luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity
open-vault/builtin/credential/aws/path_tidy_identity_accesslist.go

127 lines
4 KiB
Go
Raw Normal View History

Create unified aws auth backend (#2441) * Rename builtin/credential/aws-ec2 to aws The aws-ec2 authentication backend is being expanded and will become the generic aws backend. This is a small rename commit to keep the commit history clean. * Expand aws-ec2 backend to more generic aws This adds the ability to authenticate arbitrary AWS IAM principals using AWS's sts:GetCallerIdentity method. The AWS-EC2 auth backend is being to just AWS with the expansion. * Add missing aws auth handler to CLI This was omitted from the previous commit * aws auth backend general variable name cleanup Also fixed a bug where allowed auth types weren't being checked upon login, and added tests for it. * Update docs for the aws auth backend * Refactor aws bind validation * Fix env var override in aws backend test Intent is to override the AWS environment variables with the TEST_* versions if they are set, but the reverse was happening. * Update docs on use of IAM authentication profile AWS now allows you to change the instance profile of a running instance, so the use case of "a long-lived instance that's not in an instance profile" no longer means you have to use the the EC2 auth method. You can now just change the instance profile on the fly. * Fix typo in aws auth cli help * Respond to PR feedback * More PR feedback * Respond to additional PR feedback * Address more feedback on aws auth PR * Make aws auth_type immutable per role * Address more aws auth PR feedback * Address more iam auth PR feedback * Rename aws-ec2.html.md to aws.html.md Per PR feedback, to go along with new backend name. * Add MountType to logical.Request * Make default aws auth_type dependent upon MountType When MountType is aws-ec2, default to ec2 auth_type for backwards compatibility with legacy roles. Otherwise, default to iam. * Pass MountPoint and MountType back up to the core Previously the request router reset the MountPoint and MountType back to the empty string before returning to the core. This ensures they get set back to the correct values.
2017-04-24 19:15:50 +00:00
package awsauth
AWS EC2 instances authentication backend
2016-04-06 00:42:26 +00:00
import (
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers
2018-01-08 18:31:38 +00:00
"context"
AWS EC2 instances authentication backend
2016-04-06 00:42:26 +00:00
"fmt"
Make single-lease revocation behave like expiration (#4883) This change makes it so that if a lease is revoked through user action, we set the expiration time to now and update pending, just as we do with tokens. This allows the normal retry logic to apply in these cases as well, instead of just erroring out immediately. The idea being that once you tell Vault to revoke something it should keep doing its darndest to actually make that happen.
2018-07-11 19:45:09 +00:00
"net/http"
Guard tidy functions
2016-05-05 18:28:46 +00:00
"sync/atomic"
AWS EC2 instances authentication backend
2016-04-06 00:42:26 +00:00
"time"
Switch to go modules (#6585) * Switch to go modules * Make fmt
2019-04-13 07:44:06 +00:00
"github.com/hashicorp/vault/sdk/framework"
Create sdk/ and api/ submodules (#6583)
2019-04-12 21:54:35 +00:00
"github.com/hashicorp/vault/sdk/helper/consts"
"github.com/hashicorp/vault/sdk/logical"
AWS EC2 instances authentication backend
2016-04-06 00:42:26 +00:00
)
Replace deprecated terms in AWS Auth (#10997) * Replace deprecated terms in AWS Auth This PR is part of an effort to remove non-inclusive language throughout Vault. The AWS Auth backend uses the "whitelist" and "blacklist" term extensively, and these are the focus of the PR: * Add new API endpoints that use the preferred terminology, while deprecating the old endpoints. These endpoints offer identical functionality and are basically aliases. This is the only functional change in the PR except for terms in error messages. * Replace "whitelist" -> "access list", "blacklist" -> "deny list" in variable names, comments, etc. Note that storage locations were *not* changed at this time, as that is a more complex process involving versioning that we may tackle in a future revision. We have reduced the occurrences of non-inclusive language, however. Reviewers should be sure to "Ignore Whitespace" in diffs, especially for the tests, which were basically indented one level as part of looping over the tests with both the old and new names.
