Commit graph

5067 commits

Author SHA1 Message Date
Vishal Nayak 6e9bffade5 Merge pull request #1967 from hashicorp/mysql-revoke-sql
Refactor mysql's revoke SQL
2016-10-04 20:01:54 -04:00
vishalnayak 2b760d5bb7 changelog++ 2016-10-04 19:47:37 -04:00
vishalnayak de5dec6b15 Refactor mysql's revoke SQL 2016-10-04 19:30:25 -04:00
Vishal Nayak 1ab7023483 Merge pull request #1914 from jpweber/mysql-revoke
Mysql revoke with non-wildcard hosts
2016-10-04 17:44:15 -04:00
Jim Weber 87f206b536 removed an unused ok variable. Added warning and force use for default queries if role is nil 2016-10-04 17:15:29 -04:00
vishalnayak 40f4b4647f changelog++ 2016-10-04 16:18:47 -04:00
Pawel Rozlach 41ade15f73 Fix file backend so that it properly removes nested secrets.
This patch makes file backend properly remove nested secrets, without leaving
empty directory artifacts, no matter how nested directories were.
2016-10-04 21:56:12 +02:00
Pawel Rozlach 44b4704cfa Fix zookeeper backend so that properly deletes/lists secrets.
This patch fixes two bugs in Zookeeper backends:
 * backend was determining if the node is a leaf or not basing on the number
   of the childer given node has. This is incorrect if you consider the fact
   that deleteing nested node can leave empty prefixes/dirs behind which have
   neither children nor data inside. The fix changes this situation by testing
   if the node has any data set - if not then it is not a leaf.
 * zookeeper does not delete nodes that do not have childern just like consul
   does and this leads to leaving empty nodes behind. In order to fix it, we
   scan the logical path of a secret being deleted for empty dirs/prefixes and
   remove them up until first non-empty one.
2016-10-04 21:56:12 +02:00
Pawel Rozlach 68fc52958d Add tests for nested/prefixed secrets removal.
Current tests were not checking if backends are properly removing
nested secrets. We follow here the behaviour of Consul backend, where
empty "directories/prefixes" are automatically removed by Consul itself.
2016-10-04 21:55:33 +02:00
Vishal Nayak 661a8a4734 Merge pull request #1961 from hashicorp/aws-ec2-auth-rsa-signature
aws-ec2-auth using identity doc and RSA digest
2016-10-04 15:45:12 -04:00
vishalnayak 0f8c132ede Minor doc updates 2016-10-04 15:46:09 -04:00
vishalnayak 2e1aa80f31 Address review feedback 2 2016-10-04 15:30:42 -04:00
vishalnayak 59475d7f14 Address review feedback 2016-10-04 15:05:44 -04:00
Vishal Nayak 4141b632fa Merge pull request #1957 from hashicorp/website-list-userpass
Added user listing endpoint to userpass docs
2016-10-04 14:10:49 -04:00
Jim Weber cc38f3253a fixed an incorrect assignment 2016-10-03 21:51:40 -04:00
vishalnayak 348a09e05f Add only relevant certificates 2016-10-03 20:34:28 -04:00
vishalnayak dbd364453e aws-ec2 config endpoints support type option to distinguish certs 2016-10-03 20:25:07 -04:00
Jim Weber ac78ddc178 More resilient around cases of missing role names and using the default when needed. 2016-10-03 20:20:00 -04:00
vishalnayak b105f8ccf3 Authenticate aws-ec2 instances using identity document and its RSA signature 2016-10-03 18:57:41 -04:00
Vishal Nayak 5fb6758538 Merge pull request #1960 from hashicorp/atlas-listener-docs
document the atlas listener
2016-10-03 16:13:32 -04:00
Matthew Irish 61975f4265 add documentation for cluster_name and link atlas listener docs 2016-10-03 15:04:33 -05:00
Jim Weber 0a7f1089ca Refactored logic some to make sure we can always fall back to default revoke statments
Changed rolename to role
made default sql revoke statments a const
2016-10-03 15:59:56 -04:00
Jim Weber 704fccaf2e fixed some more issues I had with the tests. 2016-10-03 15:58:09 -04:00
Jim Weber a2d6624a69 renamed rolname to role 2016-10-03 15:57:47 -04:00
Jim Weber 7ab1092c7c Removed file that should not have been added in the first place. 2016-10-03 14:53:22 -04:00
Jim Weber bfb0c2d3ff Reduced duplicated code and fixed comments and simple variable name mistakes 2016-10-03 14:53:05 -04:00
Matthew Irish 34a6abcbb6 document the atlas listener 2016-10-03 10:41:50 -05:00
Jim Weber bb70ecc5a7 Added test for revoking mysql user with wild card host and non-wildcard host 2016-10-02 22:28:54 -04:00
Jim Weber dbb00534d9 saving role name to the Secret Internal data. Default revoke query added
The rolename is now saved to the secret internal data for fetching
later during the user revocation process. No longer deriving the role
name from request path

