Commit Graph

8494 Commits

Author SHA1 Message Date
Jeff Mitchell 441eec9ce5 changelog++ 2018-06-19 23:02:41 -04:00
Calvin Leung Huang ac4be8d44d Do not fail login if no policies are mapped to the user or group (#4798)
* Do not fail login if no policies are mapped to the user or group

* Remove debug line

* Remove restriction in radius
2018-06-19 23:00:22 -04:00
Jeff Mitchell f4a2641246 changelog++ 2018-06-19 22:58:03 -04:00
Becca Petrin 73cbbe2a9f Add bound cidrs to tokens in AppRole (#4680) 2018-06-19 22:57:11 -04:00
Chris Hoffman cfc7d4c6c2
changelog++ 2018-06-19 20:59:44 -04:00
Chris Hoffman 52f9f7412c
correct delete path for tidy operations (#4799) 2018-06-19 20:58:12 -04:00
Becca Petrin d9ac83569b
clarify aws role tag doc (#4797) 2018-06-19 15:59:57 -07:00
Vishal Nayak b10c2a87fa Refactor and rewrite the test (#4796) 2018-06-19 16:59:03 -04:00
Jeff Mitchell 50a65d1b51 changelog++ 2018-06-19 12:58:44 -04:00
Vishal Nayak 0d8f424ab4
disallow token use if entity is invalid (#4791) 2018-06-19 12:57:19 -04:00
Jeff Mitchell 961d24d89a Update ad plugin 2018-06-19 12:16:20 -04:00
Becca Petrin 71977637d4
Update Active Directory secret engine docs (#4788)
* active directory rotate root docs

* update doc
2018-06-19 09:11:46 -07:00
Calvin Leung Huang 418513bbd9 Be explicit about trailing slash on paths for list capability (#4793) 2018-06-19 12:10:39 -04:00
Jeff Mitchell d37f75efd8 changelog++ 2018-06-19 12:09:57 -04:00
Jeff Mitchell cffb1183a8
Database updates (#4787)
* Database updates

* Add create/update distinction for connection config
* Add create/update distinction for role config
* Add db name and revocation statements to leases to give revocation a
shot at working if the role has been deleted

Fixes #3544
Fixes #4782

* Add create/update info to docs
2018-06-19 11:24:28 -04:00
Ryan Loomba c558fc5f3d fix typo in Vault Encryption as a Service Guide (#4789) 2018-06-18 17:32:43 -07:00
Laura Uva 4cae4abbab Add example of min_wrapping_ttl and max_wrapping_ttl (#4753) 2018-06-18 19:59:21 -04:00
Jeff Mitchell bef7db5711 Bump Kube auth dep 2018-06-18 12:24:41 -04:00
Jeff Mitchell fccf7204b8 Bump plugins and changelog 2018-06-18 11:54:23 -04:00
vishalnayak 67783875fc changelog++ 2018-06-18 09:31:40 -04:00
Vishal Nayak 69eff9c354
return 404 when role does exist on update operations (#4778) 2018-06-18 09:29:05 -04:00
Jeff Mitchell 13d4a21dd9 changelog++ 2018-06-16 18:23:10 -04:00
Jeff Mitchell e52b554c0b
Add an idle timeout for the server (#4760)
* Add an idle timeout for the server

Because tidy operations can be long-running, this also changes all tidy
operations to behave the same operationally (kick off the process, get a
warning back, log errors to server log) and makes them all run in a
goroutine.

This could mean a sort of hard stop if Vault gets sealed because the
function won't have the read lock. This should generally be okay
(running tidy again should pick back up where it left off), but future
work could use cleanup funcs to trigger the functions to stop.

* Fix up tidy test

* Add deadline to cluster connections and an idle timeout to the cluster server, plus add readheader/read timeout to api server
2018-06-16 18:21:33 -04:00
Mike Fortuno dc568f1376 Update policies.html.md (#4780)
Policy file name was incorrect, causing instructions to be unclear.
2018-06-15 15:49:09 -07:00
Mr Talbot 5551a63221 pki: add ext_key_usage to mirror key_usage and add to sign-verbatim (#4777)
* pki: add ext_key_usage parameter to role

* pki: add key_usage and ext_key_usage parameter to sign-verbatim

* pki: cleanup code as per comments
2018-06-15 18:20:43 -04:00
Jeff Mitchell 762f08eac2 Mention delegating change password privs in ad docs 2018-06-15 17:01:47 -04:00
Jeff Mitchell 164c7225f1 Remove msa info from AD page 2018-06-15 16:55:28 -04:00
Jeff Mitchell 3fc71999c6 changelog++ 2018-06-15 15:35:43 -04:00
Jeff Mitchell ebe3f09f82
Add `kv rollback` (#4774)
* Add `kv rollback`

Like `kv patch` this is more of a helper than anything else; it provides
a single command to fetch the current version (for CAS), read the
version you want to roll back to, and set it as the new version (using
CAS for safety).
2018-06-15 15:34:17 -04:00
Jeff Mitchell f82404022a changelog++ 2018-06-15 15:33:45 -04:00
Jeff Mitchell 91ca3d4b7f
Add URI SANs (#4767) 2018-06-15 15:32:25 -04:00
Jeff Mitchell 734b46ea5b
Add a hidden combine-logs flag (#4766)
This can be used when errors are happening early on to avoid them being
swallowed by logGate.

