Commit graph

335 commits

Author SHA1 Message Date
Laura Bennett 648a71fa11 updates to the documents 2016-09-27 16:36:20 -04:00
Jeff Mitchell 0ff76e16d2 Transit and audit enhancements 2016-09-21 10:49:26 -04:00
Chris Hoffman 5c241d31e7 Renaming ttl_max -> max_ttl in mssql backend (#1905) 2016-09-20 12:39:02 -04:00
Raja Nadar d8b1ab05dd doc: change invalid otp response code to 400 (#1863)
invalid otp response code is 400 bad request.
2016-09-08 11:13:13 -04:00
Raja Nadar b06167c748 doc: fixing field name to security_token (#1850)
response field is security_token, not secret_token.
2016-09-03 22:40:57 -04:00
Andrew Backhouse 2f35789e71 Update index.html.md (#1819)
Corrected a minor spelling error.
2016-08-31 10:02:43 -04:00
Jeff Mitchell 93b5b2a2c0 Update website with POST STS path 2016-08-30 10:37:55 -04:00
Jeff Mitchell d9c46aadc2 update docs 2016-08-26 17:52:42 -04:00
Jeff Mitchell 2f5876dfe9 Use key derivation for convergent nonce. (#1794)
Use key derivation for convergent nonce.

Fixes #1792
2016-08-26 14:11:03 -04:00
Jeff Mitchell 606ba64e23 Remove context-as-nonce, add docs, and properly support datakey 2016-08-07 15:53:40 -04:00
Jeff Mitchell 21e39bfea6 Remove erroneous information about some endpoints being root-protected 2016-08-04 16:08:54 -04:00
Cameron Stokes 0b60375952 ~secret/aws: env variable and IAM role usage 2016-08-04 13:02:07 -07:00
Jeff Mitchell 1b0c9afc43 Update DB docs with new SQL specification options 2016-08-03 15:45:56 -04:00
Chris Hoffman c1c35880da Missing prefix on roles list 2016-07-29 11:31:26 -04:00
Laura Bennett 559b0a5006 Merge pull request #1635 from hashicorp/mysql-idle-conns
Added maximum idle connections to mysql to close hashicorp/vault#1616
2016-07-20 15:31:37 -04:00
Laura Bennett 422dcc8f25 minor formatting edits 2016-07-20 14:42:52 -04:00
Jeff Mitchell f2b6569b0b Merge pull request #1604 from memory/mysql-displayname-2
concat role name and token displayname to form mysql username
2016-07-20 14:02:17 -04:00
Nathan J. Mehl ea294f1d27 use both role name and token display name to form mysql username 2016-07-20 10:17:00 -07:00
Laura Bennett dba466f50e update documentation for idle connections 2016-07-20 12:50:07 -04:00
Nathan J. Mehl 0483457ad2 respond to feedback from @vishalnayak
- split out usernameLength and displaynameLength truncation values,
  as they are different things

- fetch username and displayname lengths from the role, not from
  the request parameters

- add appropriate defaults for username and displayname lengths
2016-07-20 06:36:51 -07:00
Matt Hurne 11a3cb67d0 mongodb secret backend documentation: Remove verify_connection from example response to GET /mongodb/config/connection; add documentation for GET /mongodb/config/lease 2016-07-19 12:46:54 -04:00
Nathan J. Mehl 314a5ecec0 allow overriding the default truncation length for mysql usernames
see https://github.com/hashicorp/vault/issues/1605
2016-07-12 17:05:43 -07:00
Matt Hurne 8d5a7992c1 mongodb secret backend: Improve and correct errors in documentation; improve "parameter is required" error response messages 2016-07-07 23:09:45 -04:00
Matt Hurne a5f5b26e4b Update mongodb secret backend documentation to indicate that ttl and max_ttl lease config parameters are optional rather than required 2016-07-07 22:34:00 -04:00
Matt Hurne b1dd5bf449 mongodb secret backend documentation: Use single quotes around roles JSON to avoid needing to escape double quotes within the JSON 2016-07-07 22:31:35 -04:00
Matt Hurne cf17deb33b mongodb secret backend: Update documentation 2016-07-05 09:50:23 -04:00
Matt Hurne 292c2fad69 Merge branch 'master' into mongodb-secret-backend 2016-07-01 20:39:13 -04:00
Mark Paluch ab63c938c4 Address review feedback.
Switch ConnectTimeout to framework.TypeDurationSecond  with a default of 5. Remove own parsing code.
2016-07-01 22:26:08 +02:00
Mark Paluch 3859f7938a Support connect_timeout for Cassandra and align timeout.
The cassandra backend now supports a configurable connect timeout. The timeout is configured using the connect_timeout parameter in the session configuration.  Also align the timeout to 5 seconds which is the default for the Python and Java drivers.

