b55303eddb
* Add priority queue to sdk * fix issue of storing pointers and now copy * update to use copy structure * Remove file, put Item struct def. into other file * add link * clean up docs * refactor internal data structure to hide heap method implementations. Other cleanup after feedback * rename PushItem and PopItem to just Push/Pop, after encapsulating the heap methods * updates after feedback * refactoring/renaming * guard against pushing a nil item * minor updates after feedback * Add SetCredentials, GenerateCredentials gRPC methods to combined database backend gPRC * Initial Combined database backend implementation of static accounts and automatic rotation * vendor updates * initial implementation of static accounts with Combined database backend, starting with PostgreSQL implementation * add lock and setup of rotation queue * vendor the queue * rebase on new method signature of queue * remove mongo tests for now * update default role sql * gofmt after rebase * cleanup after rebasing to remove checks for ErrNotFound error * rebase cdcr-priority-queue * vendor dependencies with 'go mod vendor' * website database docs for Static Role support * document the rotate-role API endpoint * postgres specific static role docs * use constants for paths * updates from review * remove dead code * combine and clarify error message for older plugins * Update builtin/logical/database/backend.go Co-Authored-By: Jim Kalafut <jim@kalafut.net> * cleanups from feedback * code and comment cleanups * move db.RLock higher to protect db.GenerateCredentials call * Return output with WALID if we failed to delete the WAL * Update builtin/logical/database/path_creds_create.go Co-Authored-By: Jim Kalafut <jim@kalafut.net> * updates after running 'make fmt' * update after running 'make proto' * Update builtin/logical/database/path_roles.go Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com> * Update builtin/logical/database/path_roles.go Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com> * update comment and remove and rearrange some dead code * Update website/source/api/secret/databases/index.html.md Co-Authored-By: Jim Kalafut <jim@kalafut.net> * cleanups after review * Update sdk/database/dbplugin/grpc_transport.go Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com> * code cleanup after feedback * remove PasswordLastSet; it's not used * document GenerateCredentials and SetCredentials * Update builtin/logical/database/path_rotate_credentials.go Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com> * wrap pop and popbykey in backend methods to protect against nil cred rotation queue * use strings.HasPrefix instead of direct equality check for path * Forgot to commit this * updates after feedback * re-purpose an outdated test to now check that static and dynamic roles cannot share a name * check for unique name across dynamic and static roles * refactor loadStaticWALs to return a map of name/setCredentialsWAL struct to consolidate where we're calling set credentials * remove commented out code * refactor to have loadstaticwals filter out wals for roles that no longer exist * return error if nil input given * add nil check for input into setStaticAccount * Update builtin/logical/database/path_roles.go Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com> * add constant for queue tick time in seconds, used for comparrison in updates * Update builtin/logical/database/path_roles.go Co-Authored-By: Jim Kalafut <jim@kalafut.net> * code cleanup after review * remove misplaced code comment * remove commented out code * create a queue in the Factory method, even if it's never used * update path_roles to use a common set of fields, with specific overrides for dynamic/static roles by type * document new method * move rotation things into a specific file * rename test file and consolidate some static account tests * Update builtin/logical/database/path_roles.go Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com> * Update builtin/logical/database/rotation.go Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com> * Update builtin/logical/database/rotation.go Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com> * Update builtin/logical/database/rotation.go Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com> * Update builtin/logical/database/rotation.go Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com> * Update