---
layout: api
page_title: /sys/replication - HTTP API
description: >-
  The '/sys/replication/performance' endpoint focuses on managing general
  operations in Vault Enterprise Performance Replication
---

# `/sys/replication/performance`

~> **Enterprise Only** – These endpoints require Vault Enterprise.

## Check Performance Status

This endpoint prints information about the status of replication (mode,
sync progress, etc).

This is an authenticated endpoint.

| Method | Path                                  |
| :----- | :------------------------------------ |
| `GET`  | `/sys/replication/performance/status` |

### Sample Request

```shell-session
$ curl \
    http://127.0.0.1:8200/v1/sys/replication/performance/status
```

### Sample Response from Primary

The printed status of the replication environment. As an example, for a
primary, it will look something like:

```json
{
  "data": {
    "cluster_id": "d4095d41-3aee-8791-c421-9bc7f88f7c3e",
    "known_secondaries": ["2"],
    "last_wal": 87,
    "merkle_root": "c31e40f6ff02f32c37b70e6a4d58732ac812abf0",
    "mode": "primary",
    "secondaries": [
      {
        "api_address": "https://127.0.0.1:49264",
        "cluster_address": "https://127.0.0.1:49267",
        "connection_status": "connected",
        "last_heartbeat": "2020-06-10T15:40:47-07:00",
        "node_id": "2"
      }
    ]
  }
}
```

### Sample Response from Secondary

The printed status of the replication environment. As an example, for a
secondary, it will look something like:

```json
{
  "data": {
    "cluster_id": "d4095d41-3aee-8791-c421-9bc7f88f7c3e",
    "known_primary_cluster_addrs": ["https://127.0.0.1:8201"],
    "last_remote_wal": 87,
    "merkle_root": "c31e40f6ff02f32c37b70e6a4d58732ac812abf0",
    "mode": "secondary",
    "primaries": [
      {
        "api_address": "https://127.0.0.1:49244",
        "cluster_address": "https://127.0.0.1:8201",
        "connection_status": "connected",
        "last_heartbeat": "2020-06-10T15:40:46-07:00"
      }
    ],
    "primary_cluster_addr": "https://127.0.0.1:8201",
    "secondary_id": "2",
    "state": "stream-wals"
  }
}
```

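The two status documents above can be turned into monitoring checks. The following is an added example, not part of the Vault documentation or code base: it reads only fields shown in the sample responses, and the 30-second heartbeat threshold, the function names, and the reading that `known_secondaries` entries correspond to `node_id` values are assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed inputs based on the page's samples: the primary lists a second
# known secondary ("3"), and the secondary lags and reports a lost connection.
PRIMARY = json.loads("""
{"data": {
  "cluster_id": "d4095d41-3aee-8791-c421-9bc7f88f7c3e",
  "known_secondaries": ["2", "3"],
  "last_wal": 87,
  "merkle_root": "c31e40f6ff02f32c37b70e6a4d58732ac812abf0",
  "mode": "primary",
  "secondaries": [{"api_address": "https://127.0.0.1:49264",
                   "cluster_address": "https://127.0.0.1:49267",
                   "connection_status": "connected",
                   "last_heartbeat": "2020-06-10T15:40:47-07:00",
                   "node_id": "2"}]}}
""")
SECONDARY = json.loads("""
{"data": {
  "cluster_id": "d4095d41-3aee-8791-c421-9bc7f88f7c3e",
  "known_primary_cluster_addrs": ["https://127.0.0.1:8201"],
  "last_remote_wal": 80,
  "merkle_root": "c31e40f6ff02f32c37b70e6a4d58732ac812abf0",
  "mode": "secondary",
  "primaries": [{"api_address": "https://127.0.0.1:49244",
                 "cluster_address": "https://127.0.0.1:8201",
                 "connection_status": "disconnected",
                 "last_heartbeat": "2020-06-10T15:35:46-07:00"}],
  "primary_cluster_addr": "https://127.0.0.1:8201",
  "secondary_id": "2",
  "state": "stream-wals"}}
""")
MAX_AGE = timedelta(seconds=30)  # assumed alerting threshold, not a Vault default


def peer_findings(label, peer, now, max_age):
    """Check one entry of 'secondaries' or 'primaries'."""
    out = []
    if peer.get("connection_status") != "connected":
        out.append(f"{label}: connection_status={peer.get('connection_status')!r}")
    beat = peer.get("last_heartbeat")
    if beat is None:
        out.append(f"{label}: no last_heartbeat")
    elif now - datetime.fromisoformat(beat) > max_age:
        out.append(f"{label}: last heartbeat older than {max_age}")
    return out


def primary_findings(status, now, max_age=MAX_AGE):
    data, out = status["data"], []
    if data.get("mode") != "primary":
        out.append(f"mode is {data.get('mode')!r}, expected 'primary'")
    peers = {p.get("node_id"): p for p in data.get("secondaries", [])}
    for sid in data.get("known_secondaries", []):
        if sid not in peers:  # activated at some point, but not reporting now
            out.append(f"secondary {sid}: known but not in 'secondaries'")
    for sid, peer in peers.items():
        out += peer_findings(f"secondary {sid}", peer, now, max_age)
    return out


def secondary_findings(status, now, max_age=MAX_AGE):
    data, out = status["data"], []
    if data.get("mode") != "secondary":
        out.append(f"mode is {data.get('mode')!r}, expected 'secondary'")
    if data.get("state") != "stream-wals":  # the only state the page shows
        out.append(f"state is {data.get('state')!r}, not 'stream-wals'")
    if data.get("primary_cluster_addr") not in data.get("known_primary_cluster_addrs", []):
        out.append("primary_cluster_addr not in known_primary_cluster_addrs")
    for peer in data.get("primaries", []):
        out += peer_findings(f"primary {peer.get('cluster_address')}", peer, now, max_age)
    return out


def pair_findings(primary, secondary):
    """Compare a primary's view with one secondary's view."""
    p, s, out = primary["data"], secondary["data"], []
    if p.get("cluster_id") != s.get("cluster_id"):
        out.append("cluster_id differs: not the same replication set")
    lag = p.get("last_wal", 0) - s.get("last_remote_wal", 0)
    if lag > 0:
        out.append(f"secondary is {lag} WAL entries behind")
    elif p.get("merkle_root") != s.get("merkle_root"):
        out.append("merkle_root differs although WAL indexes match")
    return out


if __name__ == "__main__":
    now = datetime.fromisoformat("2020-06-10T15:41:00-07:00")  # constructed clock
    for line in (primary_findings(PRIMARY, now) + secondary_findings(SECONDARY, now)
                 + pair_findings(PRIMARY, SECONDARY)):
        print("FINDING:", line)
```
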
## Enable Performance Primary Replication

This endpoint enables replication in primary mode. This is used when replication
is currently disabled on the cluster (if the cluster is already a secondary, it
must be promoted).

!> Only one primary should be active at a given time. Multiple primaries may
result in data loss!

| Method | Path                                          |
| :----- | :-------------------------------------------- |
| `POST` | `/sys/replication/performance/primary/enable` |

### Parameters

- `primary_cluster_addr` `(string: "")` – Specifies the cluster address that the
  primary gives to secondary nodes. Useful if the primary's cluster address is
  not directly accessible and must be accessed via an alternate path/address,
  such as through a TCP-based load balancer. If not set, uses Vault's configured
  cluster address.

### Sample Payload

```json
{}
```

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/sys/replication/performance/primary/enable
```

## Demote Performance Primary

This endpoint demotes a performance primary cluster to a performance secondary.
This secondary cluster will not attempt to connect to a primary (see the update-primary call),
but will maintain knowledge of its cluster ID and can be reconnected to the same
replication set without wiping local storage.

| Method | Path                                          |
| :----- | :-------------------------------------------- |
| `POST` | `/sys/replication/performance/primary/demote` |

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    http://127.0.0.1:8200/v1/sys/replication/performance/primary/demote
```

## Disable Performance Primary

This endpoint disables performance replication entirely on the cluster. Any
performance secondaries will no longer be able to connect. Caution: re-enabling
this node as a primary or secondary will change its cluster ID; in the secondary
case this means a wipe of the underlying storage when connected to a primary,
and in the primary case, secondaries connecting back to the cluster (even if
they have connected before) will require a wipe of the underlying storage.

| Method | Path                                           |
| :----- | :--------------------------------------------- |
| `POST` | `/sys/replication/performance/primary/disable` |

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    http://127.0.0.1:8200/v1/sys/replication/performance/primary/disable
```

## Generate Performance Secondary Token

This endpoint generates a performance secondary activation token for the
cluster with the given opaque identifier, which must be unique. This
identifier can later be used to revoke a secondary's access.

**This endpoint requires 'sudo' capability.**

| Method | Path                                                   |
| :----- | :----------------------------------------------------- |
| `POST` | `/sys/replication/performance/primary/secondary-token` |

### Parameters

- `id` `(string: <required>)` – Specifies an opaque identifier, e.g. 'us-east'

- `ttl` `(string: "30m")` – Specifies the TTL for the secondary activation
  token.

- `secondary_public_key` `(string: "")` – Specifies the secondary's generated
  public key, if using encryption rather than response wrapping to protect the
  secondary credentials. (Vault 1.3+)

### Sample Payload

```json
{
  "id": "us-east-1"
}
```

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/sys/replication/performance/primary/secondary-token
```

### Sample Response

```json
{
  "request_id": "",
  "lease_id": "",
  "lease_duration": 0,
  "renewable": false,
  "data": null,
  "warnings": null,
  "wrap_info": {
    "token": "fb79b9d3-d94e-9eb6-4919-c559311133d6",
    "ttl": 300,
    "creation_time": "2016-09-28T14:41:00.56961496-04:00",
    "wrapped_accessor": ""
  }
}
```

## Revoke Performance Secondary Token

This endpoint revokes a performance secondary's ability to connect to the
performance primary cluster; the secondary will immediately be disconnected and
will not be allowed to connect again unless given a new activation token.

| Method | Path                                                    |
| :----- | :------------------------------------------------------ |
| `POST` | `/sys/replication/performance/primary/revoke-secondary` |

### Parameters

- `id` `(string: <required>)` – Specifies an opaque identifier, e.g. 'us-east'

### Sample Payload

```json
{
  "id": "us-east"
}
```

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/sys/replication/performance/primary/revoke-secondary
```

## Create Paths Filter

This endpoint is used to modify the mounts and namespaces that are filtered to a secondary.
Filtering can be specified in allow mode or deny mode. In allow
mode, the secret and auth mounts that are specified are included for the
selected secondary. In deny mode, the mount and namespace paths are excluded.

| Method | Path                                                    |
| :----- | :------------------------------------------------------ |
| `POST` | `/sys/replication/performance/primary/paths-filter/:id` |

### Parameters

- `id` `(string: <required>)` – Specifies the unique performance secondary identifier.

- `mode` `(string: "allow")` – Specifies the filtering mode. Available values
  are "allow" and "deny".

- `paths` `(array: [])` – The list of mount and namespace paths that are filtered.

### Sample Payload

```json
{
  "mode": "allow",
  "paths": ["secret/", "ns1/"]
}
```

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/sys/replication/performance/primary/paths-filter/mySecondaryID
```

## Read Paths Filter

This endpoint is used to read the mode and the mount/namespace paths that are filtered
for a secondary.

| Method | Path                                                    | Produces           |
| :----- | :------------------------------------------------------ | ------------------ |
| `GET`  | `/sys/replication/performance/primary/paths-filter/:id` | `200 (empty body)` |

### Parameters

- `id` `(string: <required>)` – Specifies the unique performance secondary identifier.

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/sys/replication/performance/primary/paths-filter/mySecondaryID
```

### Sample Response

```json
{
  "mode": "allow",
  "paths": ["secret/", "ns1/"]
}
```

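A filter read back from this endpoint can be audited against a list of mounts that must never reach a given secondary. The following is an added example, not part of the Vault documentation or code base: it assumes a listed path covers every mount whose path begins with it (so a namespace path covers the mounts inside it) and that a secondary with no filter receives everything; the secondary identifiers, mount list and function names are constructed. It also accepts the "whitelist"/"blacklist" mode names of the deprecated mounts filter.

```python
# Deprecated mount-filter mode names mapped onto the paths-filter ones.
LEGACY_MODES = {"whitelist": "allow", "blacklist": "deny"}


def norm(path):
    """Give every path a trailing slash so 'secret' cannot match 'secrets-archive/'."""
    return path if path.endswith("/") else path + "/"


def is_replicated(mount, path_filter):
    """True if `mount` would be replicated to a secondary with this filter."""
    if path_filter is None:  # no filter configured: nothing is held back
        return True
    mode = path_filter.get("mode", "allow")
    mode = LEGACY_MODES.get(mode, mode)
    if mode not in ("allow", "deny"):
        raise ValueError(f"unknown filter mode: {mode!r}")
    mount = norm(mount)
    listed = any(mount.startswith(norm(p)) for p in path_filter.get("paths", []))
    return listed if mode == "allow" else not listed


def exposures(filters, mounts, restricted):
    """Return sorted (secondary_id, mount) pairs where a restricted mount replicates."""
    hits = []
    for secondary_id, path_filter in filters.items():
        for mount in mounts:
            sensitive = any(norm(mount).startswith(norm(r)) for r in restricted)
            if sensitive and is_replicated(mount, path_filter):
                hits.append((secondary_id, norm(mount)))
    return sorted(hits)


# Constructed inventory: filters as returned per secondary id, the cluster's
# mounts, and the paths that policy says must stay on the primary.
FILTERS = {
    "us-east-1": {"mode": "allow", "paths": ["secret/", "ns1/"]},  # page's sample
    "eu-west-1": {"mode": "deny", "paths": ["ns1/ns2/"]},
    "ap-south-1": None,                                            # no filter set
    "legacy": {"mode": "whitelist", "paths": ["secret/"]},         # deprecated form
}
MOUNTS = ["secret/", "pki/", "ns1/kv/", "ns1/ns2/secret/", "secrets-archive/"]
RESTRICTED = ["ns1/ns2/", "pki/"]

if __name__ == "__main__":
    for secondary_id, mount in exposures(FILTERS, MOUNTS, RESTRICTED):
        print(f"restricted mount {mount} is replicated to {secondary_id}")
```
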
## Delete Paths Filter

This endpoint is used to delete the mount and namespace filters for a secondary.

| Method   | Path                                                    |
| :------- | :------------------------------------------------------ |
| `DELETE` | `/sys/replication/performance/primary/paths-filter/:id` |

### Parameters

- `id` `(string: <required>)` – Specifies the unique performance secondary identifier.

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request DELETE \
    http://127.0.0.1:8200/v1/sys/replication/performance/primary/paths-filter/mySecondaryID
```

## Read Dynamically Generated Filter (PRIMARY)

This endpoint is used to read the namespace and the mount paths that are dynamically
filtered for a secondary on the primary.

| Method | Path                                                      | Produces           |
| :----- | :-------------------------------------------------------- | ------------------ |
| `GET`  | `/sys/replication/performance/primary/dynamic-filter/:id` | `200 (empty body)` |

### Parameters

- `id` `(string: <required>)` – Specifies the unique performance secondary identifier.

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/sys/replication/performance/primary/dynamic-filter/mySecondaryID
```

### Sample Response

```json
{
  "dynamic_filtered_mounts": ["ns1/ns2/secret/", "ns1/kv/"],
  "dynamic_filtered_namespaces": ["ns1/", "ns1/ns2/"]
}
```

## Read Dynamically Generated Filter (SECONDARY)

This endpoint is used to read the namespace and the mount paths that are dynamically
filtered for a secondary on the secondary.

| Method | Path                                                        | Produces           |
| :----- | :---------------------------------------------------------- | ------------------ |
| `GET`  | `/sys/replication/performance/secondary/dynamic-filter/:id` | `200 (empty body)` |

### Parameters

- `id` `(string: <required>)` – Specifies the unique performance secondary identifier.

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/sys/replication/performance/secondary/dynamic-filter/mySecondaryID
```

### Sample Response

```json
{
  "dynamic_filtered_mounts": ["ns1/ns2/secret/", "ns1/kv/"],
  "dynamic_filtered_namespaces": ["ns1/", "ns1/ns2/"]
}
```

## Create Mounts Filter (DEPRECATED)

~> This API is deprecated and will be removed in a future version of Vault.
Please use Paths Filter instead.

This endpoint is used to modify the mounts that are filtered to a secondary.
Filtering can be specified in whitelist mode or blacklist mode. In whitelist
mode, the secret and auth mounts that are specified are included for the
selected secondary. In blacklist mode, the mount paths are excluded.

| Method | Path                                                    |
| :----- | :------------------------------------------------------ |
| `POST` | `/sys/replication/performance/primary/mount-filter/:id` |

### Parameters

- `id` `(string: <required>)` – Specifies an opaque identifier, e.g. 'us-east'

- `mode` `(string: "whitelist")` – Specifies the filtering mode. Available values
  are "whitelist" and "blacklist".

- `paths` `(array: [])` – The list of mount paths that are filtered.

### Sample Payload

```json
{
  "mode": "whitelist",
  "paths": ["secret/"]
}
```

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/sys/replication/performance/primary/mount-filter/us-east-1
```

## Read Mounts Filter (DEPRECATED)

~> This API is deprecated and will be removed in a future version of Vault.
Please use Paths Filter instead.

This endpoint is used to read the mode and the mount paths that are filtered
for a secondary.

| Method | Path                                                    | Produces           |
| :----- | :------------------------------------------------------ | ------------------ |
| `GET`  | `/sys/replication/performance/primary/mount-filter/:id` | `200 (empty body)` |

### Parameters

- `id` `(string: <required>)` – Specifies an opaque identifier, e.g. 'us-east'

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/sys/replication/performance/primary/mount-filter/us-east-1
```

### Sample Response

```json
{
  "mode": "whitelist",
  "paths": ["secret/"]
}
```

## Delete Mounts Filter (DEPRECATED)

~> This API is deprecated and will be removed in a future version of Vault.
Please use Paths Filter instead.

This endpoint is used to delete the mount filters for a secondary.

| Method   | Path                                                    |
| :------- | :------------------------------------------------------ |
| `DELETE` | `/sys/replication/performance/primary/mount-filter/:id` |

### Parameters

- `id` `(string: <required>)` – Specifies an opaque identifier, e.g. 'us-east'

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request DELETE \
    http://127.0.0.1:8200/v1/sys/replication/performance/primary/mount-filter/us-east-1
```

## Fetch Performance Secondary Public Key

(Vault 1.3+)

This endpoint allows fetching a public key that is used to encrypt the returned
credential information (instead of using a response wrapped token). This avoids
needing to make an API call to the primary during activation.

| Method | Path                                                         |
| :----- | :----------------------------------------------------------- |
| `POST` | `/sys/replication/performance/secondary/generate-public-key` |

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    http://127.0.0.1:8200/v1/sys/replication/performance/secondary/generate-public-key
```

## Enable Performance Secondary

This endpoint enables performance replication on a secondary using a secondary activation
token.

!> This will immediately clear all data in the secondary cluster!

| Method | Path                                            |
| :----- | :---------------------------------------------- |
| `POST` | `/sys/replication/performance/secondary/enable` |

### Parameters

- `token` `(string: <required>)` – Specifies the secondary activation token
  fetched from the primary.

- `primary_api_addr` `(string: "")` – Set this to the API address (normal Vault
  address) to override the value embedded in the token. This can be useful if
  the primary's redirect address is not accessible directly from this cluster
  (e.g. through a load balancer).

- `ca_file` `(string: "")` – Specifies the path to a CA root file (PEM format)
  that the secondary can use when unwrapping the token from the primary. If this
  and ca_path are not given, defaults to system CA roots.

- `ca_path` `(string: "")` – Specifies the path to a CA root directory
  containing PEM-format files that the secondary can use when unwrapping the
  token from the primary. If this and ca_file are not given, defaults to system
  CA roots.

### Sample Payload

```json
{
  "token": "..."
}
```

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/sys/replication/performance/secondary/enable
```

## Promote Performance Secondary

This endpoint promotes the performance secondary cluster to performance primary.
For data safety and security reasons, new secondary tokens will need to be
issued to other secondaries, and there should never be more than one performance
primary at a time.

| Method | Path                                             |
| :----- | :----------------------------------------------- |
| `POST` | `/sys/replication/performance/secondary/promote` |

### Parameters

- `primary_cluster_addr` `(string: "")` – Specifies the cluster address that the
  primary gives to secondary nodes. Useful if the primary's cluster address is
  not directly accessible and must be accessed via an alternate path/address
  (e.g. through a load balancer).

- `force` `(bool: false)` – If true, the cluster will be promoted even if it fails
  certain safety checks. Caution: Forcing promotion could result in data loss if
  data isn't fully replicated.

### Sample Payload

```json
{}
```

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/sys/replication/performance/secondary/promote
```

## Disable Performance Secondary

This endpoint disables performance replication entirely on the cluster. The cluster will no
longer be able to connect to the performance primary.

!> Re-enabling this node as a performance primary or secondary will change its cluster ID;
in the secondary case this means a wipe of the underlying storage when connected
to a primary, and in the primary case, secondaries connecting back to the
cluster (even if they have connected before) will require a wipe of the
underlying storage.

| Method | Path                                             |
| :----- | :----------------------------------------------- |
| `POST` | `/sys/replication/performance/secondary/disable` |

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    http://127.0.0.1:8200/v1/sys/replication/performance/secondary/disable
```

## Update Performance Secondary's Primary

This endpoint changes a performance secondary cluster's assigned primary cluster using a
secondary activation token. This does not wipe all data in the cluster.

| Method | Path                                                    |
| :----- | :------------------------------------------------------ |
| `POST` | `/sys/replication/performance/secondary/update-primary` |

### Parameters

- `token` `(string: <required>)` – Specifies the secondary activation token
  fetched from the primary. If you set this to a blank string, the cluster will
  stay a secondary but clear its knowledge of any past primary (and thus not
  attempt to connect to the previous primary). This can be useful if the primary
  is down to stop the secondary from trying to reconnect to it.

- `primary_api_addr` `(string: "")` – Specifies the API address (normal Vault
  address) to override the value embedded in the token. This can be useful if
  the primary's redirect address is not accessible directly from this cluster.

- `ca_file` `(string: "")` – Specifies the path to a CA root file (PEM format)
  that the secondary can use when unwrapping the token from the primary. If this
  and ca_path are not given, defaults to system CA roots.

- `ca_path` `(string: "")` – Specifies the path to a CA root directory containing
  PEM-format files that the secondary can use when unwrapping the token from the
  primary. If this and ca_file are not given, defaults to system CA roots.

### Sample Payload

```json
{
  "token": "..."
}
```

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/sys/replication/performance/secondary/update-primary
```