Jeff Mitchell
7fc4ee1ed7
Disallow 1024-bit RSA keys.
Existing certificates are kept but roles with key bits < 2048 will need
to be updated as the signing/issuing functions now enforce this.
2016-02-19 14:33:02 -05:00
Jeff Mitchell
05b5ff69ed
Address some feedback on ldap escaping help text
2016-02-19 13:47:26 -05:00
Jeff Mitchell
c67871c36e
Update LDAP documentation with a note on escaping
2016-02-19 13:16:18 -05:00
Jeff Mitchell
9f4273589f
Remove root-protected references from transit docs
2016-02-18 12:45:18 -05:00
Jeff Mitchell
695a822545
Merge pull request #1075 from rajanadar/patch-14
adding full response for intermediate/generate
2016-02-18 10:16:53 -05:00
Jeff Mitchell
c431c2204d
Merge pull request #1074 from rajanadar/patch-13
added missing fields to read role
2016-02-18 10:16:14 -05:00
Eyal Lupu
dd2c7a6bc8
Update index.html.md
typo in docs
2016-02-15 16:52:43 +00:00
Eyal Lupu
c04b8ab287
Update index.html.md
Documentation: Zookeeper authentication and ACLs
2016-02-15 16:38:14 +00:00
Eyal Lupu
35074dff51
Update index.html.md
Zookeeper authentication and authorization documentation
2016-02-15 16:20:32 +00:00
Raja Nadar
e7d20c0ef3
adding full response for intermediate/generate
1. adding superset of fields in response, so that folks can see all possible response fields.
2. also added the less important "warnings" field
2016-02-14 14:42:37 -08:00
Raja Nadar
2d918196ca
added missing fields to read role
added the lease and token type field to the read role response.
2016-02-14 13:00:42 -08:00
Raja Nadar
b0d05ebcb3
fixing response fields of /pki/issue
1. added the private_key_type field
2. changed "serial" to "serial_number"
3. added the warnings field
2016-02-14 12:41:43 -08:00
Jeff Minard
1985fa3313
Minor spelling fix
2016-02-13 08:41:16 -08:00
techraf
812736b475
Fixes typo
2016-02-12 22:34:07 +09:00
Jeff Mitchell
aaed354aca
Add note about client libraries to 0.5 upgrade page
2016-02-10 12:10:51 -05:00
Jeff Mitchell
69f7aca258
Add change of exit code for status to upgrade page
2016-02-10 08:01:54 -05:00
Vishal Nayak
fff201014d
Merge pull request #1021 from hashicorp/vault-seal-1006
Sealing vault in standby mode
2016-02-03 15:22:16 -05:00
Mukhtar Haji
f27e691c6c
Correct a small typo
2016-02-03 20:08:33 +00:00
vishalnayak
eeea9710b6
Generalized the error message and updated doc
2016-02-03 15:06:18 -05:00
merri-j
3a996e11fd
Add postgresql to bullet list of backends
2016-02-03 14:04:55 -05:00
Jeff Mitchell
159754acf2
Use capabilities to determine upsert-ability in transit.
2016-02-02 10:03:14 -05:00
Jeff Mitchell
5ef8839e48
Revert "Re-add upsert into transit. Defaults to off and a new endpoint /config"
This reverts commit dc27d012c0357f93bfd5bd8d480f3e229166307a.
2016-02-02 09:26:25 -05:00
Jeff Mitchell
6e6382d410
Some rewording based on feedback
2016-02-01 20:24:28 -05:00
Jeff Mitchell
f9bced579b
+list of
2016-02-01 20:17:06 -05:00
Jeff Mitchell
66494faa3f
Add an install/upgrade section. Add general and 0.5 upgrade procedures.
2016-02-01 20:17:06 -05:00
Jeff Mitchell
1d385b4de3
Re-add upsert into transit. Defaults to off and a new endpoint /config
can be used to turn it on for a given mount.
