Rename "generic" secret backend to "kv" (#3292)
This commit is contained in:
parent
267f871bbb
commit
1029ad3b33
|
@ -25,7 +25,7 @@ func TestRenewer_Renew(t *testing.T) {
|
|||
defer pgDone()
|
||||
|
||||
t.Run("group", func(t *testing.T) {
|
||||
t.Run("generic", func(t *testing.T) {
|
||||
t.Run("kv", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
if _, err := client.Logical().Write("secret/value", map[string]interface{}{
|
||||
|
|
|
@ -22,6 +22,46 @@ func TestMount(t *testing.T) {
|
|||
},
|
||||
}
|
||||
|
||||
args := []string{
|
||||
"-address", addr,
|
||||
"kv",
|
||||
}
|
||||
if code := c.Run(args); code != 0 {
|
||||
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
|
||||
}
|
||||
|
||||
client, err := c.Client()
|
||||
if err != nil {
|
||||
t.Fatalf("err: %s", err)
|
||||
}
|
||||
|
||||
mounts, err := client.Sys().ListMounts()
|
||||
if err != nil {
|
||||
t.Fatalf("err: %s", err)
|
||||
}
|
||||
|
||||
mount, ok := mounts["kv/"]
|
||||
if !ok {
|
||||
t.Fatal("should have kv mount")
|
||||
}
|
||||
if mount.Type != "kv" {
|
||||
t.Fatal("should be kv type")
|
||||
}
|
||||
}
|
||||
|
||||
func TestMount_Generic(t *testing.T) {
|
||||
core, _, token := vault.TestCoreUnsealed(t)
|
||||
ln, addr := http.TestServer(t, core)
|
||||
defer ln.Close()
|
||||
|
||||
ui := new(cli.MockUi)
|
||||
c := &MountCommand{
|
||||
Meta: meta.Meta{
|
||||
ClientToken: token,
|
||||
Ui: ui,
|
||||
},
|
||||
}
|
||||
|
||||
args := []string{
|
||||
"-address", addr,
|
||||
"generic",
|
||||
|
@ -42,7 +82,7 @@ func TestMount(t *testing.T) {
|
|||
|
||||
mount, ok := mounts["generic/"]
|
||||
if !ok {
|
||||
t.Fatal("should have generic mount")
|
||||
t.Fatal("should have generic mount path")
|
||||
}
|
||||
if mount.Type != "generic" {
|
||||
t.Fatal("should be generic type")
|
||||
|
|
|
@ -65,7 +65,7 @@ Usage: vault remount [options] from to
|
|||
the data associated with the backend (such as configuration), will
|
||||
be preserved.
|
||||
|
||||
Example: vault remount secret/ generic/
|
||||
Example: vault remount secret/ kv/
|
||||
|
||||
General Options:
|
||||
` + meta.GeneralOptionsUsage()
|
||||
|
|
|
@ -24,7 +24,7 @@ func TestRemount(t *testing.T) {
|
|||
|
||||
args := []string{
|
||||
"-address", addr,
|
||||
"secret/", "generic",
|
||||
"secret/", "kv",
|
||||
}
|
||||
if code := c.Run(args); code != 0 {
|
||||
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
|
||||
|
@ -45,8 +45,8 @@ func TestRemount(t *testing.T) {
|
|||
t.Fatal("should not have mount")
|
||||
}
|
||||
|
||||
_, ok = mounts["generic/"]
|
||||
_, ok = mounts["kv/"]
|
||||
if !ok {
|
||||
t.Fatal("should have generic")
|
||||
t.Fatal("should have kv")
|
||||
}
|
||||
}
|
||||
|
|
|
@ -72,7 +72,7 @@ type ServerCommand struct {
|
|||
}
|
||||
|
||||
func (c *ServerCommand) Run(args []string) int {
|
||||
var dev, verifyOnly, devHA, devTransactional, devLeasedGeneric, devThreeNode bool
|
||||
var dev, verifyOnly, devHA, devTransactional, devLeasedKV, devThreeNode bool
|
||||
var configPath []string
|
||||
var logLevel, devRootTokenID, devListenAddress, devPluginDir string
|
||||
var devLatency, devLatencyJitter int
|
||||
|
@ -87,7 +87,7 @@ func (c *ServerCommand) Run(args []string) int {
|
|||
flags.BoolVar(&verifyOnly, "verify-only", false, "")
|
||||
flags.BoolVar(&devHA, "dev-ha", false, "")
|
||||
flags.BoolVar(&devTransactional, "dev-transactional", false, "")
|
||||
flags.BoolVar(&devLeasedGeneric, "dev-leased-generic", false, "")
|
||||
flags.BoolVar(&devLeasedKV, "dev-leased-kv", false, "")
|
||||
flags.BoolVar(&devThreeNode, "dev-three-node", false, "")
|
||||
flags.Usage = func() { c.Ui.Output(c.Help()) }
|
||||
flags.Var((*sliceflag.StringFlag)(&configPath), "config", "config")
|
||||
|
@ -141,7 +141,7 @@ func (c *ServerCommand) Run(args []string) int {
|
|||
devListenAddress = os.Getenv("VAULT_DEV_LISTEN_ADDRESS")
|
||||
}
|
||||
|
||||
if devHA || devTransactional || devLeasedGeneric || devThreeNode {
|
||||
if devHA || devTransactional || devLeasedKV || devThreeNode {
|
||||
dev = true
|
||||
}
|
||||
|
||||
|
@ -264,8 +264,8 @@ func (c *ServerCommand) Run(args []string) int {
|
|||
}
|
||||
if dev {
|
||||
coreConfig.DevToken = devRootTokenID
|
||||
if devLeasedGeneric {
|
||||
coreConfig.LogicalBackends["generic"] = vault.LeasedPassthroughBackendFactory
|
||||
if devLeasedKV {
|
||||
coreConfig.LogicalBackends["kv"] = vault.LeasedPassthroughBackendFactory
|
||||
}
|
||||
if devPluginDir != "" {
|
||||
coreConfig.PluginDirectory = devPluginDir
|
||||
|
|
|
@ -157,8 +157,8 @@ func TestSysMounts_headerAuth(t *testing.T) {
|
|||
"auth": nil,
|
||||
"data": map[string]interface{}{
|
||||
"secret/": map[string]interface{}{
|
||||
"description": "generic secret storage",
|
||||
"type": "generic",
|
||||
"description": "key/value secret storage",
|
||||
"type": "kv",
|
||||
"config": map[string]interface{}{
|
||||
"default_lease_ttl": json.Number("0"),
|
||||
"max_lease_ttl": json.Number("0"),
|
||||
|
@ -188,8 +188,8 @@ func TestSysMounts_headerAuth(t *testing.T) {
|
|||
},
|
||||
},
|
||||
"secret/": map[string]interface{}{
|
||||
"description": "generic secret storage",
|
||||
"type": "generic",
|
||||
"description": "key/value secret storage",
|
||||
"type": "kv",
|
||||
"config": map[string]interface{}{
|
||||
"default_lease_ttl": json.Number("0"),
|
||||
"max_lease_ttl": json.Number("0"),
|
||||
|
|
|
@ -27,8 +27,8 @@ func TestSysMounts(t *testing.T) {
|
|||
"auth": nil,
|
||||
"data": map[string]interface{}{
|
||||
"secret/": map[string]interface{}{
|
||||
"description": "generic secret storage",
|
||||
"type": "generic",
|
||||
"description": "key/value secret storage",
|
||||
"type": "kv",
|
||||
"config": map[string]interface{}{
|
||||
"default_lease_ttl": json.Number("0"),
|
||||
"max_lease_ttl": json.Number("0"),
|
||||
|
@ -58,8 +58,8 @@ func TestSysMounts(t *testing.T) {
|
|||
},
|
||||
},
|
||||
"secret/": map[string]interface{}{
|
||||
"description": "generic secret storage",
|
||||
"type": "generic",
|
||||
"description": "key/value secret storage",
|
||||
"type": "kv",