2021-02-26 07:23:34 +00:00
func (b *backend) pathTidyIdentityAccessList() *framework.Path {
AWS EC2 instances authentication backend
2016-04-06 00:42:26 +00:00
return &framework.Path{
Replace deprecated terms in AWS Auth (#10997) * Replace deprecated terms in AWS Auth This PR is part of an effort to remove non-inclusive language throughout Vault. The AWS Auth backend uses the "whitelist" and "blacklist" term extensively, and these are the focus of the PR: * Add new API endpoints that use the preferred terminology, while deprecating the old endpoints. These endpoints offer identical functionality and are basically aliases. This is the only functional change in the PR except for terms in error messages. * Replace "whitelist" -> "access list", "blacklist" -> "deny list" in variable names, comments, etc. Note that storage locations were *not* changed at this time, as that is a more complex process involving versioning that we may tackle in a future revision. We have reduced the occurrences of non-inclusive language, however. Reviewers should be sure to "Ignore Whitespace" in diffs, especially for the tests, which were basically indented one level as part of looping over the tests with both the old and new names.
2021-02-26 07:23:34 +00:00
Pattern: "tidy/identity-accesslist$",
AWS EC2 instances authentication backend
2016-04-06 00:42:26 +00:00
Fields: map[string]*framework.FieldSchema{
AWS credential plugin maintenance (#7114)
2019-07-31 23:11:35 +00:00
"safety_buffer": {
AWS EC2 instances authentication backend
2016-04-06 00:42:26 +00:00
Type: framework.TypeDurationSecond,
Default: 259200,
Description: `The amount of extra time that must have passed beyond the identity's
expiration, before it is removed from the backend storage.`,
},
},
AWS credential plugin maintenance (#7114)
2019-07-31 23:11:35 +00:00
Operations: map[logical.Operation]framework.OperationHandler{
logical.UpdateOperation: &framework.PathOperation{
Replace deprecated terms in AWS Auth (#10997) * Replace deprecated terms in AWS Auth This PR is part of an effort to remove non-inclusive language throughout Vault. The AWS Auth backend uses the "whitelist" and "blacklist" term extensively, and these are the focus of the PR: * Add new API endpoints that use the preferred terminology, while deprecating the old endpoints. These endpoints offer identical functionality and are basically aliases. This is the only functional change in the PR except for terms in error messages. * Replace "whitelist" -> "access list", "blacklist" -> "deny list" in variable names, comments, etc. Note that storage locations were *not* changed at this time, as that is a more complex process involving versioning that we may tackle in a future revision. We have reduced the occurrences of non-inclusive language, however. Reviewers should be sure to "Ignore Whitespace" in diffs, especially for the tests, which were basically indented one level as part of looping over the tests with both the old and new names.
2021-02-26 07:23:34 +00:00
Callback: b.pathTidyIdentityAccessListUpdate,
AWS credential plugin maintenance (#7114)
2019-07-31 23:11:35 +00:00
},
AWS EC2 instances authentication backend
2016-04-06 00:42:26 +00:00
},
Replace deprecated terms in AWS Auth (#10997) * Replace deprecated terms in AWS Auth This PR is part of an effort to remove non-inclusive language throughout Vault. The AWS Auth backend uses the "whitelist" and "blacklist" term extensively, and these are the focus of the PR: * Add new API endpoints that use the preferred terminology, while deprecating the old endpoints. These endpoints offer identical functionality and are basically aliases. This is the only functional change in the PR except for terms in error messages. * Replace "whitelist" -> "access list", "blacklist" -> "deny list" in variable names, comments, etc. Note that storage locations were *not* changed at this time, as that is a more complex process involving versioning that we may tackle in a future revision. We have reduced the occurrences of non-inclusive language, however. Reviewers should be sure to "Ignore Whitespace" in diffs, especially for the tests, which were basically indented one level as part of looping over the tests with both the old and new names.
2021-02-26 07:23:34 +00:00
HelpSynopsis: pathTidyIdentityAccessListSyn,
HelpDescription: pathTidyIdentityAccessListDesc,
AWS EC2 instances authentication backend
2016-04-06 00:42:26 +00:00
}
}
Replace deprecated terms in AWS Auth (#10997) * Replace deprecated terms in AWS Auth This PR is part of an effort to remove non-inclusive language throughout Vault. The AWS Auth backend uses the "whitelist" and "blacklist" term extensively, and these are the focus of the PR: * Add new API endpoints that use the preferred terminology, while deprecating the old endpoints. These endpoints offer identical functionality and are basically aliases. This is the only functional change in the PR except for terms in error messages. * Replace "whitelist" -> "access list", "blacklist" -> "deny list" in variable names, comments, etc. Note that storage locations were *not* changed at this time, as that is a more complex process involving versioning that we may tackle in a future revision. We have reduced the occurrences of non-inclusive language, however. Reviewers should be sure to "Ignore Whitespace" in diffs, especially for the tests, which were basically indented one level as part of looping over the tests with both the old and new names.