2016-02-01 20:13:57 -05:00
Jeff Mitchell
ca5e4dd955
Merge pull request #980 from rajanadar/patch-8
fixing the return type of verify otp
2016-02-01 14:10:14 -05:00
Jeff Mitchell
fc6d23a54e
Allow the format to be specified as pem_bundle, which creates a
concatenated PEM file.
Fixes #992
2016-02-01 13:19:41 -05:00
Jeff Mitchell
af73d965a4
Cassandra:
* Add ability to change protocol version
* Remove config as a root path, use normal ACLs
* Update docs
2016-02-01 10:27:26 -05:00
Jeff Mitchell
9a21d03689
Update documentation around default_lease_ttl and max_lease_ttl.
Fixes #1004
2016-02-01 09:44:42 -05:00
Jeff Mitchell
d0eb0813b1
Add vault-java-driver to libraries
2016-01-29 21:02:54 -05:00
Jeff Mitchell
df536a8f0a
Fix token backend doc bug
Fixes #990
2016-01-29 21:01:08 -05:00
Devin Christensen
4112809fb5
Make the PostgreSQL backend more performant
2016-01-29 13:47:10 -07:00
Jeff Mitchell
5f178e1927
Update transit docs to no longer claim upsert functionality
2016-01-29 14:43:52 -05:00
Jeff Mitchell
68dc0e2dd3
Merge pull request #945 from quixoten/postgres_physical
Add support for PostgreSQL as a physical backend
2016-01-29 10:35:38 -05:00
Jeff Mitchell
2015118958
Add listing of roles to PKI
2016-01-28 15:18:07 -05:00
Jeff Mitchell
63c6172c17
Add list documentation for mysql
2016-01-28 15:06:52 -05:00
Jeff Mitchell
62e3ac83f8
Add list support for postgres roles
2016-01-28 14:41:50 -05:00
Jeff Mitchell
904e2b36b6
Update SSH documentation with list
2016-01-28 14:41:43 -05:00
Raja Nadar
e4438d9705
fixed the return type of /ssh/lookup api
2016-01-28 01:04:35 -08:00
Raja Nadar
b8fa5c6fd4
fix return type of post /ssh/creds
added sample json for both otp and dynamic credentials
2016-01-28 00:56:59 -08:00
Raja Nadar
7aabad7808
better description
2016-01-27 21:58:54 -08:00
Raja Nadar
67da86eeab
fixing the return type of verify otp
it seems to be 200 on valid OTP and 204 on invalid OTP. (i think it should be an error.. 400 or 404)
but for the moment, fixing the docs to match the existing behavior.
2016-01-27 20:04:11 -08:00
Devin Christensen
737df30939
Improve naming
Hopefully this naming scheme will be more straightforward.
2016-01-27 17:15:48 -07:00
Jeff Mitchell
b7a49922a9
Update etcd sync option to be a string.
Ping #921
2016-01-27 17:15:52 -05:00
Jeff Mitchell
b0bd06f5a4
Merge pull request #921 from faradayio/hosted-etcd-support
Load-balanced etcd support
2016-01-27 17:09:43 -05:00
Hanno Hecker
0db33274b7
discover bind dn with anonymous binds
2016-01-27 17:06:27 +01:00
Hanno Hecker
22c22095d2
samaccountname as login example
2016-01-27 09:25:05 +01:00
Hanno Hecker
c6acb340a8
docs for binddn/bindpass
2016-01-27 07:51:10 +01:00
Jeff Mitchell
1107a068b7
Merge pull request #972 from rajanadar/patch-7
added the delete api details to generic backend
2016-01-26 09:49:06 -05:00
Jeff Mitchell
bc04e4eec2
Merge pull request #971 from rajanadar/patch-6
added the delete api details to cubbyhole
2016-01-26 09:48:47 -05:00
Jeff Mitchell
92d42aa6c7
Merge pull request #969 from rajanadar/patch-4
fixing the description of the /lookup/<token> api
2016-01-26 09:48:22 -05:00
Raja Nadar
741c23cb4a
added the delete api details to generic backend
documentation was missing this api description
2016-01-25 23:56:33 -08:00
Raja Nadar
64c9eb969d
added the delete api details to cubbyhole
cubbyhole delete api details were missing. added them.
