Commit graph

8319 commits

Author SHA1 Message Date
Jeff Mitchell 762f08eac2 Mention delegating change password privs in ad docs 2018-06-15 17:01:47 -04:00
Jeff Mitchell 164c7225f1 Remove msa info from AD page 2018-06-15 16:55:28 -04:00
Jeff Mitchell 3fc71999c6 changelog++ 2018-06-15 15:35:43 -04:00
Jeff Mitchell ebe3f09f82
Add kv rollback (#4774)
* Add `kv rollback`

Like `kv patch` this is more of a helper than anything else; it provides
a single command to fetch the current version (for CAS), read the
version you want to roll back to, and set it as the new version (using
CAS for safety).
2018-06-15 15:34:17 -04:00
Jeff Mitchell f82404022a changelog++ 2018-06-15 15:33:45 -04:00
Jeff Mitchell 91ca3d4b7f
Add URI SANs (#4767) 2018-06-15 15:32:25 -04:00
Jeff Mitchell 734b46ea5b
Add a hidden combine-logs flag (#4766)
This can be used when errors are happening early on to avoid them being
swallowed by logGate.

This also does a bit of cleanup of format env var checking --
helper/logging internally looks for this so it was totally unnecessary
since moving to hclog.
2018-06-15 14:47:37 -04:00
Matthew Irish 96277531eb
UI - auth method edit (#4770)
* add configuration tab for ldap, okta, radius auth methods
* add tests to assert that configuration tabs show on supported auth methods
2018-06-15 12:53:21 -05:00
Becca Petrin e285915915
update go-ldap (#4776) 2018-06-15 10:13:57 -07:00
Nándor István Krácser d4303bc53e docs: kv 2 is used by default in the dev server only (#4773) 2018-06-15 09:09:27 -04:00
Wim 3e1930e7c3 Use %q in error output for better visibility (#4771) 2018-06-14 18:19:22 -04:00
madalynrose 090e19beb4
Update CHANGELOG.md 2018-06-14 15:07:26 -04:00
madalynrose 9fb8be5a72
Masked input (#4759)
* create masked-input component
2018-06-14 14:52:00 -04:00
Jeff Mitchell 75eb0f862e
Revert some of commit 050ab805a7565c5b0cadb0176023031ee5f0d17b. (#4768)
If we have a panic defer functions are run but unlocks aren't. Since we
can't really trust plugins and storage, this backs out the changes for
those parts of the request path.
2018-06-14 13:44:13 -04:00
Jeff Mitchell 43d9ae5c0a
Update index.html.md
Fixes #4763
2018-06-14 10:19:38 -04:00
Jeff Mitchell d054d76bbb changelog++ 2018-06-14 09:55:54 -04:00
Michael Russell 063221b44a Allow vault ssh to accept ssh commands in any ssh compatible format (#4710)
* Allow vault ssh to accept ssh commands in any ssh compatible format

Previously vault ssh required ssh commands to be in the format
`username@hostname <flags> command`. While this works just fine for human
users this breaks a lot of automation workflows and is not compatible
with the options that the ssh client supports.

Motivation

We currently run ansible which uses vault ssh to connect to hosts.
Ansible generates ssh commands with the format `ssh <flags> -o User=username hostname
command`. While this is a valid ssh command it currently breaks with
vault because vault expects the format to be `username@hostname`. To work
around this we currently use a wrapper script to parse the correct username being set
by ansible and translate this into a vault ssh compatible `username@hostname` format

Changes

* You can now specify arguments in any order that ssh client allows. All
arguments are passed directly to the ssh command and the format isn't
modified in any way.
* The username and port are parsed from the specified ssh command. It
will accept all of the options supported by the ssh command and also
will properly prefer `-p` and `user@` if both options are specified.
* The ssh port is only added from the vault credentials if it hasn't
been specified on the command line
2018-06-14 09:54:48 -04:00
Jeff Mitchell ed6529e4ea changelog++ 2018-06-14 09:53:57 -04:00
Jeff Mitchell 61c26c6505 changelog++ 2018-06-14 09:52:17 -04:00
Jeff Mitchell 5d44c54947
Changes the way policies are reported in audit logs (#4747)
* This changes the way policies are reported in audit logs.

Previously, only policies tied to tokens would be reported. This could
make it difficult to perform after-the-fact analysis based on both the
initial response entry and further requests. Now, the full set of
applicable policies from both the token and any derived policies from
Identity are reported.

To keep things consistent, token authentications now also return the
full set of policies in api.Secret.Auth responses, so this both makes it
easier for users to understand their actual full set, and it matches
what the audit logs now report.
2018-06-14 09:49:33 -04:00
Jeff Mitchell 0c2d2226c4
Remove a lot of deferred functions in the request path. (#4733)
* Remove a lot of deferred functions in the request path.

There is an interesting benchmark at https://www.reddit.com/r/golang/comments/3h21nk/simple_micro_benchmark_to_measure_the_overhead_of/

It shows that defer actually adds quite a lot of overhead -- maybe 100ns
per call but we defer a *lot* of functions in the request path. So this
removes some of the ones in request handling, ha, barrier, router, and
physical cache.