Fixes #1538
2016-07-01 21:22:37 +02:00
Matt Hurne 350b69670c Rename mongodb secret backend's 'ttl_max' lease configuration field to 'max_ttl' 2016-06-30 09:57:43 -04:00
Matt Hurne 5e8c912048 Add mongodb secret backend 2016-06-29 08:33:06 -04:00
Jeff Mitchell 07f53eebc2 Update PKI docs with key_usge info 2016-06-23 11:07:17 -04:00
vishalnayak 8b490e44a1 Added list functionality to logical aws backend's roles 2016-06-20 19:51:04 -04:00
Jeff Mitchell 2e7704ea7e Add convergent encryption option to transit.
Fixes #1537
2016-06-20 13:17:48 -04:00
Mark Paluch ea4c58f17b Fix RabbitMQ documentation
Change parameter `uri` to `connection_uri` in code example.
2016-06-19 17:45:30 +02:00
vishalnayak 4a078f8726 RabbitMQ docs++ 2016-06-14 10:22:30 -04:00
Jeff Mitchell 04a03bcb54 Add updated wrapping information 2016-06-14 05:59:50 +00:00
Jeff Mitchell 351f536913 Don't check parsability of a ttl key on write.
On read we already ignore bad values, so we shouldn't be restricting
this on write; doing so alters expected data-in-data-out behavior. In
addition, don't issue a warning if a given `ttl` value can't be parsed,
as this can quickly get annoying if it's on purpose.

The documentation has been updated/clarified to make it clear that this
is optional behavior that doesn't affect the status of the key as POD
and the `lease_duration` returned will otherwise default to the
system/mount defaults.