2016-01-25 23:47:33 -08:00
Raja Nadar
f02aa2c2c0
fixing an incorrect json response field name
changed a read-role api response field from 'revocation_cql' to 'rollback_cql'
didn't verify it using a real cassandra server test, but looked at the source code json schema definition here:
https://github.com/hashicorp/vault/blob/master/builtin/logical/cassandra/path_roles.go
func pathRoles(b *backend) *framework.Path
please feel free to discard the PR, if i am looking at the wrong source location or something.
2016-01-25 23:42:20 -08:00
Raja Nadar
cf9b3c7c66
fixing the description of the /lookup/<token> api
2016-01-25 23:26:29 -08:00
Nicki Watt
c57072d39a
AWS secret backend - docs when using existing policy
2016-01-26 01:43:14 +00:00
Nicki Watt
35a0d28620
Docs for AWS backend when using an existing policy
2016-01-26 01:39:24 +00:00
Devin Christensen
93c64375e9
Merge 'upstream/master' into postgres_physical
2016-01-25 13:43:16 -07:00
Jeff Mitchell
05e337727f
Document changes
2016-01-25 14:47:16 -05:00
Jeff Mitchell
abd9fe1b73
Merge pull request #961 from rajanadar/patch-3
fixed login link,request params,add json response
2016-01-23 14:45:27 -05:00
Raja Nadar
d3434f8f03
clarify default mountpoint
2016-01-23 11:02:00 -08:00
Devin Christensen
9d776351a3
Merge 'upstream/master' into postgres_physical
2016-01-22 20:56:07 -07:00
Raja Nadar
9b82736b9a
fixed login link,request params,add json response
1. fix login link
2. added personal access token to request message
3. added a sample json response
2016-01-22 17:38:32 -08:00
Raja Nadar
b0f33d4d19
mention that this is an unauthenticated endpoint
2016-01-22 17:10:16 -08:00
Raja Nadar
dac5997e14
update sys-init.html.md
change response field from 'initialize' to 'initialized'
2016-01-22 16:45:59 -08:00
Devin Christensen
c226b0be7d
Update naming and pull DDL for upsert back out
2016-01-22 17:15:10 -07:00
Devin Christensen
32b712ddb1
Move the upsert definition back into the code
2016-01-22 09:47:02 -07:00
Devin Christensen
bfbdc72e03
Remove options for column configuration
2016-01-22 08:41:31 -07:00
Jeff Mitchell
7b2407093b
0.7 -> 1.0
2016-01-22 10:07:32 -05:00
Jeff Mitchell
3955604d3e
Address more list feedback
2016-01-22 10:07:32 -05:00
Jeff Mitchell
7d1d003ba0
Update documentation and use ParseBool for list query param checking
2016-01-22 10:07:32 -05:00
Jeff Mitchell
be1b4c8a46
Only allow listing on folders and enforce this. Also remove string sorting from Consul backend as it's not a requirement and other backends don't do it.
2016-01-22 10:07:32 -05:00
Jeff Mitchell
5341cb69cc
Updates and documentation
2016-01-22 10:07:32 -05:00
Jeff Mitchell
d621d7ebe7
Add C# library and do some reorg on the library page
2016-01-22 10:03:02 -05:00
Devin Christensen
512b1ddf6c
Merge 'upstream/master' into postgres_physical
2016-01-21 13:04:27 -07:00
Dmitriy Gromov
4abca91d66
Renamed sts duration to ttl and added STS permissions note.
2016-01-21 14:28:34 -05:00
Dmitriy Gromov
0b5e35c8cd
documenting the new aws/sts endpoint
2016-01-21 14:05:10 -05:00
Devin Christensen
06641570c7
Remove DDL statements from the code
2016-01-20 18:52:49 -07:00
Devin Christensen
fc94487f55
Add support for PostgreSQL as a physical backend
2016-01-19 17:00:09 -07:00
Jeff Mitchell
973c888833
RootGeneration->GenerateRoot
2016-01-19 18:28:10 -05:00
Jeff Mitchell
3b994dbc7f
Add the ability to generate root tokens via unseal keys.
