From af73d965a4c1e0bbac6c3a368734e4c48d0a2be2 Mon Sep 17 00:00:00 2001
From: Jeff Mitchell
Date: Mon, 1 Feb 2016 10:27:26 -0500
Subject: [PATCH] Cassandra:

* Add ability to change protocol version
* Remove config as a root path, use normal ACLs
* Update docs

---
 builtin/logical/cassandra/backend.go | 23 +++++-------
 .../cassandra/path_config_connection.go | 18 ++++++----
 builtin/logical/cassandra/util.go | 5 +++
 .../docs/secrets/cassandra/index.html.md | 33 +++++++++++--------
 4 files changed, 45 insertions(+), 34 deletions(-)

diff --git a/builtin/logical/cassandra/backend.go b/builtin/logical/cassandra/backend.go
index efbb46c07..755082c08 100644
--- a/builtin/logical/cassandra/backend.go
+++ b/builtin/logical/cassandra/backend.go
@@ -21,12 +21,6 @@ func Backend() *framework.Backend {
 b.Backend = &framework.Backend{
 Help: strings.TrimSpace(backendHelp),
 
- PathsSpecial: &logical.Paths{
- Root: []string{
- "config/*",
- },
- },
-
 Paths: []*framework.Path{
 pathConfigConnection(&b),
 pathRoles(&b),
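Review bot: Dropping `config/*` from `PathsSpecial.Root` means `config/connection` — which takes the Cassandra username and password, a client private key, and the `insecure_tls` switch — is now guarded only by ordinary policy, and neither this hunk nor the docs change that deletes "This is a root protected endpoint." tells operators to lock it down. I would add a sentence to `backendHelp` (and to the docs) such as `config/connection stores the Cassandra superuser credentials and client TLS key; grant read and write on it only to trusted operator policies.` Whether `pathConnectionRead` echoes the stored password or private key is not visible here; if it does, any token with read on that path now sees them, so those fields should be redacted from the response. `Backend()` continues past the end of the hunk.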
@@ -52,14 +46,15 @@ type backend struct {
 }
 
 type sessionConfig struct {
- Hosts string `json:"hosts" structs:"hosts"`
- Username string `json:"username" structs:"username"`
- Password string `json:"password" structs:"password"`
- TLS bool `json:"tls" structs:"tls"`
- InsecureTLS bool `json:"insecure_tls" structs:"insecure_tls"`
- Certificate string `json:"certificate" structs:"certificate"`
- PrivateKey string `json:"private_key" structs:"private_key"`
- IssuingCA string `json:"issuing_ca" structs:"issuing_ca"`
+ Hosts string `json:"hosts" structs:"hosts"`
+ Username string `json:"username" structs:"username"`
+ Password string `json:"password" structs:"password"`
+ TLS bool `json:"tls" structs:"tls"`
+ InsecureTLS bool `json:"insecure_tls" structs:"insecure_tls"`
+ Certificate string `json:"certificate" structs:"certificate"`
+ PrivateKey string `json:"private_key" structs:"private_key"`
+ IssuingCA string `json:"issuing_ca" structs:"issuing_ca"`
+ ProtocolVersion int `json:"protocol_version" structs:"protocol_version"`
 }
 
 // DB returns the database connection.
diff --git a/builtin/logical/cassandra/path_config_connection.go b/builtin/logical/cassandra/path_config_connection.go
index b4ebd7076..6b34d6bae 100644
--- a/builtin/logical/cassandra/path_config_connection.go
+++ b/builtin/logical/cassandra/path_config_connection.go
@@ -55,10 +55,15 @@ backend can be directly passed into this parameter. If both this and
 "pem_bundle" are specified, this will take precedence.`,
 },
+
+ "protocol_version": &framework.FieldSchema{
+ Type: framework.TypeInt,
+ Description: `The protocol version to use. Defaults to 2.`,
+ },
 },
 
 Callbacks: map[logical.Operation]framework.OperationFunc{
- logical.ReadOperation: b.pathConnectionRead,
+ logical.ReadOperation: b.pathConnectionRead,
 logical.UpdateOperation: b.pathConnectionWrite,
 },
 
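Review bot: The new `protocol_version` schema says `Defaults to 2.` but sets no `Default`, so an omitted field is stored as 0 and the fallback to 2 has to live in `createSession`; if the read handler returns the stored config, it would presumably report 0 rather than the version actually in use. Setting `Default: 2,` in the `FieldSchema` makes the persisted value match the description, and the zero check in `createSession` can remain as a guard for configs written before this field existed. The field is also accepted without any range check, so a negative or unsupported value is persisted and only fails when a session is opened. The `framework.Path` literal this schema belongs to starts and ends outside the hunk.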
@@ -108,11 +113,12 @@ func (b *backend) pathConnectionWrite(
 }
 
 config := &sessionConfig{
- Hosts: hosts,
- Username: username,
- Password: password,
- TLS: data.Get("tls").(bool),
- InsecureTLS: data.Get("insecure_tls").(bool),
+ Hosts: hosts,
+ Username: username,
+ Password: password,
+ TLS: data.Get("tls").(bool),
+ InsecureTLS: data.Get("insecure_tls").(bool),
+ ProtocolVersion: data.Get("protocol_version").(int),
 }
 
 if config.InsecureTLS {
diff --git a/builtin/logical/cassandra/util.go b/builtin/logical/cassandra/util.go
index 394bfafd5..193de6661 100644
--- a/builtin/logical/cassandra/util.go
+++ b/builtin/logical/cassandra/util.go
@@ -39,6 +39,11 @@ func createSession(cfg *sessionConfig, s logical.Storage) (*gocql.Session, error
 Password: cfg.Password,
 }
 
+ clusterConfig.ProtoVersion = cfg.ProtocolVersion
+ if clusterConfig.ProtoVersion == 0 {
+ clusterConfig.ProtoVersion = 2
+ }
+
 if cfg.TLS {
 tlsConfig := &tls.Config{
 InsecureSkipVerify: cfg.InsecureTLS,
diff --git a/website/source/docs/secrets/cassandra/index.html.md b/website/source/docs/secrets/cassandra/index.html.md
index a638d8bd8..8d0f903b4 100644
--- a/website/source/docs/secrets/cassandra/index.html.md
+++ b/website/source/docs/secrets/cassandra/index.html.md
@@ -104,20 +104,28 @@ subpath for interactive help output.
 TLS works as follows:
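Review bot: `ProtocolVersion: data.Get("protocol_version").(int)` stores whatever integer the caller sent; nothing in the hunk rejects a negative value or one the cluster cannot speak, so a typo is only discovered when `createSession` later opens a connection — presumably on the first credential request rather than at configuration time. I would validate before building the struct, `if pv := data.Get("protocol_version").(int); pv < 0 { return logical.ErrorResponse("protocol_version must be a non-negative integer"), nil }`, and rely on the write handler test-opening a session (if it does so further down — not visible here) to catch versions the server rejects. `pathConnectionWrite` begins before the hunk and continues after it.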
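Review bot: The `== 0` fallback in `createSession` needs a comment, because a reader will otherwise wonder why the default lives here instead of in the field schema: `// 0 means unset: configs written before protocol_version existed (and writes that omit it) keep the previous default of 2.` It is also worth confirming against the gocql version in use whether `ProtoVersion == 0` asks the driver to negotiate the version with the server; if it does, forcing 2 here silently disables that and the comment should say so. Negative values from the stored config pass straight through to gocql unchecked. `createSession` begins before the hunk and continues after it.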

- `pem_bundle` should be a PEM-concatenated bundle of a private key + client certificate, an issuing CA certificate, or both. `pem_json` should contain the same information; for convenience, the JSON format is the same as that output by the issue command from the PKI backend.

- This is a root protected endpoint. + `pem_bundle` should be a PEM-concatenated bundle of a private key + client + certificate, an issuing CA certificate, or both. `pem_json` should contain + the same information; for convenience, the JSON format is the same as that + output by the issue command from the PKI backend.
Method
@@ -169,6 +177,11 @@ subpath for interactive help output. certificate. For convenience format is the same as the output of the `issue` command from the `pki` backend; see [the pki documentation](https://www.vaultproject.io/docs/secrets/pki/index.html). +
  • + protocol_version + optional + The CQL protocol version to use. Defaults to 2. +
  • @@ -220,13 +233,6 @@ subpath for interactive help output. The lease value provided as a string duration with time suffix. Hour is the largest suffix. -
  • - lease_grace_period - optional - The lease grace period (time before revocation after the lease has - expired) provided as a string duration with time suffix. Hour is the - largest suffix. -
  • @@ -264,7 +270,6 @@ subpath for interactive help output. "creation_cql": "CREATE USER...", "rollback_cql": "DROP USER...", "lease": "12h", - "lease_grace_period": "1h" } } ```