2021-02-26 07:23:34 +00:00
// tidyAccessListIdentity is used to delete entries in the access list that are expired.
func (b *backend) tidyAccessListIdentity(ctx context.Context, req *logical.Request, safetyBuffer int) (*logical.Response, error) {
Fix approle tidy on performance standbys (#5338) * Fix approle tidy on performance standbys * Forward PKI and AWS also
2018-09-17 16:53:23 +00:00
// If we are a performance standby forward the request to the active node
if b.System().ReplicationState().HasState(consts.ReplicationPerformanceStandby) {
return nil, logical.ErrReadOnly
}
Replace deprecated terms in AWS Auth (#10997) * Replace deprecated terms in AWS Auth This PR is part of an effort to remove non-inclusive language throughout Vault. The AWS Auth backend uses the "whitelist" and "blacklist" term extensively, and these are the focus of the PR: * Add new API endpoints that use the preferred terminology, while deprecating the old endpoints. These endpoints offer identical functionality and are basically aliases. This is the only functional change in the PR except for terms in error messages. * Replace "whitelist" -> "access list", "blacklist" -> "deny list" in variable names, comments, etc. Note that storage locations were *not* changed at this time, as that is a more complex process involving versioning that we may tackle in a future revision. We have reduced the occurrences of non-inclusive language, however. Reviewers should be sure to "Ignore Whitespace" in diffs, especially for the tests, which were basically indented one level as part of looping over the tests with both the old and new names.
2021-02-26 07:23:34 +00:00
if !atomic.CompareAndSwapUint32(b.tidyAccessListCASGuard, 0, 1) {
Add an idle timeout for the server (#4760) * Add an idle timeout for the server Because tidy operations can be long-running, this also changes all tidy operations to behave the same operationally (kick off the process, get a warning back, log errors to server log) and makes them all run in a goroutine. This could mean a sort of hard stop if Vault gets sealed because the function won't have the read lock. This should generally be okay (running tidy again should pick back up where it left off), but future work could use cleanup funcs to trigger the functions to stop. * Fix up tidy test * Add deadline to cluster connections and an idle timeout to the cluster server, plus add readheader/read timeout to api server
2018-06-16 22:21:33 +00:00
resp := &logical.Response{}
resp.AddWarning("Tidy operation already in progress.")
return resp, nil
Guard tidy functions
2016-05-05 18:28:46 +00:00
}
Make single-lease revocation behave like expiration (#4883) This change makes it so that if a lease is revoked through user action, we set the expiration time to now and update pending, just as we do with tokens. This allows the normal retry logic to apply in these cases as well, instead of just erroring out immediately. The idea being that once you tell Vault to revoke something it should keep doing its darndest to actually make that happen.
2018-07-11 19:45:09 +00:00
s := req.Storage
Add an idle timeout for the server (#4760) * Add an idle timeout for the server Because tidy operations can be long-running, this also changes all tidy operations to behave the same operationally (kick off the process, get a warning back, log errors to server log) and makes them all run in a goroutine. This could mean a sort of hard stop if Vault gets sealed because the function won't have the read lock. This should generally be okay (running tidy again should pick back up where it left off), but future work could use cleanup funcs to trigger the functions to stop. * Fix up tidy test * Add deadline to cluster connections and an idle timeout to the cluster server, plus add readheader/read timeout to api server
2018-06-16 22:21:33 +00:00
go func() {
Replace deprecated terms in AWS Auth (#10997) * Replace deprecated terms in AWS Auth This PR is part of an effort to remove non-inclusive language throughout Vault. The AWS Auth backend uses the "whitelist" and "blacklist" term extensively, and these are the focus of the PR: * Add new API endpoints that use the preferred terminology, while deprecating the old endpoints. These endpoints offer identical functionality and are basically aliases. This is the only functional change in the PR except for terms in error messages. * Replace "whitelist" -> "access list", "blacklist" -> "deny list" in variable names, comments, etc. Note that storage locations were *not* changed at this time, as that is a more complex process involving versioning that we may tackle in a future revision. We have reduced the occurrences of non-inclusive language, however. Reviewers should be sure to "Ignore Whitespace" in diffs, especially for the tests, which were basically indented one level as part of looping over the tests with both the old and new names.