2016-01-19 18:28:10 -05:00
Jorge Ferreira
306c63b1be
/encryption key/master key/
2016-01-19 15:42:50 +00:00
Jeff Mitchell
1001566a26
Keep ordering consistent in config doc, and put HA backends first
2016-01-14 13:55:53 -05:00
Seth Vargo
e40c77ff27
Use HTTPS + www where appropriate
2016-01-14 13:42:47 -05:00
Jeff Mitchell
d949043cac
Merge pull request #914 from hashicorp/acl-rework
More granular ACL capabilities
2016-01-12 21:11:52 -05:00
Ziyi, LIU
5204da4edd
Fix typo
Change "...implements is own login endpoint..." to "...implements its own login endpoint..."
2016-01-12 22:22:13 +08:00
Jeff Mitchell
e815db8756
Update audit sys docs
2016-01-11 19:08:23 -05:00
Eric Kidd
69434fd13e
etcd: Allow disabling sync for load balanced etcd
Some etcd configurations (such as that provided by compose.io) place the
etcd cluster behind multiple load balancers or proxies. In this
configuration, calling Sync (or AutoSync) on the etcd client will
replace the load balancer addresses with the underlying etcd server
address.
This will cause the etcd client to bypass the load balancers, and may
cause the connection to fail completely if the etcd servers are
protected by a firewall.
This patch provides a "sync" option for the etcd backend, which defaults
to the current behavior, but which can be used to turn off sync.
This corresponds to etcdctl's --no-sync option.
2016-01-11 13:56:58 -05:00
Eric Kidd
ebabcd857a
etcd: Document existing username and password options
These options were present in the source code, but not in the
documentation. They're needed to connect to some hosted etcd services.
2016-01-11 11:30:51 -05:00
Jeff Mitchell
4f4ddbf017
Create more granular ACL capabilities.
This commit splits ACL policies into more fine-grained capabilities.
This both drastically simplifies the checking code and makes it possible
to support needed workflows that are not possible with the previous
method. It is backwards compatible; policies containing a "policy"
string are simply converted to a set of capabilities matching previous
behavior.
Fixes #724 (and others).
2016-01-08 13:05:14 -05:00
Paul Seiffert
3a0ea3bcaa
Add documentation for the DynamoDB backend
2016-01-08 17:34:31 +01:00
Jeff Mitchell
a094eedce2
Add rekey nonce/backup.
2016-01-06 09:54:35 -05:00
Jeff Mitchell
d4bc51751e
Fix typo in docs
2016-01-05 11:45:23 -05:00
Jeff Mitchell
e54edd54ac
Update documentation with policy fetching information.
2016-01-05 11:26:19 -05:00
kenjones-cisco
496e9962d0
Fixes mis-placed html tag
2015-12-31 10:37:01 -05:00
Jeff Mitchell
a7a02b3043
Cert documentation fix.
Fixes #899
2015-12-30 16:44:24 -05:00
Jeff Mitchell
6cdb8aeb4f
Merge branch 'master' into f-disable-tls
2015-12-29 12:59:02 -05:00
Jeff Mitchell
41d6e0e085
Merge pull request #882 from hashicorp/clarify-physical-support
Clarify stance on physical backend support
2015-12-29 11:40:23 -06:00
bashtoni
8248d15a5b
Doc grammar fix
2015-12-22 21:27:08 +00:00
Jeff Mitchell
dca0e72f10
Clarify stance on physical backend support
2015-12-22 10:50:31 -05:00
kenjones
c02013f631
add missing html tag
2015-12-20 14:20:30 -05:00
Jeff Mitchell
8bba9497ac
Some copyediting/simplifying of the Consul page
2015-12-18 10:07:40 -05:00
kenjones
0d74de9da4
Update secret backend Consul documentation
Adds information on the steps to get a management token for use by
Vault when communicating with Consul as a secret backend.
