Cassandra:
* Add ability to change protocol version * Remove config as a root path, use normal ACLs * Update docs
This commit is contained in:
parent
9a21d03689
commit
af73d965a4
|
@ -21,12 +21,6 @@ func Backend() *framework.Backend {
|
|||
b.Backend = &framework.Backend{
|
||||
Help: strings.TrimSpace(backendHelp),
|
||||
|
||||
PathsSpecial: &logical.Paths{
|
||||
Root: []string{
|
||||
"config/*",
|
||||
},
|
||||
},
|
||||
|
||||
Paths: []*framework.Path{
|
||||
pathConfigConnection(&b),
|
||||
pathRoles(&b),
|
||||
|
@ -60,6 +54,7 @@ type sessionConfig struct {
|
|||
Certificate string `json:"certificate" structs:"certificate"`
|
||||
PrivateKey string `json:"private_key" structs:"private_key"`
|
||||
IssuingCA string `json:"issuing_ca" structs:"issuing_ca"`
|
||||
ProtocolVersion int `json:"protocol_version" structs:"protocol_version"`
|
||||
}
|
||||
|
||||
// DB returns the database connection.
|
||||
|
|
|
@ -55,6 +55,11 @@ backend can be directly passed into this parameter.
|
|||
If both this and "pem_bundle" are specified, this will
|
||||
take precedence.`,
|
||||
},
|
||||
|
||||
"protocol_version": &framework.FieldSchema{
|
||||
Type: framework.TypeInt,
|
||||
Description: `The protocol version to use. Defaults to 2.`,
|
||||
},
|
||||
},
|
||||
|
||||
Callbacks: map[logical.Operation]framework.OperationFunc{
|
||||
|
@ -113,6 +118,7 @@ func (b *backend) pathConnectionWrite(
|
|||
Password: password,
|
||||
TLS: data.Get("tls").(bool),
|
||||
InsecureTLS: data.Get("insecure_tls").(bool),
|
||||
ProtocolVersion: data.Get("protocol_version").(int),
|
||||
}
|
||||
|
||||
if config.InsecureTLS {
|
||||
|
|
|
@ -39,6 +39,11 @@ func createSession(cfg *sessionConfig, s logical.Storage) (*gocql.Session, error
|
|||
Password: cfg.Password,
|
||||
}
|
||||
|
||||
clusterConfig.ProtoVersion = cfg.ProtocolVersion
|
||||
if clusterConfig.ProtoVersion == 0 {
|
||||
clusterConfig.ProtoVersion = 2
|
||||
}
|
||||
|
||||
if cfg.TLS {
|
||||
tlsConfig := &tls.Config{
|
||||
InsecureSkipVerify: cfg.InsecureTLS,
|
||||
|
|
|
@ -104,20 +104,28 @@ subpath for interactive help output.
|
|||
TLS works as follows:<br /><br />
|
||||
<ul>
|
||||
<li>
|
||||
• If `tls` is set to true, the connection will use TLS; this happens automatically if `pem_bundle`, `pem_json`, or `insecure_tls` is set
|
||||
• If `tls` is set to true, the connection will use TLS; this happens
|
||||
automatically if `pem_bundle`, `pem_json`, or `insecure_tls` is set
|
||||
</li>
|
||||
<li>
|
||||
• If `insecure_tls` is set to true, the connection will not perform verification of the server certificate; this also sets `tls` to true
|
||||
• If `insecure_tls` is set to true, the connection will not perform
|
||||
verification of the server certificate; this also sets `tls` to true
|
||||
</li>
|
||||
<li>
|
||||
• If only `issuing_ca` is set in `pem_json`, or the only certificate in `pem_bundle` is a CA certificate, the given CA certificate will be used for server certificate verification; otherwise the system CA certificates will be used
|
||||
• If only `issuing_ca` is set in `pem_json`, or the only certificate in
|
||||
`pem_bundle` is a CA certificate, the given CA certificate will be used
|
||||
for server certificate verification; otherwise the system CA
|
||||
certificates will be used
|
||||
</li>
|
||||
<li>
|
||||
• If `certificate` and `private_key` are set in `pem_bundle` or `pem_json`, client auth will be turned on for the connection
|
||||
• If `certificate` and `private_key` are set in `pem_bundle` or
|
||||
`pem_json`, client auth will be turned on for the connection
|
||||
</li>
|
||||
</ul>
|
||||
`pem_bundle` should be a PEM-concatenated bundle of a private key + client certificate, an issuing CA certificate, or both. `pem_json` should contain the same information; for convenience, the JSON format is the same as that output by the issue command from the PKI backend.<br /><br />
|
||||
This is a root protected endpoint.
|
||||
`pem_bundle` should be a PEM-concatenated bundle of a private key + client
|
||||
certificate, an issuing CA certificate, or both. `pem_json` should contain
|
||||
the same information; for convenience, the JSON format is the same as that
|
||||
output by the issue command from the PKI backend.
|
||||
</dd>
|
||||
|
||||
<dt>Method</dt>
|
||||
|
@ -169,6 +177,11 @@ subpath for interactive help output.
|
|||
certificate. For convenience format is the same as the output of the
|
||||
`issue` command from the `pki` backend; see [the pki documentation](https://www.vaultproject.io/docs/secrets/pki/index.html).
|
||||
</li>
|
||||
<li>
|
||||
<span class="param">protocol_version</span>
|
||||
<span class="param-flags">optional</span>
|
||||
The CQL protocol version to use. Defaults to 2.
|
||||
</li>
|
||||
</ul>
|
||||
</dd>
|
||||
|
||||
|
@ -220,13 +233,6 @@ subpath for interactive help output.
|
|||
The lease value provided as a string duration
|
||||
with time suffix. Hour is the largest suffix.
|
||||
</li>
|
||||
<li>
|
||||
<span class="param">lease_grace_period</span>
|
||||
<span class="param-flags">optional</span>
|
||||
The lease grace period (time before revocation after the lease has
|
||||
expired) provided as a string duration with time suffix. Hour is the
|
||||
largest suffix.
|
||||
</li>
|
||||
</ul>
|
||||
</dd>
|
||||
|
||||
|
@ -264,7 +270,6 @@ subpath for interactive help output.
|
|||
"creation_cql": "CREATE USER...",
|
||||
"rollback_cql": "DROP USER...",
|
||||
"lease": "12h",
|
||||
"lease_grace_period": "1h"
|
||||
}
|
||||
}
|
||||
```
|
||||
|
|
Loading…
Reference in a new issue