Commit graph

535 commits

Author SHA1 Message Date
Jason O'Donnell 20e485a9d3
Add leeway parameters to JWT auth doc (#6947)
* Add leeway parameters to JWT auth doc

* Clarify leeway doc

* Apply suggestions from code review

Co-Authored-By: Jim Kalafut <jim@kalafut.net>

* Add note about only being applicable to JWT

* Update for negative values
2019-07-01 10:12:53 -04:00
Michel Vocks 2b5aca4300
Token identity support (#6267)
* Implemented token backend support for identity

* Fixed tests

* Refactored a few checks for the token entity overwrite. Fixed tests.

* Moved entity alias check up so that the entity and entity alias is only created when it has been specified in allowed_entity_aliases list

* go mod vendor

* Added glob pattern

* Optimized allowed entity alias check

* Added test for asterisk only

* Changed to glob pattern anywhere

* Changed response code in case of failure. Changed globbing pattern check. Added docs.

* Added missing token role get parameter. Added more samples

* Fixed failing tests

* Corrected some cosmetical review points

* Changed response code for invalid provided entity alias

* Fixed minor things

* Fixed failing test
2019-07-01 11:39:54 +02:00
Mike Ruth ee705088be Include Daytona as a third party tool (#6999)
* Include Daytona as third party tool

This is to include [Cruise's Daytona](https://github.com/cruise-automation/daytona) to the list of third party tools.
2019-06-30 20:49:11 -04:00
Vishal Nayak 2fcac90052
Raft Docs (#6966)
* Raft configuration doc

* API docs

* join sample

* Fix the Join API

* Add snapshot-force

* Update sys/storage subsection

* Use actual certs in examples

* Add sample configuration response

* Fix link

* remove TLS config options
2019-06-28 14:09:14 -04:00
Calvin Leung Huang 21059820d2
KMIP docs (#6969)
* docs: add docs/secrets/kmip

* Add KMIP API docs.

* small typo fix

* Update website/source/api/secret/kmip/index.html.md

Co-Authored-By: Calvin Leung Huang <cleung2010@gmail.com>

* Update website/source/api/secret/kmip/index.html.md

Co-Authored-By: Calvin Leung Huang <cleung2010@gmail.com>

* Update website/source/api/secret/kmip/index.html.md

Co-Authored-By: Calvin Leung Huang <cleung2010@gmail.com>

* Update website/source/api/secret/kmip/index.html.md

Co-Authored-By: Calvin Leung Huang <cleung2010@gmail.com>

* format tables in api docs

* fix table formatting

* Fix wording.

* Remove references to tls_max_path_length.
2019-06-28 11:05:00 -07:00
Michael Gaffney 9366f95816 Remove delete-version-after from kv put and undelete subcommands
Removes the optional parameter "delete-version-after" from the following
CLI subcommands:

- kv put
- kv undelete
- kv rollback
2019-06-27 14:17:46 -04:00
Michael Gaffney 42324c22ff Add delete-version-after to kv CLI subcommands
Adds a new optional parameter "delete-version-after" to the following
CLI subcommands:

- kv metadata put
- kv put
- kv undelete
- kv rollback
2019-06-27 14:17:46 -04:00
Thomas Kula be998aeeac Cert auth method examples need to use https (#6961)
In order to present a client certificate to use the certificate
auth method, you must use https.
2019-06-27 11:04:09 -04:00
Lexman a4ba0e22ac Identity tokens documentation (#6971) 2019-06-26 07:31:10 -07:00
Jim Kalafut 4066a1d09c
Correct API docs examples (#6963) 2019-06-24 07:39:34 -07:00
Clint 4b00597609
Combined Database backend: remove create/delete support (#6951)
* remove create/update database user for static accounts

