open-vault/website/source/docs/configuration/storage/zookeeper.html.md

155 lines
5.1 KiB
Markdown
Raw Normal View History

---
layout: "docs"
page_title: "Zookeeper - Storage Backends - Configuration"
New Docs Website (#5535) * conversion stage 1 * correct image paths * add sidebar title to frontmatter * docs/concepts and docs/internals * configuration docs and multi-level nav corrections * commands docs, index file corrections, small item nav correction * secrets converted * auth * add enterprise and agent docs * add extra dividers * secret section, wip * correct sidebar nav title in front matter for apu section, start working on api items * auth and backend, a couple directory structure fixes * remove old docs * intro side nav converted * reset sidebar styles, add hashi-global-styles * basic styling for nav sidebar * folder collapse functionality * patch up border length on last list item * wip restructure for content component * taking middleman hacking to the extreme, but its working * small css fix * add new mega nav * fix a small mistake from the rebase * fix a content resolution issue with middleman * title a couple missing docs pages * update deps, remove temporary markup * community page * footer to layout, community page css adjustments * wip downloads page * deps updated, downloads page ready * fix community page * homepage progress * add components, adjust spacing * docs and api landing pages * a bunch of fixes, add docs and api landing pages * update deps, add deploy scripts * add readme note * update deploy command * overview page, index title * Update doc fields Note this still requires the link fields to be populated -- this is solely related to copy on the description fields * Update api_basic_categories.yml Updated API category descriptions. Like the document descriptions you'll still need to update the link headers to the proper target pages. * Add bottom hero, adjust CSS, responsive friendly * Add mega nav title * homepage adjustments, asset boosts * small fixes * docs page styling fixes * meganav title * some category link corrections * Update API categories page updated to reflect the second level headings for api categories * Update docs_detailed_categories.yml Updated to represent the existing docs structure * Update docs_detailed_categories.yml * docs page data fix, extra operator page remove * api data fix * fix makefile * update deps, add product subnav to docs and api landing pages * Rearrange non-hands-on guides to _docs_ Since there is no place for these on learn.hashicorp, we'll put them under _docs_. * WIP Redirects for guides to docs * content and component updates * font weight hotfix, redirects * fix guides and intro sidenavs * fix some redirects * small style tweaks * Redirects to learn and internally to docs * Remove redirect to `/vault` * Remove `.html` from destination on redirects * fix incorrect index redirect * final touchups * address feedback from michell for makefile and product downloads
2018-10-19 15:40:11 +00:00
sidebar_title: "Zookeeper"
sidebar_current: "docs-configuration-storage-zookeeper"
description: |-
The Zookeeper storage backend is used to persist Vault's data in Zookeeper.
---
# Zookeeper Storage Backend
The Zookeeper storage backend is used to persist Vault's data in
[Zookeeper][zk].
- **High Availability** the Zookeeper storage backend supports high
availability.
- **Community Supported** the Zookeeper storage backend is supported by the
community. While it has undergone review by HashiCorp employees, they may not
be as knowledgeable about the technology. If you encounter problems with them,
you may be referred to the original author.
```hcl
storage "zookeeper" {
address = "localhost:2181"
path = "vault/"
}
```
## `zookeeper` Parameters
- `address` `(string: "localhost:2181")` Specifies the addresses of the
Zookeeper instances as a comma-separated list.
- `path` `(string: "vault/")` Specifies the path in Zookeeper where data will
be stored.
The following optional settings can be used to configure zNode ACLs:
~> **Warning!** If neither `auth_info` nor `znode_owner` are set, the backend
will not authenticate with Zookeeper and will set the `OPEN_ACL_UNSAFE` ACL on
all nodes. In this scenario, anyone connected to Zookeeper could change Vaults
znodes and, potentially, take Vault out of service.
- `auth_info` `(string: "")` Specifies an authentication string in Zookeeper
AddAuth format. For example, `digest:UserName:Password` could be used to
authenticate as user `UserName` using password `Password` with the `digest`
mechanism.
- `znode_owner` `(string: "")` If specified, Vault will always set all
permissions (CRWDA) to the ACL identified here via the Schema and User parts
of the Zookeeper ACL format. The expected format is `schema:user-ACL-match`,
for example:
```text
# Access for user "UserName" with corresponding digest "HIDfRvTv623G=="
digest:UserName:HIDfRvTv623G==
```
```text
# Access from localhost only
ip:127.0.0.1
```
```text
# Access from any host on the 70.95.0.0 network (Zookeeper 3.5+)
ip:70.95.0.0/16
```
- `tls_enabled` `(bool: false)` Specifies if TLS communication with the Zookeeper
backend has to be enabled.
- `tls_ca_file` `(string: "")` Specifies the path to the CA certificate file used
for Zookeeper communication. Multiple CA certificates can be provided in the same file.
- `tls_cert_file` `(string: "")` (optional) Specifies the path to the
client certificate for Zookeeper communication.
- `tls_key_file` `(string: "")` Specifies the path to the private key for
Zookeeper communication.
- `tls_min_version` `(string: "tls12")` Specifies the minimum TLS version to
use. Accepted values are `"tls10"`, `"tls11"` or `"tls12"`.
- `tls_skip_verify` `(bool: false)` Specifies if the TLS host verification
should be disabled. It is highly discouraged that you disable this option.
- `tls_verify_ip` `(bool: false)` - This property comes into play only when
'tls_skip_verify' is set to false. When 'tls_verify_ip' is set to 'true', the
zookeeper server's IP is verified in the presented certificates CN/SAN entry.
When set to 'false' the server's DNS name is verified in the certificates CN/SAN entry.
## `zookeeper` Examples
### Custom Address and Path
This example shows configuring Vault to communicate with a Zookeeper
installation running on a custom port and to store data at a custom path.
```hcl
storage "zookeeper" {
address = "localhost:3253"
path = "my-vault-data/"
}
```
### zNode Vault User Only
This example instructs Vault to set an ACL on all of its zNodes which permit
access only to the user "vaultUser". As per Zookeeper's ACL model, the digest
value in `znode_owner` must match the user in `znode_owner`.
```hcl
storage "zookeeper" {
znode_owner = "digest:vaultUser:raxgVAfnDRljZDAcJFxznkZsExs="
auth_info = "digest:vaultUser:abc"
}
```
### zNode Localhost Only
This example instructs Vault to only allow access from localhost. As this is the
`ip` no `auth_info` is required since Zookeeper uses the address of the client
for the ACL check.
```hcl
storage "zookeeper" {
znode_owner = "ip:127.0.0.1"
}
```
### zNode connection over TLS.
This example instructs Vault to connect to Zookeeper using the provided TLS configuration. The host verification will happen with the presented certificate using the servers IP because 'tls_verify_ip' is set to true.
```hcl
storage "zookeeper" {
address = "host1.com:5200,host2.com:5200,host3.com:5200"
path = "vault_path_on_zk/"
znode_owner = "digest:vault_user:digestvalueforpassword="
auth_info = "digest:vault_user:thisisthepassword"
redirect_addr = "http://localhost:8200"
tls_verify_ip = "true"
tls_enabled= "true"
tls_min_version= "tls12"
tls_cert_file = "/path/to/the/cert/file/zkcert.pem"
tls_key_file = "/path/to/the/key/file/zkkey.pem"
tls_skip_verify= "false"
tls_ca_file= "/path/to/the/ca/file/ca.pem"
}
```
[zk]: https://zookeeper.apache.org/