2015-12-18 09:44:31 -05:00
Jeff Mitchell
1261791e6f
Update etcd config docs with new options in 0.4.
Ping #780
2015-12-17 10:34:41 -05:00
Terry Corley
d6884b85e1
Change API endpoint path for app-id
The /login path was confusing because it's not relative and not consistent with other documentation. Other documentation (e.g., username and password at https://www.vaultproject.io/docs/auth/userpass.html ) uses a relative path.
2015-12-15 12:45:04 -06:00
Jeff Mitchell
db7a2083bf
Allow setting the advertise address via an environment variable.
Fixes #581
2015-12-14 21:22:55 -05:00
Jeff Mitchell
ff9745bb00
Update Changelog and documentation with separate-HA-backend info.
2015-12-14 21:04:58 -05:00
Jeff Mitchell
7dca03eb3f
Update documentation with Consul backend token_type
parameter.
Fixes #854
2015-12-14 20:54:13 -05:00
Johan Haals
fce85c12e2
Add vault-java to libraries
vault-java implements the basic HTTP API, more endpoints are in the
pipeline
2015-12-14 19:04:05 +01:00
Jeff Mitchell
e25b3ad344
Update documentation to be consistent with return codes
Fixes #831
2015-12-10 10:26:40 -05:00
Jeff Mitchell
448efd56fa
Merge branch 'master' into pki-csrs
2015-12-08 10:57:53 -05:00
Jeff Mitchell
902b7b0589
Add a warning about consistency of IAM credentials as a stop-gap.
Ping #687
2015-12-08 10:56:34 -05:00
Jeff Mitchell
eee8386ea9
Add info about cert backend not checking CRL revocation.
2015-12-05 15:12:43 -05:00
Jeff Mitchell
bf0909a892
Tab -> space doc fix
2015-12-05 15:04:54 -05:00
Jeff Mitchell
1dbfcc3b45
Merge branch 'master' into pki-csrs
2015-12-03 15:23:08 -05:00
Jeff Mitchell
3bdbd66f7d
Remove datacenter from Consul configuration, as it cannot actually do
anything
Fixes #816
2015-12-03 15:16:37 -05:00
Jeff Mitchell
4eec9d69e8
Change allowed_base_domain to allowed_domains and allow_base_domain to
allow_bare_domains, for comma-separated multi-domain support.
2015-11-30 23:49:11 -05:00
Jeff Mitchell
b6c49ddf01
Remove token display names from input options as there isn't a viable
use-case for it at the moment
2015-11-30 18:07:42 -05:00
Armon Dadgar
60ad2e0bbd
website: updating documentation
2015-11-25 12:23:56 -08:00
Jeff Mitchell
d461929c1d
Documentation update
2015-11-20 13:13:57 -05:00
Jeff Mitchell
22a6d6fa22
Merge branch 'master' into pki-csrs
2015-11-20 12:48:38 -05:00
Jeff Mitchell
25e359084c
Update documentation, some comments, make code cleaner, and make generated roots be revoked when their TTL is up
2015-11-19 17:14:22 -05:00
Jeff Mitchell
af3d6ced8e
Update validator function for URIs. Change example of entering a CA to a
root cert generation. Other minor documentation updates. Fix private key
output in issue/sign.
2015-11-19 11:35:17 -05:00
Jeff Mitchell
71f9ea8561
Make it clear that generating/setting a CA cert will overwrite what's
there.
2015-11-19 09:51:18 -05:00
Jeff Mitchell
a95228e4ee
Split root and intermediate functionality into their own sections in the API. Update documentation. Add sign-verbatim endpoint.
2015-11-19 09:51:18 -05:00
Jeff Mitchell
c461652b40
Address some feedback from review
2015-11-19 09:51:18 -05:00
Jeff Mitchell
ed62afec14
Large documentation updates, remove the pathlength path in favor of
making that a parameter at CA generation/sign time, and allow more
fields to be configured at CSR generation time.
