Commit graph

2827 commits

Author SHA1 Message Date
Jeff Mitchell 4253299dfe Store uint32s in radix 2016-01-12 17:24:01 -05:00
Jeff Mitchell e58705b34c Cleanup 2016-01-12 17:10:48 -05:00
Jeff Mitchell 87fba5dad0 Convert map to bitmap 2016-01-12 17:08:10 -05:00
Jeff Mitchell da87d490eb Add some commenting around create/update 2016-01-12 15:13:54 -05:00
Jeff Mitchell 9db22dcfad Address some more review feedback 2016-01-12 15:09:16 -05:00
Jeff Mitchell ce5bd64244 Clean up HelpOperation 2016-01-12 14:34:49 -05:00
Jeff Mitchell 1efb33cfd5 changelog++ 2016-01-12 09:31:07 -05:00
Jeff Mitchell e89a1b1396 Merge pull request #924 from richardzone/patch-1
Fix typo
2016-01-12 09:30:40 -05:00
Ziyi, LIU 5204da4edd Fix typo
Change "...implements is own login endpoint..." to "...implements its own login endpoint..."
2016-01-12 22:22:13 +08:00
Jeff Mitchell ae6df99b19 changelog++ 2016-01-12 08:47:33 -05:00
Jeff Mitchell 8cb23835d7 Fix read panic when an empty argument is given.
Fixes #923
2016-01-12 08:46:49 -05:00
Jeff Mitchell e815db8756 Update audit sys docs 2016-01-11 19:08:23 -05:00
Eric Kidd 69434fd13e etcd: Allow disabling sync for load balanced etcd
Some etcd configurations (such as that provided by compose.io) place the
etcd cluster behind multiple load balancers or proxies.  In this
configuration, calling Sync (or AutoSync) on the etcd client will
replace the load balancer addresses with the underlying etcd server
address.

This will cause the etcd client to bypass the load balancers, and may
cause the connection to fail completely if the etcd servers are
protected by a firewall.

This patch provides a "sync" option for the etcd backend, which defaults
to the current behavior, but which can be used to turn off of sync.
This corresponds to etcdctl's --no-sync option.
2016-01-11 13:56:58 -05:00
Eric Kidd ebabcd857a etcd: Document existing username and password options
These options were present in the source code, but not in the
documentation.  They're needed to connect to some hosted etcd services.
2016-01-11 11:30:51 -05:00
Jeff Mitchell 8e131e4ea4 Make sure VAULT_TOKEN is empty during unit tests 2016-01-09 14:47:55 -05:00
Jeff Mitchell 2527a9d18e changelog++ 2016-01-09 14:21:36 -05:00
Jeff Mitchell b7e68633a3 Merge pull request #878 from seiffert/dynamodb_backend
Add DynamoDB physical backend.
2016-01-09 14:16:15 -05:00
Jeff Mitchell a2bd31d493 Fix up PGP tests from earlier code fixes 2016-01-08 22:21:41 -05:00
Jeff Mitchell a99787afeb Don't allow a policy with no name, even though it is a valid slice member 2016-01-08 21:23:40 -05:00
Jeff Mitchell 676008b2c5 Lotsa warnings if you choose not to be safe 2016-01-08 17:35:07 -05:00
Jeff Mitchell f6d2271a3c Use an array of keys so that if the same fingerprint is used none are lost when using PGP key backup 2016-01-08 14:29:23 -05:00
Jeff Mitchell 26e1837a82 Some minor rekey backup fixes 2016-01-08 14:09:40 -05:00
Jeff Mitchell 4f4ddbf017 Create more granular ACL capabilities.
This commit splits ACL policies into more fine-grained capabilities.
This both drastically simplifies the checking code and makes it possible
to support needed workflows that are not possible with the previous
method. It is backwards compatible; policies containing a "policy"
string are simply converted to a set of capabilities matching previous
behavior.

