Commit graph

3077 commits

Author SHA1 Message Date
Jeff Mitchell cd86226845 Add forced revocation.
In some situations, it can be impossible to revoke leases (for instance,
if someone has gone and manually removed users created by Vault). This
can not only cause Vault to cycle trying to revoke them, but it also
prevents mounts from being unmounted, leaving them in a tainted state
where the only operations allowed are to revoke (or rollback), which
will never successfully complete.

This adds a new endpoint that works similarly to `revoke-prefix` but
ignores errors coming from a backend upon revocation (it does not ignore
errors coming from within the expiration manager, such as errors
accessing the data store). This can be used to force Vault to abandon
leases.

Like `revoke-prefix`, this is a very sensitive operation and requires
`sudo`. It is implemented as a separate endpoint, rather than an
argument to `revoke-prefix`, to ensure that control can be delegated
appropriately, as even most administrators should not normally have
this privilege.

Fixes #1135
2016-03-03 10:13:59 -05:00
Chris Hoffman 0b4a8f5b94 Adding mssql secret backend 2016-03-03 09:19:17 -05:00
Jeff Mitchell 6ed5d10580 Remove proxy function as it's unneeded now 2016-03-02 14:55:51 -05:00
Jeff Mitchell 8ecba87807 Merge pull request #1163 from hashicorp/mux-cleanup
Remove sys_policy from special handling as it's implemented in
2016-03-02 14:48:30 -05:00
Jeff Mitchell 9c47b8c0a7 Remove sys_policy from special handling as it's implemented in
logical_system too. Clean up the mux handlers.
2016-03-02 14:16:54 -05:00
Jeff Mitchell 7b4478faba Add a sleep in the RedirectStandby test to try to fix raciness 2016-03-02 12:06:16 -05:00
Jeff Mitchell 32b91bd531 changelog++ 2016-03-02 12:05:16 -05:00
Jeff Mitchell 8670f5ac9c Merge pull request #1162 from hashicorp/dev-root-id
Allow specifying an initial root token ID in dev mode.
2016-03-02 12:04:25 -05:00
Jeff Mitchell 8011148fb5 Allow specifying an initial root token ID in dev mode.
Ping #1160
2016-03-02 12:03:26 -05:00
Jeff Mitchell 5b9c478a2c changelog++ 2016-03-01 20:27:08 -05:00
Jeff Mitchell ac57c22fe0 Merge pull request #1156 from hashicorp/renew-self-CLI
Allow `token-renew` to not be given a token; it will then use the
2016-03-01 20:26:02 -05:00
Jeff Mitchell 521a956e4d Address review feedback 2016-03-01 20:25:40 -05:00
vishalnayak 934123d9a3 changelog++ 2016-03-01 17:18:20 -05:00
Jeff Mitchell c438dd186a changelog++ 2016-03-01 17:12:14 -05:00
Jeff Mitchell addf92e185 Allow token-renew to not be given a token; it will then use the
renew-self endpoint. Otherwise it will use the renew endpoint, even if
the token matches the client token.

Adds an -increment flag to allow increments even with no token passed
in.