2015-11-19 09:51:18 -05:00
Jeff Mitchell
ea676ad4cc
Add tests for intermediate signing and CRL, and fix a couple things
Completes extra functionality.
2015-11-19 09:51:17 -05:00
Jeff Mitchell
1c7157e632
Reintroduce the ability to look up obfuscated values in the audit log
with a new endpoint '/sys/audit-hash', which returns the given input
string hashed with the given audit backend's hash function and salt
(currently, always HMAC-SHA256 and a backend-specific salt).
In the process of adding the HTTP handler, this also removes the custom
HTTP handlers for the other audit endpoints, which were simply
forwarding to the logical system backend. This means that the various
audit functions will now redirect correctly from a standby to master.
(Tests all pass.)
Fixes #784
2015-11-18 20:26:03 -05:00
Jeff Mitchell
45e7e61d71
Update audit documentation around what hash is used
2015-11-18 10:42:42 -05:00
Jeff Mitchell
1a45696208
Add no-default-policy flag and API parameter to allow exclusion of the
default policy from a token create command.
2015-11-09 17:30:50 -05:00
Jeff Mitchell
10913e2e6b
Update cert documentation to note requiring sudo access.
2015-11-06 16:09:42 -05:00
Jeff Mitchell
ffa879d6e2
Update S3 docs
2015-11-06 09:26:09 -05:00
Jeff Mitchell
08dbc70c9f
Switch etcd default port to 2379, in line with 2.x.
Fixes #753
2015-11-05 09:47:50 -05:00
Sander van Harmelen
4ad533a5ba
Add a line to the documentation to describe the new feature
2015-11-04 15:36:24 +01:00
Jeff Mitchell
a4322afedb
Merge pull request #746 from hashicorp/issue-677
Add a PermitPool to physical and consul/inmem
2015-11-03 15:26:58 -05:00
Jeff Mitchell
7f44a1b812
Add configuration parameter for max parallel connections to Consul
2015-11-03 15:26:07 -05:00
Jeff Mitchell
73e3aa1d64
Add create-orphan to documentation
2015-11-03 15:15:33 -05:00
Jeff Mitchell
d3f7546602
Fix trailing whitespace complaints
2015-11-03 10:52:20 -05:00
Jeff Mitchell
f0a25ed581
Clarify that CRLs are not fetched by Vault
2015-11-03 10:52:20 -05:00
Jeff Mitchell
154fc24777
Address first round of feedback from review
2015-11-03 10:52:20 -05:00
Jeff Mitchell
59cc61cc79
Add documentation for CRLs and some minor cleanup.
2015-11-03 10:52:20 -05:00
Jeff Mitchell
e2d4a5fe0f
Documentation update around path/key name encryption.
Make it clear that path/key names in generic are not encrypted.
Fixes #697
2015-10-29 11:21:40 -04:00
Jeff Mitchell
c1d8b97342
Add reset support to the unseal command.
Reset clears the provided unseal keys, allowing the process to be begun
again. Includes documentation and unit test changes.
Fixes #695
2015-10-28 15:59:39 -04:00
Jeff Mitchell
57290b6d92
Minor format fix in environment documentation
2015-10-28 09:56:28 -04:00
Jason Antman
c7ff26b650
add documentation for GitHub Auth Backend 'ttl' and 'max_ttl' parameters
2015-10-23 09:30:48 -04:00
Jason Antman
b27e80d090
add GitHub Enterprise base_url to docs
In https://github.com/hashicorp/vault/issues/716 @jefferai confirmed that the GitHub Auth Backend supports GitHub enterprise using an undocumented ``base_url`` parameter. This adds that parameter to the relevant documentation page.
2015-10-23 09:18:07 -04:00
Jeff Mitchell
0168ce491b
Update token documentation to better explain token durations
2015-10-22 13:02:37 -04:00
Jeff Mitchell
189b72c3ba
Document the renew-self call
2015-10-21 10:53:20 -04:00