AWS client object caches are by region. Some AWS API calls don't care
what region's client they use, but the existing getAnyRegionForAwsPartition
scheme was returning a random region, which in turn triggered maintaining many
more client objects than are necessary (e.g. 18 regions in the main AWS
partition). This can be an issue for heavy STS users bumping up against
STS rate limits, since 18 sets of creds are being cached and renewed per
STS role.
* Mark deprecated plugins as deprecated
* Add redaction capability to database plugins
* Add x509 client auth
* Update vendored files
* Add integration test for x509 client auth
* Remove redaction logic pending further discussion
* Update vendored files
* Minor updates from code review
* Updated docs with x509 client auth
* Roles are required
* Disable x509 test because it doesn't work in CircleCI
* Add timeouts for container lifetime
* Fix typos
* Update Oracle DB secrets docs to show support for Static Roles
* Add warning about username case sensitivity
* Remove warning about casing
* Fix typo
Co-Authored-By: Becca Petrin <beccapetrin@gmail.com>
* Seal migration after unsealing
* Refactor migration fields migrationInformation in core
* Perform seal migration as part of postUnseal
* Remove the sleep logic
* Use proper seal in the unseal function
* Fix migration from Auto to Shamir
* Fix the recovery config missing issue
* Address the non-ha migration case
* Fix the multi cluster case
* Avoid re-running seal migration
* Run the post migration code in new leaders
* Fix the issue of wrong recovery being set
* Address review feedback
* Add more complete testing coverage for seal migrations. (#8247)
* Add more complete testing coverage for seal migrations. Also remove VAULT_ACC gate from some tests that just depend on docker, cleanup dangling recovery config in storage after migration, and fix a call in adjustCoreForSealMigration that seems broken.
* Fix the issue of wrong recovery key being set
* Adapt tests to work with multiple cores.
* Add missing line to disable raft join.
Co-authored-by: Vishal Nayak <vishalnayak@users.noreply.github.com>
* Fix all known issues
* Remove warning
* Review feedback.
* Revert my previous change that broke raft tests. We'll need to come back and at least comment
this once we better understand why it's needed.
* Don't allow migration between same types for now
* Disable auto to auto tests for now since it uses migration between same types which is not allowed
* Update vault/core.go
Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>
* Add migration logs
* Address review comments
* Add the recovery config check back
* Skip a few steps if migration is already done
* Return from waitForLeadership if migration fails
Co-authored-by: ncabatoff <nick.cabatoff@gmail.com>
Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
* external_tests: ensure derived cores are stable before proceeding on tests
* testhelpers: add min duration tolerance when checking stability on derived core
* thread backend through requests so that the transit-key model has it on list responses
* add tests for transit-key menu and serializer handling of backend
* remove changes to preview-head
Co-authored-by: Noelle Daley <noelledaley@users.noreply.github.com>
* Core usage metrics v1 (merge to side-branch) (#8238)
* restructure menu layout per designs
* setup new routing that will set the stage for a metrics landing page
* fix formatting
* Revert "fix formatting"
This reverts commit e77cdec5e58cdcea49aa1b97f80238433c4f7d1e.
* fix formatting
* small styling changes
* change request routing to metrics
* rename route js file
* Core usage metrics v2 (#8263)
* restructure menu layout per designs
* setup new routing that will set the stage for a metrics landing page
* fix formatting
* Revert "fix formatting"
This reverts commit e77cdec5e58cdcea49aa1b97f80238433c4f7d1e.
* fix formatting
* small styling changes
* change request routing to metrics
* rename route js file
* setup selectable card component and api request
* add token and http request models to route and template
* add entities to route and template
* clean up
* add breadcrumbs and some clean up work
* remove unused selectable-card component
* refactor to a serializer
* move adapters, serializers, and models into metrics folder
* remove unused file
* address pr comments
* address pr comments
* Core Usage Metrics V3 (#8316)
* restructure menu layout per designs
* setup new routing that will set the stage for a metrics landing page
* fix formatting
* Revert "fix formatting"
This reverts commit e77cdec5e58cdcea49aa1b97f80238433c4f7d1e.
* fix formatting
* small styling changes
* change request routing to metrics
* rename route js file
* setup selectable card component and api request
* add token and http request models to route and template
* add entities to route and template
* clean up
* add breadcrumbs and some clean up work
* remove unused selectable-card component
* setup smaller http request bar chart
* refactor to a serializer
* move adapters, serializers, and models into metrics folder
* remove unused file
* setup change part of component
* fix broken model
* add conditional class
* setting up computed properties in new component
* small fixes
* setup components
* minor fixes
* rename
* clean up
* firefox fix
* remove shadow bars
* move out of metrics folders
* modify permissions to show difference between token entities and requests
* make tests
* fix class names and associated tests
* clean up
* fix text overflow in non-chrome browsers
* address pr comments, specifically class names and tests
* move into one component
* clean up component descriptions in comments
* small wording changes
* fix for accessibility
* address pr comments around component examples for storybook
* fix test
* fix failing test
* fix test
* Adding a new replication metric (WAL GC counter)
Adding a new line about the vault.replication.wal.gc metric
* Update website/pages/docs/internals/telemetry.mdx
Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
* database/influx: fix panic when trying to revoke user
Guard against other nil responses
* return an error if response is nil, which is unlikely but better safe than sorry
* refactor a deeply nested statement into a function
* Add specification about AWS IAM Unique Identifiers
We experienced an issue where IAM role resources were re-provisioned with the same ARNs and no change had been made to our Vault role configuration, but users lost access with `-method=aws`. It wasn't immediately clear to us how IAM Unique Identifiers were being used to avoid the same situations outlined in the AWS documentation. We eventually concluded that re-provisioning the roles in our auth/aws/auth would fetch the new IAM Unique Identifiers.
I hope that this small amendment helps people avoid this problem in the future.