Jeff Mitchell
3e7bca82a1
Merge pull request #1146 from hashicorp/step-down
...
Provide 'sys/step-down' and 'vault step-down'
2016-03-03 12:30:08 -05:00
Jeff Mitchell
9bf6c40974
Add default case for if the step down channel is blocked
2016-03-03 12:29:30 -05:00
Jeff Mitchell
9717ca5931
Strip leading paths in policies.
...
It appears to be a common mistake, but they won't ever match.
Fixes #1167
2016-03-03 11:32:48 -05:00
Jeff Mitchell
62f1b3f91c
Remove unneeded sleeps in test code
2016-03-03 11:09:27 -05:00
Jeff Mitchell
9c47b8c0a7
Remove sys_policy from special handling as it's implemented in
...
logical_system too. Clean up the mux handlers.
2016-03-02 14:16:54 -05:00
Jeff Mitchell
b5a8e5d724
Fix commenting
2016-02-29 20:29:04 -05:00
Jeff Mitchell
6a980b88fd
Address review feedback
2016-02-28 21:51:50 -05:00
Jeff Mitchell
11ddd2290b
Provide 'sys/step-down' and 'vault step-down'
...
This endpoint causes the node it's hit to step down from active duty.
It's a noop if the node isn't active or not running in HA mode. The node
will wait one second before attempting to reacquire the lock, to give
other nodes a chance to grab it.
Fixes #1093
2016-02-26 19:43:55 -05:00
Jeff Mitchell
4c87c101f7
Fix tests
2016-02-26 16:44:35 -05:00
vishalnayak
bc4710eb06
Cert: renewal enhancements
2016-02-24 14:31:38 -05:00
Vishal Nayak
fff201014d
Merge pull request #1021 from hashicorp/vault-seal-1006
...
Sealing vault in standby mode
2016-02-03 15:22:16 -05:00
vishalnayak
eeea9710b6
Generalized the error message and updated doc
2016-02-03 15:06:18 -05:00
Jeff Mitchell
63d63e8dbc
Oops, we needed that, but for a different reason than the comment said. So put the test back but fix the comment
2016-02-03 14:05:29 -05:00
Jeff Mitchell
fd4283b430
Remove some unneeded copied logic from passthrough in cubbyhole
2016-02-03 13:57:34 -05:00
Jeff Mitchell
1394555a4d
Add listing of cubbyhole's root to the default policy.
...
This allows `vault list cubbyhole` to behave as expected rather than
requiring `vault list cubbyhole/`. It could be special cased in logic,
but it also serves as a model for the same behavior in e.g. `generic`
mounts where special casing is not possible due to unforeseen mount
paths.
2016-02-03 13:50:47 -05:00
vishalnayak
f5fbd12ac3
Test for seal on standby node
2016-02-03 12:28:01 -05:00
vishalnayak
a10888f1f1
Added comments to changes the error message
2016-02-03 11:35:47 -05:00
vishalnayak
f1facb0f9f
Throw error on sealing vault in standby mode
2016-02-03 10:58:33 -05:00
Jeff Mitchell
ff3adce39e
Make "ttl" reflect the actual TTL of the token in lookup calls.
...
Add a new value "creation_ttl" which holds the value at creation time.
Fixes #986
2016-02-01 11:16:32 -05:00
Jeff Mitchell
d3a705f17b
Make backends much more consistent:
...
1) Use the new LeaseExtend
2) Use default values controlled by mount tuning/system defaults instead
of a random hard coded value
3) Remove grace periods
2016-01-29 20:03:37 -05:00
Jeff Mitchell
dcf844027b
Show entry path in log, not internal view path
2016-01-28 12:34:49 -05:00
Jeff Mitchell
8b9fa042fe
If the path is not correct, don't fail due to existence check, fail due to unsupported path
2016-01-23 14:05:09 -05:00
Jeff Mitchell
12c00b97ef
Allow backends to see taint status.
...
This can be seen via System(). In the PKI backend, if the CA is
reconfigured but not fully (e.g. an intermediate CSR is generated but no
corresponding cert set) and there are already leases (issued certs), the
CRL is unable to be built. As a result revocation fails. But in this
case we don't actually need revocation to be successful since the CRL is
useless after unmounting. By checking taint status we know if we can
simply fast-path out of revocation with a success in this case.
