error) {
return &SecretsEnableCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"secrets list": func() (cli.Command, error) {
return &SecretsListCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"secrets move": func() (cli.Command, error) {
return &SecretsMoveCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"secrets tune": func() (cli.Command, error) {
return &SecretsTuneCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"server": func() (cli.Command, error) {
return &ServerCommand{
BaseCommand: &BaseCommand{
UI: serverCmdUi,
tokenHelper: runOpts.TokenHelper,
flagAddress: runOpts.Address,
2017-09-05 04:05:53 +00:00
},
AuditBackends: auditBackends,
CredentialBackends: credentialBackends,
LogicalBackends: logicalBackends,
PhysicalBackends: physicalBackends,
ServiceRegistrations: serviceRegistrations,
ShutdownCh: MakeShutdownCh(),
SighupCh: MakeSighupCh(),
SigUSR2Ch: MakeSigUSR2Ch(),
2017-09-05 04:05:53 +00:00
}, nil
},
"ssh": func() (cli.Command, error) {
return &SSHCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"status": func() (cli.Command, error) {
return &StatusCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"token": func() (cli.Command, error) {
return &TokenCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"token create": func() (cli.Command, error) {
2017-09-05 04:05:53 +00:00
return &TokenCreateCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"token capabilities": func() (cli.Command, error) {
return &TokenCapabilitiesCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"token lookup": func() (cli.Command, error) {
return &TokenLookupCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"token renew": func() (cli.Command, error) {
return &TokenRenewCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"token revoke": func() (cli.Command, error) {
return &TokenRevokeCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"unwrap": func() (cli.Command, error) {
return &UnwrapCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"version": func() (cli.Command, error) {
return &VersionCommand{
VersionInfo: version.GetVersion(),
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"version-history": func() (cli.Command, error) {
return &VersionHistoryCommand{
BaseCommand: getBaseCommand(),
}, nil
},
2017-09-05 04:05:53 +00:00
"write": func() (cli.Command, error) {
return &WriteCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"kv": func() (cli.Command, error) {
return &KVCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"kv put": func() (cli.Command, error) {
return &KVPutCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"kv patch": func() (cli.Command, error) {
return &KVPatchCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"kv rollback": func() (cli.Command, error) {
return &KVRollbackCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"kv get": func() (cli.Command, error) {
return &KVGetCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"kv delete": func() (cli.Command, error) {
return &KVDeleteCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"kv list": func() (cli.Command, error) {
return &KVListCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"kv destroy": func() (cli.Command, error) {
return &KVDestroyCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"kv undelete": func() (cli.Command, error) {
return &KVUndeleteCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"kv enable-versioning": func() (cli.Command, error) {
return &KVEnableVersioningCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"kv metadata": func() (cli.Command, error) {
return &KVMetadataCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"kv metadata put": func() (cli.Command, error) {
return &KVMetadataPutCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"kv metadata patch": func() (cli.Command, error) {
return &KVMetadataPatchCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"kv metadata get": func() (cli.Command, error) {
return &KVMetadataGetCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"kv metadata delete": func() (cli.Command, error) {
return &KVMetadataDeleteCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"monitor": func() (cli.Command, error) {
return &MonitorCommand{
BaseCommand: getBaseCommand(),
ShutdownCh: MakeShutdownCh(),
}, nil
},
2017-09-05 04:05:53 +00:00
}
// Disabled by default until functional
if os.Getenv(OperatorDiagnoseEnableEnv) != "" {
Commands["operator diagnose"] = func() (cli.Command, error) {
return &OperatorDiagnoseCommand{
BaseCommand: getBaseCommand(),
}, nil
}
}
initCommandsEnt(ui, serverCmdUi, runOpts)
2017-09-05 04:05:53 +00:00
}
// MakeShutdownCh returns a channel that can be used for shutdown
// notifications for commands. This channel will send a message for every
// SIGINT or SIGTERM received.
func MakeShutdownCh() chan struct{} {
resultCh := make(chan struct{})
shutdownCh := make(chan os.Signal, 4)
signal.Notify(shutdownCh, os.Interrupt, syscall.SIGTERM)
go func() {
<-shutdownCh
close(resultCh)
}()
return resultCh
}
// MakeSighupCh returns a channel that can be used for SIGHUP
// reloading. This channel will send a message for every
// SIGHUP received.
func MakeSighupCh() chan struct{} {
resultCh := make(chan struct{})
signalCh := make(chan os.Signal, 4)
signal.Notify(signalCh, syscall.SIGHUP)
go func() {
for {
<-signalCh
resultCh <- struct{}{}
}
}()
return resultCh
}