2021-02-26 07:23:34 +00:00
defer atomic.StoreUint32(b.tidyAccessListCASGuard, 0)
AWS EC2 instances authentication backend
2016-04-06 00:42:26 +00:00
Add an idle timeout for the server (#4760) * Add an idle timeout for the server Because tidy operations can be long-running, this also changes all tidy operations to behave the same operationally (kick off the process, get a warning back, log errors to server log) and makes them all run in a goroutine. This could mean a sort of hard stop if Vault gets sealed because the function won't have the read lock. This should generally be okay (running tidy again should pick back up where it left off), but future work could use cleanup funcs to trigger the functions to stop. * Fix up tidy test * Add deadline to cluster connections and an idle timeout to the cluster server, plus add readheader/read timeout to api server
2018-06-16 22:21:33 +00:00
// Don't cancel when the original client request goes away
ctx = context.Background()
AWS EC2 instances authentication backend
2016-04-06 00:42:26 +00:00
Add an idle timeout for the server (#4760) * Add an idle timeout for the server Because tidy operations can be long-running, this also changes all tidy operations to behave the same operationally (kick off the process, get a warning back, log errors to server log) and makes them all run in a goroutine. This could mean a sort of hard stop if Vault gets sealed because the function won't have the read lock. This should generally be okay (running tidy again should pick back up where it left off), but future work could use cleanup funcs to trigger the functions to stop. * Fix up tidy test * Add deadline to cluster connections and an idle timeout to the cluster server, plus add readheader/read timeout to api server
2018-06-16 22:21:33 +00:00
logger := b.Logger().Named("wltidy")
AWS EC2 instances authentication backend
2016-04-06 00:42:26 +00:00
correct delete path for tidy operations (#4799)
2018-06-20 00:58:12 +00:00
bufferDuration := time.Duration(safetyBuffer) * time.Second
AWS EC2 instances authentication backend
2016-04-06 00:42:26 +00:00
Add an idle timeout for the server (#4760) * Add an idle timeout for the server Because tidy operations can be long-running, this also changes all tidy operations to behave the same operationally (kick off the process, get a warning back, log errors to server log) and makes them all run in a goroutine. This could mean a sort of hard stop if Vault gets sealed because the function won't have the read lock. This should generally be okay (running tidy again should pick back up where it left off), but future work could use cleanup funcs to trigger the functions to stop. * Fix up tidy test * Add deadline to cluster connections and an idle timeout to the cluster server, plus add readheader/read timeout to api server
2018-06-16 22:21:33 +00:00
doTidy := func() error {
Replace deprecated terms in AWS Auth (#10997) * Replace deprecated terms in AWS Auth This PR is part of an effort to remove non-inclusive language throughout Vault. The AWS Auth backend uses the "whitelist" and "blacklist" term extensively, and these are the focus of the PR: * Add new API endpoints that use the preferred terminology, while deprecating the old endpoints. These endpoints offer identical functionality and are basically aliases. This is the only functional change in the PR except for terms in error messages. * Replace "whitelist" -> "access list", "blacklist" -> "deny list" in variable names, comments, etc. Note that storage locations were *not* changed at this time, as that is a more complex process involving versioning that we may tackle in a future revision. We have reduced the occurrences of non-inclusive language, however. Reviewers should be sure to "Ignore Whitespace" in diffs, especially for the tests, which were basically indented one level as part of looping over the tests with both the old and new names.
2021-02-26 07:23:34 +00:00
identities, err := s.List(ctx, identityAccessListStorage)
Add an idle timeout for the server (#4760) * Add an idle timeout for the server Because tidy operations can be long-running, this also changes all tidy operations to behave the same operationally (kick off the process, get a warning back, log errors to server log) and makes them all run in a goroutine. This could mean a sort of hard stop if Vault gets sealed because the function won't have the read lock. This should generally be okay (running tidy again should pick back up where it left off), but future work could use cleanup funcs to trigger the functions to stop. * Fix up tidy test * Add deadline to cluster connections and an idle timeout to the cluster server, plus add readheader/read timeout to api server
2018-06-16 22:21:33 +00:00
if err != nil {
return err
}
for _, instanceID := range identities {
Replace deprecated terms in AWS Auth (#10997) * Replace deprecated terms in AWS Auth This PR is part of an effort to remove non-inclusive language throughout Vault. The AWS Auth backend uses the "whitelist" and "blacklist" term extensively, and these are the focus of the PR: * Add new API endpoints that use the preferred terminology, while deprecating the old endpoints. These endpoints offer identical functionality and are basically aliases. This is the only functional change in the PR except for terms in error messages. * Replace "whitelist" -> "access list", "blacklist" -> "deny list" in variable names, comments, etc. Note that storage locations were *not* changed at this time, as that is a more complex process involving versioning that we may tackle in a future revision. We have reduced the occurrences of non-inclusive language, however. Reviewers should be sure to "Ignore Whitespace" in diffs, especially for the tests, which were basically indented one level as part of looping over the tests with both the old and new names.