Fixes #1505
2016-06-08 20:14:36 -04:00
Laura Bennett fc8c73584b url fix 2016-06-08 14:53:33 -04:00
Laura Bennett 08cd10d541 Updates for pki/certs list functionality 2016-06-08 14:37:57 -04:00
Vishal Nayak ab543414f6 Merge pull request #788 from doubledutch/master
RabbitMQ Secret Backend
2016-06-08 10:02:24 -04:00
vishalnayak 315f9c868c Provide option to disable host key checking 2016-06-01 11:08:24 -04:00
vishalnayak 30fa7f304b Allow * to be set for allowed_users 2016-05-30 03:12:43 -04:00
vishalnayak 971b2cb7b7 Do not allow any username to login if allowed_users is not set 2016-05-30 03:01:47 -04:00
Kevin Pike 111ef09a18 Update rabbitmq lease docs 2016-05-20 23:28:41 -07:00
Jeff Mitchell caf77109ba Add cubbyhole wrapping documentation 2016-05-19 13:33:51 -04:00
Jeff Mitchell a13807e759 Merge pull request #1318 from steve-jansen/aws-logical-assume-role
Add sts:AssumeRole support to the AWS secret backend
2016-05-19 12:17:27 -04:00
Sean Chittenden 7a4b31ce51
Speling police 2016-05-15 09:58:36 -07:00
Jeff Mitchell d899f9d411 Don't revoke CA certificates with leases. 2016-05-09 19:53:28 -04:00
Steve Jansen 597d59962c Adds sts:AssumeRole support to the AWS secret backend
Support use cases where you want to provision STS tokens
using Vault, but, you need to call AWS APIs that are blocked
for federated tokens.  For example, STS federated tokens cannot
invoke IAM APIs, such as  Terraform scripts containing
`aws_iam_*` resources.
2016-05-05 23:32:41 -04:00
Sean Chittenden f6bec6e017 Wordsmith the docs around the list command.
Prompted by: feedback from conference attendees at PGConf '16
2016-04-20 18:13:58 -04:00
Kevin Pike 0bea2498a8 Remove example parameters 2016-04-08 09:49:10 -07:00
Kevin Pike a86e5e3cd9 Support verify_connection flag 2016-04-08 09:44:15 -07:00
Kevin Pike fc61a7695b Fix RabbitMQ documentation
PostgreSQL -> RabbitMQ
2016-04-08 09:30:20 -07:00
Kevin Pike 23492e9572 Fix RabbitMQ URLs 2016-04-08 09:29:00 -07:00
Kevin Pike e3db8c999e Merge branch 'master' of github.com:doubledutch/vault 2016-04-08 09:25:28 -07:00
Jeff Mitchell ebfc8c3fb1 Merge pull request #1293 from gliptak/patch-2
Correct typo in base64 parameters
2016-04-05 09:38:00 -04:00
Gábor Lipták ce2dd5d869 Correct typo in base64 parameters 2016-04-05 09:20:43 -04:00
Gábor Lipták a8edba907f Update transit read key output 2016-04-05 09:16:47 -04:00
Jeff Mitchell d72e462686 Merge pull request #1290 from steve-jansen/patch-2
Adds note on GH-1102 fix to secret/aws doc
2016-04-05 08:37:39 -04:00
Steve Jansen d2b3d924ca Adds note on GH-1102 fix to secret/aws doc
Add note related to #1102, which leads to a non-obvious AWS error message on 0.5.0 or earlier.
2016-04-04 21:30:41 -04:00
Steve Jansen 89c7f312e4 Fix typo in iam permission for STS 2016-04-04 21:20:26 -04:00
Vishal Nayak 05b4c7102f Revert "Change mysql connection to match new" 2016-03-23 15:18:09 -04:00
Chris Mague e27bcaf9a4 Change mysql connection to match new
Documentation update to reflect mysql config connection from the old to the newer format
2016-03-23 12:09:06 -07:00
Cem Ezberci 7ad97279d5 Fix a typo 2016-03-19 21:24:17 -07:00
Jeff Mitchell b4a4f211da Some generic docs updates 2016-03-18 09:57:21 -04:00
Jeff Mitchell 4211ed2845 Add exclude_cn_from_sans to PKI docs 2016-03-17 16:58:06 -04:00
Matt Hurne 4ee6b04405 AWS permissions documentation fixes: add missing permissions needed to attach and detach managed policies to IAM users, add missing comma, remove extraneous comma 2016-03-14 09:39:32 -04:00
Vishal Nayak 343e6f1671 Merge pull request #998 from chrishoffman/mssql
Sql Server (mssql) secret backend
2016-03-10 22:30:24 -05:00
Chris Hoffman 8c3539df35 Docs updates 2016-03-10 21:15:25 -05:00
Chris Hoffman 5af33afd90 Adding verify_connection to config, docs updates, misc cleanup 2016-03-09 23:08:05 -05:00
AndrewBrown-JustEat c3a2238037 Minor documentation change 2016-03-09 14:50:23 +00:00
Jeff Mitchell 123d7b71d4 Add a necessary IAM permission to the example 2016-03-08 21:29:34 -05:00
Jeff Mitchell 5c55c34d6b Update cubbyhole text to be more explicit.
Fixes #1165
2016-03-03 10:58:58 -05:00
Chris Hoffman 0b4a8f5b94 Adding mssql secret backend 2016-03-03 09:19:17 -05:00
vishalnayak fd585ecf8a removed datatype and corrected a sentense 2016-03-01 11:21:29 -05:00
vishalnayak 724823b8f7 zeroaddress documentation fix 2016-03-01 10:57:00 -05:00
Jeff Mitchell 8ca847c9b3 Be more explicit about buffer type 2016-02-24 22:05:39 -05:00
Jeff Mitchell 151eaf9ec0 Add documentation for pki/tidy 2016-02-24 21:31:29 -05:00
Matt Hurne f4d8852259 Add note that STS credentials can only be generated for user inline policies in AWS secret backend documentation 2016-02-23 09:06:52 -05:00
vishalnayak c9899a5300 postgres: connection_url fix 2016-02-22 11:22:49 -05:00
Kevin Pike 264c9cc40e Merge branch 'master' into rabbitmq 2016-02-21 14:55:06 -08:00
Kevin Pike c755065415 Add RabbitMQ secret backend 2016-02-21 14:52:57 -08:00
vishalnayak a43bd9131b changelog++ 2016-02-19 16:52:19 -05:00
vishalnayak 38b55bd8b1 Don't deprecate value field yet 2016-02-19 16:07:06 -05:00
vishalnayak 380b662c3d mysql: provide allow_verification option to disable connection_url check 2016-02-19 16:07:05 -05:00
Jeff Mitchell 7fc4ee1ed7 Disallow 1024-bit RSA keys.
Existing certificates are kept but roles with key bits < 2048 will need
to be updated as the signing/issuing functions now enforce this.
2016-02-19 14:33:02 -05:00
Jeff Mitchell 9f4273589f Remove root-protected references from transit docs 2016-02-18 12:45:18 -05:00
Jeff Mitchell 695a822545 Merge pull request #1075 from rajanadar/patch-14
adding full response for intermediate/generate
2016-02-18 10:16:53 -05:00
Jeff Mitchell c431c2204d Merge pull request #1074 from rajanadar/patch-13
added missing fields to read role
2016-02-18 10:16:14 -05:00
Raja Nadar e7d20c0ef3 adding full response for intermediate/generate
1. adding superset of fields in response, so that folks can see all possible response fields.
2. also added the less important "warnings" field
2016-02-14 14:42:37 -08:00
Raja Nadar 2d918196ca added missing fields to read role
added the lease and token type field to the read role response.
2016-02-14 13:00:42 -08:00
Raja Nadar b0d05ebcb3 fixing response fields of /pki/issue
1. added the private_key_type field
2. changed "serial" to "serial_number"
3. added the warnings field
2016-02-14 12:41:43 -08:00
techraf 812736b475 Fixes typo 2016-02-12 22:34:07 +09:00
Jeff Mitchell 159754acf2 Use capabilities to determine upsert-ability in transit. 2016-02-02 10:03:14 -05:00
Jeff Mitchell 5ef8839e48 Revert "Re-add upsert into transit. Defaults to off and a new endpoint /config"
This reverts commit dc27d012c0357f93bfd5bd8d480f3e229166307a.
2016-02-02 09:26:25 -05:00
Jeff Mitchell 1d385b4de3 Re-add upsert into transit. Defaults to off and a new endpoint /config
can be used to turn it on for a given mount.
2016-02-01 20:13:57 -05:00
Jeff Mitchell ca5e4dd955 Merge pull request #980 from rajanadar/patch-8
fixing the return type of verify otp
2016-02-01 14:10:14 -05:00
Jeff Mitchell fc6d23a54e Allow the format to be specified as pem_bundle, which creates a
concatenated PEM file.