|
||||
"config": map[string]interface{}{
|
||||
"default_lease_ttl": json.Number("0"),
|
||||
"max_lease_ttl": json.Number("0"),
|
||||
|
@ -111,7 +111,7 @@ func TestSysMount(t *testing.T) {
|
|||
TestServerAuth(t, addr, token)
|
||||
|
||||
resp := testHttpPost(t, token, addr+"/v1/sys/mounts/foo", map[string]interface{}{
|
||||
"type": "generic",
|
||||
"type": "kv",
|
||||
"description": "foo",
|
||||
})
|
||||
testResponseStatus(t, resp, 204)
|
||||
|
@ -129,7 +129,7 @@ func TestSysMount(t *testing.T) {
|
|||
"data": map[string]interface{}{
|
||||
"foo/": map[string]interface{}{
|
||||
"description": "foo",
|
||||
"type": "generic",
|
||||
"type": "kv",
|
||||
"config": map[string]interface{}{
|
||||
"default_lease_ttl": json.Number("0"),
|
||||
"max_lease_ttl": json.Number("0"),
|
||||
|
@ -138,8 +138,8 @@ func TestSysMount(t *testing.T) {
|
|||
"local": false,
|
||||
},
|
||||
"secret/": map[string]interface{}{
|
||||
"description": "generic secret storage",
|
||||
"type": "generic",
|
||||
"description": "key/value secret storage",
|
||||
"type": "kv",
|
||||
"config": map[string]interface{}{
|
||||
"default_lease_ttl": json.Number("0"),
|
||||
"max_lease_ttl": json.Number("0"),
|
||||
|
@ -170,7 +170,7 @@ func TestSysMount(t *testing.T) {
|
|||
},
|
||||
"foo/": map[string]interface{}{
|
||||
"description": "foo",
|
||||
"type": "generic",
|
||||
"type": "kv",
|
||||
"config": map[string]interface{}{
|
||||
"default_lease_ttl": json.Number("0"),
|
||||
"max_lease_ttl": json.Number("0"),
|
||||
|
@ -179,8 +179,8 @@ func TestSysMount(t *testing.T) {
|
|||
"local": false,
|
||||
},
|
||||
"secret/": map[string]interface{}{
|
||||
"description": "generic secret storage",
|
||||
"type": "generic",
|
||||
"description": "key/value secret storage",
|
||||
"type": "kv",
|
||||
"config": map[string]interface{}{
|
||||
"default_lease_ttl": json.Number("0"),
|
||||
"max_lease_ttl": json.Number("0"),
|
||||
|
@ -232,7 +232,7 @@ func TestSysMount_put(t *testing.T) {
|
|||
TestServerAuth(t, addr, token)
|
||||
|
||||
resp := testHttpPut(t, token, addr+"/v1/sys/mounts/foo", map[string]interface{}{
|
||||
"type": "generic",
|
||||
"type": "kv",
|
||||
"description": "foo",
|
||||
})
|
||||
testResponseStatus(t, resp, 204)
|
||||
|
@ -248,7 +248,7 @@ func TestSysRemount(t *testing.T) {
|
|||
TestServerAuth(t, addr, token)
|
||||
|
||||
resp := testHttpPost(t, token, addr+"/v1/sys/mounts/foo", map[string]interface{}{
|
||||
"type": "generic",
|
||||
"type": "kv",
|
||||
"description": "foo",
|
||||
})
|
||||
testResponseStatus(t, resp, 204)
|
||||
|
@ -272,7 +272,7 @@ func TestSysRemount(t *testing.T) {
|
|||
"data": map[string]interface{}{
|
||||
"bar/": map[string]interface{}{
|
||||
"description": "foo",
|
||||
"type": "generic",
|
||||
"type": "kv",
|
||||
"config": map[string]interface{}{
|
||||
"default_lease_ttl": json.Number("0"),
|
||||
"max_lease_ttl": json.Number("0"),
|
||||
|
@ -281,8 +281,8 @@ func TestSysRemount(t *testing.T) {
|
|||
"local": false,
|
||||
},
|
||||
"secret/": map[string]interface{}{
|
||||
"description": "generic secret storage",
|
||||
"type": "generic",
|
||||
"description": "key/value secret storage",
|
||||
"type": "kv",
|
||||
"config": map[string]interface{}{
|
||||
"default_lease_ttl": json.Number("0"),
|
||||
"max_lease_ttl": json.Number("0"),
|
||||
|
@ -313,7 +313,7 @@ func TestSysRemount(t *testing.T) {
|
|||
},
|
||||
"bar/": map[string]interface{}{
|
||||
"description": "foo",
|
||||
"type": "generic",
|
||||
"type": "kv",
|
||||
"config": map[string]interface{}{
|
||||
"default_lease_ttl": json.Number("0"),
|
||||
"max_lease_ttl": json.Number("0"),
|
||||
|
@ -322,8 +322,8 @@ func TestSysRemount(t *testing.T) {
|
|||
"local": false,
|
||||
},
|
||||
"secret/": map[string]interface{}{
|
||||
"description": "generic secret storage",
|
||||
"type": "generic",
|
||||
"description": "key/value secret storage",
|
||||
"type": "kv",
|
||||
"config": map[string]interface{}{
|
||||
"default_lease_ttl": json.Number("0"),
|
||||
"max_lease_ttl": json.Number("0"),
|
||||
|
@ -375,7 +375,7 @@ func TestSysUnmount(t *testing.T) {
|
|||
TestServerAuth(t, addr, token)
|
||||
|
||||
resp := testHttpPost(t, token, addr+"/v1/sys/mounts/foo", map[string]interface{}{
|
||||
"type": "generic",
|
||||
"type": "kv",
|
||||
"description": "foo",
|
||||
})
|
||||
testResponseStatus(t, resp, 204)
|
||||
|
@ -395,8 +395,8 @@ func TestSysUnmount(t *testing.T) {
|
|||
"auth": nil,
|
||||
"data": map[string]interface{}{
|
||||
"secret/": map[string]interface{}{
|
||||
"description": "generic secret storage",
|
||||
"type": "generic",
|
||||
"description": "key/value secret storage",
|
||||
"type": "kv",
|
||||
"config": map[string]interface{}{
|
||||
"default_lease_ttl": json.Number("0"),
|
||||
"max_lease_ttl": json.Number("0"),
|
||||
|
@ -426,8 +426,8 @@ func TestSysUnmount(t *testing.T) {
|
|||
},
|
||||
},
|
||||
"secret/": map[string]interface{}{
|
||||
"description": "generic secret storage",
|
||||
"type": "generic",
|
||||
"description": "key/value secret storage",
|
||||
"type": "kv",
|
||||
"config": map[string]interface{}{
|
||||
"default_lease_ttl": json.Number("0"),
|
||||
"max_lease_ttl": json.Number("0"),
|
||||
|
@ -479,7 +479,7 @@ func TestSysTuneMount(t *testing.T) {
|
|||
TestServerAuth(t, addr, token)
|
||||
|
||||
resp := testHttpPost(t, token, addr+"/v1/sys/mounts/foo", map[string]interface{}{
|
||||
"type": "generic",
|
||||
"type": "kv",
|
||||
"description": "foo",
|
||||
})
|
||||
testResponseStatus(t, resp, 204)
|
||||
|
@ -497,7 +497,7 @@ func TestSysTuneMount(t *testing.T) {
|
|||
"data": map[string]interface{}{
|
||||
"foo/": map[string]interface{}{
|
||||
"description": "foo",
|
||||
"type": "generic",
|
||||
"type": "kv",
|
||||
"config": map[string]interface{}{
|
||||
"default_lease_ttl": json.Number("0"),
|
||||
"max_lease_ttl": json.Number("0"),
|
||||
|
@ -506,8 +506,8 @@ func TestSysTuneMount(t *testing.T) {
|
|||
"local": false,
|
||||
},
|
||||
"secret/": map[string]interface{}{
|
||||
"description": "generic secret storage",
|