2021-02-26 07:23:34 +00:00
identityEntry, err := s.Get(ctx, identityAccessListStorage+instanceID)
Add an idle timeout for the server (#4760) * Add an idle timeout for the server Because tidy operations can be long-running, this also changes all tidy operations to behave the same operationally (kick off the process, get a warning back, log errors to server log) and makes them all run in a goroutine. This could mean a sort of hard stop if Vault gets sealed because the function won't have the read lock. This should generally be okay (running tidy again should pick back up where it left off), but future work could use cleanup funcs to trigger the functions to stop. * Fix up tidy test * Add deadline to cluster connections and an idle timeout to the cluster server, plus add readheader/read timeout to api server
2018-06-16 22:21:33 +00:00
if err != nil {
builtin: deprecate errwrap.Wrapf() throughout (#11430) * audit: deprecate errwrap.Wrapf() * builtin/audit/file: deprecate errwrap.Wrapf() * builtin/crediential/app-id: deprecate errwrap.Wrapf() * builtin/credential/approle: deprecate errwrap.Wrapf() * builtin/credential/aws: deprecate errwrap.Wrapf() * builtin/credentials/token: deprecate errwrap.Wrapf() * builtin/credential/github: deprecate errwrap.Wrapf() * builtin/credential/cert: deprecate errwrap.Wrapf() * builtin/logical/transit: deprecate errwrap.Wrapf() * builtin/logical/totp: deprecate errwrap.Wrapf() * builtin/logical/ssh: deprecate errwrap.Wrapf() * builtin/logical/rabbitmq: deprecate errwrap.Wrapf() * builtin/logical/postgresql: deprecate errwrap.Wrapf() * builtin/logical/pki: deprecate errwrap.Wrapf() * builtin/logical/nomad: deprecate errwrap.Wrapf() * builtin/logical/mssql: deprecate errwrap.Wrapf() * builtin/logical/database: deprecate errwrap.Wrapf() * builtin/logical/consul: deprecate errwrap.Wrapf() * builtin/logical/cassandra: deprecate errwrap.Wrapf() * builtin/logical/aws: deprecate errwrap.Wrapf()
2021-04-22 15:20:59 +00:00
return fmt.Errorf("error fetching identity of instanceID %q: %w", instanceID, err)
Add an idle timeout for the server (#4760) * Add an idle timeout for the server Because tidy operations can be long-running, this also changes all tidy operations to behave the same operationally (kick off the process, get a warning back, log errors to server log) and makes them all run in a goroutine. This could mean a sort of hard stop if Vault gets sealed because the function won't have the read lock. This should generally be okay (running tidy again should pick back up where it left off), but future work could use cleanup funcs to trigger the functions to stop. * Fix up tidy test * Add deadline to cluster connections and an idle timeout to the cluster server, plus add readheader/read timeout to api server
2018-06-16 22:21:33 +00:00
}
if identityEntry == nil {
return fmt.Errorf("identity entry for instanceID %q is nil", instanceID)
}
if identityEntry.Value == nil || len(identityEntry.Value) == 0 {
return fmt.Errorf("found identity entry for instanceID %q but actual identity is empty", instanceID)
}
Replace deprecated terms in AWS Auth (#10997) * Replace deprecated terms in AWS Auth This PR is part of an effort to remove non-inclusive language throughout Vault. The AWS Auth backend uses the "whitelist" and "blacklist" term extensively, and these are the focus of the PR: * Add new API endpoints that use the preferred terminology, while deprecating the old endpoints. These endpoints offer identical functionality and are basically aliases. This is the only functional change in the PR except for terms in error messages. * Replace "whitelist" -> "access list", "blacklist" -> "deny list" in variable names, comments, etc. Note that storage locations were *not* changed at this time, as that is a more complex process involving versioning that we may tackle in a future revision. We have reduced the occurrences of non-inclusive language, however. Reviewers should be sure to "Ignore Whitespace" in diffs, especially for the tests, which were basically indented one level as part of looping over the tests with both the old and new names.