Fixes #992
2016-02-01 13:19:41 -05:00
Jeff Mitchell af73d965a4 Cassandra:
* Add ability to change protocol version
* Remove config as a root path, use normal ACLs
* Update docs
2016-02-01 10:27:26 -05:00
Jeff Mitchell 5f178e1927 Update transit docs to no longer claim upsert functionality 2016-01-29 14:43:52 -05:00
Jeff Mitchell 2015118958 Add listing of roles to PKI 2016-01-28 15:18:07 -05:00
Jeff Mitchell 63c6172c17 Add list documentationf for mysql 2016-01-28 15:06:52 -05:00
Jeff Mitchell 62e3ac83f8 Add list support for postgres roles 2016-01-28 14:41:50 -05:00
Jeff Mitchell 904e2b36b6 Update SSH documentation with list 2016-01-28 14:41:43 -05:00
Raja Nadar e4438d9705 fixed the return type of /ssh/lookup api 2016-01-28 01:04:35 -08:00
Raja Nadar b8fa5c6fd4 fix return type of post /ssh/creds
added sample json for both otp and dynamic credentials
2016-01-28 00:56:59 -08:00
Raja Nadar 7aabad7808 better description 2016-01-27 21:58:54 -08:00
Raja Nadar 67da86eeab fixing the return type of verify otp
it seems to be 200 on valid OTP and 204 on invalid OTP. (i think it should be an error.. 400 or 404)
but for the moment, fixing the docs to match the existing behavior.
2016-01-27 20:04:11 -08:00
Jeff Mitchell 1107a068b7 Merge pull request #972 from rajanadar/patch-7
added the delete api details to generic backend
2016-01-26 09:49:06 -05:00
Jeff Mitchell bc04e4eec2 Merge pull request #971 from rajanadar/patch-6
added the delete api details to cubbyhole
2016-01-26 09:48:47 -05:00
Raja Nadar 741c23cb4a added the delete api details to generic backend
documentation was missing this api description
2016-01-25 23:56:33 -08:00
Raja Nadar 64c9eb969d added the delete api details to cubbyhole
cubbyhole delete api details were missing. added them.
2016-01-25 23:47:33 -08:00
Raja Nadar f02aa2c2c0 fixing an incorrect json response field name
changed a read-role api response field from 'revocation_cql' to 'rollback_cql'
didn't verify it using a real cassandra server test, but looked at the source code json schema definition here: 