||||
"type": "generic",
|
||||
"description": "key/value secret storage",
|
||||
"type": "kv",
|
||||
"config": map[string]interface{}{
|
||||
"default_lease_ttl": json.Number("0"),
|
||||
"max_lease_ttl": json.Number("0"),
|
||||
|
@ -538,7 +538,7 @@ func TestSysTuneMount(t *testing.T) {
|
|||
},
|
||||
"foo/": map[string]interface{}{
|
||||
"description": "foo",
|
||||
"type": "generic",
|
||||
"type": "kv",
|
||||
"config": map[string]interface{}{
|
||||
"default_lease_ttl": json.Number("0"),
|
||||
"max_lease_ttl": json.Number("0"),
|
||||
|
@ -547,8 +547,8 @@ func TestSysTuneMount(t *testing.T) {
|
|||
"local": false,
|
||||
},
|
||||
"secret/": map[string]interface{}{
|
||||
"description": "generic secret storage",
|
||||
"type": "generic",
|
||||
"description": "key/value secret storage",
|
||||
"type": "kv",
|
||||
"config": map[string]interface{}{
|
||||
"default_lease_ttl": json.Number("0"),
|
||||
"max_lease_ttl": json.Number("0"),
|
||||
|
@ -639,7 +639,7 @@ func TestSysTuneMount(t *testing.T) {
|
|||
"data": map[string]interface{}{
|
||||
"foo/": map[string]interface{}{
|
||||
"description": "foo",
|
||||
"type": "generic",
|
||||
"type": "kv",
|
||||
"config": map[string]interface{}{
|
||||
"default_lease_ttl": json.Number("259196400"),
|
||||
"max_lease_ttl": json.Number("259200000"),
|
||||
|
@ -648,8 +648,8 @@ func TestSysTuneMount(t *testing.T) {
|
|||
"local": false,
|
||||
},
|
||||
"secret/": map[string]interface{}{
|
||||
"description": "generic secret storage",
|
||||
"type": "generic",
|
||||
"description": "key/value secret storage",
|
||||
"type": "kv",
|
||||
"config": map[string]interface{}{
|
||||
"default_lease_ttl": json.Number("0"),
|
||||
"max_lease_ttl": json.Number("0"),
|
||||
|
@ -680,7 +680,7 @@ func TestSysTuneMount(t *testing.T) {
|
|||
},
|
||||
"foo/": map[string]interface{}{
|
||||
"description": "foo",
|
||||
"type": "generic",
|
||||
"type": "kv",
|
||||
"config": map[string]interface{}{
|
||||
"default_lease_ttl": json.Number("259196400"),
|
||||
"max_lease_ttl": json.Number("259200000"),
|
||||
|
@ -689,8 +689,8 @@ func TestSysTuneMount(t *testing.T) {
|
|||
"local": false,
|
||||
},
|
||||
"secret/": map[string]interface{}{
|
||||
"description": "generic secret storage",
|
||||
"type": "generic",
|
||||
"description": "key/value secret storage",
|
||||
"type": "kv",
|
||||
"config": map[string]interface{}{
|
||||
"default_lease_ttl": json.Number("0"),
|
||||
"max_lease_ttl": json.Number("0"),
|
||||
|
|
|
@ -54,12 +54,12 @@ func TestSysMountConfig(t *testing.T) {
|
|||
}
|
||||
}
|
||||
|
||||
// testMount sets up a test mount of a generic backend w/ a random path; caller
|
||||
// testMount sets up a test mount of a kv backend w/ a random path; caller
|
||||
// is responsible for unmounting
|
||||
func testMount(client *api.Client) (string, error) {
|
||||
rand.Seed(time.Now().UTC().UnixNano())
|
||||
randInt := rand.New(rand.NewSource(time.Now().UnixNano())).Int()
|
||||
path := fmt.Sprintf("testmount-%d", randInt)
|
||||
err := client.Sys().Mount(path, &api.MountInput{Type: "generic"})
|
||||
err := client.Sys().Mount(path, &api.MountInput{Type: "kv"})
|
||||
return path, err
|
||||
}
|
||||
|
|
|
@ -539,9 +539,9 @@ func NewCore(conf *CoreConfig) (*Core, error) {
|
|||
for k, f := range conf.LogicalBackends {
|
||||
logicalBackends[k] = f
|
||||
}
|
||||
_, ok := logicalBackends["generic"]
|
||||
_, ok := logicalBackends["kv"]
|
||||
if !ok {
|
||||
logicalBackends["generic"] = PassthroughBackendFactory
|
||||
logicalBackends["kv"] = PassthroughBackendFactory
|
||||
}
|
||||
logicalBackends["cubbyhole"] = CubbyholeBackendFactory
|
||||
logicalBackends["system"] = func(config *logical.BackendConfig) (logical.Backend, error) {
|
||||
|
|
|
@ -33,7 +33,7 @@ func testCore_NewTestCore(t *testing.T, seal Seal) (*Core, *CoreConfig) {
|
|||
Physical: inm,
|
||||
DisableMlock: true,
|
||||
LogicalBackends: map[string]logical.Factory{
|
||||
"generic": LeasedPassthroughBackendFactory,
|
||||
"kv": LeasedPassthroughBackendFactory,
|
||||
},
|
||||
Seal: seal,
|
||||
}
|
||||
|
|
|
@ -46,7 +46,7 @@ func CubbyholeBackendFactory(conf *logical.BackendConfig) (logical.Backend, erro
|
|||
|
||||
// CubbyholeBackend is used for storing secrets directly into the physical
|
||||
// backend. The secrets are encrypted in the durable storage.
|
||||
// This differs from generic in that every token has its own private
|
||||
// This differs from kv in that every token has its own private
|
||||
// storage view. The view is removed when the token expires.
|
||||
type CubbyholeBackend struct {
|
||||
*framework.Backend
|
||||
|
@ -185,7 +185,7 @@ The secrets are encrypted/decrypted by Vault: they are never stored
|
|||
unencrypted in the backend and the backend never has an opportunity to
|
||||
see the unencrypted value.
|
||||
|
||||
This backend differs from the 'generic' backend in that it is namespaced
|
||||
This backend differs from the 'kv' backend in that it is namespaced
|
||||
per-token. Tokens can only read and write their own values, with no
|
||||
sharing possible (per-token cubbyholes). This can be useful for implementing
|
||||
certain authentication workflows, as well as "scratch" areas for individual
|
||||
|
|
|
@ -53,7 +53,7 @@ func LeaseSwitchedPassthroughBackend(conf *logical.BackendConfig, leases bool) (
|
|||
|
||||
b.Backend.Secrets = []*framework.Secret{
|
||||
&framework.Secret{
|
||||
Type: "generic",
|
||||
Type: "kv",
|
||||
|
||||
Renew: b.handleRead,
|
||||
Revoke: b.handleRevoke,
|
||||
|
@ -116,7 +116,7 @@ func (b *PassthroughBackend) handleRead(
|
|||
var resp *logical.Response
|
||||
if b.generateLeases {
|
||||
// Generate the response
|
||||
resp = b.Secret("generic").Response(rawData, nil)
|
||||
resp = b.Secret("kv").Response(rawData, nil)
|
||||
resp.Secret.Renewable = false
|
||||
} else {
|
||||
resp = &logical.Response{
|
||||
|
@ -207,7 +207,7 @@ func (b *PassthroughBackend) handleList(
|
|||
}
|
||||
|
||||
const passthroughHelp = `
|
||||
The generic backend reads and writes arbitrary secrets to the backend.
