luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity
2566 commits 1 branch 0 tags 214 MiB
Commit graph

2566 commits

This branch
This branch
All branches
Author SHA1 Message Date
Jeff Mitchell 8cb23835d7 Fix read panic when an empty argument is given. 
Fixes #923
 2016-01-12 08:46:49 -05:00
Jeff Mitchell e815db8756 Update audit sys docs 2016-01-11 19:08:23 -05:00
Eric Kidd 69434fd13e etcd: Allow disabling sync for load balanced etcd 
Some etcd configurations (such as that provided by compose.io) place the
etcd cluster behind multiple load balancers or proxies.  In this
configuration, calling Sync (or AutoSync) on the etcd client will
replace the load balancer addresses with the underlying etcd server
address.

This will cause the etcd client to bypass the load balancers, and may
cause the connection to fail completely if the etcd servers are
protected by a firewall.

This patch provides a "sync" option for the etcd backend, which defaults
to the current behavior, but which can be used to turn off of sync.
This corresponds to etcdctl's --no-sync option.
 2016-01-11 13:56:58 -05:00
Eric Kidd ebabcd857a etcd: Document existing username and password options 
These options were present in the source code, but not in the
documentation.  They're needed to connect to some hosted etcd services.
 2016-01-11 11:30:51 -05:00
Jeff Mitchell 8e131e4ea4 Make sure VAULT_TOKEN is empty during unit tests 2016-01-09 14:47:55 -05:00
Jeff Mitchell 2527a9d18e changelog++ 2016-01-09 14:21:36 -05:00
Jeff Mitchell b7e68633a3 Merge pull request #878 from seiffert/dynamodb_backend 
Add DynamoDB physical backend.
 2016-01-09 14:16:15 -05:00
Jeff Mitchell a2bd31d493 Fix up PGP tests from earlier code fixes 2016-01-08 22:21:41 -05:00
Jeff Mitchell a99787afeb Don't allow a policy with no name, even though it is a valid slice member 2016-01-08 21:23:40 -05:00
Jeff Mitchell 676008b2c5 Lotsa warnings if you choose not to be safe 2016-01-08 17:35:07 -05:00
Jeff Mitchell f6d2271a3c Use an array of keys so that if the same fingerprint is used none are lost when using PGP key backup 2016-01-08 14:29:23 -05:00
Jeff Mitchell 26e1837a82 Some minor rekey backup fixes 2016-01-08 14:09:40 -05:00
Jeff Mitchell 4f4ddbf017 Create more granular ACL capabilities. 
This commit splits ACL policies into more fine-grained capabilities.
This both drastically simplifies the checking code and makes it possible
to support needed workflows that are not possible with the previous
method. It is backwards compatible; policies containing a "policy"
string are simply converted to a set of capabilities matching previous
behavior.

Fixes #724 (and others).
 2016-01-08 13:05:14 -05:00
Jeff Mitchell f3ce90164f WriteOperation -> UpdateOperation 2016-01-08 13:03:03 -05:00
Paul Seiffert 3a0ea3bcaa Add documentation for the DynamoDB backend 2016-01-08 17:34:31 +01:00
Paul Seiffert 99f7659bb4 Add recovery option to DynamoDB backend 
When Vault is killed without the chance to clean up the lock
entry in DynamoDB, no further Vault nodes can become leaders after
that.

To recover from this situation, this commit adds an environment
variable and a configuration flag that when set to "1" causes Vault
to delete the lock entry from DynamoDB.
 2016-01-08 17:31:37 +01:00
Paul Seiffert 8853e50691 Explicitly read AWS credentials from environment 2016-01-08 17:31:37 +01:00
Paul Seiffert 9618d95c4e Godeps: install new requirements from AWS SDK 2016-01-08 17:31:37 +01:00
Paul Seiffert 277de77256 Add tests for DynamoDB backend 2016-01-08 17:31:37 +01:00
Paul Seiffert 870bc6c5b4 Implement DynamoDB physical HA backend 2016-01-08 17:31:37 +01:00
Jeff Mitchell 87f686997f changelog++ 2016-01-07 11:36:32 -05:00
Jeff Mitchell c9f9bcdeaf Merge pull request #912 from hashicorp/fix-renew-regression 
Have 'sys/renew' return the value provided in Secret.
 2016-01-07 11:35:52 -05:00
Jeff Mitchell 455acc255b Have 'sys/renew' return the value provided in Secret. 
Fixes a regression introduced in 0.3.
 2016-01-07 11:35:09 -05:00
Jeff Mitchell 2412c078ac Also convert policy store cache to 2q. 
Ping #908
 2016-01-07 09:26:08 -05:00
Jeff Mitchell d6b6cbe9aa changelog++ 2016-01-07 09:22:45 -05:00
Jeff Mitchell 0cda012d20 Merge pull request #908 from hashicorp/physical-2q 
Replace physical cache with TwoQueue instead of LRU.
 2016-01-07 09:22:15 -05:00
Jeff Mitchell 287954beef Replace physical cache with TwoQueue instead of LRU. 2016-01-07 09:21:33 -05:00
Jeff Mitchell 85509e7ba5 Simplify some logic and ensure that if key share backup fails, we fail 
the operation as well.