Fixes #946
2016-01-22 17:01:22 -05:00
Jeff Mitchell
9cac7ccd0f
Add some commenting
2016-01-22 10:13:49 -05:00
Jeff Mitchell
3955604d3e
Address more list feedback
2016-01-22 10:07:32 -05:00
Jeff Mitchell
eb847f4e36
Error out if trying to write to a directory path
2016-01-22 10:07:32 -05:00
Jeff Mitchell
be1b4c8a46
Only allow listing on folders and enforce this. Also remove string sorting from Consul backend as it's not a requirement and other backends don't do it.
2016-01-22 10:07:32 -05:00
Jeff Mitchell
e412ac8461
Remove bare option, prevent writes ending in slash, and return an exact file match as "."
2016-01-22 10:07:32 -05:00
Jeff Mitchell
455931873a
Address some review feedback
2016-01-22 10:07:32 -05:00
Jeff Mitchell
5341cb69cc
Updates and documentation
2016-01-22 10:07:32 -05:00
Jeff Mitchell
b2bde47b01
Pull out setting the root token ID; use the new ParseUUID method in
...
go-uuid instead, and revoke if there is an error.
2016-01-19 19:44:33 -05:00
Jeff Mitchell
7a59af7d18
Fix lost code after rebase
2016-01-19 19:19:07 -05:00
Jeff Mitchell
973c888833
RootGeneration->GenerateRoot
2016-01-19 18:28:10 -05:00
Jeff Mitchell
3b994dbc7f
Add the ability to generate root tokens via unseal keys.
2016-01-19 18:28:10 -05:00
Jeff Mitchell
1ac2faa136
Implement existence check for cubbyhole
2016-01-16 19:35:11 -05:00
Jeff Mitchell
b830e29449
Use capabilities rather than policies in default policy. Also add cubbyhole to it.
2016-01-16 18:02:31 -05:00
Jeff Mitchell
9857da207c
Move rekey to its own files for cleanliness
2016-01-14 17:01:04 -05:00
Jeff Mitchell
9c5ad28632
Update deps, and adjust usage of go-uuid to match new return values
2016-01-13 13:40:08 -05:00
Jeff Mitchell
f9bbe0fb04
Use logical operations instead of strings for comparison
2016-01-12 21:16:31 -05:00
Jeff Mitchell
d949043cac
Merge pull request #914 from hashicorp/acl-rework
...
More granular ACL capabilities
2016-01-12 21:11:52 -05:00
Jeff Mitchell
4253299dfe
Store uint32s in radix
2016-01-12 17:24:01 -05:00
Jeff Mitchell
e58705b34c
Cleanup
2016-01-12 17:10:48 -05:00
Jeff Mitchell
87fba5dad0
Convert map to bitmap
2016-01-12 17:08:10 -05:00
Jeff Mitchell
da87d490eb
Add some commenting around create/update
2016-01-12 15:13:54 -05:00
Jeff Mitchell
9db22dcfad
Address some more review feedback
2016-01-12 15:09:16 -05:00
Jeff Mitchell
ce5bd64244
Clean up HelpOperation
2016-01-12 14:34:49 -05:00
Jeff Mitchell
a99787afeb
Don't allow a policy with no name, even though it is a valid slice member
2016-01-08 21:23:40 -05:00
Jeff Mitchell
f6d2271a3c
Use an array of keys so that if the same fingerprint is used none are lost when using PGP key backup
2016-01-08 14:29:23 -05:00
Jeff Mitchell
4f4ddbf017
Create more granular ACL capabilities.
...
This commit splits ACL policies into more fine-grained capabilities.
This both drastically simplifies the checking code and makes it possible
to support needed workflows that are not possible with the previous
method. It is backwards compatible; policies containing a "policy"
string are simply converted to a set of capabilities matching previous
behavior.
Fixes #724 (and others).
2016-01-08 13:05:14 -05:00
Jeff Mitchell
f3ce90164f
WriteOperation -> UpdateOperation
2016-01-08 13:03:03 -05:00