https://github.com/hashicorp/vault/blob/master/builtin/logical/cassandra/path_roles.go
func pathRoles(b *backend) *framework.Path 

please feel free to discard the PR, if i am looking at the wrong source location or something.
2016-01-25 23:42:20 -08:00
Nicki Watt c57072d39a AWS secret backend - docs when using existing policy 2016-01-26 01:43:14 +00:00
Nicki Watt 35a0d28620 Docs for AWS backend when using an existing policy 2016-01-26 01:39:24 +00:00
Jeff Mitchell 05e337727f Document changes 2016-01-25 14:47:16 -05:00
Jeff Mitchell 7d1d003ba0 Update documentation and use ParseBool for list query param checking 2016-01-22 10:07:32 -05:00
Jeff Mitchell be1b4c8a46 Only allow listing on folders and enforce this. Also remove string sorting from Consul backend as it's not a requirement and other backends don't do it. 2016-01-22 10:07:32 -05:00
Jeff Mitchell 5341cb69cc Updates and documentation 2016-01-22 10:07:32 -05:00
Dmitriy Gromov 4abca91d66 Renamed sts duration to ttl and added STS permissions note. 2016-01-21 14:28:34 -05:00
Dmitriy Gromov 0b5e35c8cd documenting the new aws/sts endpoint 2016-01-21 14:05:10 -05:00
Seth Vargo e40c77ff27 Use HTTPS + www where appropriate 2016-01-14 13:42:47 -05:00
Jeff Mitchell 4f4ddbf017 Create more granular ACL capabilities.
This commit splits ACL policies into more fine-grained capabilities.
This both drastically simplifies the checking code and makes it possible
to support needed workflows that are not possible with the previous
method. It is backwards compatible; policies containing a "policy"
string are simply converted to a set of capabilities matching previous
behavior.