This also does a bit of cleanup of format env var checking --
helper/logging internally looks for this so it was totally unnecessary
since moving to hclog.
2018-06-15 14:47:37 -04:00
Matthew Irish 96277531eb
UI - auth method edit (#4770)
* add configuration tab for ldap, okta, radius auth methods
* add tests to assert that configuration tabs show on supported auth methods
2018-06-15 12:53:21 -05:00
Becca Petrin e285915915
update go-ldap (#4776) 2018-06-15 10:13:57 -07:00
Nándor István Krácser d4303bc53e docs: kv 2 is used by default in the dev server only (#4773) 2018-06-15 09:09:27 -04:00
Wim 3e1930e7c3 Use %q in error output for better visibility (#4771) 2018-06-14 18:19:22 -04:00
madalynrose 090e19beb4
Update CHANGELOG.md 2018-06-14 15:07:26 -04:00
madalynrose 9fb8be5a72
Masked input (#4759)
* create masked-input component
2018-06-14 14:52:00 -04:00
Jeff Mitchell 75eb0f862e
Revert some of commit 050ab805a7565c5b0cadb0176023031ee5f0d17b. (#4768)
If we have a panic defer functions are run but unlocks aren't. Since we
can't really trust plugins and storage, this backs out the changes for
those parts of the request path.
2018-06-14 13:44:13 -04:00
Jeff Mitchell 43d9ae5c0a
Update index.html.md
Fixes #4763
2018-06-14 10:19:38 -04:00
Jeff Mitchell d054d76bbb changelog++ 2018-06-14 09:55:54 -04:00
Michael Russell 063221b44a Allow vault ssh to accept ssh commands in any ssh compatible format (#4710)
* Allow vault ssh to accept ssh commands in any ssh compatible format

Previously vault ssh required ssh commands to be in the format
`username@hostname <flags> command`. While this works just fine for human
users this breaks a lot of automation workflows and is not compatible
with the options that the ssh client supports.

Motivation

We currently run ansible which uses vault ssh to connect to hosts.
Ansible generates ssh commands with the format `ssh <flags> -o User=username hostname
command`. While this is a valid ssh command it currently breaks with
vault because vault expects the format to be `username@hostname`. To work
around this we currently use a wrapper script to parse the correct username being set
by ansible and translate this into a vault ssh compatible `username@hostname` format

Changes

* You can now specify arguments in any order that ssh client allows. All
arguments are passed directly to the ssh command and the format isn't
modified in any way.
* The username and port are parsed from the specified ssh command. It
will accept all of the options supported by the ssh command and also
will properly prefer `-p` and `user@` if both options are specified.
* The ssh port is only added from the vault credentials if it hasn't
been specified on the command line
2018-06-14 09:54:48 -04:00
Jeff Mitchell ed6529e4ea changelog++ 2018-06-14 09:53:57 -04:00
Jeff Mitchell 61c26c6505 changelog++ 2018-06-14 09:52:17 -04:00
Jeff Mitchell 5d44c54947
Changes the way policies are reported in audit logs (#4747)
* This changes the way policies are reported in audit logs.

Previously, only policies tied to tokens would be reported. This could
make it difficult to perform after-the-fact analysis based on both the
initial response entry and further requests. Now, the full set of
applicable policies from both the token and any derived policies from
Identity are reported.

To keep things consistent, token authentications now also return the
full set of policies in api.Secret.Auth responses, so this both makes it
easier for users to understand their actual full set, and it matches
what the audit logs now report.
2018-06-14 09:49:33 -04:00
Jeff Mitchell 0c2d2226c4
Remove a lot of deferred functions in the request path. (#4733)
* Remove a lot of deferred functions in the request path.

There is an interesting benchmark at https://www.reddit.com/r/golang/comments/3h21nk/simple_micro_benchmark_to_measure_the_overhead_of/

It shows that defer actually adds quite a lot of overhead -- maybe 100ns
per call but we defer a *lot* of functions in the request path. So this
removes some of the ones in request handling, ha, barrier, router, and
physical cache.

One meta-note: nearly every metrics function is in a defer which means
every metrics call we add could add a non-trivial amount of time, e.g.
for every 10 extra metrics statements we add 1ms to a request. I don't
know how to solve this right now without doing what I did in some of
these cases and putting that call into a simple function call that then
goes before each return.

* Simplify barrier defer cleanup
2018-06-14 09:49:10 -04:00
Matthew Irish be6827feaa Skip flakey UI test (#4762)
* skip flakey ui test

* only show failures in JS test output
2018-06-14 09:43:38 -04:00
Matthew Irish 4d29d70b98
UI - upgrading generic secret engines to v2 format (#4750)
* remove dev-leased-kv flag, handle non-secret responses in the console

* skip lease tests for now

* use the newer collection api for ember-page-object

* include generic in types that can have a v2

* add tests for generic v2

* isolate kv v2 logic in the secret-engine model and add unit tests
2018-06-13 23:06:19 -05:00
Laura Uva 44e874e06f Update kv v2 documentation to better warn and elaborate on changes needed when upgrading a mount from version 1 to version 2 (customer request) (#4754) 2018-06-13 16:44:15 -07:00
Brian Kassouf 1b77db5138
Update replication status (#4761)
* Update replication-performance.html.md

* Update replication-dr.html.md

* Update replication.html.md

* Update replication-dr.html.md

* Update replication-dr.html.md

* Update replication-performance.html.md

* Update replication.html.md
2018-06-13 16:43:39 -07:00