Rename "generic" secret backend to "kv" (#3292)

This commit is contained in:
Chris Hoffman 2017-09-15 09:02:29 -04:00 committed by GitHub
parent 267f871bbb
commit 1029ad3b33
48 changed files with 208 additions and 159 deletions


@ -25,7 +25,7 @@ func TestRenewer_Renew(t *testing.T) {
defer pgDone()
t.Run("group", func(t *testing.T) {
t.Run("generic", func(t *testing.T) {
t.Run("kv", func(t *testing.T) {
t.Parallel()
if _, err := client.Logical().Write("secret/value", map[string]interface{}{


@ -22,6 +22,46 @@ func TestMount(t *testing.T) {
},
}
args := []string{
"-address", addr,
"kv",
}
if code := c.Run(args); code != 0 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
}
client, err := c.Client()
if err != nil {
t.Fatalf("err: %s", err)
}
mounts, err := client.Sys().ListMounts()
if err != nil {
t.Fatalf("err: %s", err)
}
mount, ok := mounts["kv/"]
if !ok {
t.Fatal("should have kv mount")
}
if mount.Type != "kv" {
t.Fatal("should be kv type")
}
}
func TestMount_Generic(t *testing.T) {
core, _, token := vault.TestCoreUnsealed(t)
ln, addr := http.TestServer(t, core)
defer ln.Close()
ui := new(cli.MockUi)
c := &MountCommand{
Meta: meta.Meta{
ClientToken: token,
Ui: ui,
},
}
args := []string{
"-address", addr,
"generic",
@ -42,7 +82,7 @@ func TestMount(t *testing.T) {
mount, ok := mounts["generic/"]
if !ok {
t.Fatal("should have generic mount")
t.Fatal("should have generic mount path")
}
if mount.Type != "generic" {
t.Fatal("should be generic type")


@ -65,7 +65,7 @@ Usage: vault remount [options] from to
the data associated with the backend (such as configuration), will
be preserved.
Example: vault remount secret/ generic/
Example: vault remount secret/ kv/
General Options:
` + meta.GeneralOptionsUsage()


@ -24,7 +24,7 @@ func TestRemount(t *testing.T) {
args := []string{
"-address", addr,
"secret/", "generic",
"secret/", "kv",
}
if code := c.Run(args); code != 0 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
@ -45,8 +45,8 @@ func TestRemount(t *testing.T) {
t.Fatal("should not have mount")
}
_, ok = mounts["generic/"]
_, ok = mounts["kv/"]
if !ok {
t.Fatal("should have generic")
t.Fatal("should have kv")
}
}


@ -72,7 +72,7 @@ type ServerCommand struct {
}
func (c *ServerCommand) Run(args []string) int {
var dev, verifyOnly, devHA, devTransactional, devLeasedGeneric, devThreeNode bool
var dev, verifyOnly, devHA, devTransactional, devLeasedKV, devThreeNode bool
var configPath []string
var logLevel, devRootTokenID, devListenAddress, devPluginDir string
var devLatency, devLatencyJitter int
@ -87,7 +87,7 @@ func (c *ServerCommand) Run(args []string) int {
flags.BoolVar(&verifyOnly, "verify-only", false, "")
flags.BoolVar(&devHA, "dev-ha", false, "")
flags.BoolVar(&devTransactional, "dev-transactional", false, "")
flags.BoolVar(&devLeasedGeneric, "dev-leased-generic", false, "")
flags.BoolVar(&devLeasedKV, "dev-leased-kv", false, "")
flags.BoolVar(&devThreeNode, "dev-three-node", false, "")
flags.Usage = func() { c.Ui.Output(c.Help()) }
flags.Var((*sliceflag.StringFlag)(&configPath), "config", "config")
@ -141,7 +141,7 @@ func (c *ServerCommand) Run(args []string) int {
devListenAddress = os.Getenv("VAULT_DEV_LISTEN_ADDRESS")
}
if devHA || devTransactional || devLeasedGeneric || devThreeNode {
if devHA || devTransactional || devLeasedKV || devThreeNode {
dev = true
}
@ -264,8 +264,8 @@ func (c *ServerCommand) Run(args []string) int {
}
if dev {
coreConfig.DevToken = devRootTokenID
if devLeasedGeneric {
coreConfig.LogicalBackends["generic"] = vault.LeasedPassthroughBackendFactory
if devLeasedKV {
coreConfig.LogicalBackends["kv"] = vault.LeasedPassthroughBackendFactory
}
if devPluginDir != "" {
coreConfig.PluginDirectory = devPluginDir


@ -157,8 +157,8 @@ func TestSysMounts_headerAuth(t *testing.T) {
"auth": nil,
"data": map[string]interface{}{
"secret/": map[string]interface{}{
"description": "generic secret storage",
"type": "generic",
"description": "key/value secret storage",
"type": "kv",
"config": map[string]interface{}{
"default_lease_ttl": json.Number("0"),
"max_lease_ttl": json.Number("0"),
@ -188,8 +188,8 @@ func TestSysMounts_headerAuth(t *testing.T) {
},
},
"secret/": map[string]interface{}{
"description": "generic secret storage",
"type": "generic",
"description": "key/value secret storage",
"type": "kv",
"config": map[string]interface{}{
"default_lease_ttl": json.Number("0"),
"max_lease_ttl": json.Number("0"),


@ -27,8 +27,8 @@ func TestSysMounts(t *testing.T) {
"auth": nil,
"data": map[string]interface{}{
"secret/": map[string]interface{}{
"description": "generic secret storage",
"type": "generic",
"description": "key/value secret storage",
"type": "kv",
"config": map[string]interface{}{
"default_lease_ttl": json.Number("0"),
"max_lease_ttl": json.Number("0"),
@ -58,8 +58,8 @@ func TestSysMounts(t *testing.T) {
},
},
"secret/": map[string]interface{}{
"description": "generic secret storage",
"type": "generic",
"description": "key/value secret storage",
"type": "kv",
"config": map[string]interface{}{
"default_lease_ttl": json.Number("0"),
"max_lease_ttl": json.Number("0"),
@ -111,7 +111,7 @@ func TestSysMount(t *testing.T) {
TestServerAuth(t, addr, token)
resp := testHttpPost(t, token, addr+"/v1/sys/mounts/foo", map[string]interface{}{
"type": "generic",
"type": "kv",
"description": "foo",
})
testResponseStatus(t, resp, 204)
@ -129,7 +129,7 @@ func TestSysMount(t *testing.T) {
"data": map[string]interface{}{
"foo/": map[string]interface{}{
"description": "foo",
"type": "generic",
"type": "kv",
"config": map[string]interface{}{
"default_lease_ttl": json.Number("0"),
"max_lease_ttl": json.Number("0"),
@ -138,8 +138,8 @@ func TestSysMount(t *testing.T) {
"local": false,
},
"secret/": map[string]interface{}{
"description": "generic secret storage",
"type": "generic",
"description": "key/value secret storage",
"type": "kv",
"config": map[string]interface{}{
"default_lease_ttl": json.Number("0"),
"max_lease_ttl": json.Number("0"),
@ -170,7 +170,7 @@ func TestSysMount(t *testing.T) {
},
"foo/": map[string]interface{}{
"description": "foo",
"type": "generic",
"type": "kv",
"config": map[string]interface{}{
"default_lease_ttl": json.Number("0"),
"max_lease_ttl": json.Number("0"),
@ -179,8 +179,8 @@ func TestSysMount(t *testing.T) {
"local": false,
},
"secret/": map[string]interface{}{
"description": "generic secret storage",
"type": "generic",
"description": "key/value secret storage",
"type": "kv",
"config": map[string]interface{}{
"default_lease_ttl": json.Number("0"),
"max_lease_ttl": json.Number("0"),
@ -232,7 +232,7 @@ func TestSysMount_put(t *testing.T) {
TestServerAuth(t, addr, token)
resp := testHttpPut(t, token, addr+"/v1/sys/mounts/foo", map[string]interface{}{
"type": "generic",
"type": "kv",
"description": "foo",
})
testResponseStatus(t, resp, 204)
@ -248,7 +248,7 @@ func TestSysRemount(t *testing.T) {
TestServerAuth(t, addr, token)
resp := testHttpPost(t, token, addr+"/v1/sys/mounts/foo", map[string]interface{}{
"type": "generic",
"type": "kv",
"description": "foo",
})
testResponseStatus(t, resp, 204)
@ -272,7 +272,7 @@ func TestSysRemount(t *testing.T) {
"data": map[string]interface{}{
"bar/": map[string]interface{}{
"description": "foo",
"type": "generic",
"type": "kv",
"config": map[string]interface{}{
"default_lease_ttl": json.Number("0"),
"max_lease_ttl": json.Number("0"),
@ -281,8 +281,8 @@ func TestSysRemount(t *testing.T) {
"local": false,
},
"secret/": map[string]interface{}{
"description": "generic secret storage",
"type": "generic",
"description": "key/value secret storage",
"type": "kv",
"config": map[string]interface{}{
"default_lease_ttl": json.Number("0"),
"max_lease_ttl": json.Number("0"),
@ -313,7 +313,7 @@ func TestSysRemount(t *testing.T) {
},
"bar/": map[string]interface{}{
"description": "foo",
"type": "generic",
"type": "kv",
"config": map[string]interface{}{
"default_lease_ttl": json.Number("0"),
"max_lease_ttl": json.Number("0"),
@ -322,8 +322,8 @@ func TestSysRemount(t *testing.T) {
"local": false,
},
"secret/": map[string]interface{}{
"description": "generic secret storage",
"type": "generic",
"description": "key/value secret storage",
"type": "kv",
"config": map[string]interface{}{
"default_lease_ttl": json.Number("0"),
"max_lease_ttl": json.Number("0"),
@ -375,7 +375,7 @@ func TestSysUnmount(t *testing.T) {
TestServerAuth(t, addr, token)
resp := testHttpPost(t, token, addr+"/v1/sys/mounts/foo", map[string]interface{}{
"type": "generic",
"type": "kv",
"description": "foo",
})
testResponseStatus(t, resp, 204)
@ -395,8 +395,8 @@ func TestSysUnmount(t *testing.T) {
"auth": nil,
"data": map[string]interface{}{
"secret/": map[string]interface{}{
"description": "generic secret storage",
"type": "generic",
"description": "key/value secret storage",
"type": "kv",
"config": map[string]interface{}{
"default_lease_ttl": json.Number("0"),
"max_lease_ttl": json.Number("0"),
@ -426,8 +426,8 @@ func TestSysUnmount(t *testing.T) {
},
},
"secret/": map[string]interface{}{
"description": "generic secret storage",
"type": "generic",
"description": "key/value secret storage",
"type": "kv",
"config": map[string]interface{}{
"default_lease_ttl": json.Number("0"),
"max_lease_ttl": json.Number("0"),
@ -479,7 +479,7 @@ func TestSysTuneMount(t *testing.T) {
TestServerAuth(t, addr, token)
resp := testHttpPost(t, token, addr+"/v1/sys/mounts/foo", map[string]interface{}{
"type": "generic",
"type": "kv",
"description": "foo",
})
testResponseStatus(t, resp, 204)
@ -497,7 +497,7 @@ func TestSysTuneMount(t *testing.T) {
"data": map[string]interface{}{
"foo/": map[string]interface{}{
"description": "foo",
"type": "generic",
"type": "kv",
"config": map[string]interface{}{
"default_lease_ttl": json.Number("0"),
"max_lease_ttl": json.Number("0"),
@ -506,8 +506,8 @@ func TestSysTuneMount(t *testing.T) {
"local": false,
},
"secret/": map[string]interface{}{
"description": "generic secret storage",
"type": "generic",
"description": "key/value secret storage",
"type": "kv",
"config": map[string]interface{}{
"default_lease_ttl": json.Number("0"),
"max_lease_ttl": json.Number("0"),
@ -538,7 +538,7 @@ func TestSysTuneMount(t *testing.T) {
},
"foo/": map[string]interface{}{
"description": "foo",
"type": "generic",
"type": "kv",
"config": map[string]interface{}{
"default_lease_ttl": json.Number("0"),
"max_lease_ttl": json.Number("0"),
@ -547,8 +547,8 @@ func TestSysTuneMount(t *testing.T) {
"local": false,
},
"secret/": map[string]interface{}{
"description": "generic secret storage",
"type": "generic",
"description": "key/value secret storage",
"type": "kv",
"config": map[string]interface{}{
"default_lease_ttl": json.Number("0"),
"max_lease_ttl": json.Number("0"),
@ -639,7 +639,7 @@ func TestSysTuneMount(t *testing.T) {
"data": map[string]interface{}{
"foo/": map[string]interface{}{
"description": "foo",
"type": "generic",
"type": "kv",
"config": map[string]interface{}{
"default_lease_ttl": json.Number("259196400"),
"max_lease_ttl": json.Number("259200000"),
@ -648,8 +648,8 @@ func TestSysTuneMount(t *testing.T) {
"local": false,
},
"secret/": map[string]interface{}{
"description": "generic secret storage",
"type": "generic",
"description": "key/value secret storage",
"type": "kv",
"config": map[string]interface{}{
"default_lease_ttl": json.Number("0"),
"max_lease_ttl": json.Number("0"),
@ -680,7 +680,7 @@ func TestSysTuneMount(t *testing.T) {
},
"foo/": map[string]interface{}{
"description": "foo",
"type": "generic",
"type": "kv",
"config": map[string]interface{}{
"default_lease_ttl": json.Number("259196400"),
"max_lease_ttl": json.Number("259200000"),
@ -689,8 +689,8 @@ func TestSysTuneMount(t *testing.T) {
"local": false,
},
"secret/": map[string]interface{}{
"description": "generic secret storage",
"type": "generic",
"description": "key/value secret storage",
"type": "kv",
"config": map[string]interface{}{
"default_lease_ttl": json.Number("0"),
"max_lease_ttl": json.Number("0"),


@ -54,12 +54,12 @@ func TestSysMountConfig(t *testing.T) {
}
}
// testMount sets up a test mount of a generic backend w/ a random path; caller
// testMount sets up a test mount of a kv backend w/ a random path; caller
// is responsible for unmounting
func testMount(client *api.Client) (string, error) {
rand.Seed(time.Now().UTC().UnixNano())
randInt := rand.New(rand.NewSource(time.Now().UnixNano())).Int()
path := fmt.Sprintf("testmount-%d", randInt)
err := client.Sys().Mount(path, &api.MountInput{Type: "generic"})
err := client.Sys().Mount(path, &api.MountInput{Type: "kv"})
return path, err
}


@ -539,9 +539,9 @@ func NewCore(conf *CoreConfig) (*Core, error) {
for k, f := range conf.LogicalBackends {
logicalBackends[k] = f
}
_, ok := logicalBackends["generic"]
_, ok := logicalBackends["kv"]
if !ok {
logicalBackends["generic"] = PassthroughBackendFactory
logicalBackends["kv"] = PassthroughBackendFactory
}
logicalBackends["cubbyhole"] = CubbyholeBackendFactory
logicalBackends["system"] = func(config *logical.BackendConfig) (logical.Backend, error) {


@ -33,7 +33,7 @@ func testCore_NewTestCore(t *testing.T, seal Seal) (*Core, *CoreConfig) {
Physical: inm,
DisableMlock: true,
LogicalBackends: map[string]logical.Factory{
"generic": LeasedPassthroughBackendFactory,
"kv": LeasedPassthroughBackendFactory,
},
Seal: seal,
}


@ -46,7 +46,7 @@ func CubbyholeBackendFactory(conf *logical.BackendConfig) (logical.Backend, erro
// CubbyholeBackend is used for storing secrets directly into the physical
// backend. The secrets are encrypted in the durable storage.
// This differs from generic in that every token has its own private
// This differs from kv in that every token has its own private
// storage view. The view is removed when the token expires.
type CubbyholeBackend struct {
*framework.Backend
@ -185,7 +185,7 @@ The secrets are encrypted/decrypted by Vault: they are never stored
unencrypted in the backend and the backend never has an opportunity to
see the unencrypted value.
This backend differs from the 'generic' backend in that it is namespaced
This backend differs from the 'kv' backend in that it is namespaced
per-token. Tokens can only read and write their own values, with no
sharing possible (per-token cubbyholes). This can be useful for implementing
certain authentication workflows, as well as "scratch" areas for individual


@ -53,7 +53,7 @@ func LeaseSwitchedPassthroughBackend(conf *logical.BackendConfig, leases bool) (
b.Backend.Secrets = []*framework.Secret{
&framework.Secret{
Type: "generic",
Type: "kv",
Renew: b.handleRead,
Revoke: b.handleRevoke,
@ -116,7 +116,7 @@ func (b *PassthroughBackend) handleRead(
var resp *logical.Response
if b.generateLeases {
// Generate the response
resp = b.Secret("generic").Response(rawData, nil)
resp = b.Secret("kv").Response(rawData, nil)
resp.Secret.Renewable = false
} else {
resp = &logical.Response{
@ -207,7 +207,7 @@ func (b *PassthroughBackend) handleList(
}
const passthroughHelp = `
The generic backend reads and writes arbitrary secrets to the backend.
The kv backend reads and writes arbitrary secrets to the backend.
The secrets are encrypted/decrypted by Vault: they are never stored
unencrypted in the backend and the backend never has an opportunity to
see the unencrypted value.


@ -197,10 +197,10 @@ func TestPassthroughBackend_List(t *testing.T) {
func TestPassthroughBackend_Revoke(t *testing.T) {
test := func(b logical.Backend) {
req := logical.TestRequest(t, logical.RevokeOperation, "generic")
req := logical.TestRequest(t, logical.RevokeOperation, "kv")
req.Secret = &logical.Secret{
InternalData: map[string]interface{}{
"secret_type": "generic",
"secret_type": "kv",
},
}


@ -117,8 +117,8 @@ func TestSystemBackend_mounts(t *testing.T) {
// copy what's given
exp := map[string]interface{}{
"secret/": map[string]interface{}{
"type": "generic",
"description": "generic secret storage",
"type": "kv",
"description": "key/value secret storage",
"accessor": resp.Data["secret/"].(map[string]interface{})["accessor"],
"config": map[string]interface{}{
"default_lease_ttl": resp.Data["secret/"].(map[string]interface{})["config"].(map[string]interface{})["default_lease_ttl"].(int64),
@ -159,7 +159,7 @@ func TestSystemBackend_mount(t *testing.T) {
b := testSystemBackend(t)
req := logical.TestRequest(t, logical.UpdateOperation, "mounts/prod/secret/")
req.Data["type"] = "generic"
req.Data["type"] = "kv"
resp, err := b.HandleRequest(req)
if err != nil {
@ -174,7 +174,7 @@ func TestSystemBackend_mount_force_no_cache(t *testing.T) {
core, b, _ := testCoreSystemBackend(t)
req := logical.TestRequest(t, logical.UpdateOperation, "mounts/prod/secret/")
req.Data["type"] = "generic"
req.Data["type"] = "kv"
req.Data["config"] = map[string]interface{}{
"force_no_cache": true,
}
@ -423,7 +423,7 @@ func TestSystemBackend_leases(t *testing.T) {
t.Fatalf("err: %v", err)
}
if resp.Data["renewable"] == nil || resp.Data["renewable"].(bool) {
t.Fatal("generic leases are not renewable")
t.Fatal("kv leases are not renewable")
}
// Invalid lease


@ -65,6 +65,10 @@ var (
"system",
"token",
}
// mountAliases maps old backend names to new backend names, allowing us
// to move/rename backends but maintain backwards compatibility
mountAliases = map[string]string{"generic": "kv"}
)
func (c *Core) generateMountAccessor(entryType string) (string, error) {
@ -760,6 +764,9 @@ func (c *Core) unloadMounts() error {
// newLogicalBackend is used to create and configure a new logical backend by name
func (c *Core) newLogicalBackend(t string, sysView logical.SystemView, view logical.Storage, conf map[string]string) (logical.Backend, error) {
if alias, ok := mountAliases[t]; ok {
t = alias
}
f, ok := c.logicalBackends[t]
if !ok {
return nil, fmt.Errorf("unknown backend type: %s", t)
@ -801,19 +808,19 @@ func (c *Core) defaultMountTable() *MountTable {
if err != nil {
panic(fmt.Sprintf("could not create default secret mount UUID: %v", err))
}
mountAccessor, err := c.generateMountAccessor("generic")
mountAccessor, err := c.generateMountAccessor("kv")
if err != nil {
panic(fmt.Sprintf("could not generate default secret mount accessor: %v", err))
}
genericMount := &MountEntry{
kvMount := &MountEntry{
Table: mountTableType,
Path: "secret/",
Type: "generic",
Description: "generic secret storage",
Type: "kv",
Description: "key/value secret storage",
UUID: mountUUID,
Accessor: mountAccessor,
}
table.Entries = append(table.Entries, genericMount)
table.Entries = append(table.Entries, kvMount)
table.Entries = append(table.Entries, c.requiredMountTable().Entries...)
return table
}
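Review bot: `mountAliases` is only consulted inside `newLogicalBackend` when the backend factory is looked up, so a mount entry created or loaded with type `generic` keeps that literal in `MountEntry.Type` (and, if `generateMountAccessor(entryType)` is fed the raw type, in its accessor prefix); any later comparison against the literal `"kv"` — the test filter `if v.Type == "kv"` elsewhere in this commit is one example — will silently skip legacy mounts. Since the new `TestMount_Generic` deliberately asserts that the stored type stays `generic`, normalising on write is not an option here, so the asymmetry should at least be stated on the map: `// mountAliases is resolved only when the backend is instantiated (newLogicalBackend); the persisted MountEntry.Type keeps the legacy name, so code that branches on a mount's type must resolve it through this map rather than compare against "kv" directly.` A small helper such as `func resolveMountType(t string) string` used by both `newLogicalBackend` and any type-dependent branch would keep that in one place. `unloadMounts` and `defaultMountTable` begin outside this hunk.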


@ -47,7 +47,7 @@ func TestCore_Mount(t *testing.T) {
me := &MountEntry{
Table: mountTableType,
Path: "foo",
Type: "generic",
Type: "kv",
}
err := c.mount(me)
if err != nil {
@ -95,16 +95,16 @@ func TestCore_Mount_Local(t *testing.T) {
&MountEntry{
Table: mountTableType,
Path: "noop/",
Type: "generic",
Type: "kv",
UUID: "abcd",
Accessor: "generic-abcd",
Accessor: "kv-abcd",
},
&MountEntry{
Table: mountTableType,
Path: "noop2/",
Type: "generic",
Type: "kv",
UUID: "bcde",
Accessor: "generic-bcde",
Accessor: "kv-bcde",
},
},
}
@ -164,7 +164,7 @@ func TestCore_Mount_Local(t *testing.T) {
compEntries := c.mounts.Entries[:0]
// Filter out required mounts
for _, v := range c.mounts.Entries {
if v.Type == "generic" {
if v.Type == "kv" {
compEntries = append(compEntries, v)
}
}
@ -609,7 +609,7 @@ func verifyDefaultTable(t *testing.T, table *MountTable) {
if entry.Path != "secret/" {
t.Fatalf("bad: %v", entry)
}
if entry.Type != "generic" {
if entry.Type != "kv" {
t.Fatalf("bad: %v", entry)
}
case 2:


@ -27,7 +27,7 @@ func (c *Core) HandleRequest(req *logical.Request) (resp *logical.Response, err
}
// Allowing writing to a path ending in / makes it extremely difficult to
// understand user intent for the filesystem-like backends (generic,
// understand user intent for the filesystem-like backends (kv,
// cubbyhole) -- did they want a key named foo/ or did they want to write
// to a directory foo/ with no (or forgotten) key, or...? It also affects
// lookup, because paths ending in / are considered prefixes by some
@ -252,12 +252,12 @@ func (c *Core) handleRequest(req *logical.Request) (retResp *logical.Response, r
resp.Secret.TTL = maxTTL
}
// Generic mounts should return the TTL but not register
// KV mounts should return the TTL but not register
// for a lease as this provides a massive slowdown
registerLease := true
matchingBackend := c.router.MatchingBackend(req.Path)
if matchingBackend == nil {
c.logger.Error("core: unable to retrieve generic backend from router")
c.logger.Error("core: unable to retrieve kv backend from router")
retErr = multierror.Append(retErr, ErrInternalError)
return nil, auth, retErr
}
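Review bot: The log line `core: unable to retrieve kv backend from router` names the kv backend, but `c.router.MatchingBackend(req.Path)` is evaluated for any request that produced a `resp.Secret` (the hunk sits under `resp.Secret.TTL = maxTTL`), so when the lookup fails for a dynamic-secret mount the message points operators at the wrong backend. I'd make it backend-neutral and include the path that failed to route, e.g. `c.logger.Error("core: unable to retrieve backend from router", "path", req.Path)` if the logger takes key/value pairs, or fold the path into the string otherwise. The enclosing `handleRequest` starts and ends outside the hunk.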


@ -12,14 +12,14 @@ import (
func TestRequestHandling_Wrapping(t *testing.T) {
core, _, root := TestCoreUnsealed(t)
core.logicalBackends["generic"] = PassthroughBackendFactory
core.logicalBackends["kv"] = PassthroughBackendFactory
meUUID, _ := uuid.GenerateUUID()
err := core.mount(&MountEntry{
Table: mountTableType,
UUID: meUUID,
Path: "wraptest",
Type: "generic",
Type: "kv",
})
if err != nil {
t.Fatalf("err: %v", err)


@ -22,7 +22,7 @@ type Router struct {
// storagePrefix maps the prefix used for storage (ala the BarrierView)
// to the backend. This is used to map a key back into the backend that owns it.
// For example, logical/uuid1/foobar -> secrets/ (generic backend) + foobar
// For example, logical/uuid1/foobar -> secrets/ (kv backend) + foobar
storagePrefix *radix.Tree
}


@ -158,7 +158,7 @@ func testCoreConfig(t testing.T, physicalBackend physical.Backend, logger log.Lo
for backendName, backendFactory := range noopBackends {
logicalBackends[backendName] = backendFactory
}
logicalBackends["generic"] = LeasedPassthroughBackendFactory
logicalBackends["kv"] = LeasedPassthroughBackendFactory
for backendName, backendFactory := range testLogicalBackends {
logicalBackends[backendName] = backendFactory
}


@ -36,6 +36,7 @@
# - Items are case-sensitive (please use all lowercase)
#
/api/secret/generic/index.html /api/secret/kv/index.html
/api/system/renew.html /api/system/leases.html
/api/system/revoke.html /api/system/leases.html
/api/system/revoke-force.html /api/system/leases.html
@ -81,6 +82,7 @@
/docs/guides/upgrading/upgrade-to-0.6.4.html /guides/upgrading/upgrade-to-0.6.4.html
/docs/guides/upgrading/upgrade-to-0.7.0.html /guides/upgrading/upgrade-to-0.7.0.html
/docs/secrets/custom.html /docs/plugin/index.html
/docs/secrets/generic/index.html /docs/secrets/kv/index.html
/intro/getting-started/acl.html /intro/getting-started/policies.html
/docs/vault-enterprise/index.html /docs/enterprise/index.html


@ -52,7 +52,7 @@ via the `X-Vault-Token` header for future requests.
## Reading, Writing, and Listing Secrets
Different backends implement different APIs according to their functionality.
The examples below are created with the `generic` backend, which acts like a
The examples below are created with the `kv` backend, which acts like a
Key/Value store. Read the documentation for a particular backend for detailed
information on its API; this simply provides a general overview.
@ -64,7 +64,7 @@ following URL:
```
This maps to `secret/foo` where `foo` is the key in the `secret/` mount, which
is mounted by default on a fresh Vault install and is of type `generic`.
is mounted by default on a fresh Vault install and is of type `kv`.
Here is an example of reading a secret using cURL:
@ -76,7 +76,7 @@ $ curl \
```
You can list secrets as well. To do this, either issue a GET with the query
parameter `list=true`, or you can use the LIST HTTP verb. For the `generic`
parameter `list=true`, or you can use the LIST HTTP verb. For the `kv`
backend, listing is allowed on directories only, and returns the keys in the
given directory:


@ -1,18 +1,18 @@
---
layout: "api"
page_title: "Generic Secret Backend - HTTP API"
sidebar_current: "docs-http-secret-generic"
page_title: "Key/Value Secret Backend - HTTP API"
sidebar_current: "docs-http-secret-kv"
description: |-
This is the API documentation for the Vault Generic secret backend.
This is the API documentation for the Vault Key/Value secret backend.
---
# Generic Secret Backend HTTP API
# Key/Value Secret Backend HTTP API
This is the API documentation for the Vault Generic secret backend. For general
information about the usage and operation of the Generic backend, please see
the [Vault Generic backend documentation](/docs/secrets/generic/index.html).
This is the API documentation for the Vault Key/Value secret backend. For general
information about the usage and operation of the Key/Value backend, please see
the [Vault Key/Value backend documentation](/docs/secrets/kv/index.html).
This documentation assumes the Generic backend is mounted at the `/secret`
This documentation assumes the Key/Value backend is mounted at the `/secret`
path in Vault. Since it is possible to mount secret backends at any location,
please update your API calls accordingly.
@ -54,7 +54,7 @@ $ curl \
_Note_: the `lease_duration` field (which on the CLI shows as
`refresh_interval`) is advisory. No lease is created. This is a way for writers
to indicate how often a given value shold be re-read by the client. See the
[Vault Generic backend documentation](/docs/secrets/generic/index.html) for
[Vault Key/Value backend documentation](/docs/secrets/kv/index.html) for
more details.
## List Secrets
@ -122,8 +122,8 @@ policy granting the `update` capability.
- `:key` `(string: "")`  Specifies a key, paired with an associated value, to
be held at the given location. Multiple key/value pairs can be specified, and
all will be returned on a read operation. A key called `ttl` will trigger
some special behavior; see the [Vault Generic backend
documentation](/docs/secrets/generic/index.html) for details.
some special behavior; see the [Vault Key/Value backend
documentation](/docs/secrets/kv/index.html) for details.
### Sample Payload


@ -45,7 +45,7 @@ the paths it supports.
$ vault path-help secret
## DESCRIPTION
The generic backend reads and writes arbitrary secrets to the backend.
The key/value backend reads and writes arbitrary secrets to the backend.
The secrets are encrypted/decrypted by Vault: they are never stored
unencrypted in the backend and the backend never has an opportunity to
see the unencrypted value.


@ -34,7 +34,7 @@ Revocation can happen manually via the API, via the `vault revoke` cli command,
or automatically by Vault. When a lease is expired, Vault will automatically
revoke that lease.
**Note**: The [Generic Backend](/docs/secrets/generic/index.html) which stores
**Note**: The [Key/Value Backend](/docs/secrets/kv/index.html) which stores
arbitrary secrets does not issue leases.
## Lease IDs


@ -160,7 +160,7 @@ Validation is best performed by the following steps:
what you expect, it is possible that the data contained inside was read and
then put into a new response-wrapping token. (This is especially likely if
the path starts with `cubbyhole` or `sys/wrapping/wrap`.) Particular care
should be taken with `generic` KV mounts: exact matches on the path are best
should be taken with `kv` mounts: exact matches on the path are best
there. For example, if you expect a secret to come from `secret/foo` and
the interceptor provides a token with `secret/bar` as the path, simply
checking for a prefix of `secret/` is not enough.


@ -50,7 +50,7 @@ encryption keys for `transit`, etc).
If a user action would modify underlying shared state, the secondary forwards the request
to the primary to be handled; this is transparent to the client. In practice, most
high-volume workloads (reads in the `generic` backend, encryption/decryption operations
high-volume workloads (reads in the `kv` backend, encryption/decryption operations
in `transit`, etc.) can be satisfied by the local secondary, allowing Vault to scale
relatively horizontally with the number of secondaries rather than vertically as
in the past.


@ -34,7 +34,7 @@ clarify what is being discussed:
in. Much like a bank vault, the barrier must be "unsealed" before anything inside can be accessed.
* **Secret Backend** - A secret backend is responsible for managing secrets. Simple secret backends
like the "generic" backend simply return the same secret when queried. Some backends support
like the "kv" backend simply return the same secret when queried. Some backends support
using policies to dynamically generate a secret each time they are queried. This allows for
unique secrets to be used which allows Vault to do fine-grained revocation and policy updates.
As an example, a MySQL backend could be configured with a "web" policy. When the "web" secret


@ -128,12 +128,12 @@ These metrics relate to supported authentication backends.
| `vault.rollback.attempt.auth-token-` | This measures the number of rollback operations attempted for authentication tokens backend | Number of operations | Summary |
| `vault.rollback.attempt.auth-ldap-` | This measures the number of rollback operations attempted for the LDAP authentication backend | Number of operations | Summary |
| `vault.rollback.attempt.cubbyhole-` | This measures the number of rollback operations attempted for the cubbyhole authentication backend | Number of operations | Summary |
| `vault.rollback.attempt.secret-` | This measures the number of rollback operations attempted for the generic secret backend | Number of operations | Summary |
| `vault.rollback.attempt.secret-` | This measures the number of rollback operations attempted for the kv secret backend | Number of operations | Summary |
| `vault.rollback.attempt.sys-` | This measures the number of rollback operations attempted for the sys backend | Number of operations | Summary |
| `vault.route.rollback.auth-ldap-` | This measures the number of rollback operations for the LDAP authentication backend | Number of operations | Summary |
| `vault.route.rollback.auth-token-` | This measures the number of rollback operations for the authentication tokens backend | Number of operations | Summary |
| `vault.route.rollback.cubbyhole-` | This measures the number of rollback operations for the cubbyhole authentication backend | Number of operations | Summary |
| `vault.route.rollback.secret-` | This measures the number of rollback operations for the generic secret backend | Number of operations | Summary |
| `vault.route.rollback.secret-` | This measures the number of rollback operations for the kv secret backend | Number of operations | Summary |
| `vault.route.rollback.sys-` | This measures the number of rollback operations for the sys backend | Number of operations | Summary |
### Storage Backend Metrics


@ -21,7 +21,7 @@ on every path, use `vault path-help` after mounting the backend.
## Quick Start
The first step to using the aws backend is to mount it.
Unlike the `generic` backend, the `aws` backend is not mounted by default.
Unlike the `kv` backend, the `aws` backend is not mounted by default.
```text
$ vault mount aws


@ -31,7 +31,7 @@ on every path, use `vault path-help` after mounting the backend.
## Quick Start
The first step to using the Cassandra backend is to mount it.
Unlike the `generic` backend, the `cassandra` backend is not mounted by default.
Unlike the `kv` backend, the `cassandra` backend is not mounted by default.
```text
$ vault mount cassandra


@ -20,7 +20,7 @@ on every path, use `vault path-help` after mounting the backend.
## Quick Start
The first step to using the consul backend is to mount it.
Unlike the `generic` backend, the `consul` backend is not mounted by default.
Unlike the `kv` backend, the `consul` backend is not mounted by default.
```
$ vault mount consul


@ -14,13 +14,13 @@ The `cubbyhole` secret backend is used to store arbitrary secrets within
the configured physical storage for Vault. It is mounted at the `cubbyhole/`
prefix by default and cannot be mounted elsewhere or removed.
This backend differs from the `generic` backend in that the `generic` backend's
This backend differs from the `kv` backend in that the `kv` backend's
values are accessible to any token with read privileges on that path. In
`cubbyhole`, paths are scoped per token; no token can access another token's
cubbyhole, whether to read, write, list, or for any other operation. When the
token expires, its cubbyhole is destroyed.
Also unlike the `generic` backend, because the cubbyhole's lifetime is linked
Also unlike the `kv` backend, because the cubbyhole's lifetime is linked
to that of an authentication token, there is no concept of a TTL or refresh
interval for values contained in the token's cubbyhole.


@ -11,7 +11,7 @@ description: |-
Secret backends are the components in Vault which store and generate
secrets.
Some secret backends, such as "generic", simply store and read
Some secret backends, such as "kv", simply store and read
secrets verbatim. Other secret backends, such as "aws", create _dynamic
secrets_: secrets that are made on demand.
@ -21,7 +21,7 @@ in Vault. They behave very similarly to a virtual filesystem:
any read/write/delete is sent to the secret backend, and the secret
backend can choose to react to that operation however it sees fit.
For example, the "generic" backend passes through any operation back
For example, the "kv" backend passes through any operation back
to the configured storage backend for Vault. A "read" turns into a
"read" of the storage backend at the same path, a "write" turns into
a write, etc. This is a lot like a normal filesystem.


@ -1,22 +1,22 @@
---
layout: "docs"
page_title: "Generic Secret Backend"
sidebar_current: "docs-secrets-generic"
page_title: "Key/Value Secret Backend"
sidebar_current: "docs-secrets-kv"
description: |-
The generic secret backend can store arbitrary secrets.
The key/value secret backend can store arbitrary secrets.
---
# Generic Secret Backend
# Key/Value Secret Backend
Name: `generic`
Name: `kv`
The generic secret backend is used to store arbitrary secrets within
The key/value secret backend is used to store arbitrary secrets within
the configured physical storage for Vault. If you followed along with
the getting started guide, you interacted with a generic secret backend
the getting started guide, you interacted with a key/value secret backend
via the `secret/` prefix that Vault mounts by default. You can mount as many
of these backends at different mount points as you like.
Writing to a key in the `generic` backend will replace the old value;
Writing to a key in the `kv` backend will replace the old value;
sub-fields are not merged together.
This backend honors the distinction between the `create` and `update`
@ -28,7 +28,7 @@ secret's path.
## Quick Start
The generic backend allows for writing keys with arbitrary values. When data is
The kv backend allows for writing keys with arbitrary values. When data is
returned, the `lease_duration` field (in the API JSON) or `refresh_interval`
field (on the CLI) gives a hint as to how often a reader should look for a new
value. This comes from the value of the `default_lease_ttl` set on the mount,
@ -44,7 +44,7 @@ if it fits your input data.
The backend _never_ removes data on its own; the `ttl` key is merely advisory.
As an example, we can write a new key "foo" to the generic backend mounted at
As an example, we can write a new key "foo" to the kv backend mounted at
"secret/" by default:
```
@ -72,6 +72,6 @@ seconds (one hour) as specified.
## API
The Generic secret backend has a full HTTP API. Please see the
[Generic secret backend API](/api/secret/generic/index.html) for more
The Key/Value secret backend has a full HTTP API. Please see the
[Key/Value secret backend API](/api/secret/kv/index.html) for more
details.


@ -35,7 +35,7 @@ on every path, use `vault path-help` after mounting the backend.
## Quick Start
The first step to using the mongodb backend is to mount it.
Unlike the `generic` backend, the `mongodb` backend is not mounted by default.
Unlike the `kv` backend, the `mongodb` backend is not mounted by default.
```
$ vault mount mongodb


@ -34,7 +34,7 @@ on every path, use `vault path-help` after mounting the backend.
## Quick Start
The first step to using the mssql backend is to mount it.
Unlike the `generic` backend, the `mssql` backend is not mounted by default.
Unlike the `kv` backend, the `mssql` backend is not mounted by default.
```
$ vault mount mssql


@ -34,7 +34,7 @@ on every path, use `vault path-help` after mounting the backend.
## Quick Start
The first step to using the mysql backend is to mount it.
Unlike the `generic` backend, the `mysql` backend is not mounted by default.
Unlike the `kv` backend, the `mysql` backend is not mounted by default.
```
$ vault mount mysql


@ -127,7 +127,7 @@ endpoint.
#### Mount the backend
The first step to using the PKI backend is to mount it. Unlike the `generic`
The first step to using the PKI backend is to mount it. Unlike the `kv`
backend, the `pki` backend is not mounted by default.
```text


@ -35,7 +35,7 @@ on every path, use `vault path-help` after mounting the backend.
## Quick Start
The first step to using the PostgreSQL backend is to mount it.
Unlike the `generic` backend, the `postgresql` backend is not mounted by default.
Unlike the `kv` backend, the `postgresql` backend is not mounted by default.
```text
$ vault mount postgresql


@ -31,7 +31,7 @@ on every path, use `vault path-help` after mounting the backend.
## Quick Start
The first step to using the RabbitMQ backend is to mount it. Unlike the
`generic` backend, the `rabbitmq` backend is not mounted by default.
`kv` backend, the `rabbitmq` backend is not mounted by default.
```text
$ vault mount rabbitmq


@ -20,7 +20,7 @@ on every path, use `vault path-help` after mounting the backend.
## Quick Start
The first step to using the TOTP backend is to mount it.
Unlike the `generic` backend, the `totp` backend is not mounted by default.
Unlike the `kv` backend, the `totp` backend is not mounted by default.
```text
$ vault mount totp


@ -63,7 +63,7 @@ on every path, use `vault path-help` after mounting the backend.
## Quick Start
The first step to using the transit backend is to mount it. Unlike the `generic`
The first step to using the transit backend is to mount it. Unlike the `kv`
backend, the `transit` backend is not mounted by default.
```


@ -73,7 +73,7 @@ $ vault mounts
Path Type Accessor Plugin Default TTL Max TTL Force No Cache Replication Behavior Description
cubbyhole/ cubbyhole cubbyhole_80ef4e30 n/a n/a n/a false local per-token private secret storage
mock/ plugin plugin_10fc2cce mock-plugin system system false replicated
secret/ generic generic_ef2a14ec n/a system system false replicated generic secret storage
secret/ kv kv_ef2a14ec n/a system system false replicated key/value secret storage
sys/ system system_e3a4cccd n/a n/a n/a false replicated system endpoints used for control, policy and debugging
```
@ -95,7 +95,7 @@ Successfully unmounted 'mock' if it was mounted
$ vault mounts
Path Type Accessor Plugin Default TTL Max TTL Force No Cache Replication Behavior Description
cubbyhole/ cubbyhole cubbyhole_80ef4e30 n/a n/a n/a false local per-token private secret storage
secret/ generic generic_ef2a14ec n/a system system false replicated generic secret storage
secret/ kv kv_ef2a14ec n/a system system false replicated key/value secret storage
sys/ system system_e3a4cccd n/a n/a n/a false replicated system endpoints used for control, policy and debugging
```


@ -9,7 +9,7 @@ description: |-
# Built-in Help
You've now worked with `vault write` and `vault read` for multiple
paths: the generic secret backend with `secret/` and dynamic AWS
paths: the kv secret backend with `secret/` and dynamic AWS
credentials with the AWS backend provider at `aws/`. In both cases, the
structure and usage of each backend differed, for example the AWS
backend has special paths like `aws/config`.
@ -109,7 +109,7 @@ There is also a description of what that path does.
Go ahead and explore more paths! Mount other backends, traverse their
help systems and learn about what they do. For example, learn about the
generic `secret/` path.
kv `secret/` path.
## Next


@ -10,11 +10,11 @@ description: |-
Previously, we saw how to read and write arbitrary secrets to Vault. To
do this, we used the `secret/` prefix. This prefix specifies which
backend to use. By default, Vault mounts a backend called _generic_ to
`secret/`. The generic backend reads and writes raw data to the backend
backend to use. By default, Vault mounts a backend called _kv_ to
`secret/`. The kv backend reads and writes raw data to the backend
storage.
Vault supports other backends in addition to the _generic_ backend, and this feature
Vault supports other backends in addition to the _kv_ backend, and this feature
in particular is what makes Vault unique. For example, the _aws_ backend
generates AWS access keys dynamically, on demand. Another example --
this type of backend does not yet exist -- is a backend that
@ -23,7 +23,7 @@ reads and writes data directly to an
As Vault matures, more and more backends will be added.
To represent backends, Vault behaves much like a filesystem: backends
are mounted at specific paths. For example, the _generic_ backend is
are mounted at specific paths. For example, the _kv_ backend is
mounted at the `secret/` prefix.
On this page, we'll learn about the mount system and the operations
@ -32,7 +32,7 @@ for the next page, where we'll create dynamic secrets.
## Mount a Backend
To start, let's mount another _generic_ backend. Just like a normal
To start, let's mount another _kv_ backend. Just like a normal
filesystem, Vault can mount a backend multiple times at different
mount points. This is useful if you want different policies
(covered later) or configurations for different paths.
@ -40,32 +40,32 @@ mount points. This is useful if you want different policies
To mount the backend:
```
$ vault mount generic
Successfully mounted 'generic' at 'generic'!
$ vault mount kv
Successfully mounted 'kv' at 'kv'!
```
By default, the mount point will be the same name as the backend. This
is because 99% of the time, you don't want to customize this mount point.
In this example, we mounted the _generic_ backend at `generic/`.
In this example, we mounted the _kv_ backend at `kv/`.
You can inspect mounts using `vault mounts`:
```
$ vault mounts
Path Type Description
generic/ generic
secret/ generic generic secret storage
kv/ kv
secret/ kv key/value secret storage
sys/ system system endpoints used for control, policy and debugging
```
You can see the `generic/` path we just mounted, as well as the built-in
You can see the `kv/` path we just mounted, as well as the built-in
secret path. You can also see the `sys/` path. We won't cover this in
this guide, but this mount point is used to interact with the Vault core
system.
Spend some time reading and writing secrets to the new mount point to
convince yourself it works. As a bonus, write to the `secret/` endpoint
and observe that those values are unavailable via the `generic/` path: they share the
and observe that those values are unavailable via the `kv/` path: they share the
same backend, but do not share any data. In addition to this, backends
(of the same type or otherwise) _cannot_ access the data of other backends;
they can only access data within their mount point.
@ -78,8 +78,8 @@ and its data is deleted. If either of these operations fail, the backend
remains mounted.
```
$ vault unmount generic/
Successfully unmounted 'generic/' if it was mounted
$ vault unmount kv/
Successfully unmounted 'kv/' if it was mounted
```
In addition to unmounting, you can remount a backend. Remounting a
@ -95,7 +95,7 @@ Now that you've mounted and unmounted a backend, you might wonder:
Vault behaves a lot like a [virtual filesystem](https://en.wikipedia.org/wiki/Virtual_file_system).
The read/write/delete operations are forwarded to the backend, and the
backend can choose to react to these operations however it wishes.
For example, the _generic_ backend simply passes this through to the
For example, the _kv_ backend simply passes this through to the
storage backend (after encrypting data first).
However, the _aws_ backend (which you'll see soon), will read/write IAM


@ -50,8 +50,8 @@
</ul>
</li>
<li<%= sidebar_current("docs-http-secret-generic") %>>
<a href="/api/secret/generic/index.html">Generic</a>
<li<%= sidebar_current("docs-http-secret-kv") %>>
<a href="/api/secret/kv/index.html">Key/Value</a>
</li>
<li<%= sidebar_current("docs-http-secret-identity") %>>
<a href="/api/secret/identity/index.html">Identity</a>


@ -213,8 +213,8 @@
</ul>
</li>
<li<%= sidebar_current("docs-secrets-generic") %>>
<a href="/docs/secrets/generic/index.html">Generic</a>
<li<%= sidebar_current("docs-secrets-kv") %>>
<a href="/docs/secrets/kv/index.html">Key/Value</a>
</li>
<li<%= sidebar_current("docs-secrets-identity") %>>