luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity
open-vault/website/source/docs/configuration/storage/zookeeper.html.md
Jeff Escalante a3dfde5cec New Docs Website (#5535) 
* conversion stage 1

* correct image paths

* add sidebar title to frontmatter

* docs/concepts and docs/internals

* configuration docs and multi-level nav corrections

* commands docs, index file corrections, small item nav correction

* secrets converted

* auth

* add enterprise and agent docs

* add extra dividers

* secret section, wip

* correct sidebar nav title in front matter for apu section, start working on api items

* auth and backend, a couple directory structure fixes

* remove old docs

* intro side nav converted

* reset sidebar styles, add hashi-global-styles

* basic styling for nav sidebar

* folder collapse functionality

* patch up border length on last list item

* wip restructure for content component

* taking middleman hacking to the extreme, but its working

* small css fix

* add new mega nav

* fix a small mistake from the rebase

* fix a content resolution issue with middleman

* title a couple missing docs pages

* update deps, remove temporary markup

* community page

* footer to layout, community page css adjustments

* wip downloads page

* deps updated, downloads page ready

* fix community page

* homepage progress

* add components, adjust spacing

* docs and api landing pages

* a bunch of fixes, add docs and api landing pages

* update deps, add deploy scripts

* add readme note

* update deploy command

* overview page, index title

* Update doc fields

Note this still requires the link fields to be populated -- this is solely related to copy on the description fields

* Update api_basic_categories.yml

Updated API category descriptions. Like the document descriptions you'll still need to update the link headers to the proper target pages.

* Add bottom hero, adjust CSS, responsive friendly

* Add mega nav title

* homepage adjustments, asset boosts

* small fixes

* docs page styling fixes

* meganav title

* some category link corrections

* Update API categories page

updated to reflect the second level headings for api categories

* Update docs_detailed_categories.yml

Updated to represent the existing docs structure

* Update docs_detailed_categories.yml

* docs page data fix, extra operator page remove

* api data fix

* fix makefile

* update deps, add product subnav to docs and api landing pages

* Rearrange non-hands-on guides to _docs_

Since there is no place for these on learn.hashicorp, we'll put them
under _docs_.

* WIP Redirects for guides to docs

* content and component updates

* font weight hotfix, redirects

* fix guides and intro sidenavs

* fix some redirects

* small style tweaks

* Redirects to learn and internally to docs

* Remove redirect to `/vault`

* Remove `.html` from destination on redirects

* fix incorrect index redirect

* final touchups

* address feedback from michell for makefile and product downloads
2018-10-19 08:40:11 -07:00

5.1 KiB
Raw Blame History

layout page_title sidebar_title sidebar_current description
docs Zookeeper - Storage Backends - Configuration Zookeeper docs-configuration-storage-zookeeper The Zookeeper storage backend is used to persist Vault's data in Zookeeper.

Zookeeper Storage Backend

The Zookeeper storage backend is used to persist Vault's data in Zookeeper.

  • High Availability the Zookeeper storage backend supports high availability.

  • Community Supported the Zookeeper storage backend is supported by the community. While it has undergone review by HashiCorp employees, they may not be as knowledgeable about the technology. If you encounter problems with them, you may be referred to the original author.

storage "zookeeper" {
  address = "localhost:2181"
  path    = "vault/"
}

zookeeper Parameters

  • address (string: "localhost:2181") Specifies the addresses of the Zookeeper instances as a comma-separated list.

  • path (string: "vault/") Specifies the path in Zookeeper where data will be stored.

The following optional settings can be used to configure zNode ACLs:

~> Warning! If neither auth_info nor znode_owner are set, the backend will not authenticate with Zookeeper and will set the OPEN_ACL_UNSAFE ACL on all nodes. In this scenario, anyone connected to Zookeeper could change Vaults znodes and, potentially, take Vault out of service.

  • auth_info (string: "") Specifies an authentication string in Zookeeper AddAuth format. For example, digest:UserName:Password could be used to authenticate as user UserName using password Password with the digest mechanism.

  • znode_owner (string: "") If specified, Vault will always set all permissions (CRWDA) to the ACL identified here via the Schema and User parts of the Zookeeper ACL format. The expected format is schema:user-ACL-match, for example:

    # Access for user "UserName" with corresponding digest "HIDfRvTv623G=="
digest:UserName:HIDfRvTv623G==

    # Access from localhost only
ip:127.0.0.1

    # Access from any host on the 70.95.0.0 network (Zookeeper 3.5+)
ip:70.95.0.0/16

  • tls_enabled (bool: false) Specifies if TLS communication with the Zookeeper backend has to be enabled.

  • tls_ca_file (string: "") Specifies the path to the CA certificate file used for Zookeeper communication. Multiple CA certificates can be provided in the same file.

  • tls_cert_file (string: "") (optional) Specifies the path to the client certificate for Zookeeper communication.

  • tls_key_file (string: "") Specifies the path to the private key for Zookeeper communication.

  • tls_min_version (string: "tls12") Specifies the minimum TLS version to use. Accepted values are "tls10", "tls11" or "tls12".

  • tls_skip_verify (bool: false) Specifies if the TLS host verification should be disabled. It is highly discouraged that you disable this option.

  • tls_verify_ip (bool: false) - This property comes into play only when 'tls_skip_verify' is set to false. When 'tls_verify_ip' is set to 'true', the zookeeper server's IP is verified in the presented certificates CN/SAN entry. When set to 'false' the server's DNS name is verified in the certificates CN/SAN entry.

zookeeper Examples

Custom Address and Path

This example shows configuring Vault to communicate with a Zookeeper installation running on a custom port and to store data at a custom path.

storage "zookeeper" {
  address = "localhost:3253"
  path    = "my-vault-data/"
}

zNode Vault User Only

This example instructs Vault to set an ACL on all of its zNodes which permit access only to the user "vaultUser". As per Zookeeper's ACL model, the digest value in znode_owner must match the user in znode_owner.

storage "zookeeper" {
  znode_owner = "digest:vaultUser:raxgVAfnDRljZDAcJFxznkZsExs="
  auth_info   = "digest:vaultUser:abc"
}

zNode Localhost Only

This example instructs Vault to only allow access from localhost. As this is the ip no auth_info is required since Zookeeper uses the address of the client for the ACL check.

storage "zookeeper" {
  znode_owner = "ip:127.0.0.1"
}

zNode connection over TLS.

This example instructs Vault to connect to Zookeeper using the provided TLS configuration. The host verification will happen with the presented certificate using the servers IP because 'tls_verify_ip' is set to true.

storage "zookeeper" {
  address = "host1.com:5200,host2.com:5200,host3.com:5200"
  path = "vault_path_on_zk/"
  znode_owner = "digest:vault_user:digestvalueforpassword="
  auth_info = "digest:vault_user:thisisthepassword"
  redirect_addr = "http://localhost:8200"
  tls_verify_ip = "true"
  tls_enabled= "true"
  tls_min_version= "tls12"
  tls_cert_file = "/path/to/the/cert/file/zkcert.pem"
  tls_key_file = "/path/to/the/key/file/zkkey.pem"
  tls_skip_verify= "false"
  tls_ca_file= "/path/to/the/ca/file/ca.pem"
}