adb65bd0f2
* VAULT-6615 Update docs for 1.12 quota changes * VAULT-6615 Add info about globbing * VAULT-6615 some small updates for role param * Update website/content/docs/enterprise/lease-count-quotas.mdx Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com> * Update website/content/api-docs/system/lease-count-quotas.mdx Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com> Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
60 lines
2.8 KiB
Plaintext
60 lines
2.8 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: Vault Enterprise Lease Count Quotas
|
|
description: |-
|
|
Vault Enterprise features a mechanism to create lease count quotas.
|
|
---
|
|
|
|
# Lease Count Quotas
|
|
|
|
Vault features an extension to resource quotas that allows operators to enforce
|
|
limits on how many leases are created. For a given lease count quota, if the
|
|
number of leases in the cluster hits the configured limit, `max_leases`, additional
|
|
lease creations will be forbidden for all clients until a lease has been revoked
|
|
or has expired.
|
|
|
|
It is important to note that lease count quotas do not apply to the root tokens.
|
|
If the number of leases in the cluster hits the configured limit, `max_leases`,
|
|
an operator could still create a root token and access the cluster to try to recover.
|
|
|
|
Additionally, batch token creation is blocked when the lease count quota is
|
|
exceeded, but batch tokens do not count towards the quota.
|
|
|
|
All the nodes in the Vault cluster will share the lease quota rules, meaning that
|
|
the lease counters will be shared, regardless of which node in the Vault cluster
|
|
receives lease generation requests. Lease quotas can be imposed across Vault's API,
|
|
or scoped down to API pertaining to specific namespaces or specific mounts.
|
|
|
|
A quota that is defined in the `root` namespace with no specified path is inherited by all namespaces.
|
|
Essentially, it applies to the entire Vault API unless a more specific quota has been defined
|
|
for a specific API path.
|
|
|
|
Lease count quotas defined on a namespace take precedence over the global
|
|
quotas. Lease count quotas defined for a mount will take precedence over global
|
|
and namespace quotas. Lease count quotas defined for a specific path will take precedence
|
|
over global, namespace, and mount quotas. Lease count quotas defined with a login role for
|
|
a specific auth mount will take precedence over every other quota when applying to
|
|
login requests using that auth method and the specified role.
|
|
|
|
The limits on quotas can either be increased or decreased. If a lower precedence quota
|
|
is very restrictive and if it is desired to relax the limits in one namespace,
|
|
or on a specific mount, it can be done using this precedence model. On the
|
|
other hand, if a lower precedence quota is very liberal and if it is desired to
|
|
further restrict usages in a specific namespace or mount, that can be done
|
|
using the precedence model too.
|
|
|
|
Vault also allows the inspection into the state of lease count quotas in a Vault
|
|
cluster through various [metrics](/docs/internals/telemetry#Resource-Quota-Metrics)
|
|
exposed and through enabling optional audit logging.
|
|
|
|
## Tutorial
|
|
|
|
Refer to [Protecting Vault with Resource
|
|
Quotas](https://learn.hashicorp.com/vault/security/resource-quotas) for a
|
|
step-by-step tutorial.
|
|
|
|
## API
|
|
|
|
Lease count quotas can be managed over the HTTP API. Please see
|
|
[Lease Count Quotas API](/api-docs/system/lease-count-quotas) for more details.
|