Commit graph

6473 commits

Author SHA1 Message Date
Calvin Leung Huang 73fd103456 Update gcp auth backend docs (#3209)
* Update gcp auth backend docs

* Minor formatting and wording fixes

* Minor formatting fixes
2017-08-18 16:25:52 -04:00
Seth Vargo 51d8e5ff86 Do not revoke SSH key (#3208)
There is no secret to revoke - this produces an error on the CLI
2017-08-18 15:44:20 -04:00
Seth Vargo da7bc1f029
Update CHANGELOG 2017-08-18 13:02:38 -04:00
Seth Vargo 06df9a32a5 Merge pull request #3194 from hashicorp/sethvargo/ssh_ca_login
Add SSH CLI CA type authentication
2017-08-18 12:59:33 -04:00
Seth Vargo 2e3a9ebd06
Add host key checking for SSH CA 2017-08-18 12:59:09 -04:00
Seth Vargo 89cffaf25e
Revoke temporary cred after creation, update warning
/cc @vishalnayak
2017-08-18 12:59:09 -04:00
Seth Vargo 430fc22023
Initial pass at SSH CLI CA type authentication
1. The current implementation of the SSH command is heavily tied to the
assumptions of OTP/dynamic key types. The SSH CA backend is
fundamentally a different approach to login and authentication. As a
result, there was some restructuring of existing methods to share more
code and state.

2. Each authentication method (ca, otp, dynamic) are now fully-contained
in their own handle* function.

3. -mode and -role are going to be required for SSH CA, and I don't
think the magical UX (and overhead) of guessing them is a good UX. It's
confusing as to which role and how Vault guesses. We can reduce 66% of
the API calls and add more declaration to the CLI by making -mode and
-role required. This commit adds warnings for that deprecation, but
these values are both required for CA type authentication.

4. The principal and extensions are currently fixed, and I personally
believe that's good enough for the first pass at this. Until we
understand what configuration options users will want, I think we should
ship with all the local extensions enabled. Users who don't want that
can generate the key themselves directly (current behavior) or submit
PRs to make the map of extensions customizable.

5. Host key checking for the CA backend is not currently implemented.
It's not strictly required at setup, so I need to think about whether it
belongs here.

This is not ready for merge, but it's ready for early review.
2017-08-18 12:59:08 -04:00
Seth Vargo ae5996a737
Add SignKey endpoint for SSH API client 2017-08-18 12:59:08 -04:00
Paulo Ribeiro ba98b60e41 Fix typo in AppRole API page (#3207) 2017-08-18 10:46:29 -04:00
Seth Vargo e2e386784f Merge pull request #3200 from macInfinity/patch-1
Update policies.html.md
2017-08-17 18:35:41 -04:00
Chris Maki 7b5978634f Update policies.html.md
Using the latest vault release, I was getting the following error when the policy used `write`:

Error: Error making API request.

URL: PUT http://0.0.0.0:8200/v1/sys/policy/secret
Code: 400. Errors:

* Failed to parse policy: path "secret/*": invalid capability 'write'

I think `create` is the correct new Capability.
2017-08-17 12:26:29 -07:00
Seth Vargo 6f4bd86be0
YAML is literally the worst 2017-08-17 11:42:47 -04:00
Seth Vargo 0ffe86963c
Update news 2017-08-17 11:34:22 -04:00
Seth Vargo 4beb12fc88 Merge pull request #3166 from hashicorp/sethvargo/ssh_ca_expanse
Refactor SSH CA backend docs
2017-08-16 18:39:19 -04:00
Seth Vargo b4bec62d47
Typo fix 2017-08-16 18:38:35 -04:00
Seth Vargo 7b1e013511
Refactor SSH CA backend docs 2017-08-16 18:38:35 -04:00
Calvin Leung Huang ea6a1382ff Improve auth-enable output for plugin backends (#3189)
* Improve auth-enable output for plugin backends

* Unquote authType on final output
2017-08-16 14:31:16 -04:00
Brian Kassouf 406396603a Fix a few links (#3188) 2017-08-16 10:27:12 -07:00
Jeff Mitchell bbcbe1f6d5 Fix ping docs location 2017-08-16 12:57:31 -04:00
Jeff Mitchell 908ce09161
Cut version 0.8.1 2017-08-16 12:41:35 -04:00
Jeff Mitchell 411419cbf8 plugins/backend/reload -> plugins/reload/backend (#3186) 2017-08-16 12:40:38 -04:00
Calvin Leung Huang ae75e39c44 Fix plugin docs (#3185)
* Fix plugin docs