builtin/logical/database/rotation.go Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com> * update code comments, method names, and move more methods into rotation.go * update comments to be capitalized * remove the item from the queue before we try to destroy it * findStaticWAL returns an error * use lowercase keys when encoding WAL entries * small cleanups * remove vestigial static account check * remove redundant DeleteWAL call in populate queue * if we error on loading role, push back to queue with 10 second backoff * poll in initqueue to make sure the backend is setup and can write/delete data * add revoke_user_on_delete flag to allow users to opt-in to revoking the static database user on delete of the Vault role. Default false * add code comments on read-only loop * code comment updates * re-push if error returned from find static wal * add locksutil and acquire locks when pop'ing from the queue * grab exclusive locks for updating static roles * Add SetCredentials and GenerateCredentials stubs to mockPlugin * add a switch in initQueue to listen for cancelation * remove guard on zero time, it should have no affect * create a new context in Factory to pass on and use for closing the backend queue * restore master copy of vendor dir
117 lines
2.5 KiB
Protocol Buffer
117 lines
2.5 KiB
Protocol Buffer
syntax = "proto3";
|
|
|
|
option go_package = "github.com/hashicorp/vault/sdk/database/dbplugin";
|
|
|
|
package dbplugin;
|
|
|
|
import "google/protobuf/timestamp.proto";
|
|
|
|
message InitializeRequest {
|
|
option deprecated = true;
|
|
bytes config = 1;
|
|
bool verify_connection = 2;
|
|
}
|
|
|
|
message InitRequest {
|
|
bytes config = 1;
|
|
bool verify_connection = 2;
|
|
}
|
|
|
|
message CreateUserRequest {
|
|
Statements statements = 1;
|
|
UsernameConfig username_config = 2;
|
|
google.protobuf.Timestamp expiration = 3;
|
|
}
|
|
|
|
message RenewUserRequest {
|
|
Statements statements = 1;
|
|
string username = 2;
|
|
google.protobuf.Timestamp expiration = 3;
|
|
}
|
|
|
|
message RevokeUserRequest {
|
|
Statements statements = 1;
|
|
string username = 2;
|
|
}
|
|
|
|
message RotateRootCredentialsRequest {
|
|
repeated string statements = 1;
|
|
}
|
|
|
|
message Statements {
|
|
// DEPRECATED, will be removed in 0.12
|
|
string creation_statements = 1 [deprecated=true];
|
|
// DEPRECATED, will be removed in 0.12
|
|
string revocation_statements = 2 [deprecated=true];
|
|
// DEPRECATED, will be removed in 0.12
|
|
string rollback_statements = 3 [deprecated=true];
|
|
// DEPRECATED, will be removed in 0.12
|
|
string renew_statements = 4 [deprecated=true];
|
|
|
|
repeated string creation = 5;
|
|
repeated string revocation = 6;
|
|
repeated string rollback = 7;
|
|
repeated string renewal = 8;
|
|
repeated string rotation = 9;
|
|
}
|
|
|
|
message UsernameConfig {
|
|
string DisplayName = 1;
|
|
string RoleName = 2;
|
|
}
|
|
|
|
message InitResponse {
|
|
bytes config = 1;
|
|
}
|
|
|
|
message CreateUserResponse {
|
|
string username = 1;
|
|
string password = 2;
|
|
}
|
|
|
|
message TypeResponse {
|
|
string type = 1;
|
|
}
|
|
|
|
message RotateRootCredentialsResponse {
|
|
bytes config = 1;
|
|
}
|
|
|
|
message Empty {}
|
|
|
|
message GenerateCredentialsResponse {
|
|
string password = 1;
|
|
}
|
|
|
|
message StaticUserConfig{
|
|
string username = 1;
|
|
string password = 2;
|
|
bool create = 3;
|
|
}
|
|
|
|
message SetCredentialsRequest {
|
|
Statements statements = 1;
|
|
StaticUserConfig static_user_config = 2;
|
|
}
|
|
|
|
message SetCredentialsResponse {
|
|
string username = 1;
|
|
string password = 2;
|
|
}
|
|
|
|
service Database {
|
|
rpc Type(Empty) returns (TypeResponse);
|
|
rpc CreateUser(CreateUserRequest) returns (CreateUserResponse);
|
|
rpc RenewUser(RenewUserRequest) returns (Empty);
|
|
rpc RevokeUser(RevokeUserRequest) returns (Empty);
|
|
rpc RotateRootCredentials(RotateRootCredentialsRequest) returns (RotateRootCredentialsResponse);
|
|
rpc Init(InitRequest) returns (InitResponse);
|
|
rpc Close(Empty) returns (Empty);
|
|
rpc SetCredentials(SetCredentialsRequest) returns (SetCredentialsResponse);
|
|
rpc GenerateCredentials(Empty) returns (GenerateCredentialsResponse);
|
|
|
|
rpc Initialize(InitializeRequest) returns (Empty) {
|
|
option deprecated = true;
|
|
};
|
|
}
|