Commit graph

7 commits

Author SHA1 Message Date
Jeff Mitchell cd86226845 Add forced revocation.
In some situations, it can be impossible to revoke leases (for instance,
if someone has gone and manually removed users created by Vault). This
can not only cause Vault to cycle trying to revoke them, but it also
prevents mounts from being unmounted, leaving them in a tainted state
where the only operations allowed are to revoke (or rollback), which
will never successfully complete.

This adds a new endpoint that works similarly to `revoke-prefix` but
ignores errors coming from a backend upon revocation (it does not ignore
errors coming from within the expiration manager, such as errors
accessing the data store). This can be used to force Vault to abandon
leases.

Like `revoke-prefix`, this is a very sensitive operation and requires
`sudo`. It is implemented as a separate endpoint, rather than an
argument to `revoke-prefix`, to ensure that control can be delegated
appropriately, as even most administrators should not normally have
this privilege.

Fixes #1135
2016-03-03 10:13:59 -05:00
Mitchell Hashimoto 0cc0fb066b command/renew 2015-04-13 20:42:07 -07:00
Mitchell Hashimoto 214218a993 api: RevokePrefix 2015-03-31 19:23:52 -07:00
Mitchell Hashimoto bbaa137f4e command/revoke: revoke 2015-03-31 19:21:02 -07:00
Mitchell Hashimoto c0ede206bb api: use /v1 prefix 2015-03-13 12:53:08 -07:00
Mitchell Hashimoto 88ed41abc2 api: lease renew should parse the secret 2015-03-11 19:48:32 -05:00
Mitchell Hashimoto 39884c7bde api: secret parsing and leasing 2015-03-11 19:48:31 -05:00