Commit graph

9843 commits

Author SHA1 Message Date
Calvin Leung Huang 21dc5a72bf changelog++ 2019-01-07 09:41:34 -08:00
Pierre-Alain TORET f3143d6cc6 Allow to build on DragonFlyBSD (#5950) 2019-01-07 09:06:51 -08:00
Jeff Escalante a22275d4e0 remove extra analytics page call (#5997) 2019-01-07 11:18:55 -05:00
Thomas Kula 4265579aaa Fix small typo in azure.html.md (#6004) 2019-01-07 10:03:22 -05:00
Aric Walker c065b46f42 Remove duplicate "Users can" from policy md (#6002) 2019-01-07 07:02:28 -08:00
Chris Hoffman fd64a9364d changelog++ 2019-01-04 16:32:04 -05:00
Chris Hoffman 84cfc445c3 changelog++ 2019-01-04 16:31:30 -05:00
Seth Vargo c3f1043c24 Reduce required permissions for the GCPCKMS auto-unsealer (#5999)
This changes the behavior of the GCPCKMS auto-unsealer setup to attempt
encryption instead of a key lookup. Key lookups are a different API
method not covered by roles/cloudkms.cryptoKeyEncrypterDecrypter. This
means users must grant an extended scope to their service account
(granting the ability to read key data) which only seems to be used to
validate the existence of the key.

Worse, the only roles that include this permission are overly verbose
(e.g. roles/viewer which gives readonly access to everything in the
project and roles/cloudkms.admin which gives full control over all key
operations). This leaves the user stuck between choosing to create a
custom IAM role (which isn't fun) or grant overly broad permissions.

By changing to an encrypt call, we get better verification of the unseal
permissions and users can reduce scope to a single role.
2019-01-04 16:29:31 -05:00
Jeff Mitchell 55d25b85ae changelog++ 2019-01-04 15:08:37 -05:00
Jeff Mitchell c8a029210b Don't read AWS env vars (#5974)
* Don't read AWS env vars

Let AWS SDK env cred chain provider do it for us

Fixes #5965
2019-01-04 15:03:57 -05:00
Jeff Mitchell e11c7966fa Change credential_types output to credential_type (#5975)
Fixes #5972
2019-01-04 14:49:53 -05:00
Jim Kalafut 347d481930 Add tests for OpenAPI operation ids (#5998) 2019-01-04 11:46:54 -08:00
Seth Vargo 1917bb406d Fix audit docs (#6000)
These appear to have been converted to (bad) HTML. This returns them to
their original markdown format.
2019-01-04 13:45:50 -06:00
Iain Gray ecdacbb90a Update DG to Vault 1.0 (#5855)
* Update DG to Vault 1.0

* as per comments - chrishoffman

* Removed stray bracket and added quotes

* updated as per conversations with Dan
2019-01-03 10:10:37 -05:00
bjorndolk 4dbe61568a Physical postgres docker test (#5926)
* Docker support for postgres backend testing

* Bug in handling of postgres connection url for non docker testing

* Test should fail if it cannot retrieve pg version

* internal helper functions pascalCasing
2019-01-03 09:25:32 -05:00
Mike Wickett 46576acff3 website: add print styles for docs (#5958) 2019-01-03 09:24:10 -05:00
Graham Land 2e92372710 Docs: Add Auto Unseal Rekey example (#5952)
* Add KMS Rekey example

I've had customers looking for AWS KMS rekeying examples today - when using pgp keys.
This example would have clarified what they needed to do.

* Replaced KMS reference with Auto Unseal

``` bash
Rekey an Auto Unseal vault and encrypt the resulting recovery keys with PGP:
```
2019-01-03 09:23:43 -05:00
Chris Hoffman aa59563df5 changelog++ 2019-01-03 09:21:49 -05:00
Becca Petrin d7f31fe5e4 Merge pull request #5892 from jen20/jen20/dynamodb-capacity-doc
docs: Clarify the utility of DynamoDB capacities
2018-12-20 11:54:26 -08:00
Matthew Irish 0b2a63a6a3 UI secret navigation improvements (#5976)
* don't pass id when using createRecord

* add find nearest ancestor mixin

* re-throw the error if we've deleted something and encounter a 404

* use the with-nav-to-nearest-ancestor mixin

* add some comments

* add acceptance test to verify new behavior

* yield final transition in ec task
2018-12-20 13:46:37 -06:00
Pawel Gorczynski 953be252cd Extended info message regarding VAULT_ADDR env variable for Windows when running server -dev (#5970)
* Improved info message for Windows when running `server -dev`

Improvement for https://github.com/hashicorp/vault/issues/3405

* output updated to:

You may need to set the following environment variable:
PowerShell:
    $env:VAULT_ADDR="http://127.0.0.1:8200"
cmd.exe:
    set VAULT_ADDR=http://127.0.0.1:8200
2018-12-20 10:27:21 -08:00
Noelle Daley d74589989c fix policies sidebar title (#5980) 2018-12-20 09:34:03 -08:00
Becca Petrin d108843a0a Merge pull request #5947 from hmalphettes/master
Docs: JWT API - List Roles: fix the path
2018-12-20 09:15:57 -08:00
Becca Petrin f4ea0e001f Merge pull request #5940 from hashicorp/je.website-local-run-docs
Improve local development instruction
2018-12-20 09:11:13 -08:00
Brian Kassouf 325c3acbb5 Update operator_rekey.go (#5983) 2018-12-20 09:05:50 -08:00
Jim Kalafut 2547d7fb6a Simplify base62.Random (#5982)
Also move existing base62 encode/decode operations to their only points
of use.
2018-12-20 07:40:01 -08:00
R.B. Boyer 0ebb30938c website: fix simple typo (#5979) 2018-12-19 14:46:54 -08:00
Clint 004ca032e8 add MSSQL storage docs to sidebar (#5978) 2018-12-19 14:06:42 -06:00
Matthew Irish 3f91ad5ca6 UI - fix perf standby feature display (#5971)
* add performanceStandbyCount to license model

* use count to determine if perf standby is an active feature

* rename test file and add tests for new perf standby behavior

* Update ui/app/templates/components/license-info.hbs

* update display language
2018-12-18 11:01:12 -06:00
Graham Land c1fa76e9e2 Docs: Add example for Vault init Auto Unseal with PGP Keys (#5951)
* Add example for AWS KMS AutoUnseal with PGP Keys

A customer could not figure out how to get this working today.
This example would have helped them. We don't mention KMS anywhere in this section.

* Changed reference from AWS KMS to Auto Unseal

``` bash
Initialize Auto Unseal, but encrypt the recovery keys with pgp keys:
```
2018-12-18 11:42:10 -05:00
Janosch Maier b95fbbafe9 Docs: Fix project resource name in gcp roleset documentation (#5966)
The resource name when referring to a GCP project needs to have a "s". This PR adds the missing letter in the documentation.
2018-12-17 16:22:02 -08:00
vishalnayak 689163e7ed Upgrade guide for 0.11.6 2018-12-14 12:22:50 -05:00
Jeff Mitchell dfb139412e Cut version 1.0.1 2018-12-14 11:05:50 -05:00
Jeff Mitchell 434397ea7f Attempt to fix dockerfile again 2018-12-14 11:05:42 -05:00
Jeff Mitchell c4e9703ad6 Changes in Go don't like the old import path 2018-12-14 10:56:03 -05:00
Jeff Mitchell 8e229fed4a Prep for release 2018-12-14 10:42:59 -05:00
Jeff Mitchell 7cafbb51bf Update plugins 2018-12-14 10:42:11 -05:00
Jeff Mitchell 8521e77d2b changelog++ 2018-12-14 09:38:17 -05:00
Jeff Mitchell 85227877fa changelog++ 2018-12-14 09:22:55 -05:00
Jeff Mitchell cb1a686e3b Strip empty strings from database revocation stmts (#5955)
* Strip empty strings from database revocation stmts

It's technically valid to give empty strings as statements to run on
most databases. However, in the case of revocation statements, it's not
only generally inadvisable but can lead to lack of revocations when you
expect them. This strips empty strings from the array of revocation
statements.

It also makes two other changes:

* Return statements on read as empty but valid arrays rather than nulls,
so that typing information is inferred (this is more in line with the
rest of Vault these days)

* Changes field data for TypeStringSlice and TypeCommaStringSlice such
that a client-supplied value of `""` doesn't turn into `[]string{""}`
but rather `[]string{}`.

The latter and the explicit revocation statement changes are related,
and defense in depth.
2018-12-14 09:12:26 -05:00
Matthew Irish 4e06fd698e update help output examples and mention openapi fragment support (#5954) 2018-12-14 09:12:03 -05:00
Jeff Mitchell 5e8ee27ca4 Bump dockerfile Go version 2018-12-14 09:10:32 -05:00
Brian Kassouf e385b2a78d changelog++ 2018-12-13 16:46:41 -08:00
Brian Kassouf 75e25711a0 Default seal type to Shamir on older seal configs (#5956) 2018-12-13 16:44:56 -08:00
Jeff Mitchell d9d47bb252 Update Consul ACL example
Fixes #5831
2018-12-13 17:18:28 -05:00
Hugues Malphettes 726d79d854 Merge branch 'master' into master 2018-12-14 05:21:41 +08:00
Jeff Mitchell 1d847b3acc Add sidebar link for approle autoauth docs 2018-12-13 09:51:47 -05:00
Matthew Irish 8710b5122c changelog++ 2018-12-12 16:55:30 -06:00
Matthew Irish e4d3d2610c add an auth-config adapter for jwt so that configs can be saved properly (#5936)
* add an auth-config adapter for jwt so that configs can be saved properly

* unskip some tests and add a test for jwt config

* linting
2018-12-12 16:53:45 -06:00
Hugues Malphettes 6ea6844ef9 JWT API - List Roles: fix the path
With vault-1.0.0 and vault-0.11.4 a different path is needed to list the jwt registered roles:

```
$ vault list auth/jwt/roles
No value found at auth/jwt/roles/

$ vault list auth/jwt/role
Keys
----
myrole
```
I hope this helps!
2018-12-13 06:27:30 +08:00