package cassandra
import (
"fmt"
"time"
"github.com/fatih/structs"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
)
// Default CQL templates used by roles that do not supply their own. The
// '{{username}}' and '{{password}}' placeholders are substituted before the
// statements run (see pathRoleHelpDesc). The surrounding single quotes are
// part of the CQL syntax, so the substituted values are assumed to contain no
// single quote -- verify against the credential generator.
const (
	// Creates a plain, non-superuser account with the password authenticator.
	defaultCreationCQL = `CREATE USER '{{username}}' WITH PASSWORD '{{password}}' NOSUPERUSER;`
	// Undoes a partially completed creation by dropping the user again.
	defaultRollbackCQL = `DROP USER '{{username}}';`
)
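// pathRoles returns the roles/<name> path of the Cassandra backend. A role
// bundles the CQL used to create and roll back a database user with the lease
// settings applied to credentials issued under it.
//
// Write access to this path is control over the CQL that is later rendered
// with a generated username/password and run against the cluster, so policy
// should grant it as carefully as the cluster credentials themselves.
func pathRoles(b *backend) *framework.Path {
	return &framework.Path{
		// GenericNameRegex restricts the role name to a conservative
		// character set; the name is also used verbatim as the storage key
		// suffix ("role/<name>").
		Pattern: "roles/" + framework.GenericNameRegex("name"),
		Fields: map[string]*framework.FieldSchema{
			"name": {
				Type:        framework.TypeString,
				Description: "Name of the role",
			},

			"creation_cql": {
				Type:    framework.TypeString,
				Default: defaultCreationCQL,
				Description: `CQL to create a user and optionally grant
authorization. If not supplied, a default that
creates non-superuser accounts with the built-in
password authenticator will be used; no
authorization grants will be configured. Separate
statements by semicolons; use @file to load from a
file. Valid template values are '{{username}}' and
'{{password}}' -- the single quotes are important!`,
			},

			"rollback_cql": {
				Type:    framework.TypeString,
				Default: defaultRollbackCQL,
				// The help text previously repeated the word "parameter"
				// across a line break; that is fixed here.
				Description: `CQL to roll back an account operation. This will
be used if there is an error during execution of a
statement passed in via the "creation_cql"
parameter. The default simply drops the user, which
should generally be sufficient. Separate statements
by semicolons; use @file to load from a file. Valid
template values are '{{username}}' and
'{{password}}' -- the single quotes are important!`,
			},

			"lease": {
				Type:        framework.TypeString,
				Default:     "4h",
				Description: "The lease length; defaults to 4 hours",
			},

			"lease_grace_period": {
				Type:    framework.TypeString,
				Default: "1h",
				Description: `Grace period for secret renewal; defaults to
one hour`,
			},
		},

		Callbacks: map[logical.Operation]framework.OperationFunc{
			logical.ReadOperation:   b.pathRoleRead,
			logical.WriteOperation:  b.pathRoleCreate,
			logical.DeleteOperation: b.pathRoleDelete,
		},

		HelpSynopsis:    pathRoleHelpSyn,
		HelpDescription: pathRoleHelpDesc,
	}
}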
// getRole loads the role named n from storage. A missing role is reported as
// (nil, nil), so callers must check for a nil entry as well as an error.
func getRole(s logical.Storage, n string) (*roleEntry, error) {
	raw, err := s.Get("role/" + n)
	if err != nil || raw == nil {
		// err is nil when the entry is simply absent.
		return nil, err
	}

	role := new(roleEntry)
	if err := raw.DecodeJSON(role); err != nil {
		return nil, err
	}
	return role, nil
}
// pathRoleDelete removes the role named by the "name" field from storage.
// The role name is bounded by the path pattern, so it is used directly as
// the storage key suffix.
func (b *backend) pathRoleDelete(
	req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
	key := "role/" + data.Get("name").(string)
	if err := req.Storage.Delete(key); err != nil {
		return nil, err
	}
	// A nil response with a nil error signals success to the framework.
	return nil, nil
}
// pathRoleRead returns the stored definition of the role named by the "name"
// field, or a nil response when no such role exists.
func (b *backend) pathRoleRead(
	req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
	name := data.Get("name").(string)
	role, err := getRole(req.Storage, name)
	switch {
	case err != nil:
		return nil, err
	case role == nil:
		return nil, nil
	}

	// structs maps the entry by its `structs:"..."` tags, so the response
	// keys mirror the request field names. The duration fields are
	// presumably emitted as raw time.Duration values (nanoseconds) rather
	// than the "4h"-style strings that were submitted -- verify if a
	// human-readable read response is expected.
	resp := &logical.Response{Data: structs.New(role).Map()}
	return resp, nil
}
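// pathRoleCreate validates the submitted role definition and writes it to
// storage under "role/<name>" (Put overwrites, so an existing definition is
// replaced).
//
// Client-side validation problems -- an empty creation CQL, or a lease value
// that does not parse or is negative -- come back as a logical.ErrorResponse
// with a nil error; only storage failures are returned as a Go error.
func (b *backend) pathRoleCreate(
	req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
	name := data.Get("name").(string)

	creationCQL := data.Get("creation_cql").(string)
	// The schema default presumably applies only when the field is absent;
	// an explicit empty string would be stored as-is and could never create
	// a user, so reject it up front.
	if creationCQL == "" {
		return logical.ErrorResponse("creation_cql must not be empty"), nil
	}
	rollbackCQL := data.Get("rollback_cql").(string)

	lease, err := parseNonNegativeDuration("lease", data.Get("lease").(string))
	if err != nil {
		return logical.ErrorResponse(err.Error()), nil
	}
	leaseGracePeriod, err := parseNonNegativeDuration(
		"lease_grace_period", data.Get("lease_grace_period").(string))
	if err != nil {
		return logical.ErrorResponse(err.Error()), nil
	}

	entry := &roleEntry{
		Lease:            lease,
		LeaseGracePeriod: leaseGracePeriod,
		CreationCQL:      creationCQL,
		RollbackCQL:      rollbackCQL,
	}

	// Store it. The role name is constrained by the path pattern, so it is
	// used directly as the storage key suffix.
	entryJSON, err := logical.StorageEntryJSON("role/"+name, entry)
	if err != nil {
		return nil, err
	}
	if err := req.Storage.Put(entryJSON); err != nil {
		return nil, err
	}

	return nil, nil
}

// parseNonNegativeDuration parses the raw value of the named duration field.
// time.ParseDuration accepts negative values such as "-4h", which make no
// sense as a lease, so those are rejected as well. The returned error text is
// user-facing and keeps the wording of the original parse-failure message
// (the grace-period message previously named the field "lease_grace").
func parseNonNegativeDuration(field, raw string) (time.Duration, error) {
	d, err := time.ParseDuration(raw)
	if err != nil {
		return 0, fmt.Errorf("Error parsing %s value of %s: %s", field, raw, err)
	}
	if d < 0 {
		return 0, fmt.Errorf("%s value of %s must not be negative", field, raw)
	}
	return d, nil
}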
// roleEntry is the stored form of a role. The json tags drive the storage
// encoding (logical.StorageEntryJSON) and the structs tags drive the read
// response (structs.New(...).Map()), so both must stay aligned with the field
// names accepted by pathRoles.
type roleEntry struct {
	// CreationCQL is the template run to create a user; '{{username}}' and
	// '{{password}}' are substituted first (see pathRoleHelpDesc).
	CreationCQL string `json:"creation_cql" structs:"creation_cql"`
	// Lease is the lease length applied to credentials issued under this role.
	Lease time.Duration `json:"lease" structs:"lease"`
	// LeaseGracePeriod is the renewal grace period allowed past lease expiry.
	LeaseGracePeriod time.Duration `json:"lease_grace_period" structs:"lease_grace_period"`
	// RollbackCQL is the template run when a creation statement fails.
	RollbackCQL string `json:"rollback_cql" structs:"rollback_cql"`
}
// pathRoleHelpSyn is the one-line help synopsis shown for the roles/ path.
const pathRoleHelpSyn = `
Manage the roles that can be created with this backend.
`
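// pathRoleHelpDesc is the long-form help shown for the roles/ path. It
// embeds the default CQL templates so the help always reflects what will
// actually run when a role omits them. (The text previously misspelled
// "absence".)
const pathRoleHelpDesc = `
This path lets you manage the roles that can be created with this backend.

The "creation_cql" parameter customizes the CQL string used to create users
and assign them grants. This can be a sequence of CQL queries separated by
semicolons. Some substitution will be done to the CQL string for certain keys.
The names of the variables must be surrounded by '{{' and '}}' to be replaced.
Note that it is important that single quotes are used, not double quotes.

* "username" - The random username generated for the DB user.

* "password" - The random password generated for the DB user.

If no "creation_cql" parameter is given, a default will be used:

` + defaultCreationCQL + `

This default should be suitable for Cassandra installations using the password
authenticator but not configured to use authorization.

Similarly, the "rollback_cql" is used if user creation fails, in the absence of
Cassandra transactions. The default should be suitable for almost any
instance of Cassandra:

` + defaultRollbackCQL + `

"lease" and "lease_grace_period" control the lease time and the allowed grace
period past lease expiration, respectively.
`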