Fixes #724 (and others).
2016-01-08 13:05:14 -05:00
Jeff Mitchell f3ce90164f WriteOperation -> UpdateOperation 2016-01-08 13:03:03 -05:00
Paul Seiffert 3a0ea3bcaa Add documentation for the DynamoDB backend 2016-01-08 17:34:31 +01:00
Paul Seiffert 99f7659bb4 Add recovery option to DynamoDB backend
When Vault is killed without the chance to clean up the lock
entry in DynamoDB, no further Vault nodes can become leaders after
that.

To recover from this situation, this commit adds an environment
variable and a configuration flag that when set to "1" causes Vault
to delete the lock entry from DynamoDB.
2016-01-08 17:31:37 +01:00
Paul Seiffert 8853e50691 Explicitly read AWS credentials from environment 2016-01-08 17:31:37 +01:00
Paul Seiffert 9618d95c4e Godeps: install new requirements from AWS SDK 2016-01-08 17:31:37 +01:00
Paul Seiffert 277de77256 Add tests for DynamoDB backend 2016-01-08 17:31:37 +01:00
Paul Seiffert 870bc6c5b4 Implement DynamoDB physical HA backend 2016-01-08 17:31:37 +01:00
Jeff Mitchell 87f686997f changelog++ 2016-01-07 11:36:32 -05:00
Jeff Mitchell c9f9bcdeaf Merge pull request #912 from hashicorp/fix-renew-regression
Have 'sys/renew' return the value provided in Secret.
2016-01-07 11:35:52 -05:00
Jeff Mitchell 455acc255b Have 'sys/renew' return the value provided in Secret.
Fixes a regression introduced in 0.3.
2016-01-07 11:35:09 -05:00
Jeff Mitchell 2412c078ac Also convert policy store cache to 2q.
Ping #908
2016-01-07 09:26:08 -05:00
Jeff Mitchell d6b6cbe9aa changelog++ 2016-01-07 09:22:45 -05:00
Jeff Mitchell 0cda012d20 Merge pull request #908 from hashicorp/physical-2q
Replace physical cache with TwoQueue instead of LRU.
2016-01-07 09:22:15 -05:00
Jeff Mitchell 287954beef Replace physical cache with TwoQueue instead of LRU. 2016-01-07 09:21:33 -05:00
Jeff Mitchell 85509e7ba5 Simplify some logic and ensure that if key share backup fails, we fail
the operation as well.

Ping #907
2016-01-06 13:14:23 -05:00
Jeff Mitchell 20a6f37b38 Merge pull request #907 from hashicorp/rekey-work
Add rekey nonce/backup.
2016-01-06 09:55:19 -05:00
Jeff Mitchell a094eedce2 Add rekey nonce/backup. 2016-01-06 09:54:35 -05:00
Marcin Wielgoszewski bde81080c9 Address issues with properly revoking a user via these additional REVOKE statements 2016-01-06 09:22:55 -05:00
Jeff Mitchell d4bc51751e Fix typo in docs 2016-01-05 11:45:23 -05:00
Jeff Mitchell 06d19e4269 changelog++ 2016-01-05 11:27:08 -05:00
Jeff Mitchell d5c72f2083 Merge pull request #904 from hashicorp/policy-doc
Update documentation with policy fetching information.
2016-01-05 10:26:53 -06:00
Jeff Mitchell e54edd54ac Update documentation with policy fetching information. 2016-01-05 11:26:19 -05:00
Jeff Mitchell d51d723c1f Use int64 for converting time values, not int (will be float64 in JSON anyways, so no need to lose precision, plus could hit a 32-bit max in some edge cases) 2016-01-04 17:11:22 -05:00
Jeff Mitchell a99c29dad4 changelog++ 2016-01-04 17:01:32 -05:00
Jeff Mitchell 0972e60253 Merge pull request #896 from hashicorp/last-renewal-time
Store a last renewal time in the token entry and return it upon lookup
2016-01-04 16:00:21 -06:00
Jeff Mitchell e990b77d6e Address review feedback; move storage of these values to the expiration manager 2016-01-04 16:43:07 -05:00
Jonathan Thomas df5f5d68bd Merge pull request #888 from aedotj/patch-1
Fixed "edit this page" not clickable
2016-01-04 11:29:21 -08:00