|
||||
The kv backend reads and writes arbitrary secrets to the backend.
|
||||
The secrets are encrypted/decrypted by Vault: they are never stored
|
||||
unencrypted in the backend and the backend never has an opportunity to
|
||||
see the unencrypted value.
|
||||
|
|
|
@ -197,10 +197,10 @@ func TestPassthroughBackend_List(t *testing.T) {
|
|||
|
||||
func TestPassthroughBackend_Revoke(t *testing.T) {
|
||||
test := func(b logical.Backend) {
|
||||
req := logical.TestRequest(t, logical.RevokeOperation, "generic")
|
||||
req := logical.TestRequest(t, logical.RevokeOperation, "kv")
|
||||
req.Secret = &logical.Secret{
|
||||
InternalData: map[string]interface{}{
|
||||
"secret_type": "generic",
|
||||
"secret_type": "kv",
|
||||
},
|
||||
}
|
||||
|
||||
|
|
|
@ -117,8 +117,8 @@ func TestSystemBackend_mounts(t *testing.T) {
|
|||
// copy what's given
|
||||
exp := map[string]interface{}{
|
||||
"secret/": map[string]interface{}{
|
||||
"type": "generic",
|
||||
"description": "generic secret storage",
|
||||
"type": "kv",
|
||||
"description": "key/value secret storage",
|
||||
"accessor": resp.Data["secret/"].(map[string]interface{})["accessor"],
|
||||
"config": map[string]interface{}{
|
||||
"default_lease_ttl": resp.Data["secret/"].(map[string]interface{})["config"].(map[string]interface{})["default_lease_ttl"].(int64),
|
||||
|
@ -159,7 +159,7 @@ func TestSystemBackend_mount(t *testing.T) {
|
|||
b := testSystemBackend(t)
|
||||
|
||||
req := logical.TestRequest(t, logical.UpdateOperation, "mounts/prod/secret/")
|
||||
req.Data["type"] = "generic"
|
||||
req.Data["type"] = "kv"
|
||||
|
||||
resp, err := b.HandleRequest(req)
|
||||
if err != nil {
|
||||
|
@ -174,7 +174,7 @@ func TestSystemBackend_mount_force_no_cache(t *testing.T) {
|
|||
core, b, _ := testCoreSystemBackend(t)
|
||||
|
||||
req := logical.TestRequest(t, logical.UpdateOperation, "mounts/prod/secret/")
|
||||
req.Data["type"] = "generic"
|
||||
req.Data["type"] = "kv"
|
||||
req.Data["config"] = map[string]interface{}{
|
||||
"force_no_cache": true,
|
||||
}
|
||||
|
@ -423,7 +423,7 @@ func TestSystemBackend_leases(t *testing.T) {
|
|||
t.Fatalf("err: %v", err)
|
||||
}
|
||||
if resp.Data["renewable"] == nil || resp.Data["renewable"].(bool) {
|
||||
t.Fatal("generic leases are not renewable")
|
||||
t.Fatal("kv leases are not renewable")
|
||||
}
|
||||
|
||||
// Invalid lease
|
||||
|
|
|
@ -65,6 +65,10 @@ var (
|
|||
"system",
|
||||
"token",
|
||||
}
|
||||
|
||||
// mountAliases maps old backend names to new backend names, allowing us
|
||||
// to move/rename backends but maintain backwards compatibility
|
||||
mountAliases = map[string]string{"generic": "kv"}
|
||||
)
|
||||
|
||||
func (c *Core) generateMountAccessor(entryType string) (string, error) {
|
||||
|
@ -760,6 +764,9 @@ func (c *Core) unloadMounts() error {
|
|||
|
||||
// newLogicalBackend is used to create and configure a new logical backend by name
|
||||
func (c *Core) newLogicalBackend(t string, sysView logical.SystemView, view logical.Storage, conf map[string]string) (logical.Backend, error) {
|
||||
if alias, ok := mountAliases[t]; ok {
|
||||
t = alias
|
||||
}
|
||||
f, ok := c.logicalBackends[t]
|
||||
if !ok {
|
||||
return nil, fmt.Errorf("unknown backend type: %s", t)
|
||||
|
@ -801,19 +808,19 @@ func (c *Core) defaultMountTable() *MountTable {
|
|||
if err != nil {
|
||||
panic(fmt.Sprintf("could not create default secret mount UUID: %v", err))
|
||||
}
|
||||
mountAccessor, err := c.generateMountAccessor("generic")
|
||||
mountAccessor, err := c.generateMountAccessor("kv")
|
||||
if err != nil {
|
||||
panic(fmt.Sprintf("could not generate default secret mount accessor: %v", err))
|
||||
}
|
||||
genericMount := &MountEntry{
|
||||
kvMount := &MountEntry{
|
||||
Table: mountTableType,
|
||||
Path: "secret/",
|
||||
Type: "generic",
|
||||
Description: "generic secret storage",
|
||||
Type: "kv",
|
||||
Description: "key/value secret storage",
|
||||
UUID: mountUUID,
|
||||
Accessor: mountAccessor,
|
||||
}
|
||||
table.Entries = append(table.Entries, genericMount)
|
||||
table.Entries = append(table.Entries, kvMount)
|
||||
table.Entries = append(table.Entries, c.requiredMountTable().Entries...)
|
||||
return table
|
||||
}
|
||||
|
|
|
@ -47,7 +47,7 @@ func TestCore_Mount(t *testing.T) {
|
|||
me := &MountEntry{
|
||||
Table: mountTableType,
|
||||
Path: "foo",
|
||||
Type: "generic",
|
||||
Type: "kv",
|
||||
}
|
||||
err := c.mount(me)
|
||||
if err != nil {
|
||||
|
@ -95,16 +95,16 @@ func TestCore_Mount_Local(t *testing.T) {
|
|||
&MountEntry{
|
||||
Table: mountTableType,
|
||||
Path: "noop/",
|
||||
Type: "generic",
|
||||
Type: "kv",
|
||||
UUID: "abcd",
|
||||
Accessor: "generic-abcd",
|
||||
Accessor: "kv-abcd",
|
||||
},
|
||||
&MountEntry{
|
||||
Table: mountTableType,
|
||||
Path: "noop2/",
|
||||
Type: "generic",
|
||||
Type: "kv",
|
||||
UUID: "bcde",
|
||||
Accessor: "generic-bcde",
|
||||
Accessor: "kv-bcde",
|
||||
},
|
||||
},
|
||||
}
|
||||
|
@ -164,7 +164,7 @@ func TestCore_Mount_Local(t *testing.T) {
|
|||
compEntries := c.mounts.Entries[:0]
|
||||
// Filter out required mounts
|
||||
for _, v := range c.mounts.Entries {
|
||||
if v.Type == "generic" {
|
||||
if v.Type == "kv" {
|
||||
compEntries = append(compEntries, v)
|
||||
}
|
||||
}
|
||||
|
@ -609,7 +609,7 @@ func verifyDefaultTable(t *testing.T, table *MountTable) {
|
|||
if entry.Path != "secret/" {
|
||||
t.Fatalf("bad: %v", entry)
|
||||
}
|
||||
if entry.Type != "generic" {
|
||||
if entry.Type != "kv" {
|
||||
t.Fatalf("bad: %v", entry)
|
||||
}
|
||||
case 2:
|
||||
|
|
|
@ -27,7 +27,7 @@ func (c *Core) HandleRequest(req *logical.Request) (resp *logical.Response, err
|
|||
}
|
||||
|
||||
// Allowing writing to a path ending in / makes it extremely difficult to
|
||||
// understand user intent for the filesystem-like backends (generic,
|
||||
// understand user intent for the filesystem-like backends (kv,
|
||||
// cubbyhole) -- did they want a key named foo/ or did they want to write
|
||||
// to a directory foo/ with no (or forgotten) key, or...? It also affects
|
||||
// lookup, because paths ending in / are considered prefixes by some
|
||||
|
@ -252,12 +252,12 @@ func (c *Core) handleRequest(req *logical.Request) (retResp *logical.Response, r
|
|||
resp.Secret.TTL = maxTTL
|
||||
}
|
||||
|
||||
// Generic mounts should return the TTL but not register
|
||||
// KV mounts should return the TTL but not register
|
||||
// for a lease as this provides a massive slowdown
|
||||
registerLease := true
|
||||
matchingBackend := c.router.MatchingBackend(req.Path)
|
||||
if matchingBackend == nil {
|
||||
c.logger.Error("core: unable to retrieve generic backend from router")
|
||||
c.logger.Error("core: unable to retrieve kv backend from router")
|
||||
retErr = multierror.Append(retErr, ErrInternalError)
|
||||
return nil, auth, retErr
|
||||
}
|
||||
|
|
|
@ -12,14 +12,14 @@ import (
|
|||
func TestRequestHandling_Wrapping(t *testing.T) {
|
||||
core, _, root := TestCoreUnsealed(t)
|
||||
|
||||
core.logicalBackends["generic"] = PassthroughBackendFactory
|
||||
core.logicalBackends["kv"] = PassthroughBackendFactory
|
||||
|
||||
meUUID, _ := uuid.GenerateUUID()
|
||||
err := core.mount(&MountEntry{
|
||||
Table: mountTableType,
|
||||
UUID: meUUID,
|
||||
Path: "wraptest",
|
||||
Type: "generic",
|
||||
Type: "kv",
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
|
|
|
@ -22,7 +22,7 @@ type Router struct {
|
|||
|
||||
// storagePrefix maps the prefix used for storage (ala the BarrierView)
|
||||
// to the backend. This is used to map a key back into the backend that owns it.
