2017-05-02 08:59:36 +00:00
|
|
|
---
|
|
|
|
layout: "docs"
|
|
|
|
page_title: "Plugin System"
|
|
|
|
sidebar_current: "docs-internals-plugins"
|
|
|
|
description: |-
|
|
|
|
Learn about Vault's plugin system.
|
|
|
|
---
|
|
|
|
|
|
|
|
# Plugin System
|
|
|
|
Certain Vault backends utilize plugins to extend their functionality outside of
|
2018-04-24 17:41:37 +00:00
|
|
|
what is available in the core Vault code. Often times these backends will
|
2017-05-02 08:59:36 +00:00
|
|
|
provide both builtin plugins and a mechanism for executing external plugins.
|
2018-04-24 17:41:37 +00:00
|
|
|
Builtin plugins are shipped with Vault, often for commonly used implementations,
|
2017-05-02 08:59:36 +00:00
|
|
|
and require no additional operator intervention to run. Builtin plugins are
|
2018-04-24 17:41:37 +00:00
|
|
|
just like any other backend code inside Vault. External plugins, on the other
|
|
|
|
hand, are not shipped with the Vault binary and must be registered to Vault by
|
|
|
|
a privileged Vault user. This section of the documentation will describe the
|
2018-03-16 13:05:01 +00:00
|
|
|
architecture and security of external plugins.
|
2017-05-02 08:59:36 +00:00
|
|
|
|
|
|
|
# Plugin Architecture
|
|
|
|
Vault's plugins are completely separate, standalone applications that Vault
|
|
|
|
executes and communicates with over RPC. This means the plugin process does not
|
|
|
|
share the same memory space as Vault and therefore can only access the
|
|
|
|
interfaces and arguments given to it. This also means a crash in a plugin can not
|
|
|
|
crash the entirety of Vault.
|
|
|
|
|
|
|
|
## Plugin Communication
|
|
|
|
Vault creates a mutually authenticated TLS connection for communication with the
|
2017-08-08 16:39:19 +00:00
|
|
|
plugin's RPC server. While invoking the plugin process, Vault passes a [wrapping
|
2017-05-02 08:59:36 +00:00
|
|
|
token](https://www.vaultproject.io/docs/concepts/response-wrapping.html) to the
|
|
|
|
plugin process' environment. This token is single use and has a short TTL. Once
|
2017-08-08 16:39:19 +00:00
|
|
|
unwrapped, it provides the plugin with a uniquely generated TLS certificate and
|
2018-04-24 17:41:37 +00:00
|
|
|
private key for it to use to talk to the original Vault process.
|
2017-08-08 16:39:19 +00:00
|
|
|
|
2017-12-05 17:01:35 +00:00
|
|
|
The [`api_addr`][api_addr] must be set in order for the plugin process establish
|
|
|
|
communication with the Vault server during mount time. If the storage backend
|
|
|
|
has HA enabled and supports automatic host address detection (e.g. Consul),
|
|
|
|
Vault will automatically attempt to determine the `api_addr` as well.
|
|
|
|
|
2017-08-08 16:39:19 +00:00
|
|
|
~> Note: Reading the original connection's TLS connection state is not supported
|
|
|
|
in plugins.
|
2017-05-02 08:59:36 +00:00
|
|
|
|
|
|
|
## Plugin Registration
|
2017-05-02 09:22:06 +00:00
|
|
|
An important consideration of Vault's plugin system is to ensure the plugin
|
2018-04-24 17:41:37 +00:00
|
|
|
invoked by Vault is authentic and maintains integrity. There are two components
|
2017-05-02 23:20:07 +00:00
|
|
|
that a Vault operator needs to configure before external plugins can be run, the
|
|
|
|
plugin directory and the plugin catalog entry.
|
2017-05-02 08:59:36 +00:00
|
|
|
|
|
|
|
### Plugin Directory
|
|
|
|
The plugin directory is a configuration option of Vault, and can be specified in
|
|
|
|
the [configuration file](https://www.vaultproject.io/docs/configuration/index.html).
|
|
|
|
This setting specifies a directory that all plugin binaries must live. A plugin
|
2018-04-24 17:41:37 +00:00
|
|
|
can not be added to Vault unless it exists in the plugin directory. There is no
|
2017-05-02 08:59:36 +00:00
|
|
|
default for this configuration option, and if it is not set plugins can not be
|
2018-04-24 17:41:37 +00:00
|
|
|
added to Vault.
|
2017-05-02 08:59:36 +00:00
|
|
|
|
2018-04-24 17:41:37 +00:00
|
|
|
~> Warning: A Vault operator should take care to lock down the permissions on
|
2017-05-02 08:59:36 +00:00
|
|
|
this directory to ensure a plugin can not be modified by an unauthorized user
|
|
|
|
between the time of the SHA check and the time of plugin execution.
|
|
|
|
|
|
|
|
### Plugin Catalog
|
|
|
|
The plugin catalog is Vault's list of approved plugins. The catalog is stored in
|
2018-04-24 17:41:37 +00:00
|
|
|
Vault's barrier and can only be updated by a Vault user with sudo permissions.