* update tests after create/delete removed

* small cleanups

* update postgresql setcredentials test
2019-06-23 15:58:07 -05:00
Becca Petrin cd0f2ec5f6
Merge pull request #6913 from hashicorp/pcf-docs
PCF documentation
2019-06-20 09:28:06 -07:00
Aaron Bedra db25895001 Adds libvault to list of client libraries (#6890) 2019-06-20 08:01:12 -07:00
Brian Shumate 630de4d1ae Switch to simpler 'configured' (#6892) 2019-06-20 08:00:12 -07:00
Clint b55303eddb
Combined Database Backend: Static Accounts (#6834)
* Add priority queue to sdk

* fix issue of storing pointers and now copy

* update to use copy structure

* Remove file, put Item struct def. into other file

* add link

* clean up docs

* refactor internal data structure to hide heap method implementations. Other cleanup after feedback

* rename PushItem and PopItem to just Push/Pop, after encapsulating the heap methods

* updates after feedback

* refactoring/renaming

* guard against pushing a nil item

* minor updates after feedback

* Add SetCredentials, GenerateCredentials gRPC methods to combined database backend gPRC

* Initial Combined database backend implementation of static accounts and automatic rotation

* vendor updates

* initial implementation of static accounts with Combined database backend, starting with PostgreSQL implementation

* add lock and setup of rotation queue

* vendor the queue

* rebase on new method signature of queue

* remove mongo tests for now

* update default role sql

* gofmt after rebase

* cleanup after rebasing to remove checks for ErrNotFound error

* rebase cdcr-priority-queue

* vendor dependencies with 'go mod vendor'

* website database docs for Static Role support

* document the rotate-role API endpoint

* postgres specific static role docs

* use constants for paths

* updates from review

* remove dead code

* combine and clarify error message for older plugins

* Update builtin/logical/database/backend.go

Co-Authored-By: Jim Kalafut <jim@kalafut.net>

* cleanups from feedback

* code and comment cleanups

* move db.RLock higher to protect db.GenerateCredentials call

* Return output with WALID if we failed to delete the WAL

* Update builtin/logical/database/path_creds_create.go

Co-Authored-By: Jim Kalafut <jim@kalafut.net>

* updates after running 'make fmt'

* update after running 'make proto'

* Update builtin/logical/database/path_roles.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update builtin/logical/database/path_roles.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* update comment and remove and rearrange some dead code

* Update website/source/api/secret/databases/index.html.md

Co-Authored-By: Jim Kalafut <jim@kalafut.net>

* cleanups after review

* Update sdk/database/dbplugin/grpc_transport.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* code cleanup after feedback

* remove PasswordLastSet; it's not used

* document GenerateCredentials and SetCredentials

* Update builtin/logical/database/path_rotate_credentials.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* wrap pop and popbykey in backend methods to protect against nil cred rotation queue

* use strings.HasPrefix instead of direct equality check for path

* Forgot to commit this

* updates after feedback

* re-purpose an outdated test to now check that static and dynamic roles cannot share a name

* check for unique name across dynamic and static roles

* refactor loadStaticWALs to return a map of name/setCredentialsWAL struct to consolidate where we're calling set credentials

* remove commented out code

* refactor to have loadstaticwals filter out wals for roles that no longer exist

* return error if nil input given

* add nil check for input into setStaticAccount

* Update builtin/logical/database/path_roles.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* add constant for queue tick time in seconds, used for comparrison in updates

* Update builtin/logical/database/path_roles.go

Co-Authored-By: Jim Kalafut <jim@kalafut.net>

* code cleanup after review

* remove misplaced code comment

* remove commented out code

* create a queue in the Factory method, even if it's never used

* update path_roles to use a common set of fields, with specific overrides for dynamic/static roles by type

* document new method

* move rotation things into a specific file

* rename test file and consolidate some static account tests

* Update builtin/logical/database/path_roles.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update builtin/logical/database/rotation.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update builtin/logical/database/rotation.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update builtin/logical/database/rotation.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update builtin/logical/database/rotation.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update builtin/logical/database/rotation.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* update code comments, method names, and move more methods into rotation.go