* Add plugin_name to auth endpoint
2017-08-16 12:36:46 -04:00
Jeff Mitchell 8a168cd0a0 Bump version for release 2017-08-16 11:55:06 -04:00
Jeff Mitchell f7ac55efc9 Bump go-plugin dep 2017-08-16 11:41:06 -04:00
Jeff Mitchell 4dc55474e6 Remove erroneous flag from hmac docs 2017-08-16 11:27:39 -04:00
Jeff Mitchell c34a5b2e93 * Add ability to specify a plugin dir in dev mode (#3184)
* Change (with backwards compatibility) sha_256 to sha256 for plugin
registration
2017-08-16 11:17:50 -04:00
Jeff Mitchell c5918ff79b Add gcp auth backend (#3183) 2017-08-16 10:31:34 -04:00
Calvin Leung Huang f4dbc796f2 changelog++ 2017-08-15 22:21:42 -04:00
Calvin Leung Huang 86ea7e945d Add plugin auto-reload capability (#3171)
* Add automatic plugin reload

* Refactor builtin/backend

* Remove plugin reload at the core level

* Refactor plugin tests

* Add auto-reload test case

* Change backend to use sync.RWMutex, fix dangling test plugin processes

* Add a canary to plugin backends to avoid reloading many times (#3174)

* Call setupPluginCatalog before mount-related operations in postUnseal

* Don't create multiple system backends since core only holds a reference (#3176)

to one.
2017-08-15 22:10:32 -04:00
Jeff Mitchell 102848b30a changelog++ 2017-08-15 22:07:39 -04:00
Jeff Mitchell 87be043a05 changelog++ 2017-08-15 22:05:40 -04:00
emily 31a994e452 Initial GCP auth backend documentation (#3167) 2017-08-15 22:03:04 -04:00
Jeff Mitchell 0c2c078e48 Add PingID MFA docs (#3182) 2017-08-15 22:01:34 -04:00
Jeff Mitchell 7fe115fcf6 changelog++ 2017-08-15 21:48:33 -04:00
Jeff Mitchell fed9d8a2ab changelog++ 2017-08-15 21:28:58 -04:00
Jeff Mitchell 83cd8cd26a Add the ability to use root credentials for AWS IAM authentication. (#3181)
Partial fix for #3179
2017-08-15 21:26:16 -04:00
Seth Vargo f8922bf674 Update help output (spaces instead of tabs) (#3178) 2017-08-15 21:21:30 -04:00
Brian Kassouf 89b81bcb4c Oracle plugin docs (#3131)
* Add oracle database docs

* Add oracle database docs

* Fix commas in json output

* Update oracle.html.md
2017-08-15 17:24:01 -07:00
Seth Vargo c1e6e0bdf2 Use SSHPASS envvar instead of -p for sshpass (#3177)
From the sshpass manpage:

> The -p option should be considered the least secure of all of sshpass's options. All system users can see the password in the command line with a simple "ps" command. Sshpass makes a minimal attempt to hide the password, but such attempts are doomed to create race conditions without actually solving the problem. Users of sshpass are encouraged to use one of the other password passing techniques, which are all more secure.

This PR changes the sshpass behavior to execute a subprocess with the
SSHPASS envvar (which is generally regarded as more secure) than using
the -p option.
2017-08-15 19:43:39 -04:00
Jeff Mitchell 48bf1d6edc Add core sealing to test cluster shutdown 2017-08-15 17:06:38 -04:00
Jeff Mitchell e30b1057df changelog++ 2017-08-15 16:45:02 -04:00
Jeff Mitchell c864c0bad5 Return 500 if existence check fails, not 400 (#3173)
Fixes #3162
2017-08-15 16:44:16 -04:00
Jeff Mitchell aa4e4b90ff changelog++ 2017-08-15 16:17:42 -04:00
Jeff Mitchell 340fe4e609 Add permitted dns domains to pki (#3164) 2017-08-15 16:10:36 -04:00
Jeff Mitchell 64f9b9f43b Bump go-plugin version 2017-08-15 16:06:56 -04:00
Jeff Mitchell f154a244c8 changelog++ 2017-08-15 14:01:42 -04:00
Jeff Mitchell e4eb6e9020 Make PKI root generation idempotent-ish and add delete endpoint. (#3165) 2017-08-15 14:00:40 -04:00
vishalnayak 8902240dfa Added persona to logical auth 2017-08-15 13:55:58 -04:00
Calvin Leung Huang b023d46cb8 Direct plugin logs through vault's logger (#3142)
* Direct plugin logs through vault's logger

* Pass in a logger in testConfig
2017-08-15 10:16:48 -04:00
Andy Manoske bc7d77c83f Update index.html.md
Updated replication docs for DR
2017-08-14 19:02:02 -07:00