Ping #907
 2016-01-06 13:14:23 -05:00
Jeff Mitchell 20a6f37b38 Merge pull request #907 from hashicorp/rekey-work 
Add rekey nonce/backup.
 2016-01-06 09:55:19 -05:00
Jeff Mitchell a094eedce2 Add rekey nonce/backup. 2016-01-06 09:54:35 -05:00
Jeff Mitchell d4bc51751e Fix typo in docs 2016-01-05 11:45:23 -05:00
Jeff Mitchell 06d19e4269 changelog++ 2016-01-05 11:27:08 -05:00
Jeff Mitchell d5c72f2083 Merge pull request #904 from hashicorp/policy-doc 
Update documentation with policy fetching information.
 2016-01-05 10:26:53 -06:00
Jeff Mitchell e54edd54ac Update documentation with policy fetching information. 2016-01-05 11:26:19 -05:00
Jeff Mitchell d51d723c1f Use int64 for converting time values, not int (will be float64 in JSON anyways, so no need to lose precision, plus could hit a 32-bit max in some edge cases) 2016-01-04 17:11:22 -05:00
Jeff Mitchell a99c29dad4 changelog++ 2016-01-04 17:01:32 -05:00
Jeff Mitchell 0972e60253 Merge pull request #896 from hashicorp/last-renewal-time 
Store a last renewal time in the token entry and return it upon lookup
 2016-01-04 16:00:21 -06:00
Jeff Mitchell e990b77d6e Address review feedback; move storage of these values to the expiration manager 2016-01-04 16:43:07 -05:00
Jonathan Thomas df5f5d68bd Merge pull request #888 from aedotj/patch-1 
Fixed "edit this page" not clickable
 2016-01-04 11:29:21 -08:00
Jeff Mitchell 80866d036d update init/rekey documentation around keybase entries 2016-01-04 14:17:51 -05:00
Jeff Mitchell dbd7c9aaab changelog++ 2016-01-04 14:14:51 -05:00
Jeff Mitchell bf79b716ef Merge pull request #901 from hashicorp/keybase-pgp 
Add keybase support for PGP keys.
 2016-01-04 13:11:11 -06:00
Jeff Mitchell 8d1e5cb50d Add returning which user names could not be looked up 2016-01-04 13:56:45 -05:00
Jeff Mitchell 5ddd243144 Store a last renewal time in the token entry and return it upon lookup 
of the token.

Fixes #889
 2016-01-04 11:20:49 -05:00
Jeff Mitchell 90ec946dab Address review feedback. 2016-01-04 11:18:04 -05:00
Jeff Mitchell d11509830f Happy New Year everyone! (Add keybase support for PGP keys.) 
Keys specified in rekey and init operations can now be sourced from
keybase.io by using "keybase:[username]" as the key.
 2015-12-31 20:47:41 -05:00
Jeff Mitchell 80d92903f4 changelog++ 2015-12-31 18:11:32 -05:00
Jeff Mitchell 2bbc140fab Merge pull request #900 from kenjones-cisco/task/pki-doc 
Fixes mis-placed html tag
 2015-12-31 09:46:27 -06:00
kenjones-cisco 496e9962d0 Fixes mis-placed html tag 2015-12-31 10:37:01 -05:00
Jeff Mitchell 5ef7efffe3 Disable cmd/server tests for now so we can get Travis back on track 2015-12-31 08:48:53 -05:00