* update comments to be capitalized

* remove the item from the queue before we try to destroy it

* findStaticWAL returns an error

* use lowercase keys when encoding WAL entries

* small cleanups

* remove vestigial static account check

* remove redundant DeleteWAL call in populate queue

* if we error on loading role, push back to queue with 10 second backoff

* poll in initqueue to make sure the backend is setup and can write/delete data

* add revoke_user_on_delete flag to allow users to opt-in to revoking the static database user on delete of the Vault role. Default false

* add code comments on read-only loop

* code comment updates

* re-push if error returned from find static wal

* add locksutil and acquire locks when pop'ing from the queue

* grab exclusive locks for updating static roles

* Add SetCredentials and GenerateCredentials stubs to mockPlugin

* add a switch in initQueue to listen for cancelation

* remove guard on zero time, it should have no affect

* create a new context in Factory to pass on and use for closing the backend queue

* restore master copy of vendor dir
2019-06-19 14:45:39 -05:00
Becca Petrin 35faaef504 update field name to change from pr feedback 2019-06-19 09:54:18 -07:00
Becca Petrin 3fc63eb9d5 add api docs 2019-06-17 16:56:14 -07:00
Becca Petrin a420b966bb add docs 2019-06-17 15:00:30 -07:00
Becca Petrin 17a682da40 Merge branch 'opensource-master' into add-elasticsearch-auth 2019-06-17 11:12:51 -07:00
Frederic Hemberger 8c5476fb0c Website(api/secret/identity): Fix whitespace in JSON examples (#6889) 2019-06-16 09:26:37 -04:00
Becca Petrin 5b9d49fc2d add elasticsearch database engine 2019-06-10 09:19:11 -07:00
Lexman 9aa4662cec transit cache is an Interface implemented by wrapped versions of sync… (#6225)
* transit cache is an Interface implemented by wrapped versions of syncmap and golang-lru

* transit cache is an Interface implemented by wrapped versions of syncmap and golang-lru

* changed some import paths to point to sdk

* Apply suggestions from code review

Co-Authored-By: Lexman42 <Lexman42@users.noreply.github.com>

* updates docs with information on transit/cache-config endpoint

* updates vendored files

* fixes policy tests to actually use a cache where expected and renames the struct and storage path used for cache configurations to be more generic

* updates document links

* fixed a typo in a documentation link

* changes cache_size to just size for the cache-config endpoint
2019-06-04 15:40:56 -07:00
Jim Kalafut 8f1eeda737
Fix OIDC API examples (#6803)
Fixes #6684
2019-05-30 21:50:34 -05:00
nathan r. hruby 0762d9c6eb
fix indeting for mount options (#6780) 2019-05-23 19:09:52 -07:00
Jeff Mitchell 4e83328aaf Fix recovery key backup path documentation 2019-05-14 10:58:19 -04:00
Rich FitzJohn 9b123dd352 Add link to R client on libraries list (#6722) 2019-05-13 16:14:49 -04:00
Jim Kalafut 826653e7f5
JWKS docs (#6645) 2019-05-09 13:32:50 -07:00
Hugues Malphettes 520677fa9e [Doc]: PKI Fix allowed_uri_sans spelling mistake (#6660)
The doc of the PKI Role sample response currently reads:

`"allow_uri_sans": ["example.com","spiffe://*"],`

It should read:

  `"allowed_uri_sans": ["example.com","spiffe://*"],`
2019-04-30 17:48:51 -07:00
Becca Petrin ba37546c08
Merge pull request #6642 from hashicorp/update-ad-docs
Update Active Directory secrets engine docs with new field
2019-04-29 13:48:09 -07:00
Becca Petrin e724d2f332 changes from feedback 2019-04-26 16:31:11 -07:00
Jim Kalafut 8f8ac67222
Minor GCP docs fixes (#6644) 2019-04-26 10:52:52 -07:00
Md Kamol Hasan 9b1b58f52a Add delete roleset option (#6635) 2019-04-26 10:48:34 -07:00
Becca Petrin 7183bc9594 update ad docs with new field 2019-04-26 09:40:26 -07:00
Raja Nadar ffbe2c378d docs: added support for .net standard 2.0 as well (#6620)
.net standard 2.0 support
2019-04-23 14:50:16 -04:00
Becca Petrin 22a6e54957
Merge pull request #6380 from povils/aws_user_path
AWS add user_path option for role.
2019-04-23 09:05:35 -07:00
Brian Shumate 681d13fe27 Link directly to the hints (#6623)
* Link directly to the hints

