Cassandra:

* Add ability to change protocol version
* Remove config as a root path, use normal ACLs
* Update docs
This commit is contained in:
Jeff Mitchell 2016-02-01 10:27:26 -05:00
parent 9a21d03689
commit af73d965a4
4 changed files with 45 additions and 34 deletions


@ -21,12 +21,6 @@ func Backend() *framework.Backend {
b.Backend = &framework.Backend{
Help: strings.TrimSpace(backendHelp),
PathsSpecial: &logical.Paths{
Root: []string{
"config/*",
},
},
Paths: []*framework.Path{
pathConfigConnection(&b),
pathRoles(&b),
@ -60,6 +54,7 @@ type sessionConfig struct {
Certificate string `json:"certificate" structs:"certificate"`
PrivateKey string `json:"private_key" structs:"private_key"`
IssuingCA string `json:"issuing_ca" structs:"issuing_ca"`
ProtocolVersion int `json:"protocol_version" structs:"protocol_version"`
}
// DB returns the database connection.
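Review bot: The new `ProtocolVersion` field in `sessionConfig` carries no comment, so a reader of the struct cannot tell that its zero value is treated as "unset" and replaced by a default when the session is built (the `ProtoVersion == 0` fallback lives in `createSession`, in another file of this commit). I would document that contract on the field itself: `// ProtocolVersion is the CQL protocol version for gocql; 0 means unset and createSession substitutes the default (2).` Without it, a later change to the fallback silently alters what stored configs with a zero value mean. The `sessionConfig` definition starts outside this hunk, so the other fields may already have comments to match.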


@ -55,6 +55,11 @@ backend can be directly passed into this parameter.
If both this and "pem_bundle" are specified, this will
take precedence.`,
},
"protocol_version": &framework.FieldSchema{
Type: framework.TypeInt,
Description: `The protocol version to use. Defaults to 2.`,
},
},
Callbacks: map[logical.Operation]framework.OperationFunc{
@ -113,6 +118,7 @@ func (b *backend) pathConnectionWrite(
Password: password,
TLS: data.Get("tls").(bool),
InsecureTLS: data.Get("insecure_tls").(bool),
ProtocolVersion: data.Get("protocol_version").(int),
}
if config.InsecureTLS {
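Review bot: `ProtocolVersion: data.Get("protocol_version").(int)` in `pathConnectionWrite` stores whatever integer the caller supplies, including negative values, with no range check, and the field schema above documents "Defaults to 2" while setting no `Default`, so an omitted field is persisted as 0 and the documented default is only applied later at session creation. I would add `Default: 2,` to the `protocol_version` FieldSchema so the stored config matches the docs, and reject out-of-range input at write time rather than letting gocql fail on first use: `if pv := data.Get("protocol_version").(int); pv < 0 { return logical.ErrorResponse("protocol_version must be a non-negative integer"), nil }`. The zero fallback in `createSession` should stay regardless, since configs stored before this field existed will presumably decode with a 0. `pathConnectionWrite` begins and ends outside this hunk, so the check would go before the config struct literal.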


@ -39,6 +39,11 @@ func createSession(cfg *sessionConfig, s logical.Storage) (*gocql.Session, error
Password: cfg.Password,
}
clusterConfig.ProtoVersion = cfg.ProtocolVersion
if clusterConfig.ProtoVersion == 0 {
clusterConfig.ProtoVersion = 2
}
if cfg.TLS {
tlsConfig := &tls.Config{
InsecureSkipVerify: cfg.InsecureTLS,
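Review bot: The fallback `if clusterConfig.ProtoVersion == 0 { clusterConfig.ProtoVersion = 2 }` in `createSession` uses a bare literal and no comment, so it is not clear whether 0 is being treated as "unset" or as a version in its own right, nor why 2 is the chosen default. I would name the constant, `const defaultProtoVersion = 2`, and comment the branch: `// A zero ProtocolVersion means the field was never set (presumably a config stored before the field existed); use the default.` The value is otherwise passed straight through to gocql, so any validation of the stored integer belongs in the write path, not here. `createSession`'s body continues past the end of this hunk.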


@ -104,20 +104,28 @@ subpath for interactive help output.
TLS works as follows:<br /><br />
<ul>
<li>
• If `tls` is set to true, the connection will use TLS; this happens automatically if `pem_bundle`, `pem_json`, or `insecure_tls` is set
• If `tls` is set to true, the connection will use TLS; this happens
automatically if `pem_bundle`, `pem_json`, or `insecure_tls` is set
</li>
<li>
• If `insecure_tls` is set to true, the connection will not perform verification of the server certificate; this also sets `tls` to true
• If `insecure_tls` is set to true, the connection will not perform
verification of the server certificate; this also sets `tls` to true
</li>
<li>
• If only `issuing_ca` is set in `pem_json`, or the only certificate in `pem_bundle` is a CA certificate, the given CA certificate will be used for server certificate verification; otherwise the system CA certificates will be used
• If only `issuing_ca` is set in `pem_json`, or the only certificate in
`pem_bundle` is a CA certificate, the given CA certificate will be used
for server certificate verification; otherwise the system CA
certificates will be used
</li>
<li>
• If `certificate` and `private_key` are set in `pem_bundle` or `pem_json`, client auth will be turned on for the connection
• If `certificate` and `private_key` are set in `pem_bundle` or
`pem_json`, client auth will be turned on for the connection
</li>
</ul>
`pem_bundle` should be a PEM-concatenated bundle of a private key + client certificate, an issuing CA certificate, or both. `pem_json` should contain the same information; for convenience, the JSON format is the same as that output by the issue command from the PKI backend.<br /><br />
This is a root protected endpoint.
`pem_bundle` should be a PEM-concatenated bundle of a private key + client
certificate, an issuing CA certificate, or both. `pem_json` should contain
the same information; for convenience, the JSON format is the same as that
output by the issue command from the PKI backend.
</dd>
<dt>Method</dt>
@ -169,6 +177,11 @@ subpath for interactive help output.
certificate. For convenience format is the same as the output of the
`issue` command from the `pki` backend; see [the pki documentation](https://www.vaultproject.io/docs/secrets/pki/index.html).
</li>
<li>
<span class="param">protocol_version</span>
<span class="param-flags">optional</span>
The CQL protocol version to use. Defaults to 2.
</li>
</ul>
</dd>
@ -220,13 +233,6 @@ subpath for interactive help output.
The lease value provided as a string duration
with time suffix. Hour is the largest suffix.
</li>
<li>
<span class="param">lease_grace_period</span>
<span class="param-flags">optional</span>
The lease grace period (time before revocation after the lease has
expired) provided as a string duration with time suffix. Hour is the
largest suffix.
</li>
</ul>
</dd>
@ -264,7 +270,6 @@ subpath for interactive help output.
"creation_cql": "CREATE USER...",
"rollback_cql": "DROP USER...",
"lease": "12h",
"lease_grace_period": "1h"
}
}
```