|
2017-05-02 23:20:07 +00:00
|
|
|
Upon adding a new plugin, the plugin name, SHA256 sum of the executable, and the
|
2017-05-02 09:22:06 +00:00
|
|
|
command that should be used to run the plugin must be provided. The catalog will
|
|
|
|
make sure the executable referenced in the command exists in the plugin
|
|
|
|
directory. When added to the catalog the plugin is not automatically executed,
|
2017-06-06 13:49:49 +00:00
|
|
|
it instead becomes visible to backends and can be executed by them. For more
|
|
|
|
information on the plugin catalog please see the [Plugin Catalog API
|
|
|
|
docs](/api/system/plugins-catalog.html).
|
|
|
|
|
|
|
|
An example plugin submission looks like:
|
|
|
|
|
|
|
|
```
|
2018-03-16 13:05:01 +00:00
|
|
|
$ vault write sys/plugins/catalog/myplugin-database-plugin \
|
2018-10-04 16:51:54 +00:00
|
|
|
sha256=<expected SHA256 Hex value of the plugin binary> \
|
2017-06-06 13:49:49 +00:00
|
|
|
command="myplugin"
|
|
|
|
Success! Data written to: sys/plugins/catalog/myplugin-database-plugin
|
|
|
|
```
|
|
|
|
|
2017-05-02 08:59:36 +00:00
|
|
|
### Plugin Execution
|
2017-05-02 09:22:06 +00:00
|
|
|
When a backend wants to run a plugin, it first looks up the plugin, by name, in
|
|
|
|
the catalog. It then checks the executable's SHA256 sum against the one
|
2018-04-24 17:41:37 +00:00
|
|
|
configured in the plugin catalog. Finally Vault runs the command configured in
|
2017-05-02 09:22:06 +00:00
|
|
|
the catalog, sending along the JWT formatted response wrapping token and mlock
|
2018-03-16 13:05:01 +00:00
|
|
|
settings (like Vault, plugins support [the use of mlock when available](https://www.vaultproject.io/docs/configuration/index.html#disable_mlock)).
|
2017-05-02 08:59:36 +00:00
|
|
|
|
|
|
|
# Plugin Development
|
2017-08-08 16:39:19 +00:00
|
|
|
|
|
|
|
~> Advanced topic! Plugin development is a highly advanced topic in Vault, and
|
|
|
|
is not required knowledge for day-to-day usage. If you don't plan on writing any
|
|
|
|
plugins, we recommend not reading this section of the documentation.
|
|
|
|
|
2017-05-02 08:59:36 +00:00
|
|
|
Because Vault communicates to plugins over a RPC interface, you can build and
|
|
|
|
distribute a plugin for Vault without having to rebuild Vault itself. This makes
|
|
|
|
it easy for you to build a Vault plugin for your organization's internal use,
|
|
|
|
for a proprietary API that you don't want to open source, or to prototype
|
|
|
|
something before contributing it back to the main project.
|
|
|
|
|
|
|
|
In theory, because the plugin interface is HTTP, you could even develop a plugin
|
|
|
|
using a completely different programming language! (Disclaimer, you would also
|
|
|
|
have to re-implement the plugin API which is not a trivial amount of work.)
|
|
|
|
|
|
|
|
Developing a plugin is simple. The only knowledge necessary to write
|
|
|
|
a plugin is basic command-line skills and basic knowledge of the
|
|
|
|
[Go programming language](http://golang.org).
|
|
|
|
|
2017-05-18 18:06:44 +00:00
|
|
|
Your plugin implementation needs to satisfy the interface for the plugin
|
2017-05-02 08:59:36 +00:00
|
|
|
type you want to build. You can find these definitions in the docs for the
|
|
|
|
backend running the plugin.
|
|
|
|
|
|
|
|
```go
|
|
|
|
package main
|
|
|
|
|
|
|
|
import (
|
2017-08-09 18:41:17 +00:00
|
|
|
"os"
|
2018-03-16 13:05:01 +00:00
|
|
|
|
2017-08-09 18:41:17 +00:00
|
|
|
"github.com/hashicorp/vault/helper/pluginutil"
|
2017-05-03 00:04:49 +00:00
|
|
|
"github.com/hashicorp/vault/plugins"
|
2017-05-02 08:59:36 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
func main() {
|
2017-08-09 18:41:17 +00:00
|
|
|
apiClientMeta := &pluginutil.APIClientMeta{}
|
|
|
|
flags := apiClientMeta.FlagSet()
|
|
|
|
flags.Parse(os.Args)
|
2018-03-16 13:05:01 +00:00
|
|
|
|
2017-08-09 18:41:17 +00:00
|
|
|
plugins.Serve(New().(MyPlugin), apiClientMeta.GetTLSConfig())
|
2017-05-02 08:59:36 +00:00
|
|
|
}
|
|
|
|
```
|
|
|
|
|
|
|
|
And that's basically it! You would just need to change MyPlugin to your actual
|
|
|
|
plugin.
|
2017-12-05 17:01:35 +00:00
|
|
|
|
2018-03-16 13:05:01 +00:00
|
|
|
[api_addr]: /docs/configuration/index.html#api_addr
|