* Wrap
2019-04-22 16:10:38 -07:00
Brian Shumate fb0a55614b Add type to documentation for create in token auth API (#6622)
* Add type to documentation for create in token auth API

* Wrapped
2019-04-22 12:15:21 -07:00
Povilas Susinskas 67f5bbe88f AWS backend: Add user_path option for role. 2019-04-22 18:07:21 +02:00
Brian Shumate 5aed4f0f76 Add some missing default values (#6611) 2019-04-18 22:24:20 -07:00
Brian Shumate 09aa4c7c15 Typo fixes (#6610) 2019-04-18 22:20:46 -07:00
Jim Kalafut 75480642cf
Update JWT docs for bound_claims improvements (#6559) 2019-04-12 14:08:02 -07:00
Michel Vocks a24474df5f
Fixed small issues in identity group alias API docs (#6569) 2019-04-12 09:05:37 +02:00
Jim Kalafut 22587672ec
Minor updates to OIDC docs (#6551) 2019-04-08 15:08:55 -07:00
Kamol Hasan 307cc20712 Correct gcp api doc 2019-04-08 18:55:36 +06:00
Sean Malloy 29f3e0ed62 Add Docs For Prometheus Metrics (#6434)
Prometheus metrics were added as part of the Vault v1.1.0 release in PR #5308.
But no documentation was created. Adds the telemetry configuration docs and
the API docs.
2019-03-23 16:53:43 -05:00
Jeff Mitchell cdcd269b47 Add missing serial_number parameter from pki docs 2019-03-23 12:14:32 -04:00
Laura Gjerman-Uva 6193d4a0ac update AWS Auth API docs to show that role_id is the default for ec2_alias and iam_alias (auth/aws/config/identity endpoint) (#6460) 2019-03-22 15:09:54 -05:00
Jeff Mitchell 602d1e1a75
Remove response code info from non-overview API docs as it can be misinterpreted and is always the same anyways (#6459) 2019-03-22 11:15:37 -05:00
Jeff Mitchell 0794d89d9d Minor updates to JWT docs 2019-03-22 01:15:59 -04:00
Jim Kalafut e399d39f0e
Remove beta docs (#6431) 2019-03-18 16:38:54 -07:00
Andrej van der Zee 85fb1784b5 Cassandra plugin: Support for datacenter aware deployments (#6127)
* Added option 'local_datacenter' to Casssandra database plugin for DC aware Casssandra deployments.

* Fixed spelling errors in Cassandra database plugin.

* Added website documentation.

* Added local_datacenter to Cassanra database plugin.

* Reverted datacenter-aware change in deprecated Cassandra builtin secret engine.
2019-03-14 13:37:28 -07:00
Alessandro De Blasis 4b7f595b4c docs: pki - adding missing ext_key_usage_oids desc (#6367)
Adding missing entries