Fixes #724 (and others).
2016-01-08 13:05:14 -05:00
kenjones-cisco 496e9962d0 Fixes mis-placed html tag 2015-12-31 10:37:01 -05:00
kenjones c02013f631 add missing html tag 2015-12-20 14:20:30 -05:00
Jeff Mitchell 8bba9497ac Some copyediting/simplifying of the Consul page 2015-12-18 10:07:40 -05:00
kenjones 0d74de9da4 Update secret backend Consul documentation
Adds information on the steps to get a management token for use by
Vault when communicating with Consul as a secret backend.
2015-12-18 09:44:31 -05:00
Jeff Mitchell 7dca03eb3f Update documentation with Consul backend token_type parameter.
Fixes #854
2015-12-14 20:54:13 -05:00
Jeff Mitchell 448efd56fa Merge branch 'master' into pki-csrs 2015-12-08 10:57:53 -05:00
Jeff Mitchell 902b7b0589 Add a warning about consistency of IAM credentials as a stop-gap.
Ping #687
2015-12-08 10:56:34 -05:00
Jeff Mitchell 4eec9d69e8 Change allowed_base_domain to allowed_domains and allow_base_domain to
allow_bare_domains, for comma-separated multi-domain support.
2015-11-30 23:49:11 -05:00
Jeff Mitchell b6c49ddf01 Remove token display names from input options as there isn't a viable
use-case for it at the moment
2015-11-30 18:07:42 -05:00
Jeff Mitchell d461929c1d Documentation update 2015-11-20 13:13:57 -05:00
Jeff Mitchell 25e359084c Update documentation, some comments, make code cleaner, and make generated roots be revoked when their TTL is up 2015-11-19 17:14:22 -05:00
Jeff Mitchell af3d6ced8e Update validator function for URIs. Change example of entering a CA to a
root cert generation. Other minor documentation updates. Fix private key
output in issue/sign.
2015-11-19 11:35:17 -05:00
Jeff Mitchell 71f9ea8561 Make it clear that generating/setting a CA cert will overwrite what's
there.
2015-11-19 09:51:18 -05:00
Jeff Mitchell a95228e4ee Split root and intermediate functionality into their own sections in the API. Update documentation. Add sign-verbatim endpoint. 2015-11-19 09:51:18 -05:00
Jeff Mitchell c461652b40 Address some feedback from review 2015-11-19 09:51:18 -05:00
Jeff Mitchell ed62afec14 Large documentation updates, remove the pathlength path in favor of
making that a parameter at CA generation/sign time, and allow more
fields to be configured at CSR generation time.
2015-11-19 09:51:18 -05:00
Jeff Mitchell ea676ad4cc Add tests for intermediate signing and CRL, and fix a couple things
Completes extra functionality.
2015-11-19 09:51:17 -05:00
Jeff Mitchell e2d4a5fe0f Documentation update around path/key name encryption.
Make it clear that path/key names in generic are not encrypted.

Fixes #697
2015-10-29 11:21:40 -04:00
Seth Vargo 50f720bc06 Remove tabs from terminal output
This also standardizes on the indentation we use for multi-line commands as
well as prefixes all commands with a $ to indicate a shell.
2015-10-12 12:10:22 -04:00
vishalnayak 644a655920 mysql: made max_open_connections configurable 2015-10-01 21:15:56 -04:00
vishalnayak 2051101c43 postgresql: Configurable max open connections to the database 2015-10-01 20:11:24 -04:00
Colin Rymer e2b157aa79 Remove redundant wording for SSH OTP introduction. 2015-09-30 10:58:44 -04:00
Jeff Mitchell af27a99bb7 Remove JWT for the 0.3 release; it needs a lot of rework. 2015-09-24 16:23:44 -04:00
Dominic Luechinger 89511e6977 Fixes docs for new JWT secret backend 2015-09-24 16:47:17 +02:00
Spencer Herzberg 54c62fe5aa docs: pg username not prefixed with vault-
due to
05fa4a4a48,
vault no longer prefixes the username with `vault-`
2015-09-22 10:14:47 -05:00
Jeff Mitchell a5f52f43b1 Minor doc update to SSH 2015-09-21 16:26:07 -04:00