Cassandra:

* Add ability to change protocol version * Remove config as a root path, use normal ACLs * Update docs
2016-02-01 10:27:26 -05:00 · 2016-02-01 10:27:26 -05:00 · af73d965a4
parent 9a21d03689
commit af73d965a4
4 changed files with 45 additions and 34 deletions
--- a/builtin/logical/cassandra/backend.go
+++ b/builtin/logical/cassandra/backend.go
@ -21,12 +21,6 @@ func Backend() *framework.Backend {
 	b.Backend = &framework.Backend{
 		Help: strings.TrimSpace(backendHelp),

-		PathsSpecial: &logical.Paths{
-			Root: []string{
-				"config/*",
-			},
-		},
-
 		Paths: []*framework.Path{
 			pathConfigConnection(&b),
 			pathRoles(&b),
@ -52,14 +46,15 @@ type backend struct {
 }

 type sessionConfig struct {
-	Hosts       string `json:"hosts" structs:"hosts"`
-	Username    string `json:"username" structs:"username"`
-	Password    string `json:"password" structs:"password"`
-	TLS         bool   `json:"tls" structs:"tls"`
-	InsecureTLS bool   `json:"insecure_tls" structs:"insecure_tls"`
-	Certificate string `json:"certificate" structs:"certificate"`
-	PrivateKey  string `json:"private_key" structs:"private_key"`
-	IssuingCA   string `json:"issuing_ca" structs:"issuing_ca"`
+	Hosts           string `json:"hosts" structs:"hosts"`
+	Username        string `json:"username" structs:"username"`
+	Password        string `json:"password" structs:"password"`
+	TLS             bool   `json:"tls" structs:"tls"`
+	InsecureTLS     bool   `json:"insecure_tls" structs:"insecure_tls"`
+	Certificate     string `json:"certificate" structs:"certificate"`
+	PrivateKey      string `json:"private_key" structs:"private_key"`
+	IssuingCA       string `json:"issuing_ca" structs:"issuing_ca"`
+	ProtocolVersion int    `json:"protocol_version" structs:"protocol_version"`
 }

 // DB returns the database connection.
--- a/builtin/logical/cassandra/path_config_connection.go
+++ b/builtin/logical/cassandra/path_config_connection.go
@ -55,10 +55,15 @@ backend can be directly passed into this parameter.
 If both this and "pem_bundle" are specified, this will
 take precedence.`,
 			},
+
+			"protocol_version": &framework.FieldSchema{
+				Type:        framework.TypeInt,
+				Description: `The protocol version to use. Defaults to 2.`,
+			},
 		},

 		Callbacks: map[logical.Operation]framework.OperationFunc{
-			logical.ReadOperation:  b.pathConnectionRead,
+			logical.ReadOperation:   b.pathConnectionRead,
 			logical.UpdateOperation: b.pathConnectionWrite,
 		},

@ -108,11 +113,12 @@ func (b *backend) pathConnectionWrite(
 	}

 	config := &sessionConfig{
-		Hosts:       hosts,
-		Username:    username,
-		Password:    password,
-		TLS:         data.Get("tls").(bool),
-		InsecureTLS: data.Get("insecure_tls").(bool),
+		Hosts:           hosts,
+		Username:        username,
+		Password:        password,
+		TLS:             data.Get("tls").(bool),
+		InsecureTLS:     data.Get("insecure_tls").(bool),
+		ProtocolVersion: data.Get("protocol_version").(int),
 	}

 	if config.InsecureTLS {
--- a/builtin/logical/cassandra/util.go
+++ b/builtin/logical/cassandra/util.go
@ -39,6 +39,11 @@ func createSession(cfg *sessionConfig, s logical.Storage) (*gocql.Session, error
 		Password: cfg.Password,
 	}

+	clusterConfig.ProtoVersion = cfg.ProtocolVersion
+	if clusterConfig.ProtoVersion == 0 {
+		clusterConfig.ProtoVersion = 2
+	}
+
 	if cfg.TLS {
 		tlsConfig := &tls.Config{
 			InsecureSkipVerify: cfg.InsecureTLS,
--- a/website/source/docs/secrets/cassandra/index.html.md
+++ b/website/source/docs/secrets/cassandra/index.html.md
@ -104,20 +104,28 @@ subpath for interactive help output.
    TLS works as follows:<br /><br />
    <ul>
      <li>
-        • If `tls` is set to true, the connection will use TLS; this happens automatically if `pem_bundle`, `pem_json`, or `insecure_tls` is set
+        • If `tls` is set to true, the connection will use TLS; this happens
+        automatically if `pem_bundle`, `pem_json`, or `insecure_tls` is set
      </li>
      <li>
-        • If `insecure_tls` is set to true, the connection will not perform verification of the server certificate; this also sets `tls` to true
+        • If `insecure_tls` is set to true, the connection will not perform
+        verification of the server certificate; this also sets `tls` to true
      </li>
      <li>
-        • If only `issuing_ca` is set in `pem_json`, or the only certificate in `pem_bundle` is a CA certificate, the given CA certificate will be used for server certificate verification; otherwise the system CA certificates will be used
+        • If only `issuing_ca` is set in `pem_json`, or the only certificate in
+        `pem_bundle` is a CA certificate, the given CA certificate will be used
+        for server certificate verification; otherwise the system CA
+        certificates will be used
      </li>
      <li>
-        • If `certificate` and `private_key` are set in `pem_bundle` or `pem_json`, client auth will be turned on for the connection
+        • If `certificate` and `private_key` are set in `pem_bundle` or
+        `pem_json`, client auth will be turned on for the connection
      </li>
    </ul>
-    `pem_bundle` should be a PEM-concatenated bundle of a private key + client certificate, an issuing CA certificate, or both. `pem_json` should contain the same information; for convenience, the JSON format is the same as that output by the issue command from the PKI backend.<br /><br />
-    This is a root protected endpoint.
+    `pem_bundle` should be a PEM-concatenated bundle of a private key + client
+    certificate, an issuing CA certificate, or both. `pem_json` should contain
+    the same information; for convenience, the JSON format is the same as that
+    output by the issue command from the PKI backend.
  </dd>

  <dt>Method</dt>
@ -169,6 +177,11 @@ subpath for interactive help output.
        certificate. For convenience format is the same as the output of the
        `issue` command from the `pki` backend; see [the pki documentation](https://www.vaultproject.io/docs/secrets/pki/index.html).
      </li>
+      <li>
+        <span class="param">protocol_version</span>
+        <span class="param-flags">optional</span>
+        The CQL protocol version to use. Defaults to 2.
+      </li>
    </ul>
  </dd>

@ -220,13 +233,6 @@ subpath for interactive help output.
        The lease value provided as a string duration
        with time suffix. Hour is the largest suffix.
      </li>
-      <li>
-        <span class="param">lease_grace_period</span>
-        <span class="param-flags">optional</span>
-        The lease grace period (time before revocation after the lease has
-        expired) provided as a string duration with time suffix. Hour is the
-        largest suffix.
-      </li>
    </ul>
  </dd>

@ -264,7 +270,6 @@ subpath for interactive help output.
        "creation_cql": "CREATE USER...",
        "rollback_cql": "DROP USER...",
        "lease": "12h",
-        "lease_grace_period": "1h"
      }
    }
    ```