Just copied over the FieldSchema descriptions
2019-03-07 14:07:10 -05:00
Jim Kalafut a34099b9bb
Use HashTypeMap and remove structs in batch HMAC (#6334) 2019-03-04 14:49:29 -08:00
martinwaite 04c174214c Batch hmac - (#5850) (#5875) 2019-03-04 12:26:20 -08:00
Jeff Mitchell d71b0e7b10
Add missing consistency param in docs for Cassandra in combined DB (#6330) 2019-03-04 10:21:33 -05:00
Becca Petrin 4ecaa1b597
Merge pull request #6304 from bradjones1/patch-2
RabbitMQ 'vhost' parameter on roles endpoint should be 'vhosts'
2019-02-28 10:03:47 -08:00
Becca Petrin 4cf21cda87
Merge pull request #6221 from emilymye/website
Remove unsupported config delete for GCP auth docs
2019-02-28 09:52:52 -08:00
Brad Jones da99b6d088
RabbitMQ 'vhost' parameter on roles endpoint should be 'vhosts'
In deploying this, I noted that passing `vhost` was unsuccessful, yet `vhosts` is.
2019-02-27 15:19:54 -07:00
Jim Kalafut 9bac5158cd
Update JWT docs for OIDC feature (#6270) 2019-02-21 17:06:23 -08:00
Emily Ye 79c8f05dee remove unsupported config delete docs 2019-02-12 13:48:30 -08:00
Sean Carolan 58ba07f666 Make this easier for new users (#6211) 2019-02-11 17:34:22 -05:00
Clint 0db43e697b Add signed key constraints to SSH CA [continued] (#6030)
* Adds the ability to enforce particular ssh key types and minimum key
lengths when using Signed SSH Certificates via the SSH Secret Engine.
2019-02-11 13:03:26 -05:00
Andrej van der Zee 604e8dd0f0 Added socket keep alive option to Cassandra plugin. (#6201) 2019-02-10 18:34:50 -05:00
Brian Nuszkowski 707c6d1813 Add SHA1 signing/verification support to transit engine (#6037)
* Add SHA1 signing/verification support to transit engine

* Update signing/verification endpoint documentation to include sha1 hash algorithm
2019-02-07 15:31:31 -08:00
Martins Sipenko ea56be1e69 Fix section heading size (#6137) 2019-02-07 11:18:58 -08:00
Jeff Mitchell ea61e8fbec Remove refresh_interval from kvv1 API docs and CLI docs since kv get doesn't use it 2019-02-06 21:51:08 -05:00
Jeff Mitchell 5f249d4005
Add allowed_response_headers (#6115) 2019-02-05 16:02:15 -05:00
Brian Shumate 18c8f390f9 Update AppRole API docs (#6047)
- Use consistent "Create/Update" heading text style
2019-02-04 11:17:16 -05:00
nickwales e2429522fa Removed typo (#6162) 2019-02-04 11:13:37 -05:00
Matthew Potter 5e374d5cd1 Add libvault to the list of elixir libraries (#6158) 2019-02-04 11:12:29 -05:00
Jeff Mitchell adccccae69 Update example output for PKI serial -> serial_number
Fixes #6146
2019-02-01 10:29:34 -05:00
Jeff Mitchell 47accf8086 Add role_id as an alias name source for AWS and change the defaults 2019-01-30 15:51:45 -05:00
Jeff Mitchell 5e126f6de8
Implement JWS-compatible signature marshaling (#6077)
This currently only applies to ECDSA signatures, and is a toggleable
option.
2019-01-23 12:31:34 -05:00
Jim Kalafut 0f2fcfb6f1
Update JWT docs with new jwt_supported_algs parameter (#6069) 2019-01-17 15:27:20 -08:00
Dilan Bellinghoven f9dacbf221 Add docker-credential-vault-login to Third-Party Tools (#6003)
* Added Docker credential helper to list of Third-Party tools

* website/source/api/relatedtools.html.md: Fixed a typo
2019-01-10 10:46:18 -05:00
Yoko 9a4de34dce Allowed characters in paths (#6015) 2019-01-10 10:39:20 -05:00
Vishal Nayak 0c30f46587
Add option to configure ec2_alias values (#5846)
* Add option to configure ec2_alias values

* Doc updates

* Fix overwriting of previous config value

* s/configEntry/config

* Fix formatting

* Address review feedback

* Address review feedback
2019-01-09 18:28:29 -05:00
Yoko 0a97f95ff4
Document upper limit on Transit encryption size (#6014) 2019-01-08 17:57:43 -08:00
Giacomo Tirabassi 0d3845c537 Influxdb secret engine built-in plugin (#5924)
* intial work for influxdb secret plugin