2021-02-26 07:23:34 +00:00
var result accessListIdentity
Add an idle timeout for the server (#4760) * Add an idle timeout for the server Because tidy operations can be long-running, this also changes all tidy operations to behave the same operationally (kick off the process, get a warning back, log errors to server log) and makes them all run in a goroutine. This could mean a sort of hard stop if Vault gets sealed because the function won't have the read lock. This should generally be okay (running tidy again should pick back up where it left off), but future work could use cleanup funcs to trigger the functions to stop. * Fix up tidy test * Add deadline to cluster connections and an idle timeout to the cluster server, plus add readheader/read timeout to api server
2018-06-16 22:21:33 +00:00
if err := identityEntry.DecodeJSON(&result); err != nil {
return err
}
if time.Now().After(result.ExpirationTime.Add(bufferDuration)) {
Replace deprecated terms in AWS Auth (#10997) * Replace deprecated terms in AWS Auth This PR is part of an effort to remove non-inclusive language throughout Vault. The AWS Auth backend uses the "whitelist" and "blacklist" term extensively, and these are the focus of the PR: * Add new API endpoints that use the preferred terminology, while deprecating the old endpoints. These endpoints offer identical functionality and are basically aliases. This is the only functional change in the PR except for terms in error messages. * Replace "whitelist" -> "access list", "blacklist" -> "deny list" in variable names, comments, etc. Note that storage locations were *not* changed at this time, as that is a more complex process involving versioning that we may tackle in a future revision. We have reduced the occurrences of non-inclusive language, however. Reviewers should be sure to "Ignore Whitespace" in diffs, especially for the tests, which were basically indented one level as part of looping over the tests with both the old and new names.
2021-02-26 07:23:34 +00:00
if err := s.Delete(ctx, identityAccessListStorage+instanceID); err != nil {
builtin: deprecate errwrap.Wrapf() throughout (#11430) * audit: deprecate errwrap.Wrapf() * builtin/audit/file: deprecate errwrap.Wrapf() * builtin/crediential/app-id: deprecate errwrap.Wrapf() * builtin/credential/approle: deprecate errwrap.Wrapf() * builtin/credential/aws: deprecate errwrap.Wrapf() * builtin/credentials/token: deprecate errwrap.Wrapf() * builtin/credential/github: deprecate errwrap.Wrapf() * builtin/credential/cert: deprecate errwrap.Wrapf() * builtin/logical/transit: deprecate errwrap.Wrapf() * builtin/logical/totp: deprecate errwrap.Wrapf() * builtin/logical/ssh: deprecate errwrap.Wrapf() * builtin/logical/rabbitmq: deprecate errwrap.Wrapf() * builtin/logical/postgresql: deprecate errwrap.Wrapf() * builtin/logical/pki: deprecate errwrap.Wrapf() * builtin/logical/nomad: deprecate errwrap.Wrapf() * builtin/logical/mssql: deprecate errwrap.Wrapf() * builtin/logical/database: deprecate errwrap.Wrapf() * builtin/logical/consul: deprecate errwrap.Wrapf() * builtin/logical/cassandra: deprecate errwrap.Wrapf() * builtin/logical/aws: deprecate errwrap.Wrapf()
2021-04-22 15:20:59 +00:00
return fmt.Errorf("error deleting identity of instanceID %q from storage: %w", instanceID, err)
Add an idle timeout for the server (#4760) * Add an idle timeout for the server Because tidy operations can be long-running, this also changes all tidy operations to behave the same operationally (kick off the process, get a warning back, log errors to server log) and makes them all run in a goroutine. This could mean a sort of hard stop if Vault gets sealed because the function won't have the read lock. This should generally be okay (running tidy again should pick back up where it left off), but future work could use cleanup funcs to trigger the functions to stop. * Fix up tidy test * Add deadline to cluster connections and an idle timeout to the cluster server, plus add readheader/read timeout to api server
2018-06-16 22:21:33 +00:00
}
}
}
AWS EC2 instances authentication backend
2016-04-06 00:42:26 +00:00
Add an idle timeout for the server (#4760) * Add an idle timeout for the server Because tidy operations can be long-running, this also changes all tidy operations to behave the same operationally (kick off the process, get a warning back, log errors to server log) and makes them all run in a goroutine. This could mean a sort of hard stop if Vault gets sealed because the function won't have the read lock. This should generally be okay (running tidy again should pick back up where it left off), but future work could use cleanup funcs to trigger the functions to stop. * Fix up tidy test * Add deadline to cluster connections and an idle timeout to the cluster server, plus add readheader/read timeout to api server
2018-06-16 22:21:33 +00:00
return nil
AWS EC2 instances authentication backend