|
||||
// For example, logical/uuid1/foobar -> secrets/ (generic backend) + foobar
|
||||
// For example, logical/uuid1/foobar -> secrets/ (kv backend) + foobar
|
||||
storagePrefix *radix.Tree
|
||||
}
|
||||
|
||||
|
|
|
@ -158,7 +158,7 @@ func testCoreConfig(t testing.T, physicalBackend physical.Backend, logger log.Lo
|
|||
for backendName, backendFactory := range noopBackends {
|
||||
logicalBackends[backendName] = backendFactory
|
||||
}
|
||||
logicalBackends["generic"] = LeasedPassthroughBackendFactory
|
||||
logicalBackends["kv"] = LeasedPassthroughBackendFactory
|
||||
for backendName, backendFactory := range testLogicalBackends {
|
||||
logicalBackends[backendName] = backendFactory
|
||||
}
|
||||
|
|
|
@ -36,6 +36,7 @@
|
|||
# - Items are case-sensitive (please use all lowercase)
|
||||
#
|
||||
|
||||
/api/secret/generic/index.html /api/secret/kv/index.html
|
||||
/api/system/renew.html /api/system/leases.html
|
||||
/api/system/revoke.html /api/system/leases.html
|
||||
/api/system/revoke-force.html /api/system/leases.html
|
||||
|
@ -81,6 +82,7 @@
|
|||
/docs/guides/upgrading/upgrade-to-0.6.4.html /guides/upgrading/upgrade-to-0.6.4.html
|
||||
/docs/guides/upgrading/upgrade-to-0.7.0.html /guides/upgrading/upgrade-to-0.7.0.html
|
||||
/docs/secrets/custom.html /docs/plugin/index.html
|
||||
/docs/secrets/generic/index.html /docs/secrets/kv/index.html
|
||||
/intro/getting-started/acl.html /intro/getting-started/policies.html
|
||||
|
||||
/docs/vault-enterprise/index.html /docs/enterprise/index.html
|
||||
|
|
|
@ -52,7 +52,7 @@ via the `X-Vault-Token` header for future requests.
|
|||
## Reading, Writing, and Listing Secrets
|
||||
|
||||
Different backends implement different APIs according to their functionality.
|
||||
The examples below are created with the `generic` backend, which acts like a
|
||||
The examples below are created with the `kv` backend, which acts like a
|
||||
Key/Value store. Read the documentation for a particular backend for detailed
|
||||
information on its API; this simply provides a general overview.
|
||||
|
||||
|
@ -64,7 +64,7 @@ following URL:
|
|||
```
|
||||
|
||||
This maps to `secret/foo` where `foo` is the key in the `secret/` mount, which
|
||||
is mounted by default on a fresh Vault install and is of type `generic`.
|
||||
is mounted by default on a fresh Vault install and is of type `kv`.
|
||||
|
||||
Here is an example of reading a secret using cURL:
|
||||
|
||||
|
@ -76,7 +76,7 @@ $ curl \
|
|||
```
|
||||
|
||||
You can list secrets as well. To do this, either issue a GET with the query
|
||||
parameter `list=true`, or you can use the LIST HTTP verb. For the `generic`
|
||||
parameter `list=true`, or you can use the LIST HTTP verb. For the `kv`
|
||||
backend, listing is allowed on directories only, and returns the keys in the
|
||||
given directory:
|
||||
|
||||
|
|
|
@ -1,18 +1,18 @@
|
|||
---
|
||||
layout: "api"
|
||||
page_title: "Generic Secret Backend - HTTP API"
|
||||
sidebar_current: "docs-http-secret-generic"
|
||||
page_title: "Key/Value Secret Backend - HTTP API"
|
||||
sidebar_current: "docs-http-secret-kv"
|
||||
description: |-
|
||||
This is the API documentation for the Vault Generic secret backend.
|
||||
This is the API documentation for the Vault Key/Value secret backend.
|
||||
---
|
||||
|
||||
# Generic Secret Backend HTTP API
|
||||
# Key/Value Secret Backend HTTP API
|
||||
|
||||
This is the API documentation for the Vault Generic secret backend. For general
|
||||
information about the usage and operation of the Generic backend, please see
|
||||
the [Vault Generic backend documentation](/docs/secrets/generic/index.html).
|
||||
This is the API documentation for the Vault Key/Value secret backend. For general
|
||||
information about the usage and operation of the Key/Value backend, please see
|
||||
the [Vault Key/Value backend documentation](/docs/secrets/kv/index.html).
|
||||
|
||||
This documentation assumes the Generic backend is mounted at the `/secret`
|
||||
This documentation assumes the Key/Value backend is mounted at the `/secret`
|
||||
path in Vault. Since it is possible to mount secret backends at any location,
|
||||
please update your API calls accordingly.
|
||||
|
||||
|
@ -54,7 +54,7 @@ $ curl \
|
|||
_Note_: the `lease_duration` field (which on the CLI shows as
|
||||
`refresh_interval`) is advisory. No lease is created. This is a way for writers
|
||||
to indicate how often a given value shold be re-read by the client. See the
|
||||
[Vault Generic backend documentation](/docs/secrets/generic/index.html) for
|
||||
[Vault Key/Value backend documentation](/docs/secrets/kv/index.html) for
|
||||
more details.
|
||||
|
||||
## List Secrets
|
||||
|
@ -122,8 +122,8 @@ policy granting the `update` capability.
|
|||
- `:key` `(string: "")` – Specifies a key, paired with an associated value, to
|
||||
be held at the given location. Multiple key/value pairs can be specified, and
|
||||
all will be returned on a read operation. A key called `ttl` will trigger
|
||||
some special behavior; see the [Vault Generic backend
|
||||
documentation](/docs/secrets/generic/index.html) for details.