Added support for default revoke SQL statements that will provide the
same functionality as before. If not revoke SQL statements are provided
the default statements are used.

Cleaned up personal ignores from the .gitignore file
2016-10-02 18:53:16 -04:00
Jeff Mitchell 8cfcbd7943 changelog++ 2016-10-02 14:55:48 -04:00
Jeff Mitchell 2c85fdfeb9 Switch default case of disable cluster. (#1959) 2016-10-02 14:54:01 -04:00
Jeff Mitchell 86b9349d2b changelog++ 2016-10-02 13:29:52 -04:00
vishalnayak aef1a88de4 Added docs for reading and deleting username 2016-09-30 16:13:57 -04:00
vishalnayak 2ad698ec0b Added user listing endpoint to userpass docs 2016-09-30 15:47:33 -04:00
Jeff Mitchell 606d717ad9 Update changelog and website for GH-1958 2016-09-30 15:08:38 -04:00
Jeff Mitchell 6d00f0c483 Adds HUP support for audit log files to close and reopen. (#1953)
Adds HUP support for audit log files to close and reopen. This makes it
much easier to deal with normal log rotation methods.

As part of testing this I noticed that HUP and other items that come out
of command/server.go are going to stderr, which is where our normal log
lines go. This isn't so much problematic with our normal output but as
we officially move to supporting other formats this can cause
interleaving issues, so I moved those to stdout instead.
2016-09-30 12:04:50 -07:00
Jeff Mitchell 16991d823e Bump deps 2016-09-30 09:50:46 -04:00
Jeff Mitchell 85315ff188 Rejig where the reload functions live 2016-09-30 00:07:22 -04:00
Jeff Mitchell 4a505bfa3e Update text around cubbyhole/response 2016-09-29 17:44:15 -04:00
Vishal Nayak 47796eac7e Merge pull request #1952 from stevenscg/stevenscg-docs-mysql-connection
Docs/Website: MySQL config parameter should be "verify_connection"
2016-09-29 15:25:38 -04:00
Chris Stevens 7a8fcfcf55 Docs/Website: MySQL config parameter "verify-connection" should be "verify_connection"
The only instance of `verify-connection` I can find is on this docs page. The API style for parameters is underscores, so this one stands out.

The code for this and the other backends with similar connection verification features seem to use `verify_connection`.
2016-09-29 14:05:47 -05:00
Jeff Mitchell 5657789627 Audit unwrapped response (#1950) 2016-09-29 12:03:47 -07:00
vishalnayak eb8f449a61 changelog++ 2016-09-29 11:43:48 -04:00
Vishal Nayak 4c74b646fe Merge pull request #1947 from hashicorp/secret-id-lookup-delete
Introduce lookup and destroy endpoints for secret IDs and its accessors
2016-09-29 10:19:54 -04:00
Jeff Mitchell abdfd3f161 changelog++ 2016-09-29 00:03:50 -04:00
Jeff Mitchell b45a481365 Wrapping enhancements (#1927) 2016-09-28 21:01:28 -07:00
vishalnayak 34e76f8b41 Added website docs for lookup and destroy APIs 2016-09-28 22:11:48 -04:00
vishalnayak d20819949c Make secret-id reading and deleting, a POST op instead of GET 2016-09-28 20:22:37 -04:00
Vishal Nayak c474af7d24 Merge pull request #1945 from zendesk/update_iam_documentation
Update documentation for required AWS API permissions
2016-09-28 19:53:52 -04:00
Michael S. Fischer 2dd1f584e6 Update documentation for required AWS API permissions
In order for Vault to map IAM instance profiles to roles, Vault
must query the 'iam:GetInstanceProfile' API, so update the documentation
and help to include the additional permissions needed.
2016-09-28 16:50:20 -07:00