Changed the layout category menu (#4007)

* Changed the layout category menu

* Fixed typos

* Fixed a typo, and removed the duplicated generate-root guide

* Fixed the redirect.txt
Yoko 2018-02-22 16:24:01 -08:00 committed by GitHub
parent a2e816321e
commit 5389550cdc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
20 changed files with 96 additions and 247 deletions

View File

@ -69,7 +69,7 @@
/docs/http/sys-raw.html /api/system/raw.html
/docs/http/sys-health.html /api/system/health.html
/docs/guides/generate-root.html /guides/configuration/generate-root.html
/docs/guides/generate-root.html /guides/operations/generate-root.html
/docs/guides/index.html /guides/index.html
/docs/guides/production.html /guides/operations/production.html
/docs/guides/replication.html /guides/operations/replication.html
@ -84,12 +84,12 @@
/docs/guides/upgrading/upgrade-to-0.7.0.html /guides/upgrading/upgrade-to-0.7.0.html
/guides/production.html /guides/operations/production.html
/guides/replication.html /guides/operations/replication.html
/guides/policies.html /guides/configuration/policies.html
/guides/authentication.html /guides/configuration/authentication.html
/guides/lease.html /guides/configuration/lease.html
/guides/generate-root.html /guides/configuration/generate-root.html
/guides/rekeying-and-rotating.html /guides/configuration/rekeying-and-rotating.html
/guides/plugin-backends.html /guides/configuration/plugin-backends.html
/guides/policies.html /guides/identity/policies.html
/guides/authentication.html /guides/identity/authentication.html
/guides/lease.html /guides/identity/lease.html
/guides/generate-root.html /guides/operations/generate-root.html
/guides/rekeying-and-rotating.html /guides/operations/rekeying-and-rotating.html
/guides/plugin-backends.html /guides/operations/plugin-backends.html
/guides/static-secrets.html /guides/secret-mgmt/static-secrets.html
/guides/dynamic-secret.html /guides/secret-mgmt/dynamic-secret.html
/guides/cubbyhole.html /guides/secret-mgmt/cubbyhole.html
@ -98,6 +98,13 @@
/intro/getting-started/acl.html /intro/getting-started/policies.html
/intro/getting-started/secret-backends.html /intro/getting-started/secrets-engines.html
/guides/configuration/policies.html /guides/identity/policies.html
/guides/configuration/authentication.html /guides/identity/authentication.html
/guides/configuration/lease.html /guides/identity/lease.html
/guides/configuration/generate-root.html /guides/operations/generate-root.html
/guides/configuration/rekeying-and-rotating.html /guides/operations/rekeying-and-rotating.html
/guides/configuration/plugin-backends.html /guides/operations/plugin-backends.html
/docs/vault-enterprise/index.html /docs/enterprise/index.html
/docs/vault-enterprise/replication/index.html /docs/enterprise/replication/index.html
/docs/vault-enterprise/hsm/index.html /docs/enterprise/hsm/index.html
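Review bot: The added `/guides/configuration/*` redirects in this hunk cover the six moved guides but not `/guides/configuration/index.html`, which this commit deletes and which the old sidebar entry linked to. Suggest adding a line such as `/guides/configuration/index.html /guides/identity/index.html` so that links to the old category page keep resolving.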

View File

@ -26,7 +26,7 @@ An unseal key may be provided directly on the command line as an argument to the
command. If key is specified as "-", the command will read from stdin. If a TTY
is available, the command will prompt for text.
Please see the [generate root guide](/guides/configuration/generate-root.html) for
Please see the [generate root guide](/guides/operations/generate-root.html) for
step-by-step instructions.
## Examples

View File

@ -22,7 +22,7 @@ An unseal key may be provided directly on the command line as an argument to the
command. If key is specified as "-", the command will read from stdin. If a TTY
is available, the command will prompt for text.
Please see the [rotating and rekeying](/guides/configuration/rekeying-and-rotating.html) for
Please see the [rotating and rekeying](/guides/operations/rekeying-and-rotating.html) for
step-by-step instructions.
## Examples
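Review bot: The rewritten link sentence still reads "Please see the [rotating and rekeying](...) for step-by-step instructions", with no noun after the link text. Since the line is being touched anyway, suggest "Please see the [Rekeying & Rotating guide](/guides/operations/rekeying-and-rotating.html) for", matching the wording used for the generate root guide link in the sibling command page.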

View File

@ -113,8 +113,8 @@ path "secret/super-secret" {
capabilities = ["deny"]
}
# Policies can also specify allowed, disallowed, and required parameters. Here
# the key "secret/restricted" can only contain "foo" (any value) and "bar" (one
# Policies can also specify allowed, disallowed, and required parameters. Here
# the key "secret/restricted" can only contain "foo" (any value) and "bar" (one
# of "zip" or "zap").
path "secret/restricted" {
capabilities = ["create"]
@ -228,13 +228,13 @@ options are:
```ruby
# This requires the user to create "secret/foo" with a parameter named
# "bar" and "baz".
# "bar" and "baz".
path "secret/foo" {
capabilities = ["create"]
required_parameters = ["bar", "baz"]
}
```
* `allowed_parameters` - Whitelists a list of keys and values that are
permitted on the given path.
@ -438,7 +438,7 @@ $ curl \
For more information, please read:
- [Production Hardening](/guides/operations/production.html)
- [Generating a Root Token](/guides/configuration/generate-root.html)
- [Generating a Root Token](/guides/operations/generate-root.html)
## Managing Policies

View File

@ -54,7 +54,7 @@ of version 0.6.1, there are only three ways to create root tokens:
expiration
2. By using another root token; a root token with an expiration cannot create a
root token that never expires
3. By using `vault generate-root` ([example](/guides/configuration/generate-root.html))
3. By using `vault generate-root` ([example](/guides/operations/generate-root.html))
with the permission of a quorum of unseal key holders
Root tokens are useful in development but should be extremely carefully guarded

View File

@ -1,158 +0,0 @@
---
layout: "guides"
page_title: "Generate Root Tokens using Unseal Keys - Guides"
sidebar_current: "guides-configuration-generate-root"
description: |-
Generate a new root token using a threshold of unseal keys.
---
# Generate Root Tokens Using Unseal Keys
It is generally considered a best practice to not persist
[root tokens][root-tokens]. Instead a root token should be generated using
Vault's `generate-root` command only when absolutely necessary. This guide
demonstrates regenerating a root token.
1. Unseal the vault using the existing quorum of unseal keys. You do not need to
be authenticated to generate a new root token, but the Vault must be unsealed
and a quorum of unseal keys must be available.
```shell
$ vault operator unseal
# ...
```
### Using OTP
In this method, an OTP is XORed with the generated token on final output.
1. Generate a one-time password (OTP) to use for XORing the resulting token:
```text
$ vault operator generate-root -generate-otp
mOXx7iVimjE6LXQ2Zna6NA==
```
Save this OTP because you will need it to get the decoded final root token.
1. Initialize a root token generation, providing the OTP code from the step
above:
```text
$ vault operator generate-root -init -otp=mOXx7iVimjE6LXQ2Zna6NA==
Nonce f67f4da3-4ae4-68fb-4716-91da6b609c3e
Started true
Progress 0/5
Complete false
```
The nonce value should be distributed to all unseal key holders.
1. Each unseal key holder providers their unseal key:
```text
$ vault operator generate-root
Root generation operation nonce: f67f4da3-4ae4-68fb-4716-91da6b609c3e
Unseal Key (will be hidden): ...
```
If there is a tty, Vault will prompt for the key and automatically
complete the nonce value. If there is no tty, or if the value is piped
from stdin, the user must specify the nonce value from the `-init`
operation.
```text
$ echo $UNSEAL_KEY | vault operator generate-root -nonce=f67f4da3... -
```
1. When the quorum of unseal keys are supplied, the final user will also get
the encoded root token.
```text
$ vault operator generate-root
Root generation operation nonce: f67f4da3-4ae4-68fb-4716-91da6b609c3e
Unseal Key (will be hidden):
Nonce f67f4da3-4ae4-68fb-4716-91da6b609c3e
Started true
Progress 5/5
Complete true
Root Token IxJpyqxn3YafOGhqhvP6cQ==
```
1. Decode the encoded token using the OTP:
```text
$ vault operator generate-root \
-decode=IxJpyqxn3YafOGhqhvP6cQ== \
-otp=mOXx7iVimjE6LXQ2Zna6NA==
24bde68f-3df3-e137-cf4d-014fe9ebc43f
```
### Using PGP
1. Initialize a root token generation, providing the path to a GPG public key
or keybase username of a user to encrypted the resulting token.
```text
$ vault operator generate-root -init -pgp-key=keybase:sethvargo
Nonce e24dec5e-f1ea-2dfe-ecce-604022006976
Started true
Progress 0/5
Complete false
PGP Fingerprint e2f8e2974623ba2a0e933a59c921994f9c27e0ff
```
The nonce value should be distributed to all unseal key holders.
1. Each unseal key holder providers their unseal key:
```text
$ vault operator generate-root
Root generation operation nonce: e24dec5e-f1ea-2dfe-ecce-604022006976
Unseal Key (will be hidden): ...
```
If there is a tty, Vault will prompt for the key and automatically
complete the nonce value. If there is no tty, or if the value is piped
from stdin, the user must specify the nonce value from the `-init`
operation.
```text
$ echo $UNSEAL_KEY | vault generate-root -nonce=f67f4da3... -
```
1. When the quorum of unseal keys are supplied, the final user will also get
the encoded root token.
```text
$ vault operator generate-root
Root generation operation nonce: e24dec5e-f1ea-2dfe-ecce-604022006976
Unseal Key (will be hidden):
Nonce e24dec5e-f1ea-2dfe-ecce-604022006976
Started true
Progress 1/1
Complete true
PGP Fingerprint e2f8e2974623ba2a0e933a59c921994f9c27e0ff
Root Token wcFMA0RVkFtoqzRlARAAI3Ux8kdSpfgXdF9mg...
```
1. Decrypt the encrypted token using associated private key:
```text
$ echo "wcFMA0RVkFtoqzRlARAAI3Ux8kdSpfgXdF9mg..." | base64 --decode | gpg --decrypt
d0f71e9b-ebff-6d8a-50ae-b8859f2e5671
```
or via keybase:
```text
$ echo "wcFMA0RVkFtoqzRlARAAI3Ux8kdSpfgXdF9mg..." | base64 --decode | keybase pgp decrypt
d0f71e9b-ebff-6d8a-50ae-b8859f2e5671
```
[root-tokens]: /docs/concepts/tokens.html#root-tokens
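Review bot: Before dropping this copy as a duplicate, confirm that the surviving `/guides/operations/generate-root.html` does not carry the defects visible in the removed text. In the PGP section the stdin example calls `vault generate-root` without `operator` and reuses the OTP section's nonce `f67f4da3...` instead of `e24dec5e...`, the completion output shows `Progress 1/1` after an init that reported `0/5`, and both sections say "providers their unseal key". If the retained guide has the same text, fix it in this change, since the commit already covers typo fixes.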

View File

@ -1,35 +0,0 @@
---
layout: "guides"
page_title: "Vault Configuration - Guides"
sidebar_current: "guides-configuration"
description: |-
Once a Vault instance has been installed, the next step is to configure auth
backends, secret backends, and manage keys. Vault configuration guides addresses
key concepts in configuring your Vault application.
---
# Vault Configuration
This guide walks you through Vault configuration topics.
- [Policies](/guides/configuration/policies.html) are used to instrument
Role-Based Access Control (RBAC) by specifying access privileges. Authoring of
policies is probably the first step the Vault administrator performs. This guide
walks you through creating example policies for `admin` and `provisioner` users.
- [AppRole Pull Authentication](/guides/configuration/authentication.html) guide
that introduces the steps to generate tokens for machines or apps by enabling
AppRole auth backend.
- [Token and Leases](/guides/configuration/lease.html) guide helps you
understand how tokens and leases work in Vault. The understanding of the
lease hierarchy and expiration mechanism helps you plan for break glass
procedures and more.
- [Root Token Generation](/guides/configuration/generate-root.html) guide
demonstrates the workflow of regenerating root tokens. It is considered to be a
best practice not to persist the initial **root** token. If a root token needs
to be regenerated, this guide helps you walk through the task.
- [Rekeying & Rotating](/guides/configuration/rekeying-and-rotating.html) guide
provides a high-level overview of Shamir's Secret Sharing Algorithm, and how to
perform _rekey_ and _rotate_ operations in Vault.
- [Building Plugin Backends](/guides/configuration/plugin-backends.html) guide
provides steps to build, register, and mount non-database external plugin
backends.

View File

@ -1,7 +1,7 @@
---
layout: "guides"
page_title: "AppRole Pull Authentication - Guides"
sidebar_current: "guides-configuration-authentication"
sidebar_current: "guides-identity-authentication"
description: |-
Authentication is a process in Vault by which user or machine-supplied
information is verified to create a token with pre-configured policy.
@ -123,7 +123,7 @@ path "secret/mysql/*" {
```
If you are not familiar with policies, complete the
[policies](/guides/configuration/policies.html) guide.
[policies](/guides/operations/policies.html) guide.
## Steps
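Review bot: The replacement link in this hunk points to `/guides/operations/policies.html`, but the policies guide moves to `/guides/identity/policies.html` everywhere else in this commit (the redirects, the sidebar, and the same sentence in the other guides), and no redirect for an `operations/policies.html` path is visible. Change the target to `/guides/identity/policies.html`.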
@ -235,7 +235,7 @@ $ vault write auth/approle/role/<ROLE_NAME> [parameters]
> specify `token_num_uses` and `token_ttl`. You may never want the app token to
> expire. In such a case, specify the `period` so that the token generated by
> this AppRole is a periodic token. To learn more about periodic token, refer to
> the [Tokens and Leases](/guides/configuration/lease.html#step4) guide.
> the [Tokens and Leases](/guides/identity/lease.html#step4) guide.
**Example:**
@ -304,7 +304,7 @@ $ curl --header "X-Vault-Token: ..." --request POST \
> specify `token_num_uses` and `token_ttl`. You may never want the app token to
> expire. In such a case, specify the `period` so that the token generated by
> this AppRole is a periodic token. To learn more about periodic token, refer to
> the [Tokens and Leases](/guides/configuration/lease.html#step4) guide.
> the [Tokens and Leases](/guides/identity/lease.html#step4) guide.
**NOTE:** To attach multiple policies, pass the policy names as a comma

View File

@ -0,0 +1,25 @@
---
layout: "guides"
page_title: "Identity and Access Management - Guides"
sidebar_current: "guides-identity"
description: |-
Once a Vault instance has been installed, the next step is to configure auth
backends, secret backends, and manage keys. Vault configuration guides addresses
key concepts in configuring your Vault application.
---
# Identity and Access Management
This guide walks you through Identity and Access Management topics.
- [Policies](/guides/identity/policies.html) are used to instrument
Role-Based Access Control (RBAC) by specifying access privileges. Authoring of
policies is probably the first step the Vault administrator performs. This guide
walks you through creating example policies for `admin` and `provisioner` users.
- [AppRole Pull Authentication](/guides/identity/authentication.html) guide
that introduces the steps to generate tokens for machines or apps by enabling
AppRole auth backend.
- [Token and Leases](/guides/identity/lease.html) guide helps you
understand how tokens and leases work in Vault. The understanding of the
lease hierarchy and expiration mechanism helps you plan for break glass
procedures and more.
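Review bot: The front-matter `description` of this new index is carried over unchanged from the deleted Vault Configuration index ("... manage keys. Vault configuration guides addresses key concepts in configuring your Vault application."), so it still describes the old category. Suggest rewriting it for the three guides actually listed on the page: policies, AppRole authentication, and tokens and leases.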

View File

@ -1,7 +1,7 @@
---
layout: "guides"
page_title: "Tokens and Leases - Guides"
sidebar_current: "guides-configuration-lease"
sidebar_current: "guides-identity-lease"
description: |-
Tokens are the core method for authentication within Vault. For every
authentication token and dynamic secret, Vault creates a lease
@ -131,7 +131,7 @@ path "sys/mounts/database/tune" {
```
If you are not familiar with policies, complete the
[policies](/guides/configuration/policies.html) guide.
[policies](/guides/identity/policies.html) guide.
## Steps
@ -625,7 +625,7 @@ are talking about long-running apps need to be able to renew its token
indefinitely.
-> For more details about AppRole, read the [AppRole Pull
-Authentication](/guides/configuration/authentication.html) guide.
-Authentication](/guides/identity/authentication.html) guide.
To create AppRole periodic tokens, create your AppRole role with
`period` specified.
@ -803,5 +803,5 @@ renewable true
## Next steps
Now you have learned the lifecycle of tokens and leases, read [AppRole Pull
Authentication](/guides/configuration/authentication.html) guide to learn how to generate
Authentication](/guides/identity/authentication.html) guide to learn how to generate
tokens for apps or machines.

View File

@ -1,7 +1,7 @@
---
layout: "guides"
page_title: "Policies - Guides"
sidebar_current: "guides-configuration-policies"
sidebar_current: "guides-identity-policies"
description: |-
Policies in Vault control what a user can access.
---
@ -584,5 +584,5 @@ $ curl --request POST --header "X-Vault-Token: ..." --data '{"path":"sys/auth/ap
## Next steps
In this guide, you learned how to write policies based on given policy
requirements. Next, [AppRole Pull Authentication](/guides/configuration/authentication.html)
requirements. Next, [AppRole Pull Authentication](/guides/identity/authentication.html)
guide demonstrates how to associate policies to a role.

View File

@ -1,7 +1,7 @@
---
layout: "guides"
page_title: "Generate Root Tokens using Unseal Keys - Guides"
sidebar_current: "guides-generate-root"
sidebar_current: "guides-operations-generate-root"
description: |-
Generate a new root token using a threshold of unseal keys.
---

View File

@ -21,3 +21,13 @@ and focus on defense in depth.
walks you through the commands to activate the Vault servers in replication mode.
Please note that [Vault Replication](/docs/vault-enterprise/replication/index.html)
is a Vault Enterprise feature.
- [Root Token Generation](/guides/operations/generate-root.html) guide
demonstrates the workflow of regenerating root tokens. It is considered to be a
best practice not to persist the initial **root** token. If a root token needs
to be regenerated, this guide helps you walk through the task.
- [Rekeying & Rotating](/guides/operations/rekeying-and-rotating.html) guide
provides a high-level overview of Shamir's Secret Sharing Algorithm, and how to
perform _rekey_ and _rotate_ operations in Vault.
- [Building Plugin Backends](/guides/operations/plugin-backends.html) guide
provides steps to build, register, and mount non-database external plugin
backends.
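Review bot: The context line just above the added entries still links to `/docs/vault-enterprise/replication/index.html`, which redirects.txt in this same commit maps to `/docs/enterprise/replication/index.html`. As this file is already being edited for link paths, suggest pointing the link at the new path directly rather than relying on the redirect.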

View File

@ -1,7 +1,7 @@
---
layout: "guides"
page_title: "Plugin Backends - Guides"
sidebar_current: "guides-configuration-plugin-backends"
sidebar_current: "guides-operations-plugin-backends"
description: |-
Learn how to build, register, and mount a custom plugin backend.
---

View File

@ -81,7 +81,7 @@ and practical.
code](https://www.hashicorp.com/blog/codifying-vault-policies-and-configuration/),
and using version control to manage policies. Once setup, the root token
should be revoked to eliminate the risk of exposure. Root tokens can be
[generated when needed](/guides/configuration/generate-root.html), and should be
[generated when needed](/guides/operations/generate-root.html), and should be
revoked as soon as possible.
* **Enable Auditing**. Vault supports several auditing backends. Enabling

View File

@ -1,7 +1,7 @@
---
layout: "guides"
page_title: "Rekeying & Rotating Vault - Guides"
sidebar_current: "guides-configuration-rekeying-and-rotating"
sidebar_current: "guides-operations-rekeying-and-rotating"
description: |-
Vault supports generating new unseal keys as well as rotating the underlying
encryption keys. This guide covers rekeying and rotating Vault's encryption

View File

@ -539,7 +539,7 @@ Also, refer to [Cubbyhole Secret Backend HTTP API](/api/secret/cubbyhole/index.h
## Next steps
The use of [AppRole Pull Authentication](/guides/configuration/authentication.html) is a good
The use of [AppRole Pull Authentication](/guides/identity/authentication.html) is a good
use case to leverage the response wrapping. Go through the guide if you have not
done so. To better understand the lifecycle of Vault tokens, proceed to [Tokens
and Leases](/guides/configuration/lease.html) guide.
and Leases](/guides/identity/lease.html) guide.

View File

@ -124,7 +124,7 @@ path "auth/token/create" {
```
If you are not familiar with policies, complete the
[policies](/guides/configuration/policies.html) guide.
[policies](/guides/identity/policies.html) guide.
## Steps
@ -338,7 +338,7 @@ token_policies [apps default]
Use the returned token to perform the remaining.
**NOTE:** [AppRole Pull Authentication](/guides/configuration/authentication.html) guide
**NOTE:** [AppRole Pull Authentication](/guides/identity/authentication.html) guide
demonstrates more sophisticated way of generating a token for your apps.
```shell
@ -412,7 +412,7 @@ $ curl --header "X-Vault-Token: ..." --request POST \
Be sure to use the returned token to perform the remaining.
**NOTE:** [AppRole Pull Authentication](/guides/configuration/authentication.html) guide
**NOTE:** [AppRole Pull Authentication](/guides/identity/authentication.html) guide
demonstrates more sophisticated way of generating a token for your apps.
```shell
@ -498,5 +498,5 @@ user name exists.
This guide discussed how to generate credentials on--dataemand so that the access
credentials no longer need to be written to disk. Next, learn about the
[Tokens and Leases](/guides/configuration/lease.html) so that you can control the lifecycle of
[Tokens and Leases](/guides/identity/lease.html) so that you can control the lifecycle of
those credentials.
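Review bot: The first context line of this hunk contains "on--dataemand", which should read "on-demand". The sentence sits directly above the link being changed, so it is worth correcting in this commit alongside the other typo fixes.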

View File

@ -94,7 +94,7 @@ path "auth/token/create" {
```
If you are not familiar with policies, complete the
[policies](/guides/configuration/policies.html) guide.
[policies](/guides/identity/policies.html) guide.
## Steps
@ -545,5 +545,5 @@ $ cat mongodb.txt
This guide introduced the CLI commands and API endpoints to read and write
secrets in key/value backend. To keep it simple, the `devops` persona generated a
token for `apps`. Read [AppRole Pull
Authentication](/guides/configuration/authentication.html) guide to learn about
Authentication](/guides/identity/authentication.html) guide to learn about
programmatically generate a token for apps.

View File

@ -16,29 +16,29 @@
<li<%= sidebar_current("guides-operations-replication") %>>
<a href="/guides/operations/replication.html">Replication Setup &amp; Guidance</a>
</li>
<li<%= sidebar_current("guides-operations-generate-root") %>>
<a href="/guides/operations/generate-root.html">Root Token Generation</a>
</li>
<li<%= sidebar_current("guides-operations-rekeying-and-rotating") %>>
<a href="/guides/operations/rekeying-and-rotating.html">Rekeying &amp; Rotating</a>
</li>
<li<%= sidebar_current("guides-operations-plugin-backends") %>>
<a href="/guides/operations/plugin-backends.html">Building Plugin Backends</a>
</li>
</ul>
</li>
<li<%= sidebar_current("guides-configuration")%>>
<a href="/guides/configuration/index.html">Vault Configuration</a>
<li<%= sidebar_current("guides-identity")%>>
<a href="/guides/identity/index.html">Identity and Access Management</a>
<ul class="nav">
<li<%= sidebar_current("guides-configuration-policies") %>>
<a href="/guides/configuration/policies.html">Policies</a>
<li<%= sidebar_current("guides-identity-policies") %>>
<a href="/guides/identity/policies.html">Policies</a>
</li>
<li<%= sidebar_current("guides-configuration-authentication") %>>
<a href="/guides/configuration/authentication.html">AppRole Pull Authentication</a>
<li<%= sidebar_current("guides-identity-authentication") %>>
<a href="/guides/identity/authentication.html">AppRole Pull Authentication</a>
</li>
<li<%= sidebar_current("guides-configuration-lease") %>>
<a href="/guides/configuration/lease.html">Tokens and Leases</a>
</li>
<li<%= sidebar_current("guides-configuration-generate-root") %>>
<a href="/guides/configuration/generate-root.html">Root Token Generation</a>
</li>
<li<%= sidebar_current("guides-configuration-rekeying-and-rotating") %>>
<a href="/guides/configuration/rekeying-and-rotating.html">Rekeying &amp; Rotating</a>
</li>
<li<%= sidebar_current("guides-configuration-plugin-backends") %>>
<a href="/guides/configuration/plugin-backends.html">Building Plugin Backends</a>
<li<%= sidebar_current("guides-identity-lease") %>>
<a href="/guides/identity/lease.html">Tokens and Leases</a>
</li>
</ul>
</li>