From 010575cb6008a21ab35ec7ec5a37db3cfb98af35 Mon Sep 17 00:00:00 2001 
From: Chris Hoffman Date: Fri, 15 Sep 2017 09:02:29 -0400 Subject: [PATCH] Rename "generic" secret backend to "kv" (#3292) --- api/renewer_integration_test.go | 2 +- command/mount_test.go | 42 ++++++++++- command/remount.go | 2 +- command/remount_test.go | 6 +- command/server.go | 10 +-- http/handler_test.go | 8 +- http/sys_mount_test.go | 74 +++++++++---------- http/sys_mounts_test.go | 4 +- vault/core.go | 4 +- vault/init_test.go | 2 +- vault/logical_cubbyhole.go | 4 +- vault/logical_passthrough.go | 6 +- vault/logical_passthrough_test.go | 4 +- vault/logical_system_test.go | 10 +-- vault/mount.go | 17 +++-- vault/mount_test.go | 14 ++-- vault/request_handling.go | 6 +- vault/request_handling_test.go | 4 +- vault/router.go | 2 +- vault/testing.go | 2 +- website/redirects.txt | 2 + website/source/api/index.html.md | 6 +- .../api/secret/{generic => kv}/index.html.md | 22 +++--- website/source/docs/commands/help.html.md | 2 +- website/source/docs/concepts/lease.html.md | 2 +- .../docs/concepts/response-wrapping.html.md | 2 +- .../docs/enterprise/replication/index.html.md | 2 +- .../docs/internals/architecture.html.md | 2 +- .../source/docs/internals/telemetry.html.md | 4 +- website/source/docs/secrets/aws/index.html.md | 2 +- .../docs/secrets/cassandra/index.html.md | 2 +- .../source/docs/secrets/consul/index.html.md | 2 +- .../docs/secrets/cubbyhole/index.html.md | 4 +- website/source/docs/secrets/index.html.md | 4 +- .../secrets/{generic => kv}/index.html.md | 24 +++--- .../source/docs/secrets/mongodb/index.html.md | 2 +- .../source/docs/secrets/mssql/index.html.md | 2 +- .../source/docs/secrets/mysql/index.html.md | 2 +- website/source/docs/secrets/pki/index.html.md | 2 +- .../docs/secrets/postgresql/index.html.md | 2 +- .../docs/secrets/rabbitmq/index.html.md | 2 +- .../source/docs/secrets/totp/index.html.md | 2 +- .../source/docs/secrets/transit/index.html.md | 2 +- website/source/guides/plugin-backends.html.md | 4 +- 
.../source/intro/getting-started/help.html.md | 4 +- .../getting-started/secret-backends.html.md | 30 ++++---- website/source/layouts/api.erb | 4 +- website/source/layouts/docs.erb | 4 +- 48 files changed, 208 insertions(+), 159 deletions(-) rename website/source/api/secret/{generic => kv}/index.html.md (85%) rename website/source/docs/secrets/{generic => kv}/index.html.md (74%) diff --git a/api/renewer_integration_test.go b/api/renewer_integration_test.go index 82ffe508d1..7011c7d10a 100644 --- a/api/renewer_integration_test.go +++ b/api/renewer_integration_test.go @@ -25,7 +25,7 @@ func TestRenewer_Renew(t *testing.T) { defer pgDone() t.Run("group", func(t *testing.T) { - t.Run("generic", func(t *testing.T) { + t.Run("kv", func(t *testing.T) { t.Parallel() if _, err := client.Logical().Write("secret/value", map[string]interface{}{ diff --git a/command/mount_test.go b/command/mount_test.go index 314ac132c3..ea9108cb71 100644 --- a/command/mount_test.go +++ b/command/mount_test.go @@ -22,6 +22,46 @@ func TestMount(t *testing.T) { }, } + args := []string{ + "-address", addr, + "kv", + } + if code := c.Run(args); code != 0 { + t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String()) + } + + client, err := c.Client() + if err != nil { + t.Fatalf("err: %s", err) + } + + mounts, err := client.Sys().ListMounts() + if err != nil { + t.Fatalf("err: %s", err) + } + + mount, ok := mounts["kv/"] + if !ok { + t.Fatal("should have kv mount") + } + if mount.Type != "kv" { + t.Fatal("should be kv type") + } +} + +func TestMount_Generic(t *testing.T) { + core, _, token := vault.TestCoreUnsealed(t) + ln, addr := http.TestServer(t, core) + defer ln.Close() + + ui := new(cli.MockUi) + c := &MountCommand{ + Meta: meta.Meta{ + ClientToken: token, + Ui: ui, + }, + } + args := []string{ "-address", addr, "generic", 
@@ -42,7 +82,7 @@ func TestMount(t *testing.T) { mount, ok := mounts["generic/"] if !ok { - t.Fatal("should have generic mount") + t.Fatal("should have generic mount path") } if mount.Type != "generic" { t.Fatal("should be generic type") diff --git a/command/remount.go b/command/remount.go index a6defa7afc..a36f1410ad 100644 --- a/command/remount.go +++ b/command/remount.go @@ -65,7 +65,7 @@ Usage: vault remount [options] from to the data associated with the backend (such as configuration), will be preserved. - Example: vault remount secret/ generic/ + Example: vault remount secret/ kv/ General Options: ` + meta.GeneralOptionsUsage() diff --git a/command/remount_test.go b/command/remount_test.go index 0d6f1914c3..7ec1321432 100644 --- a/command/remount_test.go +++ b/command/remount_test.go @@ -24,7 +24,7 @@ func TestRemount(t *testing.T) { args := []string{ "-address", addr, - "secret/", "generic", + "secret/", "kv", } if code := c.Run(args); code != 0 { t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String()) @@ -45,8 +45,8 @@ func TestRemount(t *testing.T) { t.Fatal("should not have mount") } - _, ok = mounts["generic/"] + _, ok = mounts["kv/"] if !ok { - t.Fatal("should have generic") + t.Fatal("should have kv") } } diff --git a/command/server.go b/command/server.go index cb549f4ed9..4209d80312 100644 --- a/command/server.go +++ b/command/server.go @@ -72,7 +72,7 @@ type ServerCommand struct { } func (c *ServerCommand) Run(args []string) int { - var dev, verifyOnly, devHA, devTransactional, devLeasedGeneric, devThreeNode bool + var dev, verifyOnly, devHA, devTransactional, devLeasedKV, devThreeNode bool var configPath []string var logLevel, devRootTokenID, devListenAddress, devPluginDir string var devLatency, devLatencyJitter int 
@@ -87,7 +87,7 @@ func (c *ServerCommand) Run(args []string) int { flags.BoolVar(&verifyOnly, "verify-only", false, "") flags.BoolVar(&devHA, "dev-ha", false, "") flags.BoolVar(&devTransactional, "dev-transactional", false, "") - flags.BoolVar(&devLeasedGeneric, "dev-leased-generic", false, "") + flags.BoolVar(&devLeasedKV, "dev-leased-kv", false, "") flags.BoolVar(&devThreeNode, "dev-three-node", false, "") flags.Usage = func() { c.Ui.Output(c.Help()) } flags.Var((*sliceflag.StringFlag)(&configPath), "config", "config") @@ -141,7 +141,7 @@ func (c *ServerCommand) Run(args []string) int { devListenAddress = os.Getenv("VAULT_DEV_LISTEN_ADDRESS") } - if devHA || devTransactional || devLeasedGeneric || devThreeNode { + if devHA || devTransactional || devLeasedKV || devThreeNode { dev = true } @@ -264,8 +264,8 @@ func (c *ServerCommand) Run(args []string) int { } if dev { coreConfig.DevToken = devRootTokenID - if devLeasedGeneric { - coreConfig.LogicalBackends["generic"] = vault.LeasedPassthroughBackendFactory + if devLeasedKV { + coreConfig.LogicalBackends["kv"] = vault.LeasedPassthroughBackendFactory } if devPluginDir != "" { coreConfig.PluginDirectory = devPluginDir diff --git a/http/handler_test.go b/http/handler_test.go index bdf94bee1c..8eae984cca 100644 --- a/http/handler_test.go +++ b/http/handler_test.go @@ -157,8 +157,8 @@ func TestSysMounts_headerAuth(t *testing.T) { "auth": nil, "data": map[string]interface{}{ "secret/": map[string]interface{}{ - "description": "generic secret storage", - "type": "generic", + "description": "key/value secret storage", + "type": "kv", "config": map[string]interface{}{ "default_lease_ttl": json.Number("0"), "max_lease_ttl": json.Number("0"), 
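Review bot: The `-dev-leased-generic` flag is dropped outright in the `flags.BoolVar` block of `ServerCommand.Run`, so existing dev scripts that pass it will presumably fail flag parsing, even though the mount type keeps a `generic` alias elsewhere in this commit. Binding the old name to the same variable keeps them working: `flags.BoolVar(&devLeasedKV, "dev-leased-generic", false, "")` next to the new `-dev-leased-kv` line. A short comment marking the old spelling as deprecated would explain why both exist. `Run` starts and ends outside this hunk.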
@@ -188,8 +188,8 @@ func TestSysMounts_headerAuth(t *testing.T) { }, }, "secret/": map[string]interface{}{ - "description": "generic secret storage", - "type": "generic", + "description": "key/value secret storage", + "type": "kv", "config": map[string]interface{}{ "default_lease_ttl": json.Number("0"), "max_lease_ttl": json.Number("0"), diff --git a/http/sys_mount_test.go b/http/sys_mount_test.go index 4e9681bf6e..57f6dd7728 100644 --- a/http/sys_mount_test.go +++ b/http/sys_mount_test.go @@ -27,8 +27,8 @@ func TestSysMounts(t *testing.T) { "auth": nil, "data": map[string]interface{}{ "secret/": map[string]interface{}{ - "description": "generic secret storage", - "type": "generic", + "description": "key/value secret storage", + "type": "kv", "config": map[string]interface{}{ "default_lease_ttl": json.Number("0"), "max_lease_ttl": json.Number("0"), @@ -58,8 +58,8 @@ func TestSysMounts(t *testing.T) { }, }, "secret/": map[string]interface{}{ - "description": "generic secret storage", - "type": "generic", + "description": "key/value secret storage", + "type": "kv", "config": map[string]interface{}{ "default_lease_ttl": json.Number("0"), "max_lease_ttl": json.Number("0"), @@ -111,7 +111,7 @@ func TestSysMount(t *testing.T) { TestServerAuth(t, addr, token) resp := testHttpPost(t, token, addr+"/v1/sys/mounts/foo", map[string]interface{}{ - "type": "generic", + "type": "kv", "description": "foo", }) testResponseStatus(t, resp, 204) @@ -129,7 +129,7 @@ func TestSysMount(t *testing.T) { "data": map[string]interface{}{ "foo/": map[string]interface{}{ "description": "foo", - "type": "generic", + "type": "kv", "config": map[string]interface{}{ "default_lease_ttl": json.Number("0"), "max_lease_ttl": json.Number("0"), 
@@ -138,8 +138,8 @@ func TestSysMount(t *testing.T) { "local": false, }, "secret/": map[string]interface{}{ - "description": "generic secret storage", - "type": "generic", + "description": "key/value secret storage", + "type": "kv", "config": map[string]interface{}{ "default_lease_ttl": json.Number("0"), "max_lease_ttl": json.Number("0"), @@ -170,7 +170,7 @@ func TestSysMount(t *testing.T) { }, "foo/": map[string]interface{}{ "description": "foo", - "type": "generic", + "type": "kv", "config": map[string]interface{}{ "default_lease_ttl": json.Number("0"), "max_lease_ttl": json.Number("0"), @@ -179,8 +179,8 @@ func TestSysMount(t *testing.T) { "local": false, }, "secret/": map[string]interface{}{ - "description": "generic secret storage", - "type": "generic", + "description": "key/value secret storage", + "type": "kv", "config": map[string]interface{}{ "default_lease_ttl": json.Number("0"), "max_lease_ttl": json.Number("0"), @@ -232,7 +232,7 @@ func TestSysMount_put(t *testing.T) { TestServerAuth(t, addr, token) resp := testHttpPut(t, token, addr+"/v1/sys/mounts/foo", map[string]interface{}{ - "type": "generic", + "type": "kv", "description": "foo", }) testResponseStatus(t, resp, 204) @@ -248,7 +248,7 @@ func TestSysRemount(t *testing.T) { TestServerAuth(t, addr, token) resp := testHttpPost(t, token, addr+"/v1/sys/mounts/foo", map[string]interface{}{ - "type": "generic", + "type": "kv", "description": "foo", }) testResponseStatus(t, resp, 204) @@ -272,7 +272,7 @@ func TestSysRemount(t *testing.T) { "data": map[string]interface{}{ "bar/": map[string]interface{}{ "description": "foo", - "type": "generic", + "type": "kv", "config": map[string]interface{}{ "default_lease_ttl": json.Number("0"), "max_lease_ttl": json.Number("0"), 
@@ -281,8 +281,8 @@ func TestSysRemount(t *testing.T) { "local": false, }, "secret/": map[string]interface{}{ - "description": "generic secret storage", - "type": "generic", + "description": "key/value secret storage", + "type": "kv", "config": map[string]interface{}{ "default_lease_ttl": json.Number("0"), "max_lease_ttl": json.Number("0"), @@ -313,7 +313,7 @@ func TestSysRemount(t *testing.T) { }, "bar/": map[string]interface{}{ "description": "foo", - "type": "generic", + "type": "kv", "config": map[string]interface{}{ "default_lease_ttl": json.Number("0"), "max_lease_ttl": json.Number("0"), @@ -322,8 +322,8 @@ func TestSysRemount(t *testing.T) { "local": false, }, "secret/": map[string]interface{}{ - "description": "generic secret storage", - "type": "generic", + "description": "key/value secret storage", + "type": "kv", "config": map[string]interface{}{ "default_lease_ttl": json.Number("0"), "max_lease_ttl": json.Number("0"), @@ -375,7 +375,7 @@ func TestSysUnmount(t *testing.T) { TestServerAuth(t, addr, token) resp := testHttpPost(t, token, addr+"/v1/sys/mounts/foo", map[string]interface{}{ - "type": "generic", + "type": "kv", "description": "foo", }) testResponseStatus(t, resp, 204) @@ -395,8 +395,8 @@ func TestSysUnmount(t *testing.T) { "auth": nil, "data": map[string]interface{}{ "secret/": map[string]interface{}{ - "description": "generic secret storage", - "type": "generic", + "description": "key/value secret storage", + "type": "kv", "config": map[string]interface{}{ "default_lease_ttl": json.Number("0"), "max_lease_ttl": json.Number("0"), @@ -426,8 +426,8 @@ func TestSysUnmount(t *testing.T) { }, }, "secret/": map[string]interface{}{ - "description": "generic secret storage", - "type": "generic", + "description": "key/value secret storage", + "type": "kv", "config": map[string]interface{}{ "default_lease_ttl": json.Number("0"), "max_lease_ttl": json.Number("0"), 
@@ -479,7 +479,7 @@ func TestSysTuneMount(t *testing.T) { TestServerAuth(t, addr, token) resp := testHttpPost(t, token, addr+"/v1/sys/mounts/foo", map[string]interface{}{ - "type": "generic", + "type": "kv", "description": "foo", }) testResponseStatus(t, resp, 204) @@ -497,7 +497,7 @@ func TestSysTuneMount(t *testing.T) { "data": map[string]interface{}{ "foo/": map[string]interface{}{ "description": "foo", - "type": "generic", + "type": "kv", "config": map[string]interface{}{ "default_lease_ttl": json.Number("0"), "max_lease_ttl": json.Number("0"), @@ -506,8 +506,8 @@ func TestSysTuneMount(t *testing.T) { "local": false, }, "secret/": map[string]interface{}{ - "description": "generic secret storage", - "type": "generic", + "description": "key/value secret storage", + "type": "kv", "config": map[string]interface{}{ "default_lease_ttl": json.Number("0"), "max_lease_ttl": json.Number("0"), @@ -538,7 +538,7 @@ func TestSysTuneMount(t *testing.T) { }, "foo/": map[string]interface{}{ "description": "foo", - "type": "generic", + "type": "kv", "config": map[string]interface{}{ "default_lease_ttl": json.Number("0"), "max_lease_ttl": json.Number("0"), @@ -547,8 +547,8 @@ func TestSysTuneMount(t *testing.T) { "local": false, }, "secret/": map[string]interface{}{ - "description": "generic secret storage", - "type": "generic", + "description": "key/value secret storage", + "type": "kv", "config": map[string]interface{}{ "default_lease_ttl": json.Number("0"), "max_lease_ttl": json.Number("0"), @@ -639,7 +639,7 @@ func TestSysTuneMount(t *testing.T) { "data": map[string]interface{}{ "foo/": map[string]interface{}{ "description": "foo", - "type": "generic", + "type": "kv", "config": map[string]interface{}{ "default_lease_ttl": json.Number("259196400"), "max_lease_ttl": json.Number("259200000"), 
@@ -648,8 +648,8 @@ func TestSysTuneMount(t *testing.T) { "local": false, }, "secret/": map[string]interface{}{ - "description": "generic secret storage", - "type": "generic", + "description": "key/value secret storage", + "type": "kv", "config": map[string]interface{}{ "default_lease_ttl": json.Number("0"), "max_lease_ttl": json.Number("0"), @@ -680,7 +680,7 @@ func TestSysTuneMount(t *testing.T) { }, "foo/": map[string]interface{}{ "description": "foo", - "type": "generic", + "type": "kv", "config": map[string]interface{}{ "default_lease_ttl": json.Number("259196400"), "max_lease_ttl": json.Number("259200000"), @@ -689,8 +689,8 @@ func TestSysTuneMount(t *testing.T) { "local": false, }, "secret/": map[string]interface{}{ - "description": "generic secret storage", - "type": "generic", + "description": "key/value secret storage", + "type": "kv", "config": map[string]interface{}{ "default_lease_ttl": json.Number("0"), "max_lease_ttl": json.Number("0"), diff --git a/http/sys_mounts_test.go b/http/sys_mounts_test.go index 5dc0bf9702..53e49960ae 100644 --- a/http/sys_mounts_test.go +++ b/http/sys_mounts_test.go @@ -54,12 +54,12 @@ func TestSysMountConfig(t *testing.T) { } } -// testMount sets up a test mount of a generic backend w/ a random path; caller +// testMount sets up a test mount of a kv backend w/ a random path; caller // is responsible for unmounting func testMount(client *api.Client) (string, error) { rand.Seed(time.Now().UTC().UnixNano()) randInt := rand.New(rand.NewSource(time.Now().UnixNano())).Int() path := fmt.Sprintf("testmount-%d", randInt) - err := client.Sys().Mount(path, &api.MountInput{Type: "generic"}) + err := client.Sys().Mount(path, &api.MountInput{Type: "kv"}) return path, err } diff --git a/vault/core.go b/vault/core.go index d0472a467e..1259c03638 100644 --- a/vault/core.go +++ b/vault/core.go 
@@ -539,9 +539,9 @@ func NewCore(conf *CoreConfig) (*Core, error) { for k, f := range conf.LogicalBackends { logicalBackends[k] = f } - _, ok := logicalBackends["generic"] + _, ok := logicalBackends["kv"] if !ok { - logicalBackends["generic"] = PassthroughBackendFactory + logicalBackends["kv"] = PassthroughBackendFactory } logicalBackends["cubbyhole"] = CubbyholeBackendFactory logicalBackends["system"] = func(config *logical.BackendConfig) (logical.Backend, error) { diff --git a/vault/init_test.go b/vault/init_test.go index 91d691d00e..48581f791d 100644 --- a/vault/init_test.go +++ b/vault/init_test.go @@ -33,7 +33,7 @@ func testCore_NewTestCore(t *testing.T, seal Seal) (*Core, *CoreConfig) { Physical: inm, DisableMlock: true, LogicalBackends: map[string]logical.Factory{ - "generic": LeasedPassthroughBackendFactory, + "kv": LeasedPassthroughBackendFactory, }, Seal: seal, } diff --git a/vault/logical_cubbyhole.go b/vault/logical_cubbyhole.go index 76353b0bed..cedb241a3d 100644 --- a/vault/logical_cubbyhole.go +++ b/vault/logical_cubbyhole.go @@ -46,7 +46,7 @@ func CubbyholeBackendFactory(conf *logical.BackendConfig) (logical.Backend, erro // CubbyholeBackend is used for storing secrets directly into the physical // backend. The secrets are encrypted in the durable storage. -// This differs from generic in that every token has its own private +// This differs from kv in that every token has its own private // storage view. The view is removed when the token expires. type CubbyholeBackend struct { *framework.Backend 
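Review bot: A caller that still supplies its factory under `conf.LogicalBackends["generic"]` is silently overridden in this `NewCore` hunk. The `ok` check looks only at `"kv"`, so `PassthroughBackendFactory` is installed as the default, and `newLogicalBackend` in vault/mount.go then rewrites `generic` to `kv` before its lookup, leaving the caller's factory unreachable. In-tree callers are updated by this commit, so this would affect only out-of-tree embedders and test harnesses, but the failure mode is a change between leased and unleased behaviour with no error. Consider carrying the old key over before the default is applied, e.g. `if f, old := logicalBackends["generic"]; old && !ok { logicalBackends["kv"], ok = f, true }` between the lookup and the `if !ok` block. Alternatively, resolve the alias in `newLogicalBackend` only when the exact name is not registered. `NewCore` continues outside the hunk.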
@@ -185,7 +185,7 @@ The secrets are encrypted/decrypted by Vault: they are never stored unencrypted in the backend and the backend never has an opportunity to see the unencrypted value. -This backend differs from the 'generic' backend in that it is namespaced +This backend differs from the 'kv' backend in that it is namespaced per-token. Tokens can only read and write their own values, with no sharing possible (per-token cubbyholes). This can be useful for implementing certain authentication workflows, as well as "scratch" areas for individual diff --git a/vault/logical_passthrough.go b/vault/logical_passthrough.go index 2b43379882..5fc013ea8b 100644 --- a/vault/logical_passthrough.go +++ b/vault/logical_passthrough.go @@ -53,7 +53,7 @@ func LeaseSwitchedPassthroughBackend(conf *logical.BackendConfig, leases bool) ( b.Backend.Secrets = []*framework.Secret{ &framework.Secret{ - Type: "generic", + Type: "kv", Renew: b.handleRead, Revoke: b.handleRevoke, @@ -116,7 +116,7 @@ func (b *PassthroughBackend) handleRead( var resp *logical.Response if b.generateLeases { // Generate the response - resp = b.Secret("generic").Response(rawData, nil) + resp = b.Secret("kv").Response(rawData, nil) resp.Secret.Renewable = false } else { resp = &logical.Response{ @@ -207,7 +207,7 @@ func (b *PassthroughBackend) handleList( } const passthroughHelp = ` -The generic backend reads and writes arbitrary secrets to the backend. +The kv backend reads and writes arbitrary secrets to the backend. The secrets are encrypted/decrypted by Vault: they are never stored unencrypted in the backend and the backend never has an opportunity to see the unencrypted value. diff --git a/vault/logical_passthrough_test.go b/vault/logical_passthrough_test.go index b7bc3999e3..1ccda69720 100644 --- a/vault/logical_passthrough_test.go +++ b/vault/logical_passthrough_test.go 
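Review bot: Renaming the registered `framework.Secret` type to `kv` in `LeaseSwitchedPassthroughBackend` leaves no handler for leases issued under the old name. The test change in vault/logical_passthrough_test.go shows the type travels in `InternalData["secret_type"]`, so a lease created before the upgrade would carry `generic`, and its renew or revoke would presumably be rejected as an unsupported secret type. In this diff the leased variant is wired only through the dev flag and test configs, so the exposure may be limited to non-persistent setups, but that is worth confirming. Since this string is an internal identifier rather than the user-facing mount type, the lower-risk options are to keep `Type: "generic"` and `b.Secret("generic")` as they were, or to register a second `framework.Secret` with `Type: "generic"` and the same `Renew`/`Revoke` handlers. The same applies to the `b.Secret("kv")` call in the `handleRead` hunk; both functions continue outside their hunks.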
@@ -197,10 +197,10 @@ func TestPassthroughBackend_List(t *testing.T) { func TestPassthroughBackend_Revoke(t *testing.T) { test := func(b logical.Backend) { - req := logical.TestRequest(t, logical.RevokeOperation, "generic") + req := logical.TestRequest(t, logical.RevokeOperation, "kv") req.Secret = &logical.Secret{ InternalData: map[string]interface{}{ - "secret_type": "generic", + "secret_type": "kv", }, } diff --git a/vault/logical_system_test.go b/vault/logical_system_test.go index 613e4ea2c1..3f9243b017 100644 --- a/vault/logical_system_test.go +++ b/vault/logical_system_test.go @@ -117,8 +117,8 @@ func TestSystemBackend_mounts(t *testing.T) { // copy what's given exp := map[string]interface{}{ "secret/": map[string]interface{}{ - "type": "generic", - "description": "generic secret storage", + "type": "kv", + "description": "key/value secret storage", "accessor": resp.Data["secret/"].(map[string]interface{})["accessor"], "config": map[string]interface{}{ "default_lease_ttl": resp.Data["secret/"].(map[string]interface{})["config"].(map[string]interface{})["default_lease_ttl"].(int64), @@ -159,7 +159,7 @@ func TestSystemBackend_mount(t *testing.T) { b := testSystemBackend(t) req := logical.TestRequest(t, logical.UpdateOperation, "mounts/prod/secret/") - req.Data["type"] = "generic" + req.Data["type"] = "kv" resp, err := b.HandleRequest(req) if err != nil { @@ -174,7 +174,7 @@ func TestSystemBackend_mount_force_no_cache(t *testing.T) { core, b, _ := testCoreSystemBackend(t) req := logical.TestRequest(t, logical.UpdateOperation, "mounts/prod/secret/") - req.Data["type"] = "generic" + req.Data["type"] = "kv" req.Data["config"] = map[string]interface{}{ "force_no_cache": true, } @@ -423,7 +423,7 @@ func TestSystemBackend_leases(t *testing.T) { t.Fatalf("err: %v", err) } if resp.Data["renewable"] == nil || resp.Data["renewable"].(bool) { - t.Fatal("generic leases are not renewable") + t.Fatal("kv leases are not renewable") } // Invalid lease 
diff --git a/vault/mount.go b/vault/mount.go index f721bea23d..41aece9762 100644 --- a/vault/mount.go +++ b/vault/mount.go @@ -65,6 +65,10 @@ var ( "system", "token", } + + // mountAliases maps old backend names to new backend names, allowing us + // to move/rename backends but maintain backwards compatibility + mountAliases = map[string]string{"generic": "kv"} ) func (c *Core) generateMountAccessor(entryType string) (string, error) { @@ -760,6 +764,9 @@ func (c *Core) unloadMounts() error { // newLogicalBackend is used to create and configure a new logical backend by name func (c *Core) newLogicalBackend(t string, sysView logical.SystemView, view logical.Storage, conf map[string]string) (logical.Backend, error) { + if alias, ok := mountAliases[t]; ok { + t = alias + } f, ok := c.logicalBackends[t] if !ok { return nil, fmt.Errorf("unknown backend type: %s", t) @@ -801,19 +808,19 @@ func (c *Core) defaultMountTable() *MountTable { if err != nil { panic(fmt.Sprintf("could not create default secret mount UUID: %v", err)) } - mountAccessor, err := c.generateMountAccessor("generic") + mountAccessor, err := c.generateMountAccessor("kv") if err != nil { panic(fmt.Sprintf("could not generate default secret mount accessor: %v", err)) } - genericMount := &MountEntry{ + kvMount := &MountEntry{ Table: mountTableType, Path: "secret/", - Type: "generic", - Description: "generic secret storage", + Type: "kv", + Description: "key/value secret storage", UUID: mountUUID, Accessor: mountAccessor, } - table.Entries = append(table.Entries, genericMount) + table.Entries = append(table.Entries, kvMount) table.Entries = append(table.Entries, c.requiredMountTable().Entries...) return table } diff --git a/vault/mount_test.go b/vault/mount_test.go index 346f88f069..cf24e18a0f 100644 --- a/vault/mount_test.go +++ b/vault/mount_test.go 
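Review bot: The comment on `mountAliases` does not say that the alias is applied only when the backend is constructed. `newLogicalBackend` rewrites `t`, while the stored `MountEntry.Type` keeps whatever the operator wrote; the new `TestMount_Generic` asserts the listed type is still `generic`. Anything that selects mounts by type, such as audit queries, inventory scripts or the `v.Type == "kv"` filter in vault/mount_test.go, therefore has to match both spellings. I would extend the comment to something like `// Aliases are resolved only in newLogicalBackend; MountEntry.Type is stored and listed as given, so type comparisons must accept both names.` Separately, because `t` is overwritten before the lookup, the `unknown backend type` error would name the alias rather than the type the operator requested. `newLogicalBackend` continues outside its hunk.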
@@ -47,7 +47,7 @@ func TestCore_Mount(t *testing.T) { me := &MountEntry{ Table: mountTableType, Path: "foo", - Type: "generic", + Type: "kv", } err := c.mount(me) if err != nil { @@ -95,16 +95,16 @@ func TestCore_Mount_Local(t *testing.T) { &MountEntry{ Table: mountTableType, Path: "noop/", - Type: "generic", + Type: "kv", UUID: "abcd", - Accessor: "generic-abcd", + Accessor: "kv-abcd", }, &MountEntry{ Table: mountTableType, Path: "noop2/", - Type: "generic", + Type: "kv", UUID: "bcde", - Accessor: "generic-bcde", + Accessor: "kv-bcde", }, }, } @@ -164,7 +164,7 @@ func TestCore_Mount_Local(t *testing.T) { compEntries := c.mounts.Entries[:0] // Filter out required mounts for _, v := range c.mounts.Entries { - if v.Type == "generic" { + if v.Type == "kv" { compEntries = append(compEntries, v) } } @@ -609,7 +609,7 @@ func verifyDefaultTable(t *testing.T, table *MountTable) { if entry.Path != "secret/" { t.Fatalf("bad: %v", entry) } - if entry.Type != "generic" { + if entry.Type != "kv" { t.Fatalf("bad: %v", entry) } case 2: diff --git a/vault/request_handling.go b/vault/request_handling.go index 3d97ebb543..b003b3ff4a 100644 --- a/vault/request_handling.go +++ b/vault/request_handling.go @@ -27,7 +27,7 @@ func (c *Core) HandleRequest(req *logical.Request) (resp *logical.Response, err } // Allowing writing to a path ending in / makes it extremely difficult to - // understand user intent for the filesystem-like backends (generic, + // understand user intent for the filesystem-like backends (kv, // cubbyhole) -- did they want a key named foo/ or did they want to write // to a directory foo/ with no (or forgotten) key, or...? It also affects // lookup, because paths ending in / are considered prefixes by some 
@@ -252,12 +252,12 @@ func (c *Core) handleRequest(req *logical.Request) (retResp *logical.Response, r resp.Secret.TTL = maxTTL } - // Generic mounts should return the TTL but not register + // KV mounts should return the TTL but not register // for a lease as this provides a massive slowdown registerLease := true matchingBackend := c.router.MatchingBackend(req.Path) if matchingBackend == nil { - c.logger.Error("core: unable to retrieve generic backend from router") + c.logger.Error("core: unable to retrieve kv backend from router") retErr = multierror.Append(retErr, ErrInternalError) return nil, auth, retErr } diff --git a/vault/request_handling_test.go b/vault/request_handling_test.go index c966b04d34..5f148c8100 100644 --- a/vault/request_handling_test.go +++ b/vault/request_handling_test.go @@ -12,14 +12,14 @@ import ( func TestRequestHandling_Wrapping(t *testing.T) { core, _, root := TestCoreUnsealed(t) - core.logicalBackends["generic"] = PassthroughBackendFactory + core.logicalBackends["kv"] = PassthroughBackendFactory meUUID, _ := uuid.GenerateUUID() err := core.mount(&MountEntry{ Table: mountTableType, UUID: meUUID, Path: "wraptest", - Type: "generic", + Type: "kv", }) if err != nil { t.Fatalf("err: %v", err) diff --git a/vault/router.go b/vault/router.go index 6e516be6a6..f05e2076d5 100644 --- a/vault/router.go +++ b/vault/router.go @@ -22,7 +22,7 @@ type Router struct { // storagePrefix maps the prefix used for storage (ala the BarrierView) // to the backend. This is used to map a key back into the backend that owns it. - // For example, logical/uuid1/foobar -> secrets/ (generic backend) + foobar + // For example, logical/uuid1/foobar -> secrets/ (kv backend) + foobar storagePrefix *radix.Tree } diff --git a/vault/testing.go b/vault/testing.go index d8078a11ec..3e500c2fe1 100644 --- a/vault/testing.go +++ b/vault/testing.go 
@@ -158,7 +158,7 @@ func testCoreConfig(t testing.T, physicalBackend physical.Backend, logger log.Lo for backendName, backendFactory := range noopBackends { logicalBackends[backendName] = backendFactory } - logicalBackends["generic"] = LeasedPassthroughBackendFactory + logicalBackends["kv"] = LeasedPassthroughBackendFactory for backendName, backendFactory := range testLogicalBackends { logicalBackends[backendName] = backendFactory } diff --git a/website/redirects.txt b/website/redirects.txt index f3e96b6016..fe5d0394ee 100644 --- a/website/redirects.txt +++ b/website/redirects.txt @@ -36,6 +36,7 @@ # - Items are case-sensitive (please use all lowercase) # +/api/secret/generic/index.html /api/secret/kv/index.html /api/system/renew.html /api/system/leases.html /api/system/revoke.html /api/system/leases.html /api/system/revoke-force.html /api/system/leases.html @@ -81,6 +82,7 @@ /docs/guides/upgrading/upgrade-to-0.6.4.html /guides/upgrading/upgrade-to-0.6.4.html /docs/guides/upgrading/upgrade-to-0.7.0.html /guides/upgrading/upgrade-to-0.7.0.html /docs/secrets/custom.html /docs/plugin/index.html +/docs/secrets/generic/index.html /docs/secrets/kv/index.html /intro/getting-started/acl.html /intro/getting-started/policies.html /docs/vault-enterprise/index.html /docs/enterprise/index.html diff --git a/website/source/api/index.html.md b/website/source/api/index.html.md index 4f84f82ec4..144bb0cf8a 100644 --- a/website/source/api/index.html.md +++ b/website/source/api/index.html.md @@ -52,7 +52,7 @@ via the `X-Vault-Token` header for future requests. ## Reading, Writing, and Listing Secrets Different backends implement different APIs according to their functionality. -The examples below are created with the `generic` backend, which acts like a +The examples below are created with the `kv` backend, which acts like a Key/Value store. Read the documentation for a particular backend for detailed information on its API; this simply provides a general overview. 
@@ -64,7 +64,7 @@ following URL: ``` This maps to `secret/foo` where `foo` is the key in the `secret/` mount, which -is mounted by default on a fresh Vault install and is of type `generic`. +is mounted by default on a fresh Vault install and is of type `kv`. Here is an example of reading a secret using cURL: @@ -76,7 +76,7 @@ $ curl \ ``` You can list secrets as well. To do this, either issue a GET with the query -parameter `list=true`, or you can use the LIST HTTP verb. For the `generic` +parameter `list=true`, or you can use the LIST HTTP verb. For the `kv` backend, listing is allowed on directories only, and returns the keys in the given directory: diff --git a/website/source/api/secret/generic/index.html.md b/website/source/api/secret/kv/index.html.md similarity index 85% rename from website/source/api/secret/generic/index.html.md rename to website/source/api/secret/kv/index.html.md index 9cdae66a5e..ffa784e664 100644 --- a/website/source/api/secret/generic/index.html.md +++ b/website/source/api/secret/kv/index.html.md 
@@ -1,18 +1,18 @@ --- layout: "api" -page_title: "Generic Secret Backend - HTTP API" -sidebar_current: "docs-http-secret-generic" +page_title: "Key/Value Secret Backend - HTTP API" +sidebar_current: "docs-http-secret-kv" description: |- - This is the API documentation for the Vault Generic secret backend. + This is the API documentation for the Vault Key/Value secret backend. --- -# Generic Secret Backend HTTP API +# Key/Value Secret Backend HTTP API -This is the API documentation for the Vault Generic secret backend. For general -information about the usage and operation of the Generic backend, please see -the [Vault Generic backend documentation](/docs/secrets/generic/index.html). +This is the API documentation for the Vault Key/Value secret backend. For general +information about the usage and operation of the Key/Value backend, please see +the [Vault Key/Value backend documentation](/docs/secrets/kv/index.html). -This documentation assumes the Generic backend is mounted at the `/secret` +This documentation assumes the Key/Value backend is mounted at the `/secret` path in Vault. Since it is possible to mount secret backends at any location, please update your API calls accordingly. @@ -54,7 +54,7 @@ $ curl \ _Note_: the `lease_duration` field (which on the CLI shows as `refresh_interval`) is advisory. No lease is created. This is a way for writers to indicate how often a given value shold be re-read by the client. See the -[Vault Generic backend documentation](/docs/secrets/generic/index.html) for +[Vault Key/Value backend documentation](/docs/secrets/kv/index.html) for more details. ## List Secrets 
@@ -122,8 +122,8 @@ policy granting the `update` capability. - `:key` `(string: "")` – Specifies a key, paired with an associated value, to be held at the given location. Multiple key/value pairs can be specified, and all will be returned on a read operation. A key called `ttl` will trigger - some special behavior; see the [Vault Generic backend - documentation](/docs/secrets/generic/index.html) for details. + some special behavior; see the [Vault Key/Value backend + documentation](/docs/secrets/kv/index.html) for details. ### Sample Payload diff --git a/website/source/docs/commands/help.html.md b/website/source/docs/commands/help.html.md index 48f596b463..408bbcd0f7 100644 --- a/website/source/docs/commands/help.html.md +++ b/website/source/docs/commands/help.html.md @@ -45,7 +45,7 @@ the paths it supports. $ vault path-help secret ## DESCRIPTION -The generic backend reads and writes arbitrary secrets to the backend. +The key/value backend reads and writes arbitrary secrets to the backend. The secrets are encrypted/decrypted by Vault: they are never stored unencrypted in the backend and the backend never has an opportunity to see the unencrypted value. diff --git a/website/source/docs/concepts/lease.html.md b/website/source/docs/concepts/lease.html.md index 504f4446c9..44aefc98b6 100644 --- a/website/source/docs/concepts/lease.html.md +++ b/website/source/docs/concepts/lease.html.md @@ -34,7 +34,7 @@ Revocation can happen manually via the API, via the `vault revoke` cli command, or automatically by Vault. When a lease is expired, Vault will automatically revoke that lease. -**Note**: The [Generic Backend](/docs/secrets/generic/index.html) which stores +**Note**: The [Key/Value Backend](/docs/secrets/kv/index.html) which stores arbitrary secrets does not issue leases. ## Lease IDs diff --git a/website/source/docs/concepts/response-wrapping.html.md b/website/source/docs/concepts/response-wrapping.html.md index e0b1dda043..373961aaa5 100644 
--- a/website/source/docs/concepts/response-wrapping.html.md +++ b/website/source/docs/concepts/response-wrapping.html.md @@ -160,7 +160,7 @@ Validation is best performed by the following steps: what you expect, it is possible that the data contained inside was read and then put into a new response-wrapping token. (This is especially likely if the path starts with `cubbyhole` or `sys/wrapping/wrap`.) Particular care - should be taken with `generic` KV mounts: exact matches on the path are best + should be taken with `kv` mounts: exact matches on the path are best there. For example, if you expect a secret to come from `secret/foo` and the interceptor provides a token with `secret/bar` as the path, simply checking for a prefix of `secret/` is not enough. diff --git a/website/source/docs/enterprise/replication/index.html.md b/website/source/docs/enterprise/replication/index.html.md index 22221a0dc2..e96a262dc1 100644 --- a/website/source/docs/enterprise/replication/index.html.md +++ b/website/source/docs/enterprise/replication/index.html.md @@ -50,7 +50,7 @@ encryption keys for `transit`, etc). If a user action would modify underlying shared state, the secondary forwards the request to the primary to be handled; this is transparent to the client. In practice, most -high-volume workloads (reads in the `generic` backend, encryption/decryption operations +high-volume workloads (reads in the `kv` backend, encryption/decryption operations in `transit`, etc.) can be satisfied by the local secondary, allowing Vault to scale relatively horizontally with the number of secondaries rather than vertically as in the past. diff --git a/website/source/docs/internals/architecture.html.md b/website/source/docs/internals/architecture.html.md index 1ae709575b..341c8c2326 100644 --- a/website/source/docs/internals/architecture.html.md +++ b/website/source/docs/internals/architecture.html.md 
@@ -34,7 +34,7 @@ clarify what is being discussed: in. Much like a bank vault, the barrier must be "unsealed" before anything inside can be accessed. * **Secret Backend** - A secret backend is responsible for managing secrets. Simple secret backends - like the "generic" backend simply return the same secret when queried. Some backends support + like the "kv" backend simply return the same secret when queried. Some backends support using policies to dynamically generate a secret each time they are queried. This allows for unique secrets to be used which allows Vault to do fine-grained revocation and policy updates. As an example, a MySQL backend could be configured with a "web" policy. When the "web" secret diff --git a/website/source/docs/internals/telemetry.html.md b/website/source/docs/internals/telemetry.html.md index 5358ec9a4d..e1416943da 100644 --- a/website/source/docs/internals/telemetry.html.md +++ b/website/source/docs/internals/telemetry.html.md 
@@ -128,12 +128,12 @@ These metrics relate to supported authentication backends.
 | `vault.rollback.attempt.auth-token-` | This measures the number of rollback operations attempted for authentication tokens backend | Number of operations | Summary |
 | `vault.rollback.attempt.auth-ldap-` | This measures the number of rollback operations attempted for the LDAP authentication backend | Number of operations | Summary |
 | `vault.rollback.attempt.cubbyhole-` | This measures the number of rollback operations attempted for the cubbyhole authentication backend | Number of operations | Summary |
-| `vault.rollback.attempt.secret-` | This measures the number of rollback operations attempted for the generic secret backend | Number of operations | Summary |
+| `vault.rollback.attempt.secret-` | This measures the number of rollback operations attempted for the kv secret backend | Number of operations | Summary |
 | `vault.rollback.attempt.sys-` | This measures the number of rollback operations attempted for the sys backend | Number of operations | Summary |
 | `vault.route.rollback.auth-ldap-` | This measures the number of rollback operations for the LDAP authentication backend | Number of operations | Summary |
 | `vault.route.rollback.auth-token-` | This measures the number of rollback operations for the authentication tokens backend | Number of operations | Summary |
 | `vault.route.rollback.cubbyhole-` | This measures the number of rollback operations for the cubbyhole authentication backend | Number of operations | Summary |
-| `vault.route.rollback.secret-` | This measures the number of rollback operations for the generic secret backend | Number of operations | Summary |
+| `vault.route.rollback.secret-` | This measures the number of rollback operations for the kv secret backend | Number of operations | Summary |
 | `vault.route.rollback.sys-` | This measures the number of rollback operations for the sys backend | Number of operations | Summary |
 ### Storage Backend Metrics
diff --git a/website/source/docs/secrets/aws/index.html.md b/website/source/docs/secrets/aws/index.html.md
index f4091c2b62..972d203892 100644
--- a/website/source/docs/secrets/aws/index.html.md
+++ b/website/source/docs/secrets/aws/index.html.md
@@ -21,7 +21,7 @@ on every path, use `vault path-help` after mounting the backend.
 ## Quick Start
 The first step to using the aws backend is to mount it.
-Unlike the `generic` backend, the `aws` backend is not mounted by default.
+Unlike the `kv` backend, the `aws` backend is not mounted by default.
 ```text
 $ vault mount aws
diff --git a/website/source/docs/secrets/cassandra/index.html.md b/website/source/docs/secrets/cassandra/index.html.md
index 7a8ac9833e..0269f64f0f 100644
--- a/website/source/docs/secrets/cassandra/index.html.md
+++ b/website/source/docs/secrets/cassandra/index.html.md
@@ -31,7 +31,7 @@ on every path, use `vault path-help` after mounting the backend.
 ## Quick Start
 The first step to using the Cassandra backend is to mount it.
-Unlike the `generic` backend, the `cassandra` backend is not mounted by default.
+Unlike the `kv` backend, the `cassandra` backend is not mounted by default.
 ```text
 $ vault mount cassandra
diff --git a/website/source/docs/secrets/consul/index.html.md b/website/source/docs/secrets/consul/index.html.md
index 8c0656b2b6..d12ef8cfe5 100644
--- a/website/source/docs/secrets/consul/index.html.md
+++ b/website/source/docs/secrets/consul/index.html.md
@@ -20,7 +20,7 @@ on every path, use `vault path-help` after mounting the backend.
 ## Quick Start
 The first step to using the consul backend is to mount it.
-Unlike the `generic` backend, the `consul` backend is not mounted by default.
+Unlike the `kv` backend, the `consul` backend is not mounted by default.
 ```
 $ vault mount consul
diff --git a/website/source/docs/secrets/cubbyhole/index.html.md b/website/source/docs/secrets/cubbyhole/index.html.md
index dc15550f77..d991125c94 100644
--- a/website/source/docs/secrets/cubbyhole/index.html.md +++ b/website/source/docs/secrets/cubbyhole/index.html.md @@ -14,13 +14,13 @@ The `cubbyhole` secret backend is used to store arbitrary secrets within the configured physical storage for Vault. It is mounted at the `cubbyhole/` prefix by default and cannot be mounted elsewhere or removed. -This backend differs from the `generic` backend in that the `generic` backend's +This backend differs from the `kv` backend in that the `kv` backend's values are accessible to any token with read privileges on that path. In `cubbyhole`, paths are scoped per token; no token can access another token's cubbyhole, whether to read, write, list, or for any other operation. When the token expires, its cubbyhole is destroyed. -Also unlike the `generic` backend, because the cubbyhole's lifetime is linked +Also unlike the `kv` backend, because the cubbyhole's lifetime is linked to that of an authentication token, there is no concept of a TTL or refresh interval for values contained in the token's cubbyhole. diff --git a/website/source/docs/secrets/index.html.md b/website/source/docs/secrets/index.html.md index 7a1d32dcc7..ea8bb1c672 100644 --- a/website/source/docs/secrets/index.html.md +++ b/website/source/docs/secrets/index.html.md @@ -11,7 +11,7 @@ description: |- Secret backends are the components in Vault which store and generate secrets. -Some secret backends, such as "generic", simply store and read +Some secret backends, such as "kv", simply store and read secrets verbatim. Other secret backends, such as "aws", create _dynamic secrets_: secrets that are made on demand. 
@@ -21,7 +21,7 @@ in Vault. They behave very similarly to a virtual filesystem: any read/write/delete is sent to the secret backend, and the secret backend can choose to react to that operation however it sees fit. -For example, the "generic" backend passes through any operation back +For example, the "kv" backend passes through any operation back to the configured storage backend for Vault. A "read" turns into a "read" of the storage backend at the same path, a "write" turns into a write, etc. This is a lot like a normal filesystem. diff --git a/website/source/docs/secrets/generic/index.html.md b/website/source/docs/secrets/kv/index.html.md similarity index 74% rename from website/source/docs/secrets/generic/index.html.md rename to website/source/docs/secrets/kv/index.html.md index e2ccbb1997..8a4994bb60 100644 --- a/website/source/docs/secrets/generic/index.html.md +++ b/website/source/docs/secrets/kv/index.html.md 
@@ -1,22 +1,22 @@ --- layout: "docs" -page_title: "Generic Secret Backend" -sidebar_current: "docs-secrets-generic" +page_title: "Key/Value Secret Backend" +sidebar_current: "docs-secrets-kv" description: |- - The generic secret backend can store arbitrary secrets. + The key/value secret backend can store arbitrary secrets. --- -# Generic Secret Backend +# Key/Value Secret Backend -Name: `generic` +Name: `kv` -The generic secret backend is used to store arbitrary secrets within +The key/value secret backend is used to store arbitrary secrets within the configured physical storage for Vault. If you followed along with -the getting started guide, you interacted with a generic secret backend +the getting started guide, you interacted with a key/value secret backend via the `secret/` prefix that Vault mounts by default. You can mount as many of these backends at different mount points as you like. -Writing to a key in the `generic` backend will replace the old value; +Writing to a key in the `kv` backend will replace the old value; sub-fields are not merged together. This backend honors the distinction between the `create` and `update` @@ -28,7 +28,7 @@ secret's path. ## Quick Start -The generic backend allows for writing keys with arbitrary values. When data is +The kv backend allows for writing keys with arbitrary values. When data is returned, the `lease_duration` field (in the API JSON) or `refresh_interval` field (on the CLI) gives a hint as to how often a reader should look for a new value. This comes from the value of the `default_lease_ttl` set on the mount, @@ -44,7 +44,7 @@ if it fits your input data. The backend _never_ removes data on its own; the `ttl` key is merely advisory. -As an example, we can write a new key "foo" to the generic backend mounted at +As an example, we can write a new key "foo" to the kv backend mounted at "secret/" by default: ``` 
@@ -72,6 +72,6 @@ seconds (one hour) as specified.
 ## API
-The Generic secret backend has a full HTTP API. Please see the
-[Generic secret backend API](/api/secret/generic/index.html) for more
+The Key/Value secret backend has a full HTTP API. Please see the
+[Key/Value secret backend API](/api/secret/kv/index.html) for more
 details.
diff --git a/website/source/docs/secrets/mongodb/index.html.md b/website/source/docs/secrets/mongodb/index.html.md
index 9072e7c104..654278191e 100644
--- a/website/source/docs/secrets/mongodb/index.html.md
+++ b/website/source/docs/secrets/mongodb/index.html.md
@@ -35,7 +35,7 @@ on every path, use `vault path-help` after mounting the backend.
 ## Quick Start
 The first step to using the mongodb backend is to mount it.
-Unlike the `generic` backend, the `mongodb` backend is not mounted by default.
+Unlike the `kv` backend, the `mongodb` backend is not mounted by default.
 ```
 $ vault mount mongodb
diff --git a/website/source/docs/secrets/mssql/index.html.md b/website/source/docs/secrets/mssql/index.html.md
index 92d1136386..443ba6fc2e 100644
--- a/website/source/docs/secrets/mssql/index.html.md
+++ b/website/source/docs/secrets/mssql/index.html.md
@@ -34,7 +34,7 @@ on every path, use `vault path-help` after mounting the backend.
 ## Quick Start
 The first step to using the mssql backend is to mount it.
-Unlike the `generic` backend, the `mssql` backend is not mounted by default.
+Unlike the `kv` backend, the `mssql` backend is not mounted by default.
 ```
 $ vault mount mssql
diff --git a/website/source/docs/secrets/mysql/index.html.md b/website/source/docs/secrets/mysql/index.html.md
index 87faef4fbe..cf970c95da 100644
--- a/website/source/docs/secrets/mysql/index.html.md
+++ b/website/source/docs/secrets/mysql/index.html.md
@@ -34,7 +34,7 @@ on every path, use `vault path-help` after mounting the backend.
 ## Quick Start
 The first step to using the mysql backend is to mount it.
-Unlike the `generic` backend, the `mysql` backend is not mounted by default.
+Unlike the `kv` backend, the `mysql` backend is not mounted by default.
 ```
 $ vault mount mysql
diff --git a/website/source/docs/secrets/pki/index.html.md b/website/source/docs/secrets/pki/index.html.md
index 62e0ef184b..1ac49044a9 100644
--- a/website/source/docs/secrets/pki/index.html.md
+++ b/website/source/docs/secrets/pki/index.html.md
@@ -127,7 +127,7 @@ endpoint.
 #### Mount the backend
-The first step to using the PKI backend is to mount it. Unlike the `generic`
+The first step to using the PKI backend is to mount it. Unlike the `kv`
 backend, the `pki` backend is not mounted by default.
 ```text
diff --git a/website/source/docs/secrets/postgresql/index.html.md b/website/source/docs/secrets/postgresql/index.html.md
index 3451093ea2..4c4a363623 100644
--- a/website/source/docs/secrets/postgresql/index.html.md
+++ b/website/source/docs/secrets/postgresql/index.html.md
@@ -35,7 +35,7 @@ on every path, use `vault path-help` after mounting the backend.
 ## Quick Start
 The first step to using the PostgreSQL backend is to mount it.
-Unlike the `generic` backend, the `postgresql` backend is not mounted by default.
+Unlike the `kv` backend, the `postgresql` backend is not mounted by default.
 ```text
 $ vault mount postgresql
diff --git a/website/source/docs/secrets/rabbitmq/index.html.md b/website/source/docs/secrets/rabbitmq/index.html.md
index d5b9c4ccfd..56b99b8dbb 100644
--- a/website/source/docs/secrets/rabbitmq/index.html.md
+++ b/website/source/docs/secrets/rabbitmq/index.html.md
@@ -31,7 +31,7 @@ on every path, use `vault path-help` after mounting the backend.
 ## Quick Start
 The first step to using the RabbitMQ backend is to mount it. Unlike the
-`generic` backend, the `rabbitmq` backend is not mounted by default.
+`kv` backend, the `rabbitmq` backend is not mounted by default.
 ```text
 $ vault mount rabbitmq
diff --git a/website/source/docs/secrets/totp/index.html.md b/website/source/docs/secrets/totp/index.html.md
index 97cebceb87..6ae9ca14b5 100644
--- a/website/source/docs/secrets/totp/index.html.md
+++ b/website/source/docs/secrets/totp/index.html.md
@@ -20,7 +20,7 @@ on every path, use `vault path-help` after mounting the backend.
 ## Quick Start
 The first step to using the TOTP backend is to mount it.
-Unlike the `generic` backend, the `totp` backend is not mounted by default.
+Unlike the `kv` backend, the `totp` backend is not mounted by default.
 ```text
 $ vault mount totp
diff --git a/website/source/docs/secrets/transit/index.html.md b/website/source/docs/secrets/transit/index.html.md
index 4b5da3fd10..e84dd57e51 100644
--- a/website/source/docs/secrets/transit/index.html.md
+++ b/website/source/docs/secrets/transit/index.html.md
@@ -63,7 +63,7 @@ on every path, use `vault path-help` after mounting the backend.
 ## Quick Start
-The first step to using the transit backend is to mount it. Unlike the `generic`
+The first step to using the transit backend is to mount it. Unlike the `kv`
 backend, the `transit` backend is not mounted by default.
 ```
diff --git a/website/source/guides/plugin-backends.html.md b/website/source/guides/plugin-backends.html.md
index 60a5005be5..9cbb0869e0 100644
--- a/website/source/guides/plugin-backends.html.md
+++ b/website/source/guides/plugin-backends.html.md
@@ -73,7 +73,7 @@ $ vault mounts Path Type Accessor Plugin Default TTL Max TTL Force No Cache Replication Behavior Description cubbyhole/ cubbyhole cubbyhole_80ef4e30 n/a n/a n/a false local per-token private secret storage mock/ plugin plugin_10fc2cce mock-plugin system system false replicated -secret/ generic generic_ef2a14ec n/a system system false replicated generic secret storage +secret/ kv kv_ef2a14ec n/a system system false replicated key/value secret storage sys/ system system_e3a4cccd n/a n/a n/a false replicated system endpoints used for control, policy and debugging ``` @@ -95,7 +95,7 @@ Successfully unmounted 'mock' if it was mounted $ vault mounts Path Type Accessor Plugin Default TTL Max TTL Force No Cache Replication Behavior Description cubbyhole/ cubbyhole cubbyhole_80ef4e30 n/a n/a n/a false local per-token private secret storage -secret/ generic generic_ef2a14ec n/a system system false replicated generic secret storage +secret/ kv kv_ef2a14ec n/a system system false replicated key/value secret storage sys/ system system_e3a4cccd n/a n/a n/a false replicated system endpoints used for control, policy and debugging ``` diff --git a/website/source/intro/getting-started/help.html.md b/website/source/intro/getting-started/help.html.md index 7280b9fe06..a8a046fae3 100644 --- a/website/source/intro/getting-started/help.html.md +++ b/website/source/intro/getting-started/help.html.md @@ -9,7 +9,7 @@ description: |- # Built-in Help You've now worked with `vault write` and `vault read` for multiple -paths: the generic secret backend with `secret/` and dynamic AWS +paths: the kv secret backend with `secret/` and dynamic AWS credentials with the AWS backend provider at `aws/`. In both cases, the structure and usage of each backend differed, for example the AWS backend has special paths like `aws/config`. 
@@ -109,7 +109,7 @@ There is also a description of what that path does. Go ahead and explore more paths! Mount other backends, traverse their help systems and learn about what they do. For example, learn about the -generic `secret/` path. +kv `secret/` path. ## Next diff --git a/website/source/intro/getting-started/secret-backends.html.md b/website/source/intro/getting-started/secret-backends.html.md index 796ecc2491..9ff188db26 100644 --- a/website/source/intro/getting-started/secret-backends.html.md +++ b/website/source/intro/getting-started/secret-backends.html.md @@ -10,11 +10,11 @@ description: |- Previously, we saw how to read and write arbitrary secrets to Vault. To do this, we used the `secret/` prefix. This prefix specifies which -backend to use. By default, Vault mounts a backend called _generic_ to -`secret/`. The generic backend reads and writes raw data to the backend +backend to use. By default, Vault mounts a backend called _kv_ to +`secret/`. The kv backend reads and writes raw data to the backend storage. -Vault supports other backends in addition to the _generic_ backend, and this feature +Vault supports other backends in addition to the _kv_ backend, and this feature in particular is what makes Vault unique. For example, the _aws_ backend generates AWS access keys dynamically, on demand. Another example -- this type of backend does not yet exist -- is a backend that @@ -23,7 +23,7 @@ reads and writes data directly to an As Vault matures, more and more backends will be added. To represent backends, Vault behaves much like a filesystem: backends -are mounted at specific paths. For example, the _generic_ backend is +are mounted at specific paths. For example, the _kv_ backend is mounted at the `secret/` prefix. On this page, we'll learn about the mount system and the operations 
@@ -32,7 +32,7 @@ for the next page, where we'll create dynamic secrets. ## Mount a Backend -To start, let's mount another _generic_ backend. Just like a normal +To start, let's mount another _kv_ backend. Just like a normal filesystem, Vault can mount a backend multiple times at different mount points. This is useful if you want different policies (covered later) or configurations for different paths. @@ -40,32 +40,32 @@ mount points. This is useful if you want different policies To mount the backend: ``` -$ vault mount generic -Successfully mounted 'generic' at 'generic'! +$ vault mount kv +Successfully mounted 'kv' at 'kv'! ``` By default, the mount point will be the same name as the backend. This is because 99% of the time, you don't want to customize this mount point. -In this example, we mounted the _generic_ backend at `generic/`. +In this example, we mounted the _kv_ backend at `kv/`. You can inspect mounts using `vault mounts`: ``` $ vault mounts Path Type Description -generic/ generic -secret/ generic generic secret storage +kv/ kv +secret/ kv key/value secret storage sys/ system system endpoints used for control, policy and debugging ``` -You can see the `generic/` path we just mounted, as well as the built-in +You can see the `kv/` path we just mounted, as well as the built-in secret path. You can also see the `sys/` path. We won't cover this in this guide, but this mount point is used to interact with the Vault core system. Spend some time reading and writing secrets to the new mount point to convince yourself it works. As a bonus, write to the `secret/` endpoint -and observe that those values are unavailable via the `generic/` path: they share the +and observe that those values are unavailable via the `kv/` path: they share the same backend, but do not share any data. In addition to this, backends (of the same type or otherwise) _cannot_ access the data of other backends; they can only access data within their mount point. 
@@ -78,8 +78,8 @@ and its data is deleted. If either of these operations fail, the backend remains mounted. ``` -$ vault unmount generic/ -Successfully unmounted 'generic/' if it was mounted +$ vault unmount kv/ +Successfully unmounted 'kv/' if it was mounted ``` In addition to unmounting, you can remount a backend. Remounting a @@ -95,7 +95,7 @@ Now that you've mounted and unmounted a backend, you might wonder: Vault behaves a lot like a [virtual filesystem](https://en.wikipedia.org/wiki/Virtual_file_system). The read/write/delete operations are forwarded to the backend, and the backend can choose to react to these operations however it wishes. -For example, the _generic_ backend simply passes this through to the +For example, the _kv_ backend simply passes this through to the storage backend (after encrypting data first). However, the _aws_ backend (which you'll see soon), will read/write IAM diff --git a/website/source/layouts/api.erb b/website/source/layouts/api.erb index d5c3dd3152..b261393399 100644 --- a/website/source/layouts/api.erb +++ b/website/source/layouts/api.erb @@ -50,8 +50,8 @@ - > - Generic + > + Key/Value > Identity diff --git a/website/source/layouts/docs.erb b/website/source/layouts/docs.erb index 5597279158..2d69857243 100644 --- a/website/source/layouts/docs.erb +++ b/website/source/layouts/docs.erb @@ -213,8 +213,8 @@ - > - Generic + > + Key/Value >