mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-12-16 15:01:13 +01:00
Code Issues Projects Releases Wiki Activity

api: update spec

Browse Source
This commit is contained in:
Mitchell Hashimoto 2015-03-04 15:41:21 -08:00
parent c24137e914
commit 36b7b84ec4
1 changed files with 58 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
api/SPEC.md
View File

@ -170,11 +170,13 @@ shown to the user as documentation.
+ Response 200 (application/json) + Response 200 (application/json)
[{ [{
"name": "token", "id": "token",
"type": "token",
"help": "base64-encoded human-friendly docs", "help": "base64-encoded human-friendly docs",
"keys": ["token"] "keys": ["token"]
}, { }, {
"name": "password", "id": "password",
"type": "password",
"help": "base64-encoded human-friendly docs", "help": "base64-encoded human-friendly docs",
"keys": ["username", "password"] "keys": ["username", "password"]
}] }]
@ -182,7 +184,7 @@ shown to the user as documentation.
## Single Auth Method [/sys/auth/{id}] ## Single Auth Method [/sys/auth/{id}]
+ Parameters + Parameters
+ id (required, string) ... The name of the auth method. + id (required, string) ... The ID of the auth method.
### Enable an auth method [PUT] ### Enable an auth method [PUT]
Enables an authentication method. Enables an authentication method.
@ -193,13 +195,13 @@ authentication method you're enabling in order to determine what
parameters you must give it. parameters you must give it.
If an authentication method is already enabled, then this can be If an authentication method is already enabled, then this can be
used to change the configuration. Multiple authentication methods used to change the configuration, including even the type of
with the same type but different settings cannot be enabled at this the configuration.
time in Vault.
+ Request (application/json) + Request (application/json)
{ {
"type": "type",
"key": "value", "key": "value",
"key2": "value2" "key2": "value2"
} }
@ -219,10 +221,14 @@ Authenticate with Vault, returning an access token to use for
future requests. This access token should be passed in as a cookie future requests. This access token should be passed in as a cookie
for future requests. for future requests.
It can be renewed like any other Vault secret, and will expire The request body of this request is arbitrary depending on the
like any other Vault secret. authentication method being used above. Authentication strategies
are treated like middleware: each one will be tried in turn, and
if one succeeds, then the user will be authentiated. Otherwise,
it is an authentication failure.
The token will also be set in the standard `Set-Cookie` headers. The response can be treated like any normal Vault secret:
renewed, revoked, etc.
+ Response 200 (application/json) + Response 200 (application/json)
@ -232,6 +238,49 @@ The token will also be set in the standard `Set-Cookie` headers.
"key": "value" "key": "value"
} }
# Group ACLs
ACLs are named permission sets that identities returned by
credential stores are bound to. This separates _authetication_
from _authorization_.
## ACLs [/sys/acls]
### List all ACLs [GET]
List all the ACLs.
+ Response 200 (application/json)
[{
"id": "root",
"acl": "base64-encoded HCL describing ACL"
}]
## Single ACL [/sys/acls/{id}]
+ Parameters
+ id (required, string) ... The ID of the ACL
### Upsert [PUT]
Create or update an ACL with the given ID.
+ Request (application/json)
{
"acl": "base64-encoded HCL"
}
+ Response 204
### Delete [DELETE]
Delete an ACL with the given ID. Any identities bound to this
ACL will immediately become "deny all" despite already being
authenticated.
+ Response 204
# Group Mounts # Group Mounts
Logical backends are mounted at _mount points_, similar to Logical backends are mounted at _mount points_, similar to