One meta-note: nearly every metrics function is in a defer which means
every metrics call we add could add a non-trivial amount of time, e.g.
for every 10 extra metrics statements we add 1ms to a request. I don't
know how to solve this right now without doing what I did in some of
these cases and putting that call into a simple function call that then
goes before each return.

* Simplify barrier defer cleanup
2018-06-14 09:49:10 -04:00
Matthew Irish be6827feaa Skip flakey UI test (#4762)
* skip flakey ui test

* only show failures in JS test output
2018-06-14 09:43:38 -04:00
Matthew Irish 4d29d70b98
UI - upgrading generic secret engines to v2 format (#4750)
* remove dev-leased-kv flag, handle non-secret responses in the console

* skip lease tests for now

* use the newer collection api for ember-page-object

* include generic in types that can have a v2

* add tests for generic v2

* isolate kv v2 logic in the secret-engine model and add unit tests
2018-06-13 23:06:19 -05:00
Laura Uva 44e874e06f Update kv v2 documentation to better warn and elaborate on changes needed when upgrading a mount from version 1 to version 2 (customer request) (#4754) 2018-06-13 16:44:15 -07:00
Brian Kassouf 1b77db5138
Update replication status (#4761)
* Update replication-performance.html.md

* Update replication-dr.html.md

* Update replication.html.md

* Update replication-dr.html.md

* Update replication-dr.html.md

* Update replication-performance.html.md

* Update replication.html.md
2018-06-13 16:43:39 -07:00
Becca Petrin aa390e0e7e
add link to api docs (#4757) 2018-06-13 09:35:37 -07:00
Yoko 7df8b15451
Vault guides example update (#4756)
* Typos in the sample payload JSON

* AWS support files were added

* yet another typo
2018-06-13 09:34:07 -07:00
Jeff Mitchell 507cbd1550 changelog++ 2018-06-13 11:47:58 -04:00
Matthew Irish 924d1b4ddc
UI - code cleanup (#4699)
* use lazyCapabilities macro in models

* use expandAttributeMeta and fieldToAttrs everywhere

* add angle bracket component polyfill

* use PageHeader component throughout
2018-06-12 16:06:37 -05:00
Calvin Leung Huang c4abeb9ea5
Move checkHCLKeys into hclutil (#4749) 2018-06-12 12:38:08 -04:00
Jeff Mitchell 28761f5828 changelog++ 2018-06-12 12:25:24 -04:00
Jeff Mitchell 76b0d11793
Redo transit locking (#4720)
This massively simplifies transit locking behavior by pushing some
locking down to the Policy level, and embedding either a local or global
lock in the Policy depending on whether caching is enabled or not.
2018-06-12 12:24:12 -04:00
Chris Hoffman 8b8a62b675
Fix MSSQL Root Rotation Statement (#4748)
* fixing default rotate statement for MSSQL

* only run with ACC
2018-06-12 12:11:48 -04:00
Jim Kalafut 1f648271b6
Add DynamoDB marshaling update test (#4746)
This test fails before the d3604289be99 update.
2018-06-12 08:22:02 -07:00
Jim Kalafut 88102708a2
Update aws-sdk-go/service/dynamodb/dynamodbattribute (#4744)
Fixes #4721, Fixes #4742
2018-06-12 06:07:15 -07:00
Jeff Mitchell 5b05bfe593 Add a basic transit bench test 2018-06-11 17:02:33 -04:00
Jeff Mitchell 45da5a45ba
Store lease times suitable for export in pending (#4730)
* Store lease times suitable for export in pending

This essentially caches lease information for token lookups, preventing
going to disk over and over.

* Simplify logic
2018-06-11 11:58:56 -04:00
vishalnayak b6b5f6437f changelog++ 2018-06-11 11:23:55 -04:00
Vishal Nayak cb3c689798
Fix panic due to metadata being nil (#4719)
* Fix panic due to metadata being nil

* added a nil check

* Added a test

* ensure metadata is never nil

* Remove unnecessary allocation

* revert back to early initialization
2018-06-11 11:22:26 -04:00
Jeff Mitchell b65959c8a0 Fix build 2018-06-11 11:21:37 -04:00
Jeff Mitchell 5b45f57b73 changelog++ 2018-06-11 11:03:42 -04:00
Jeff Mitchell 8d3503a048
Add context handling to Consul operations (#4739) 2018-06-11 11:03:00 -04:00
Jeff Mitchell 2dd190bc85 changelog++ 2018-06-11 10:39:23 -04:00
Pavlos Ratis 49834a3a83 Use shell highlighting in the command snippets (#4736) 2018-06-11 08:46:35 -04:00
Tom Schlenkhoff dc7631b994 Fix typo (#4738) 2018-06-11 05:38:21 -07:00
Jeff Mitchell f32cb9e905 Fix another test error 2018-06-09 18:31:47 -04:00
Jeff Mitchell 16356a3969 Fix nil pointer in transactional_inmem 2018-06-09 18:22:45 -04:00
Jeff Mitchell 4994f95ee2 Bump Travis Go version 2018-06-09 18:18:32 -04:00
Jeff Mitchell 256a6b2b33 Fix test build 2018-06-09 18:18:00 -04:00
Jeff Mitchell 405bce896c Bump Go version in cross Dockerfile 2018-06-09 18:09:45 -04:00