Fixes #1150
2016-03-01 17:02:48 -05:00
Vishal Nayak f965d1d510 Merge pull request #1153 from hashicorp/cert-non-ca-fix
Non-CA cert registration to the cert backend
2016-03-01 16:56:59 -05:00
vishalnayak 44208455f6 continue if non-CA policy is not found 2016-03-01 16:43:51 -05:00
vishalnayak 9a3ddc9696 Added ExtKeyUsageAny, changed big.Int comparison and fixed code flow 2016-03-01 16:37:01 -05:00
vishalnayak cc1592e27a corrections, policy matching changes and test cert changes 2016-03-01 16:37:01 -05:00
vishalnayak 09eef70853 Added testcase for cert writes 2016-03-01 16:37:01 -05:00
vishalnayak f056e8a5a5 supporting non-ca certs for verification 2016-03-01 16:37:01 -05:00
Jeff Mitchell 7c5f810bc0 Address first round of feedback 2016-03-01 15:30:37 -05:00
Jeff Mitchell 02362a5873 Update token documentation 2016-03-01 14:00:52 -05:00
Jeff Mitchell 8a500e0181 Add command and token store documentation for roles 2016-03-01 13:02:40 -05:00
Jeff Mitchell 54232eb980 Add other token role unit tests and some minor other changes. 2016-03-01 12:41:41 -05:00
Jeff Mitchell df2e337e4c Update tests to add expected role parameters 2016-03-01 12:41:40 -05:00
Jeff Mitchell b8b59560dc Add token role CRUD tests 2016-03-01 12:41:40 -05:00
Jeff Mitchell ef990a3681 Initial work on token roles 2016-03-01 12:41:40 -05:00
vishalnayak 6314057b9a fix typo 2016-03-01 11:48:17 -05:00
Vishal Nayak 89e778b2d0 Merge pull request #1154 from hashicorp/ssh-docs-fix
zeroaddress documentation fix
2016-03-01 11:22:45 -05:00
vishalnayak fd585ecf8a removed datatype and corrected a sentense 2016-03-01 11:21:29 -05:00
vishalnayak 724823b8f7 zeroaddress documentation fix 2016-03-01 10:57:00 -05:00
Jeff Mitchell b5a8e5d724 Fix commenting 2016-02-29 20:29:04 -05:00
vishalnayak aee006ba2d moved the test cert keys to appropriate test-fixtures folder 2016-02-29 15:49:08 -05:00
Jeff Mitchell 64ab16d137 Don't spawn consul servers when testing unless it's an acceptance test 2016-02-29 14:58:06 -05:00
Jeff Mitchell f6092f8311 Don't run transit fuzzing if not during acceptance tests 2016-02-29 14:44:04 -05:00
Jeff Mitchell 2205133ae4 Only run PKI backend setup functions when TF_ACC is set 2016-02-29 14:41:14 -05:00
Jeff Mitchell d131d99c34 Merge branch 'master' into step-down 2016-02-29 11:02:09 -05:00
Vishal Nayak 88aefca25a Merge pull request #1152 from hashicorp/cert-tests-fix
tls backend: replaced test certs and disabled InsecureSkipVerify
2016-02-29 10:41:55 -05:00
vishalnayak cf672400d6 fixed the error log message 2016-02-29 10:41:10 -05:00
Jeff Mitchell 3cc35a554b Update doc, it's now 10 seconds 2016-02-29 10:09:11 -05:00
vishalnayak cc2c989b07 delete old certs 2016-02-28 22:21:45 -05:00
vishalnayak dca18aec2e replaced old certs, with new certs generated from PKI backend, containing IP SANs 2016-02-28 22:15:54 -05:00
Jeff Mitchell 6a980b88fd Address review feedback 2016-02-28 21:51:50 -05:00
Jeff Mitchell 11ddd2290b Provide 'sys/step-down' and 'vault step-down'
This endpoint causes the node it's hit to step down from active duty.
It's a noop if the node isn't active or not running in HA mode. The node
will wait one second before attempting to reacquire the lock, to give
other nodes a chance to grab it.

Fixes #1093
2016-02-26 19:43:55 -05:00
vishalnayak d02d3124b5 fix api tests 2016-02-26 17:01:40 -05:00
Jeff Mitchell 4c87c101f7 Fix tests 2016-02-26 16:44:35 -05:00
Jeff Mitchell a73c43564e changelog++ 2016-02-26 15:28:12 -05:00
Jeff Mitchell a57cc9e1ff Merge pull request #1144 from hashicorp/fix-cassandra-displayName-hyphens
Apply hyphen/underscore replacement across the entire username.
2016-02-26 15:27:20 -05:00
Jeff Mitchell 7ae573b35b Apply hyphen/underscore replacement across the entire username.
Handles app-id generated display names.

Fixes #1140
2016-02-26 15:26:23 -05:00