|
||||
some special behavior; see the [Vault Key/Value backend
|
||||
documentation](/docs/secrets/kv/index.html) for details.
|
||||
|
||||
### Sample Payload
|
||||
|
|
@ -45,7 +45,7 @@ the paths it supports.
|
|||
$ vault path-help secret
|
||||
## DESCRIPTION
|
||||
|
||||
The generic backend reads and writes arbitrary secrets to the backend.
|
||||
The key/value backend reads and writes arbitrary secrets to the backend.
|
||||
The secrets are encrypted/decrypted by Vault: they are never stored
|
||||
unencrypted in the backend and the backend never has an opportunity to
|
||||
see the unencrypted value.
|
||||
|
|
|
@ -34,7 +34,7 @@ Revocation can happen manually via the API, via the `vault revoke` cli command,
|
|||
or automatically by Vault. When a lease is expired, Vault will automatically
|
||||
revoke that lease.
|
||||
|
||||
**Note**: The [Generic Backend](/docs/secrets/generic/index.html) which stores
|
||||
**Note**: The [Key/Value Backend](/docs/secrets/kv/index.html) which stores
|
||||
arbitrary secrets does not issue leases.
|
||||
|
||||
## Lease IDs
|
||||
|
|
|
@ -160,7 +160,7 @@ Validation is best performed by the following steps:
|
|||
what you expect, it is possible that the data contained inside was read and
|
||||
then put into a new response-wrapping token. (This is especially likely if
|
||||
the path starts with `cubbyhole` or `sys/wrapping/wrap`.) Particular care
|
||||
should be taken with `generic` KV mounts: exact matches on the path are best
|
||||
should be taken with `kv` mounts: exact matches on the path are best
|
||||
there. For example, if you expect a secret to come from `secret/foo` and
|
||||
the interceptor provides a token with `secret/bar` as the path, simply
|
||||
checking for a prefix of `secret/` is not enough.
|
||||
|
|
|
@ -50,7 +50,7 @@ encryption keys for `transit`, etc).
|
|||
|
||||
If a user action would modify underlying shared state, the secondary forwards the request
|
||||
to the primary to be handled; this is transparent to the client. In practice, most
|
||||
high-volume workloads (reads in the `generic` backend, encryption/decryption operations
|
||||
high-volume workloads (reads in the `kv` backend, encryption/decryption operations
|
||||
in `transit`, etc.) can be satisfied by the local secondary, allowing Vault to scale
|
||||
relatively horizontally with the number of secondaries rather than vertically as
|
||||
in the past.
|
||||
|
|
|
@ -34,7 +34,7 @@ clarify what is being discussed:
|
|||
in. Much like a bank vault, the barrier must be "unsealed" before anything inside can be accessed.
|
||||
|
||||
* **Secret Backend** - A secret backend is responsible for managing secrets. Simple secret backends
|
||||
like the "generic" backend simply return the same secret when queried. Some backends support
|
||||
like the "kv" backend simply return the same secret when queried. Some backends support
|
||||
using policies to dynamically generate a secret each time they are queried. This allows for
|
||||
unique secrets to be used which allows Vault to do fine-grained revocation and policy updates.
|
||||
As an example, a MySQL backend could be configured with a "web" policy. When the "web" secret
|
||||
|
|
|
@ -128,12 +128,12 @@ These metrics relate to supported authentication backends.
|
|||
| `vault.rollback.attempt.auth-token-` | This measures the number of rollback operations attempted for authentication tokens backend | Number of operations | Summary |
|
||||
| `vault.rollback.attempt.auth-ldap-` | This measures the number of rollback operations attempted for the LDAP authentication backend | Number of operations | Summary |
|
||||
| `vault.rollback.attempt.cubbyhole-` | This measures the number of rollback operations attempted for the cubbyhole authentication backend | Number of operations | Summary |
|
||||
| `vault.rollback.attempt.secret-` | This measures the number of rollback operations attempted for the generic secret backend | Number of operations | Summary |
|
||||
| `vault.rollback.attempt.secret-` | This measures the number of rollback operations attempted for the kv secret backend | Number of operations | Summary |
|
||||
| `vault.rollback.attempt.sys-` | This measures the number of rollback operations attempted for the sys backend | Number of operations | Summary |
|
||||
| `vault.route.rollback.auth-ldap-` | This measures the number of rollback operations for the LDAP authentication backend | Number of operations | Summary |
|
||||
| `vault.route.rollback.auth-token-` | This measures the number of rollback operations for the authentication tokens backend | Number of operations | Summary |
|
||||
| `vault.route.rollback.cubbyhole-` | This measures the number of rollback operations for the cubbyhole authentication backend | Number of operations | Summary |
|
||||
| `vault.route.rollback.secret-` | This measures the number of rollback operations for the generic secret backend | Number of operations | Summary |
|
||||
| `vault.route.rollback.secret-` | This measures the number of rollback operations for the kv secret backend | Number of operations | Summary |
|
||||
| `vault.route.rollback.sys-` | This measures the number of rollback operations for the sys backend | Number of operations | Summary |
|
||||
|
||||
### Storage Backend Metrics
|
||||
|
|
|
@ -21,7 +21,7 @@ on every path, use `vault path-help` after mounting the backend.
|
|||
## Quick Start
|
||||
|
||||
The first step to using the aws backend is to mount it.
|
||||
Unlike the `generic` backend, the `aws` backend is not mounted by default.
|
||||
Unlike the `kv` backend, the `aws` backend is not mounted by default.
|
||||
|
||||
```text
|
||||
$ vault mount aws
|
||||
|
|
|
@ -31,7 +31,7 @@ on every path, use `vault path-help` after mounting the backend.
|
|||
## Quick Start
|
||||
|
||||
The first step to using the Cassandra backend is to mount it.
|
||||
Unlike the `generic` backend, the `cassandra` backend is not mounted by default.
|
||||
Unlike the `kv` backend, the `cassandra` backend is not mounted by default.
|
||||
|
||||
```text
|
||||
$ vault mount cassandra
|
||||
|
|
|
@ -20,7 +20,7 @@ on every path, use `vault path-help` after mounting the backend.
|
|||
## Quick Start
|
||||
|
||||
The first step to using the consul backend is to mount it.
|
||||
Unlike the `generic` backend, the `consul` backend is not mounted by default.
|
||||
Unlike the `kv` backend, the `consul` backend is not mounted by default.
|
||||
|
||||
```
|
||||
$ vault mount consul
|
||||
|
|
|
@ -14,13 +14,13 @@ The `cubbyhole` secret backend is used to store arbitrary secrets within
|
|||
the configured physical storage for Vault. It is mounted at the `cubbyhole/`
|
||||
prefix by default and cannot be mounted elsewhere or removed.
|
||||
|
||||
This backend differs from the `generic` backend in that the `generic` backend's
|
||||
This backend differs from the `kv` backend in that the `kv` backend's
|
||||
values are accessible to any token with read privileges on that path. In
|
||||
`cubbyhole`, paths are scoped per token; no token can access another token's
|
||||
cubbyhole, whether to read, write, list, or for any other operation. When the
|
||||
token expires, its cubbyhole is destroyed.
|
||||
|
||||
Also unlike the `generic` backend, because the cubbyhole's lifetime is linked
|
||||
Also unlike the `kv` backend, because the cubbyhole's lifetime is linked
|
||||
to that of an authentication token, there is no concept of a TTL or refresh
|
||||
interval for values contained in the token's cubbyhole.
|
||||
|
||||
|
|
|
@ -11,7 +11,7 @@ description: |-
|
|||
Secret backends are the components in Vault which store and generate
|
||||
secrets.