* fixed typo

* added comment

* added documentation

* added tests

* fixed tests

* added vendoring

* minor testing issue with hardcoded values

* minor fixes
2019-01-08 17:26:16 -08:00
Becca Petrin d108843a0a
Merge pull request #5947 from hmalphettes/master
Docs: JWT API - List Roles: fix the path
2018-12-20 09:15:57 -08:00
R.B. Boyer 0ebb30938c website: fix simple typo (#5979) 2018-12-19 14:46:54 -08:00
Janosch Maier b95fbbafe9 Docs: Fix project resource name in gcp roleset documentation (#5966)
The resource name when referring to a GCP project needs to have a "s". This PR adds the missing letter in the documentation.
2018-12-17 16:22:02 -08:00
Matthew Irish 4e06fd698e update help output examples and mention openapi fragment support (#5954) 2018-12-14 09:12:03 -05:00
Hugues Malphettes 6ea6844ef9
JWT API - List Roles: fix the path
With vault-1.0.0 and vault-0.11.4 a different path is needed to list the jwt registered roles:

```
$ vault list auth/jwt/roles
No value found at auth/jwt/roles/

$ vault list auth/jwt/role
Keys
----
myrole
```
I hope this helps!
2018-12-13 06:27:30 +08:00
Sergey Trasko f24a4f189e Fixed markdown for cert documentation (#5735) 2018-12-12 15:27:28 -05:00
Joel Thompson 286b3f4e9f auth/aws: Clarify docs for cross-account access with IAM auth (#5900)
The docs hadn't been updated to reflect the ability to do cross-account
AWS IAM auth, and so it was a bit confusing as to whether that was
supported. This removes the ambiguity by explicitly mentioning AWS IAM
principals.
2018-12-12 15:21:27 -05:00
emily 94c03d1072 Update GCP auth BE docs (#5753)
Documented changes from https://github.com/hashicorp/vault-plugin-auth-gcp/pull/55
* Deprecating `project_id` for `bound_projects` and making it optional
* Deprecating `google_certs_endpoint` (unused)
* Adding group aliases 

Also, some general reformatting
2018-12-10 12:54:18 -08:00
Jeff Mitchell c67ef8be09
Update PKI docs (#5929) 2018-12-10 10:24:47 -05:00
Chris Hoffman cebbe43f70
removing beta tag (#5904) 2018-12-05 10:45:22 -05:00
ncabatoff b53437a2f8
Fix documentation re substitutions. It appears this was broken from day one. (#5896) 2018-12-04 13:14:00 -05:00
Jim Kalafut 1f3ea9b30a
Fix docs typos (#5881) 2018-11-30 14:32:04 -08:00
Martins Sipenko 3c0d63169c Fix config/sts docs (#5839) 2018-11-30 11:08:47 -08:00
Mike Christof a82ff1f92e fixed api/secret/ssh docs (#5833) 2018-11-30 10:55:33 -08:00
Lucy Davinhart 046e5fcf57 Document /sys/health?perfstandbyok (#5870)
* Document /sys/health?perfstandbyok

Discovered that in Vault Enterprise 0.11.5, `/sys/health?standbyok` returns a 473 status for performance standby nodes, compared to a 200 for standard standby nodes.

Turns out there was an additional `perfstandbyok` option added, here:
e5aaf80764

* Update health.html.md

Slight tweak to wording for perfstandbyok
2018-11-29 09:57:30 -08:00
Martins Sipenko 640bae4b65 Remove false statement from docs. (#5854) 2018-11-27 07:47:34 -05:00
Janosch Maier 192c8b5c84 Fix incorrect parameter name in docs (#5798) 2018-11-15 13:56:12 -08:00
Clint 7db8d4031e
Add read config endpoint docs (#5790)
* Add read config endpoint docs

* fix response code, remove empty fields from sample response
2018-11-15 11:51:06 -06:00
Yoko 4c6de9f808
Fixing broken link (#5794) 2018-11-15 09:23:05 -08:00
Jim Kalafut d45220159d
Fix incorrect parameter name in docs (#5793)
Fixes https://github.com/hashicorp/vault-plugin-auth-gcp/issues/56
2018-11-14 17:16:04 -08:00
Becca Petrin 8f82809c78
Update docs to match running builtins as plugins (#5727) 2018-11-14 09:17:12 -08:00