2016-04-06 00:42:26 +00:00
}
Add an idle timeout for the server (#4760) * Add an idle timeout for the server Because tidy operations can be long-running, this also changes all tidy operations to behave the same operationally (kick off the process, get a warning back, log errors to server log) and makes them all run in a goroutine. This could mean a sort of hard stop if Vault gets sealed because the function won't have the read lock. This should generally be okay (running tidy again should pick back up where it left off), but future work could use cleanup funcs to trigger the functions to stop. * Fix up tidy test * Add deadline to cluster connections and an idle timeout to the cluster server, plus add readheader/read timeout to api server
2018-06-16 22:21:33 +00:00
if err := doTidy(); err != nil {
Replace deprecated terms in AWS Auth (#10997) * Replace deprecated terms in AWS Auth This PR is part of an effort to remove non-inclusive language throughout Vault. The AWS Auth backend uses the "whitelist" and "blacklist" term extensively, and these are the focus of the PR: * Add new API endpoints that use the preferred terminology, while deprecating the old endpoints. These endpoints offer identical functionality and are basically aliases. This is the only functional change in the PR except for terms in error messages. * Replace "whitelist" -> "access list", "blacklist" -> "deny list" in variable names, comments, etc. Note that storage locations were *not* changed at this time, as that is a more complex process involving versioning that we may tackle in a future revision. We have reduced the occurrences of non-inclusive language, however. Reviewers should be sure to "Ignore Whitespace" in diffs, especially for the tests, which were basically indented one level as part of looping over the tests with both the old and new names.
2021-02-26 07:23:34 +00:00
logger.Error("error running access list tidy", "error", err)
Add an idle timeout for the server (#4760) * Add an idle timeout for the server Because tidy operations can be long-running, this also changes all tidy operations to behave the same operationally (kick off the process, get a warning back, log errors to server log) and makes them all run in a goroutine. This could mean a sort of hard stop if Vault gets sealed because the function won't have the read lock. This should generally be okay (running tidy again should pick back up where it left off), but future work could use cleanup funcs to trigger the functions to stop. * Fix up tidy test * Add deadline to cluster connections and an idle timeout to the cluster server, plus add readheader/read timeout to api server
2018-06-16 22:21:33 +00:00
return
AWS EC2 instances authentication backend
2016-04-06 00:42:26 +00:00
}
Add an idle timeout for the server (#4760) * Add an idle timeout for the server Because tidy operations can be long-running, this also changes all tidy operations to behave the same operationally (kick off the process, get a warning back, log errors to server log) and makes them all run in a goroutine. This could mean a sort of hard stop if Vault gets sealed because the function won't have the read lock. This should generally be okay (running tidy again should pick back up where it left off), but future work could use cleanup funcs to trigger the functions to stop. * Fix up tidy test * Add deadline to cluster connections and an idle timeout to the cluster server, plus add readheader/read timeout to api server
2018-06-16 22:21:33 +00:00
}()
AWS EC2 instances authentication backend
2016-04-06 00:42:26 +00:00
Add an idle timeout for the server (#4760) * Add an idle timeout for the server Because tidy operations can be long-running, this also changes all tidy operations to behave the same operationally (kick off the process, get a warning back, log errors to server log) and makes them all run in a goroutine. This could mean a sort of hard stop if Vault gets sealed because the function won't have the read lock. This should generally be okay (running tidy again should pick back up where it left off), but future work could use cleanup funcs to trigger the functions to stop. * Fix up tidy test * Add deadline to cluster connections and an idle timeout to the cluster server, plus add readheader/read timeout to api server
2018-06-16 22:21:33 +00:00
resp := &logical.Response{}
resp.AddWarning("Tidy operation successfully started. Any information from the operation will be printed to Vault's server logs.")
Make single-lease revocation behave like expiration (#4883) This change makes it so that if a lease is revoked through user action, we set the expiration time to now and update pending, just as we do with tokens. This allows the normal retry logic to apply in these cases as well, instead of just erroring out immediately. The idea being that once you tell Vault to revoke something it should keep doing its darndest to actually make that happen.