|
||||
|
||||
Some secret backends, such as "generic", simply store and read
|
||||
Some secret backends, such as "kv", simply store and read
|
||||
secrets verbatim. Other secret backends, such as "aws", create _dynamic
|
||||
secrets_: secrets that are made on demand.
|
||||
|
||||
|
@ -21,7 +21,7 @@ in Vault. They behave very similarly to a virtual filesystem:
|
|||
any read/write/delete is sent to the secret backend, and the secret
|
||||
backend can choose to react to that operation however it sees fit.
|
||||
|
||||
For example, the "generic" backend passes through any operation back
|
||||
For example, the "kv" backend passes through any operation back
|
||||
to the configured storage backend for Vault. A "read" turns into a
|
||||
"read" of the storage backend at the same path, a "write" turns into
|
||||
a write, etc. This is a lot like a normal filesystem.
|
||||
|
|
|
@ -1,22 +1,22 @@
|
|||
---
|
||||
layout: "docs"
|
||||
page_title: "Generic Secret Backend"
|
||||
sidebar_current: "docs-secrets-generic"
|
||||
page_title: "Key/Value Secret Backend"
|
||||
sidebar_current: "docs-secrets-kv"
|
||||
description: |-
|
||||
The generic secret backend can store arbitrary secrets.
|
||||
The key/value secret backend can store arbitrary secrets.
|
||||
---
|
||||
|
||||
# Generic Secret Backend
|
||||
# Key/Value Secret Backend
|
||||
|
||||
Name: `generic`
|
||||
Name: `kv`
|
||||
|
||||
The generic secret backend is used to store arbitrary secrets within
|
||||
The key/value secret backend is used to store arbitrary secrets within
|
||||
the configured physical storage for Vault. If you followed along with
|
||||
the getting started guide, you interacted with a generic secret backend
|
||||
the getting started guide, you interacted with a key/value secret backend
|
||||
via the `secret/` prefix that Vault mounts by default. You can mount as many
|
||||
of these backends at different mount points as you like.
|
||||
|
||||
Writing to a key in the `generic` backend will replace the old value;
|
||||
Writing to a key in the `kv` backend will replace the old value;
|
||||
sub-fields are not merged together.
|
||||
|
||||
This backend honors the distinction between the `create` and `update`
|
||||
|
@ -28,7 +28,7 @@ secret's path.
|
|||
|
||||
## Quick Start
|
||||
|
||||
The generic backend allows for writing keys with arbitrary values. When data is
|
||||
The kv backend allows for writing keys with arbitrary values. When data is
|
||||
returned, the `lease_duration` field (in the API JSON) or `refresh_interval`
|
||||
field (on the CLI) gives a hint as to how often a reader should look for a new
|
||||
value. This comes from the value of the `default_lease_ttl` set on the mount,
|
||||
|
@ -44,7 +44,7 @@ if it fits your input data.
|
|||
|
||||
The backend _never_ removes data on its own; the `ttl` key is merely advisory.
|
||||
|
||||
As an example, we can write a new key "foo" to the generic backend mounted at
|
||||
As an example, we can write a new key "foo" to the kv backend mounted at
|
||||
"secret/" by default:
|
||||
|
||||
```
|
||||
|
@ -72,6 +72,6 @@ seconds (one hour) as specified.
|
|||
|
||||
## API
|
||||
|
||||
The Generic secret backend has a full HTTP API. Please see the
|
||||
[Generic secret backend API](/api/secret/generic/index.html) for more
|
||||
The Key/Value secret backend has a full HTTP API. Please see the
|
||||
[Key/Value secret backend API](/api/secret/kv/index.html) for more
|
||||
details.
|
|
@ -35,7 +35,7 @@ on every path, use `vault path-help` after mounting the backend.
|
|||
## Quick Start
|
||||
|
||||
The first step to using the mongodb backend is to mount it.
|
||||
Unlike the `generic` backend, the `mongodb` backend is not mounted by default.
|
||||
Unlike the `kv` backend, the `mongodb` backend is not mounted by default.
|
||||
|
||||
```
|
||||
$ vault mount mongodb
|
||||
|
|
|
@ -34,7 +34,7 @@ on every path, use `vault path-help` after mounting the backend.
|
|||
## Quick Start
|
||||
|
||||
The first step to using the mssql backend is to mount it.
|
||||
Unlike the `generic` backend, the `mssql` backend is not mounted by default.
|
||||
Unlike the `kv` backend, the `mssql` backend is not mounted by default.
|
||||
|
||||
```
|
||||
$ vault mount mssql
|
||||
|
|
|
@ -34,7 +34,7 @@ on every path, use `vault path-help` after mounting the backend.
|
|||
## Quick Start
|
||||
|
||||
The first step to using the mysql backend is to mount it.
|
||||
Unlike the `generic` backend, the `mysql` backend is not mounted by default.
|
||||
Unlike the `kv` backend, the `mysql` backend is not mounted by default.
|
||||
|
||||
```
|
||||
$ vault mount mysql
|
||||
|
|
|
@ -127,7 +127,7 @@ endpoint.
|
|||
|
||||
#### Mount the backend
|
||||
|
||||
The first step to using the PKI backend is to mount it. Unlike the `generic`
|
||||
The first step to using the PKI backend is to mount it. Unlike the `kv`
|
||||
backend, the `pki` backend is not mounted by default.
|
||||
|
||||
```text
|
||||
|
|
|
@ -35,7 +35,7 @@ on every path, use `vault path-help` after mounting the backend.
|
|||
## Quick Start
|
||||
|
||||
The first step to using the PostgreSQL backend is to mount it.
|
||||
Unlike the `generic` backend, the `postgresql` backend is not mounted by default.
|
||||
Unlike the `kv` backend, the `postgresql` backend is not mounted by default.
|
||||
|
||||
```text
|
||||
$ vault mount postgresql
|
||||
|
|
|
@ -31,7 +31,7 @@ on every path, use `vault path-help` after mounting the backend.
|
|||
## Quick Start
|
||||
|
||||
The first step to using the RabbitMQ backend is to mount it. Unlike the
|
||||
`generic` backend, the `rabbitmq` backend is not mounted by default.
|
||||
`kv` backend, the `rabbitmq` backend is not mounted by default.
|
||||
|
||||
```text
|
||||
$ vault mount rabbitmq
|
||||
|
|
|
@ -20,7 +20,7 @@ on every path, use `vault path-help` after mounting the backend.
|
|||
## Quick Start
|
||||
|
||||
The first step to using the TOTP backend is to mount it.
|
||||
Unlike the `generic` backend, the `totp` backend is not mounted by default.
|
||||
Unlike the `kv` backend, the `totp` backend is not mounted by default.
|
||||
|
||||
```text
|
||||
$ vault mount totp
|
||||
|
|
|
@ -63,7 +63,7 @@ on every path, use `vault path-help` after mounting the backend.
|
|||
|
||||
## Quick Start
|
||||
|
||||
The first step to using the transit backend is to mount it. Unlike the `generic`
|
||||
The first step to using the transit backend is to mount it. Unlike the `kv`
|
||||
backend, the `transit` backend is not mounted by default.
|
||||
|
||||
```
|
||||
|
|
|
@ -73,7 +73,7 @@ $ vault mounts
|
|||
Path Type Accessor Plugin Default TTL Max TTL Force No Cache Replication Behavior Description
|
||||
cubbyhole/ cubbyhole cubbyhole_80ef4e30 n/a n/a n/a false local per-token private secret storage
|
||||
mock/ plugin plugin_10fc2cce mock-plugin system system false replicated
|
||||
secret/ generic generic_ef2a14ec n/a system system false replicated generic secret storage
|
||||
secret/ kv kv_ef2a14ec n/a system system false replicated key/value secret storage
|
||||
sys/ system system_e3a4cccd n/a n/a n/a false replicated system endpoints used for control, policy and debugging
|
||||
```
|
||||
|
||||
|
@ -95,7 +95,7 @@ Successfully unmounted 'mock' if it was mounted
|
|||
$ vault mounts
|
||||
Path Type Accessor Plugin Default TTL Max TTL Force No Cache Replication Behavior Description
|
||||
cubbyhole/ cubbyhole cubbyhole_80ef4e30 n/a n/a n/a false local per-token private secret storage
|
||||
secret/ generic generic_ef2a14ec n/a system system false replicated generic secret storage
|
||||
secret/ kv kv_ef2a14ec n/a system system false replicated key/value secret storage
|
||||
sys/ system system_e3a4cccd n/a n/a n/a false replicated system endpoints used for control, policy and debugging
|
||||
```
|
||||
|
||||
|
|
|
@ -9,7 +9,7 @@ description: |-
|
|||
# Built-in Help
|
||||
|
||||
You've now worked with `vault write` and `vault read` for multiple
|
||||
paths: the generic secret backend with `secret/` and dynamic AWS
|
||||
paths: the kv secret backend with `secret/` and dynamic AWS
|
||||
credentials with the AWS backend provider at `aws/`. In both cases, the
|
||||
structure and usage of each backend differed, for example the AWS
|
||||
backend has special paths like `aws/config`.
|
||||
|
@ -109,7 +109,7 @@ There is also a description of what that path does.
|
|||
|
||||
Go ahead and explore more paths! Mount other backends, traverse their
|
||||
help systems and learn about what they do. For example, learn about the
|
||||
generic `secret/` path.
|
||||
kv `secret/` path.
|
||||
|
||||
## Next
|
||||
|
||||
|
|
|
@ -10,11 +10,11 @@ description: |-
|
|||
|
||||
Previously, we saw how to read and write arbitrary secrets to Vault. To
|
||||
do this, we used the `secret/` prefix. This prefix specifies which
|
||||
backend to use. By default, Vault mounts a backend called _generic_ to
|
||||
`secret/`. The generic backend reads and writes raw data to the backend
|
||||
backend to use. By default, Vault mounts a backend called _kv_ to
|
||||
`secret/`. The kv backend reads and writes raw data to the backend
|
||||
storage.
|
||||
|
||||
Vault supports other backends in addition to the _generic_ backend, and this feature
|
||||
Vault supports other backends in addition to the _kv_ backend, and this feature
|
||||
in particular is what makes Vault unique. For example, the _aws_ backend
|
||||
generates AWS access keys dynamically, on demand. Another example --
|
||||
this type of backend does not yet exist -- is a backend that
|
||||
|
@ -23,7 +23,7 @@ reads and writes data directly to an
|
|||
As Vault matures, more and more backends will be added.
|
||||
|
||||
To represent backends, Vault behaves much like a filesystem: backends
|
||||
are mounted at specific paths. For example, the _generic_ backend is
|
||||
are mounted at specific paths. For example, the _kv_ backend is
|
||||
mounted at the `secret/` prefix.
|
||||
|
||||
On this page, we'll learn about the mount system and the operations
|
||||
|
@ -32,7 +32,7 @@ for the next page, where we'll create dynamic secrets.
|
|||
|
||||
## Mount a Backend
|
||||
|
||||
To start, let's mount another _generic_ backend. Just like a normal
|
||||
To start, let's mount another _kv_ backend. Just like a normal
|
||||
filesystem, Vault can mount a backend multiple times at different
|
||||
mount points. This is useful if you want different policies
|
||||
(covered later) or configurations for different paths.
|
||||
|
@ -40,32 +40,32 @@ mount points. This is useful if you want different policies
|
|||
To mount the backend:
|
||||
|
||||
```
|
||||
$ vault mount generic
|
||||
Successfully mounted 'generic' at 'generic'!
|
||||
$ vault mount kv
|
||||
Successfully mounted 'kv' at 'kv'!
|
||||
```
|
||||
|
||||
By default, the mount point will be the same name as the backend. This
|
||||
is because 99% of the time, you don't want to customize this mount point.
|
||||
In this example, we mounted the _generic_ backend at `generic/`.
|
||||
In this example, we mounted the _kv_ backend at `kv/`.
|
||||
|
||||
You can inspect mounts using `vault mounts`:
|
||||
|
||||
```
|
||||
$ vault mounts
|
||||
Path Type Description
|
||||
generic/ generic
|
||||
secret/ generic generic secret storage
|
||||
kv/ kv
|
||||
secret/ kv key/value secret storage
|
||||
sys/ system system endpoints used for control, policy and debugging
|
||||
```
|
||||
|
||||
You can see the `generic/` path we just mounted, as well as the built-in
|
||||
You can see the `kv/` path we just mounted, as well as the built-in
|
||||
secret path. You can also see the `sys/` path. We won't cover this in
|
||||
this guide, but this mount point is used to interact with the Vault core
|
||||
system.
|
||||
|
||||
Spend some time reading and writing secrets to the new mount point to
|
||||
convince yourself it works. As a bonus, write to the `secret/` endpoint
|
||||
and observe that those values are unavailable via the `generic/` path: they share the
|
||||
and observe that those values are unavailable via the `kv/` path: they share the
|
||||
same backend, but do not share any data. In addition to this, backends
|
||||
(of the same type or otherwise) _cannot_ access the data of other backends;
|
||||
they can only access data within their mount point.
|
||||
|
@ -78,8 +78,8 @@ and its data is deleted. If either of these operations fail, the backend
|
|||
remains mounted.
|
||||
|
||||
```
|
||||
$ vault unmount generic/
|
||||
Successfully unmounted 'generic/' if it was mounted
|
||||
$ vault unmount kv/
|
||||
Successfully unmounted 'kv/' if it was mounted
|
||||
```
|
||||
|
||||
In addition to unmounting, you can remount a backend. Remounting a
|
||||
|
@ -95,7 +95,7 @@ Now that you've mounted and unmounted a backend, you might wonder:
|
|||
Vault behaves a lot like a [virtual filesystem](https://en.wikipedia.org/wiki/Virtual_file_system).
|
||||
The read/write/delete operations are forwarded to the backend, and the
|
||||
backend can choose to react to these operations however it wishes.
|
||||
For example, the _generic_ backend simply passes this through to the
|
||||
For example, the _kv_ backend simply passes this through to the
|
||||
storage backend (after encrypting data first).
|
||||
|
||||
However, the _aws_ backend (which you'll see soon), will read/write IAM
|
||||
|
|
|
@ -50,8 +50,8 @@
|
|||
</ul>
|
||||
</li>
|
||||
|
||||
<li<%= sidebar_current("docs-http-secret-generic") %>>
|
||||
<a href="/api/secret/generic/index.html">Generic</a>
|
||||
<li<%= sidebar_current("docs-http-secret-kv") %>>
|
||||
<a href="/api/secret/kv/index.html">Key/Value</a>
|
||||
</li>
|
||||
<li<%= sidebar_current("docs-http-secret-identity") %>>
|
||||
<a href="/api/secret/identity/index.html">Identity</a>
|
||||
|
|
|
@ -213,8 +213,8 @@
|
|||
</ul>
|
||||
</li>
|
||||
|
||||
<li<%= sidebar_current("docs-secrets-generic") %>>
|
||||
<a href="/docs/secrets/generic/index.html">Generic</a>
|
||||
<li<%= sidebar_current("docs-secrets-kv") %>>
|
||||
<a href="/docs/secrets/kv/index.html">Key/Value</a>
|
||||
</li>
|
||||
|
||||
<li<%= sidebar_current("docs-secrets-identity") %>>
|
||||
|
|
Loading…
Reference in a new issue