2018-07-11 19:45:09 +00:00
return logical.RespondWithStatusCode(resp, req, http.StatusAccepted)
Support periodic tidy callback and config endpoints.
2016-04-19 01:06:26 +00:00
}
Replace deprecated terms in AWS Auth (#10997) * Replace deprecated terms in AWS Auth This PR is part of an effort to remove non-inclusive language throughout Vault. The AWS Auth backend uses the "whitelist" and "blacklist" term extensively, and these are the focus of the PR: * Add new API endpoints that use the preferred terminology, while deprecating the old endpoints. These endpoints offer identical functionality and are basically aliases. This is the only functional change in the PR except for terms in error messages. * Replace "whitelist" -> "access list", "blacklist" -> "deny list" in variable names, comments, etc. Note that storage locations were *not* changed at this time, as that is a more complex process involving versioning that we may tackle in a future revision. We have reduced the occurrences of non-inclusive language, however. Reviewers should be sure to "Ignore Whitespace" in diffs, especially for the tests, which were basically indented one level as part of looping over the tests with both the old and new names.
2021-02-26 07:23:34 +00:00
// pathTidyIdentityAccessListUpdate is used to delete entries in the access list that are expired.
func (b *backend) pathTidyIdentityAccessListUpdate(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
return b.tidyAccessListIdentity(ctx, req, data.Get("safety_buffer").(int))
AWS EC2 instances authentication backend
2016-04-06 00:42:26 +00:00
}
Replace deprecated terms in AWS Auth (#10997) * Replace deprecated terms in AWS Auth This PR is part of an effort to remove non-inclusive language throughout Vault. The AWS Auth backend uses the "whitelist" and "blacklist" term extensively, and these are the focus of the PR: * Add new API endpoints that use the preferred terminology, while deprecating the old endpoints. These endpoints offer identical functionality and are basically aliases. This is the only functional change in the PR except for terms in error messages. * Replace "whitelist" -> "access list", "blacklist" -> "deny list" in variable names, comments, etc. Note that storage locations were *not* changed at this time, as that is a more complex process involving versioning that we may tackle in a future revision. We have reduced the occurrences of non-inclusive language, however. Reviewers should be sure to "Ignore Whitespace" in diffs, especially for the tests, which were basically indented one level as part of looping over the tests with both the old and new names.
2021-02-26 07:23:34 +00:00
const pathTidyIdentityAccessListSyn = `
Clean-up the access list instance identity entries.
AWS EC2 instances authentication backend
2016-04-06 00:42:26 +00:00
`
Replace deprecated terms in AWS Auth (#10997) * Replace deprecated terms in AWS Auth This PR is part of an effort to remove non-inclusive language throughout Vault. The AWS Auth backend uses the "whitelist" and "blacklist" term extensively, and these are the focus of the PR: * Add new API endpoints that use the preferred terminology, while deprecating the old endpoints. These endpoints offer identical functionality and are basically aliases. This is the only functional change in the PR except for terms in error messages. * Replace "whitelist" -> "access list", "blacklist" -> "deny list" in variable names, comments, etc. Note that storage locations were *not* changed at this time, as that is a more complex process involving versioning that we may tackle in a future revision. We have reduced the occurrences of non-inclusive language, however. Reviewers should be sure to "Ignore Whitespace" in diffs, especially for the tests, which were basically indented one level as part of looping over the tests with both the old and new names.
2021-02-26 07:23:34 +00:00
const pathTidyIdentityAccessListDesc = `
When an instance identity is in the access list, the expiration time of the access list
Update docs and path names to the new patterns
2016-05-12 11:19:29 +00:00
entry is set based on the maximum 'max_ttl' value set on: the role, the role tag
Fix the list response of role tags
2016-04-28 02:03:11 +00:00
and the backend's mount.
AWS EC2 instances authentication backend
2016-04-06 00:42:26 +00:00
Fix the list response of role tags
2016-04-28 02:03:11 +00:00
When this endpoint is invoked, all the entries that are expired will be deleted.
AWS EC2 instances authentication backend
2016-04-06 00:42:26 +00:00
A 'safety_buffer' (duration in seconds) can be provided, to ensure deletion of
only those entries that are expired before 'safety_buffer' seconds.
`
Reference in a new issue Copy permalink